Latest posts for the topic "Single Sign On"

Single Sign On

CliGil — GMT

Here's the instructions on how to define single sign on:

These instructions are relevant only if you have LDAP integration with an Active Directory domain. You can configure single sign-on to automatically authenticate the users using the NTLM protocol (according to the credentials they used to login to the domain)

It is also possible to configure SysAid to use Integrated Windows Authentication (single signon) by integrating with IIS, and then letting the IIS handle the SSO authentication. For more information on this, please contact us.

To configure single sign-on using the built-in tomcat webserver please edit the ...\SysAidServer\root\WEB-INF\conf\serverConf.xml file and add the following lines after the none line:

jcifs.smb.client.domain
ACME

jcifs.http.domainController
DC1.acme.com

jcifs.smb.client.username
username_on_AD

jcifs.smb.client.password
password_of_the_above_username

jcifs.smb.lmCompatibility
3

make sure to replace:
1. ACME – with the NetBIOS domain name (pre-Windows 2000).
2. DC1.acme.com – with the hostname or IP address of your domain controller.
3. username_on_AD – with a username on Active Directory (any domain user should be fine. No administrative permissions needed. Make sure to set the Password never expires, so that the integration won't break whenever the password expires).
4. password_of_the_above_username – the password of the mentioned user account.

After saving these changes, please restart the SysAid Server service to apply the new integration.

If all of the above doesn't help, there's an additional change that has to be made in the Domain Controller Security Settings.
Find Local Policies\Security Options and then set the Network Security: LAN Manger Authentication Level to “Send LM & NTLM responses”. Other values may have apply as well. This is the one that worked for us.

Please let me know if that answers your question. If not, or you need further assistance, please don't hesitate to contact us. Your response will be highly appreciated.

Re:Single Sign On

Obelix — GMT

What happen to the existing user if I apply SSO later on ?
Will it be duplicated ?

Re:Single Sign On

Israel Lifshitz — GMT

[quote=Obelix]What happen to the existing user if I apply SSO later on ?
Will it be duplicated ?
[/quote]

SSO does not import user details to database it just handle the authentication of the users. LDAP integration will continue to import the users but will not handle the authentication.

Let me describe more about idea and details of the Single Sign On:

If you already logged in with a trusted source why you need to login again to other systems -- the other systems should check with the trusted source that you already logged in and then let you in.

In the above details the trusted source is the Windows Domain Controller (aka Active Directory) and if you already logged in to your machine you will not need to login to SysAid. The web browser will do the authentication for you using the NTLM protocol (in similar method you do not need to enter user/password for each network resource you use). The Sysaid Login page will be disappearing and you will automatically log in if you have valid user in SysAid and you already logged in to the domain.

SysAid also support other methods of SSO (E.g. CAS). However if you have windows domain the most simple configuration is to use this "Integrated Windows Authentication"

One issue that can arise if you enable the SSO is that you will not able to login with a different user name then the user logged in to the windows. A simple workaround is to temporary disable NTLM in your web browser when you need to login as different user.

Re:Single Sign On

CliGil — GMT

I activated mine when I switch to a new installation on a new server so I did not create users on the new server. I let the LDAP integration pull them all into SysAid

Re:Single Sign On

CliGil — GMT

Excellent suggestion regarding logging in as other users. I have had the need a couple times in the past to do just that.

Thanks for the tip!

Re:Single Sign On

Obelix — GMT

[b]Israel..[/b]
Ok... I thought ldap integration and SSO is interchangeable... my bad.
I'm not interested in SSO... another layer of security is always good especially as it got more and more powerful feature.

Let me rephrase my question... what happened to the existing users if I activate ldap integration later ?
Will the users be duplicated ?

Re:Single Sign On

CliGil — GMT

Obelix,

When LDAP imports the user account into SysAid, the user account will look like this "DOMAIN\username"

Where right now you only have the username. SO the difference is that after LDAP is integrated the users accounts brought in from the domain will require the domain name as part of the login username.
So unless you already have an account like "DOMAIN\username" then it will recreate the users and both accounts will exist.

