A Forum reader recently asked:

“Is it possible to set up a protected resource to use a login page as a last resort without using an authentication contract? As I understand it, authentication contracts are always run before any policy evaluation takes place, and I wont my users to login only if they are not on certain IP subnets. I have created the IP subnet policy, but I can’t find any way to create a login page policy.”

And here is the response from Martin Day …


This can be done if you create two proxy services pointing to the same backend app – for example, and www.

1. For the www. proxy service, don’t assign an authentication contract (i.e. public access) but create an authorization policy granting access to the desired subnet only.

2. Add another rule of lower priority which, instead of denying, is configured to Redirect. Make the redirect URL point to

3. For, assign the desired authentication contract and other policies.

So, all users would access www. If they’re on the right subnet, they get in. If not, they are transparently bounced to another name requiring authentication.

0 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 5 (0 votes, average: 0.00 out of 5)
You need to be a registered member to rate this post.
Categories: Uncategorized

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Leave a Reply

No Comments
By: mday
Feb 13, 2008
7:16 am
Active Directory Authentication Automation Cloud Computing Cloud Security Configuration Customizing Data Breach DirXML Drivers End User Management Identity Manager Importing-Exporting / ICE/ LDIF Intelligent Workload Management IT Security Knowledge Depot LDAP Monitoring Open Enterprise Server Passwords Reporting Secure Access Supported Troubleshooting Workflow