Single Sign On
 
Author Message
godlike
SysAider

SysAider from release 6.5 Slovenia
Joined: 05/05/2010
Messages: 1
Offline

Hi all.

SSO won't work on my system. I am currently running the 30-day trial version.
Have to get this working before we buy this for our company.

The problem is I followed this guide but I still get the login screen in IE and Win7.

My serverConf.xml (LDAP configuration is already OK and all users from AD can login through username and pass on login page)



Thank you for the help!
wbeers
SysAider

SysAider from release 5.5 United States
Joined: 28/07/2008
Messages: 20
Offline

A tip I've found useful is to force the computer to send LM & NTLM responses via Group Policy...

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: LAN Manager authentication level set to "Send LM & NTLM responses".

This fixed my issue with SSO not working correctly on Windows 7 Professional 32-bit / Internet Explorer 8 and SysAid 7.0.04 with Tomcat, Microsoft SQL Server and the jcifs single sign-on module.
mszc
SysAider

SysAider from release 5.5 Germany
Joined: 19/08/2009
Messages: 18
Offline

Hi,

SSO is working, but for some users of other domains I need different login credentials. How do I manage this? In the entry post there's something about disabling NTLM in IE. How do I do that?
Wilson
SysAider

SysAider from release 7
Joined: 14/07/2010
Messages: 1
Offline

Hi All

Is there another way to do single sign-on without entering the network user's password in serverConf.xml?

Thanks in advance.

itayH
SysAid Customer Relations


Joined: 23/09/2009
Messages: 1092
Offline

Hi Wilson,

Welcome to our community, I hope you will find all the help you need here.

Currently there is no way, but usually no one except admins can enter and open files on the server, so it's not a big issue. You can create a new user that has only the read option and set it in serverConf.xml just for the SSO if you don't want the other admins to see your pass. Also make sure that the password never expires.

Best Regards,
Itay
Cafe Delice
SysAider

SysAider from release 6.5
Joined: 09/08/2010
Messages: 1
Offline

It seems that from version 7, the DB password is encrypted in the ServerConf.xml file. It now contains something similar to <dbPassword>crypt:####</dbPassword>, where #### is the encrypted password.
We are using MS SQL as the DB, with Windows Authentication. So, that DB user is actually an ActiveDirectory (AD) user that can be used for SSO.

To test SSO, I used this same AD user in <ntlmParamValue>password</ntlmParamValue>, but I copied/pasted the crypt:#### there. And it works fine!
That's great, because it means you actually don't need to save the SSO information in clear text.

Of course, this worked because I knew the encrypted version of the password that the installation program generated for me in the <dbPassword> key.

My question: how can we generate an encrypted version of a password ourselves? I mean, how can we obtain the encrypted string to put behind "crypt:" starting from the clear text version?
We could of course install a new version of SysAid somewhere and fake the DB password to get it... But it would probably be easier if Ilient provided a tool for this (a system web page, for example?).
Yasar72
SysAider


SysAider from release 3 Australia Pathfinder
Joined: 07/04/2011
Messages: 5
Offline

Thanks, copied & pasted from the old server.xml file and it works like a charm.
wka
Elite SysAider

SysAider from release 4.5 United Kingdom Pathfinder
Joined: 15/07/2010
Messages: 140
Offline

I've tried to implement this myself.

But I get an issue where the web browser window tries to prompt for a logon, which you can do. But I just want SysAid to go straight in.

Our SysAid system is in a DMZ, I configured it as described.
Our users mostly log on from a Citrix System.
They all log on as AD users.
But when you click on SysAid it prompts for a username/password. I thought it would just go straight into SysAid as the logged-on user.

David Lee
SysAid Customer Relations


Joined: 24/06/2009
Messages: 40
Offline

Hey guys.

wka, your answer will follow, but first, we'll start with the new, correct SSO tags for versions above version 7 (CliGil, please update your initial post).

************************************************************************************************************************
Once LDAP integration has been configured to import user accounts from your Active Directory domain, you can configure single sign-on to automatically authenticate users using the NTLM protocol according to the credentials they used to login to the domain.

To configure single sign-on using the built-in Tomcat web-server, please edit the serverConf.xml file located at ...\SysAidServer\root\WEB-INF\conf. Add the following lines after the line <externalLoginClass>none</externalLoginClass>:
<ntlmAuth>
    <ntlmParam>
        <ntlmParamName>jcifs.smb.client.domain</ntlmParamName>
        <ntlmParamValue>ACME</ntlmParamValue>
    </ntlmParam>
    <ntlmParam>
        <ntlmParamName>jcifs.http.domainController</ntlmParamName>
        <ntlmParamValue>DC1.acme.com</ntlmParamValue>
    </ntlmParam>
    <ntlmParam>
        <ntlmParamName>jcifs.smb.client.username</ntlmParamName>
        <ntlmParamValue>username_on_AD</ntlmParamValue>
    </ntlmParam>
    <ntlmParam>
        <ntlmParamName>jcifs.smb.client.password</ntlmParamName>
        <ntlmParamValue>password_of_the_above_username</ntlmParamValue>
    </ntlmParam>
</ntlmAuth>

Make sure to replace:
1. ACME with the NetBIOS domain name (pre-Windows 2000)
2. DC1.acme.com with the hostname or IP address of your domain controller.
3. username_on_AD with a user-name on Active Directory (Any domain user should be fine; no administrative permissions are necessary. Make sure to set “password never expires” so that the integration will not break whenever the password expires.)
4. password_of_the_above_username with the password of the mentioned user account.

After saving these changes, please restart the SysAid Server service to apply the new integration.

****************************************************************************************

wka, and anyone who still gets a prompt requesting login credentials, please use the following, since it probably means that the browser (IE) is not passing the credentials to the SysAid server.

Here is how to set IE to pass credentials to the SysAid server.

1. In Internet Explorer, please go to the Tools -> Internet Options -> Advanced tab and check the “Enable Integrated Windows Authentication” check-box.

2. Next, switch to the security tab and click Local Intranet -> Custom Level and select “Automatic log-on with current user name and password” (under User Authentication, Log-on).

3. Do the same for 'Internet' and 'Trusted Sites'.

4. Click OK on all windows and restart Internet Explorer (close all IE windows and open it again).
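
An added example, not part of the original posts and not SysAid tooling: a Python check of the <ntlmAuth> block described above that reports missing parameters, guide placeholders left in place, and an SSO password stored in clear text. It treats a value starting with crypt: as encrypted only because a poster in this thread reports that form working; the <conf> root element and the sample account name and password are assumptions.

```python
import xml.etree.ElementTree as ET

# Parameter names and placeholder values as given in the guide above.
REQUIRED = (
    "jcifs.smb.client.domain",
    "jcifs.http.domainController",
    "jcifs.smb.client.username",
    "jcifs.smb.client.password",
)
PLACEHOLDERS = {"ACME", "DC1.acme.com", "username_on_AD",
                "password_of_the_above_username"}
PASSWORD = "jcifs.smb.client.password"

def read_ntlm_params(xml_text):
    """Return {ntlmParamName: ntlmParamValue} for every <ntlmParam>."""
    params = {}
    for p in ET.fromstring(xml_text).iter("ntlmParam"):
        name = (p.findtext("ntlmParamName") or "").strip()
        if name:
            params[name] = (p.findtext("ntlmParamValue") or "").strip()
    return params

def audit_ntlm_auth(xml_text):
    """Return sorted findings; parameter values are never echoed."""
    params = read_ntlm_params(xml_text)
    findings = []
    for name in REQUIRED:
        value = params.get(name, "")
        if not value:
            findings.append(f"missing: {name}")
        elif value in PLACEHOLDERS:
            findings.append(f"placeholder not replaced: {name}")
        elif name == PASSWORD and not value.startswith("crypt:"):
            findings.append(f"cleartext password: {name}")
    return sorted(findings)

# Constructed sample: <conf> root, account name and password are made up.
SAMPLE = """<conf>
<externalLoginClass>none</externalLoginClass>
<ntlmAuth>
<ntlmParam><ntlmParamName>jcifs.smb.client.domain</ntlmParamName><ntlmParamValue>CORP</ntlmParamValue></ntlmParam>
<ntlmParam><ntlmParamName>jcifs.http.domainController</ntlmParamName><ntlmParamValue>DC1.acme.com</ntlmParamValue></ntlmParam>
<ntlmParam><ntlmParamName>jcifs.smb.client.username</ntlmParamName><ntlmParamValue>svc_sysaid_sso</ntlmParamValue></ntlmParam>
<ntlmParam><ntlmParamName>jcifs.smb.client.password</ntlmParamName><ntlmParamValue>example-cleartext</ntlmParamValue></ntlmParam>
</ntlmAuth>
</conf>"""

if __name__ == "__main__":
    for finding in audit_ntlm_auth(SAMPLE):
        print(finding)
```

To check a real installation, pass the contents of serverConf.xml to audit_ntlm_auth; the findings name the parameter but never print its value, so the output can be shared in a ticket.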