You can control which OU it pulls from, incase you do not want to create an account for all your users.

Using LDAP we do not need to require the users to login into the help desk because they have already logged into their computer. The computer will have access to information way more sensitive than anything that the help desk will have.

So I make it easy on them with SSO. They will log into the helpdesk with the exact same username and password that they used to get into their computer. Since they are already authenticated why not remove a step from the end user making it easier for them and by making it easier for them they are more likely to use it.

We do not have anyone outside of the comapny accessing the helpdesk.

Re:Single Sign On

Israel Lifshitz — GMT

[quote=CliGil]
When LDAP imports the user account into SysAid, the user account will look like this "DOMAIN\username"

[/quote]

CliGil,

The user name looks like "DOMAIN\username" only if you have more then one domains.

In most cases ther user name is just "username". In such case migration to LDAP integration will be simple if the old usernames are the same names that listed in the A.D.

Re:Single Sign On

CliGil — GMT

[quote=Israel Lifshitz]
The user name looks like "DOMAIN\username" only if you have more then one domains.

In most cases ther user name is just "username". In such case migration to LDAP integration will be simple if the old usernames are the same names that listed in the A.D.

[/quote]

Israel, thanks for clarifying that for me. We do have multiple domains in our forest.

in order to clarify, if we have an existing username in SysAid of "helix" and we have a single domain with a user account "helix", when we active the LDAP integration the domain useraccount "helix" will replace the one in SysAid?

Single Sign On

Obelix — GMT

Cligil...

If the user is duplicated what happened to the existing ?
Since we already got a new one (with domain) will the old account stil able to generate SR ?
If not can I safely delete the old account without losing any SR ?

Single Sign On

CliGil — GMT

[quote=Obelix]Cligil...

If the user is duplicated what happened to the existing ?
Since we already got a new one (with domain) will the old account stil able to generate SR ?
If not can I safely delete the old account without losing any SR ?[/quote]

Obelix,

In my situation both user accounts existed, one with the domain name as part of the username and the original. Because I only have internal users I ended up deleteing all existing users and allowing the LDAP integration to pull in all the users.
The existing service requests remained open. They changed only in that it recongnized the user was no longer an existing account and you can change it or leave the user reference.

So yes, I have deleted user accounts without losing the SR.

As far as the old one being able to generate a SR, if the user account is a domain account when they try to access the helpdesk it should log the SR as that domain account, even if that domain name does not exist as a current user account in SysAid.

Hope this helps

Re:Single Sign On

Obelix — GMT

I don't know... it sounds messy.
But thanks for the info cligil...
*slight nod smile*
Much much appreciated...

Re:Single Sign On

CliGil — GMT

Not that you have this option but when I migrated SysAid to a new server I enabled LDAP right from the start and I do not have any none domain accounts.

For me everything works like a champ.

*shrug*

Re:Single Sign On

Israel Lifshitz — GMT

[quote=CliGil]
in order to clarify, if we have an existing username in SysAid of "helix" and we have a single domain with a user account "helix", when we active the LDAP integration the domain useraccount "helix" will replace the one in SysAid?[/quote]

Yes. The username "helix" will remain and SysAid just override the attributes from the A.D. (e.g. email, phone)

Re:Single Sign On

Israel Lifshitz — GMT

CilGil,

If you use the system with single domain (i.e. "username" users) for a while and then changed it to multiple domains (i.e. "DOMAIN\username" style) you will have the following issues:

1. Duplicates users in the database.
2. Users will not be able to view their old SRs created with the "username" style because SysAid consider them as different users.

The fix are simple:

1. Delete yourself the old users with the multiple record delete option in "End User Manager" page.
2. Contact SysAid support so we help you to changes the username in the old SRs directly in the database.

