Forefront TMG

Responsive ISA login form for TMG

My company uses Microsoft Forefront TMG in order to authenticate our external users trying to reach our internal applications.

Designed in an era before the proliferation of mobile devices, TMG’s default login pages are unwieldy. Users have to zoom in to enter anything into the username and password fields.

Additionally, my company uses SafeNet Authentication Service to provide 2-factor authentication for our external users. This adds one more field that users struggle to enter data into, and a time-sensitive one at that.

Scott Glew developed a set of TMG Responsive Auth Forms that partially solve this problem. While they are ideal for a company using only Name/Password, they don’t work if a company uses RADIUS OTP.

I’ve forked Scott’s project and submitted a revision to the file which supports the use of a 2 factor passcode.

Here’s the text submitted as part of that patch which summarizes what I did:

The original ISA responsive form is only for the page asking for username and password (usr_pwd.htm). If you elect to “Collect additional delegation credentials in the form” on the listener for use with RADIUS OTP, TMG instead uses usr_pwd_pcode.htm.

This version merges the code from Microsoft’s original non-responsive page into Scott’s responsive form.

We use this version with CryptoCard/BlackShield.

Unlike the original Microsoft form, I have switched the order of the fields to be Name/Password/Passcode instead of Name/Passcode/Password, as the natural flow for users is to enter their regular credentials first and then pause to add the 2-factor passcode.

In the original format, since Passcode is time-sensitive, users often had their passcode rejected as they fumbled with data entry and switching between fields.