One note:
It’s better to contact support just after (or just before) you migrate to multiple domain because the database have SRs only with one style. Now your database has mixed record.

Re:Single Sign On

Jason Weston — GMT

Okay i have an issue with SSO, funny thing is i managed to get this working at my last place of employment. Essentially i am not getting SSO to work, i have setup IE correctly and added the site to the Intranet Sites in security but cannot get it to authenticate, it does authenticate users (LDAP imported users) if i type in the login DOMAINNAME\username and password.

Below is my ServerConf.xml file:

org.apache.derby.jdbc.ClientDriver
jdbc:derby:default;create=true
sysdba
masterkey
derby
utf-8
false
ilient

error
false

smtpserver

helpdesk@domainname

multi
administrator
false

jcifs.smb.client.domain
FQDN

jcifs.http.domainController
DC IP

jcifs.smb.client.username
domain\username

jcifs.smb.client.password
password

jcifs.smb.lmCompatibility
3

00
internal
d1efad72dc5b17dc66a46767c32fff40
com.ilient.util.SMSCenterProvider

info

Of course i have taken out company info. Any help would be appreciated as i have tried just about everything.......

Re:Single Sign On

johnny — GMT

Newbie in sysaid:

SSO is working perfectly, but, it's possible to change the user connected when SSO is enabled? By default, every time I enter the login page, program use the system login user.

I want to change the user, because sometimes I need to use a administrator user in a remote location, when another user is logged.

Thanks.

Single Sign On

rado — GMT

Jason,
I experienced just the same problem. SSO with IE just did not work. I would appreciate any help ...

Re:Single Sign On

CliGil — GMT

SSO by design would take whatever user is logged in and use that account.

Can you remotely log into another computer to access sysaid?

Not perfect but might work.

Re:Single Sign On

OCL — GMT

Has anyone managed to get SSO to work in a multi domain environment? We are rolling out sysaid to 7000 users aprox and teaching them to type their domain\username is becoming a pain!

Any help much appreciated

Thanks

Re:Single Sign On

argentieri — GMT

Dear Ilient I have a problem with Sigle Sign on.
I made the changes to the post
http://www.ilient.com/Sysforums/posts/list/277.page # 671
But it does not work correctly.
Some users (1 or 2) you connect, others do not connect.
Could you help me?

Single Sign On

Haim — GMT

Jason Weston,

This means that the browser (IE) is not passing the credentials to the SysAid server.

Make sure that typing the domain credentials allows you to login, and if it does, this means that SSO is configured correctly.

Here is how to set IE to pass credentials to the SysAid server.

1. In Internet Explorer, please go to the Tools -> Internet Options -> Advanced tab and check the “Enable Integrated Windows Authentication” check-box.

2. Next, switch to the security tab and click Local Intranet -> Custom Level and select “Automatic log-on with current user name and password” (under User Authentication, Log-on).

3. Click OK on all windows and restart Internet Explorer (close all IE windows and open it again).

4. See if you can automatically login to SysAid. If not, perform step 2 on the Internet Zone as well and try again.

Re:Single Sign On

Haim — GMT

[quote=OCL]Has anyone managed to get SSO to work in a multi domain environment? We are rolling out sysaid to 7000 users aprox and teaching them to type their domain\username is becoming a pain!

Any help much appreciated

Thanks[/quote]

Hello OCL,

Configuring single sign-on (Integrated Windows Authentication) on SysAid when integrated with more than one Active Directory domain should work, but only if you have trust relationship between the domains. The instructions are similar to the standard SSO configuration. You only need to do the SSO configuration against one domain. If the authenticating user is from another domain, it will automatically be routed to the corresponding domain controller for authentication (thanks to the trust relationship).

If your multiple domains don't trust each-other, then SSO is not possible

Re:Single Sign On

Haim — GMT

[quote=argentieri]Dear Ilient I have a problem with Sigle Sign on.
I made the changes to the post
http://www.ilient.com/Sysforums/posts/list/277.page # 671
But it does not work correctly.
Some users (1 or 2) you connect, others do not connect.
Could you help me?[/quote]

Hello argentieri,
This issue might happen in several cases.
In order for us to further assist you, please open a service request on this issue by sending an email to helpdesk@ilient.com with a short description of your issue.

Best regards.
Haim

Re:Single Sign On-in version 6

scumgrief — GMT

After editing the xml file, the Sysaid service won't start. I am working with version 6. Does the file have to be edited differently in version 6?

I replaced the edited xml file with the original and the service started right up...

Single Sign On

Haim — GMT

Hello scumgrief,

There was probably an error in the syntax.
In order for us to further assist you, please send us an email to helpdesk@ilient.com with a short description of the issue and the serverconf.xml

Best regards.
Haim

Re:Single Sign On

AdamY — GMT

How do you modify the serverconf.xml if you are authenticating against more than one domain?

Single Sign On

Haim — GMT

Hello AdamY
Welcome to the SysAid community

Configuring single sign-on (Integrated Windows Authentication) on SysAid when integrated with more than one Active Directory domain should work, but only if you have trust relationship between the domains. The instructions are similar to the standard SSO configuration. You only need to do the SSO configuration against one domain. If the authenticating user is from another domain, it will automatically be routed to the corresponding domain controller for authentication (thanks to the trust relationship).

If your multiple domains don't trust each-other, then SSO is not possible

Best regards.
Haim

Re:Single Sign On

Jbenga — GMT

[b]Using SSO with Windows 7[/b]

I thought I would inform you guys what i have run into with windows 7(Yes I know Still in beta).

Though we have a few users in our company testing windows 7 and when they were going to our web page it was not logging them automatically(Everyone else in the company is fine). I found something online that states windows 7 using a different format, but its not an official Microsoft form. Has anyone else tried with Windows 7 and experience this same issue?

Re:Single Sign On

H0meys — GMT

I just found something out from one of our Senior Sys Admins. If you use ssl with port 3269 to only 1 server it will traverse parent and child domains as though it were one domain allowing SysAid to import the users from all the domains without the domain\username format. I hope this helps...

Re:Single Sign On

godlike — GMT

Hi all.

SSO wont work on my sistem. I am currently running 30 day trial version.
Have to get this working before we buy this for our company.

The problem is i followed this guide but i still get login screen in IE and Win7.

My serverConf.xml (LDAP configuration is already OK and all users from AD can login through username and pass on login page)

[code]

org.apache.derby.jdbc.ClientDriver
jdbc:derby:default;create=true
root
pass
derby
utf-8
false
ilient

error
false

192.168.8.99

novak.tomaz@adria-mobil.si

multi
godlike_trial
false

jcifs.smb.client.domain
MYCOMPANY

jcifs.http.domainController
192.168.8.89

jcifs.smb.client.username
ADUSERNAME

jcifs.smb.client.password
ADUSERPASS

jcifs.smb.lmCompatibility
3

http://server:8080
true

00
internal
d1efad72dc5b17dc66a46767c32fff40
com.ilient.util.SMSCenterProvider

cn
info

[/code]

Thank you for the help!

Re:Single Sign On

wbeers — GMT

A tip I've found useful is to force the computer to send LM & NTLM responses via Group Policy...

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: LAN Manager authentication level set to "Send LM & NTLM responses".

This fixed my issue with SSO not working correctly on Windows 7 Professional 32-bit / Internet Explorer 8 and SysAid 7.0.04 with tomcat, Microsoft SQL Server and the jcifs single sign-on module.

Re:Single Sign On

mszc — GMT

Hi,

SSO is working but for some users of other domains I need different login credentials. How to manage this? In the entry post there's something about disable NTLM in IE. How to do that?

Re:Single Sign On

Wilson — GMT

Hi All

Exists other way to single sign on without input password network user in serverConf.xml ?

thanks in advance

Single Sign On

itayH — GMT

Hi Wilson,

Welcome to our community, I hope you will find all the help you need here.

Currently there is no way, but usually no one except admins can enter and open files on the server so it's not a big issue. You can create new user that have only read option and set it in the serverconf.xml just for the SSO if you don't' want the other admins to see your pass. Also make sure that the password is never expired.

Re:Single Sign On

Cafe Delice — GMT

It seems that from version 7, the DB password is encrypted in the ServerConf.xml file. It now contains something similar to crypt:####, where #### is the encrypted password.
We are using MS SQL as the DB, with Windows Authentication. So, that DB user is actually an ActiveDirectory (AD) user that can be used for SSO.

To test SSO, I used this same AD user in password, but I copied/pasted the crypt:#### there. And it works fine !
That's great, because it means you actually don't need to save the SSO information in clear text.

Of course, this worked because I knew the encrypted version of the password that the installation program generated for me in the key.

My question : how can we generate an encrypted version of a password ourselves.... I mean how can we obtain the encrypted string to put behind "crypt:" starting from the clear text version ?
We could of course install a new version of SysAid somewhere and faking the DB password to get it... But it would probably be easier if Ilient provided a tool for this (a system web page for example ?).

Re:Single Sign On

Yasar72 — GMT

Thanks copied & paste from old server.xml file and works like a charm

Re:Single Sign On

wka — GMT

I've tried to implement this myself.

But I get an issue where the webbrowser window tries to prompt for a logon, which you can do. But I just want the sysaid to go straight in.

Our SysAid system is in a DMZ, I configured it as described.
Our users mostly log on from a Citrix System.
They all log on as AD users.
But when you click on sysaid it prompts for a user/name password, I thought it would just go straight into sysaid as the logged on user..

Re:Single Sign On

David Lee — GMT

Hey guys.

wka, you answer will follow, but first, we'll start with the new, correct SSO tags for versions above version 7 (CliGil please update your initial post).

************************************************************************************************************************
Once LDAP integration has been configured to import user accounts from your Active Directory domain, you can configure single sign-on to automatically authenticate users using the NTLM protocol according to the credentials they used to login to the domain.

To configure single sign-on using the built-in Tomcat web-server, please edit the serverConf.xml file located at ...\SysAidServer\root\WEB-INF\conf. Add the following lines after the line none:

jcifs.smb.client.domain
[b]ACME[/b]

jcifs.http.domainController
[b]DC1.acme.com[/b]

jcifs.smb.client.username
[b]username_on_AD[/b]

jcifs.smb.client.password
[b]password_of_the_above_username[/b]

Make sure to replace:
1. ACME with the NetBIOS domain name (pre-Windows 2000)
2. DC1.acme.com with the hostname or IP address of your domain controller.
3. username_on_AD with a user-name on Active Directory (Any domain user should be fine; no administrative permissions are necessary. Make sure to set “password never expires” so that the integration will not break whenever the password expires.)
4. password_of_the_above_username with the password of the mentioned user account.

After saving these changes, please restart the SysAid Server service to apply the new integration.

****************************************************************************************

WKA, and anyone who still get a prompt requesting you input login credentials, please use the following:

Since it probably means that the browser (IE) is not passing the credentials to the SysAid server.

Here is how to set IE to pass credentials to the SysAid server.

1. In Internet Explorer, please go to the Tools -> Internet Options -> Advanced tab and check the “Enable Integrated Windows Authentication” check-box.

2. Next, switch to the security tab and click Local Intranet -> Custom Level and select “Automatic log-on with current user name and password” (under User Authentication, Log-on).

3. Do the same to; 'Internet' and 'Trusted Sites'

4. Click OK on all windows and restart Internet Explorer (close all IE windows and open it again).