Single Sign On

 
Author
Message
Super SysAider
64
 
Here are the instructions on how to define single sign-on:

These instructions are relevant only if you have LDAP integration with an Active Directory domain. You can configure single sign-on to automatically authenticate the users using the NTLM protocol (according to the credentials they used to log in to the domain).

It is also possible to configure SysAid to use Integrated Windows Authentication (single sign-on) by integrating with IIS, and then letting IIS handle the SSO authentication. For more information on this, please contact us.

To configure single sign-on using the built-in Tomcat web server, please edit the ...\SysAidServer\root\WEB-INF\conf\serverConf.xml file and add the following lines after the <externalLoginClass>none</externalLoginClass> line:

<ntlmAuth>
    <ntlmParam>
        <ntlmParamName>jcifs.smb.client.domain</ntlmParamName>
        <ntlmParamValue>ACME</ntlmParamValue>
    </ntlmParam>
    <ntlmParam>
        <ntlmParamName>jcifs.http.domainController</ntlmParamName>
        <ntlmParamValue>DC1.acme.com</ntlmParamValue>
    </ntlmParam>
    <ntlmParam>
        <ntlmParamName>jcifs.smb.client.username</ntlmParamName>
        <ntlmParamValue>username_on_AD</ntlmParamValue>
    </ntlmParam>
    <ntlmParam>
        <ntlmParamName>jcifs.smb.client.password</ntlmParamName>
        <ntlmParamValue>password_of_the_above_username</ntlmParamValue>
    </ntlmParam>
    <ntlmParam>
        <ntlmParamName>jcifs.smb.lmCompatibility</ntlmParamName>
        <ntlmParamValue>3</ntlmParamValue>
    </ntlmParam>
</ntlmAuth>


Make sure to replace:
1. ACME – with the NetBIOS domain name (pre-Windows 2000).
2. DC1.acme.com – with the hostname or IP address of your domain controller.
3. username_on_AD – with a username on Active Directory (any domain user should be fine; no administrative permissions are needed. Make sure to set "Password never expires", so that the integration won't break whenever the password expires).
4. password_of_the_above_username – with the password of the mentioned user account.

After saving these changes, please restart the SysAid Server service to apply the new integration.

If all of the above doesn't help, there's an additional change that has to be made in the Domain Controller Security Settings.
Find Local Policies\Security Options and then set Network Security: LAN Manager Authentication Level to "Send LM & NTLM responses". Other values may apply as well. This is the one that worked for us.

Please let me know if that answers your question. If not, or if you need further assistance, please don't hesitate to contact us. Your response will be highly appreciated.
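An added example (not SysAid's own code) that reads the <ntlmAuth> block described in the post above and reports what a defender would check before enabling it: missing jcifs keys, placeholder values left in place, an lmCompatibility level below 3 (which lets the service account answer with the weaker LM/NTLMv1 responses that the policy change at the end of the post allows), and the cleartext service-account password the file necessarily holds. The <serverConf> root element and the sample values are assumptions for the demo.

```python
# Added example (not SysAid's code): parse the <ntlmAuth> block of serverConf.xml
# and report the settings a defender would check before enabling NTLM SSO.
import xml.etree.ElementTree as ET

REQUIRED = {"jcifs.smb.client.domain", "jcifs.http.domainController",
            "jcifs.smb.client.username", "jcifs.smb.client.password"}

# Constructed sample mirroring the block from the post above. The <serverConf>
# root element and the lmCompatibility value of 1 are assumptions for the demo.
SAMPLE_CONF = """<serverConf>
<externalLoginClass>none</externalLoginClass>
<ntlmAuth>
<ntlmParam><ntlmParamName>jcifs.smb.client.domain</ntlmParamName><ntlmParamValue>ACME</ntlmParamValue></ntlmParam>
<ntlmParam><ntlmParamName>jcifs.http.domainController</ntlmParamName><ntlmParamValue>DC1.acme.com</ntlmParamValue></ntlmParam>
<ntlmParam><ntlmParamName>jcifs.smb.client.username</ntlmParamName><ntlmParamValue>username_on_AD</ntlmParamValue></ntlmParam>
<ntlmParam><ntlmParamName>jcifs.smb.client.password</ntlmParamName><ntlmParamValue>password_of_the_above_username</ntlmParamValue></ntlmParam>
<ntlmParam><ntlmParamName>jcifs.smb.lmCompatibility</ntlmParamName><ntlmParamValue>1</ntlmParamValue></ntlmParam>
</ntlmAuth>
</serverConf>"""

def parse_ntlm_params(xml_text):
    """Return {ntlmParamName: ntlmParamValue} for every <ntlmParam> under <ntlmAuth>."""
    params = {}
    for p in ET.fromstring(xml_text).iter("ntlmParam"):
        name = p.findtext("ntlmParamName", "").strip()
        if name:
            params[name] = p.findtext("ntlmParamValue", "").strip()
    return params

def audit_ntlm_config(params):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = [f"missing required parameter {k}" for k in sorted(REQUIRED - params.keys())]
    for key in sorted(REQUIRED & params.keys()):
        if not params[key] or params[key].startswith(("username_on_", "password_of_")):
            findings.append(f"{key} still holds the placeholder from the instructions")
    # jCIFS interprets lmCompatibility like Windows' LMCompatibilityLevel:
    # 0/1 send LM and NTLMv1, 2 sends NTLMv1 only, 3 and above send NTLMv2.
    level = params.get("jcifs.smb.lmCompatibility", "3")
    if not level.isdigit() or int(level) < 3:
        findings.append(f"jcifs.smb.lmCompatibility={level} permits LM/NTLMv1 responses")
    if "jcifs.smb.client.password" in params:
        findings.append("cleartext service-account password stored in serverConf.xml; "
                        "restrict the file's ACL to the SysAid service account")
    return findings

if __name__ == "__main__":
    for finding in audit_ntlm_config(parse_ntlm_params(SAMPLE_CONF)):
        print(finding)
```

To audit a real installation, pass the contents of serverConf.xml to parse_ntlm_params instead of SAMPLE_CONF.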
SysAid Wiz
915
 
What happens to the existing user if I apply SSO later on?
Will it be duplicated?
SysAid CEO
62
 


Obelix wrote: What happens to the existing user if I apply SSO later on?
Will it be duplicated?


SSO does not import user details into the database; it just handles the authentication of the users. LDAP integration will continue to import the users but will not handle the authentication.

Let me describe more about the idea and details of Single Sign On:

If you have already logged in with a trusted source, why do you need to log in again to other systems? The other systems should check with the trusted source that you have already logged in and then let you in.

In the above details the trusted source is the Windows Domain Controller (aka Active Directory), and if you have already logged in to your machine you will not need to log in to SysAid. The web browser will do the authentication for you using the NTLM protocol (in a similar way, you do not need to enter a user/password for each network resource you use). The SysAid login page will disappear and you will automatically log in if you have a valid user in SysAid and you have already logged in to the domain.

SysAid also supports other methods of SSO (e.g. CAS). However, if you have a Windows domain the simplest configuration is to use this "Integrated Windows Authentication".

One issue that can arise if you enable SSO is that you will not be able to log in with a different user name than the user logged in to Windows. A simple workaround is to temporarily disable NTLM in your web browser when you need to log in as a different user.


Super SysAider
64
 
I activated mine when I switched to a new installation on a new server, so I did not create users on the new server. I let the LDAP integration pull them all into SysAid.
Super SysAider
64
 
Excellent suggestion regarding logging in as other users. I have had the need a couple of times in the past to do just that.

Thanks for the tip!
SysAid Wiz
915
 
Israel..
Ok... I thought LDAP integration and SSO were interchangeable... my bad.
I'm not interested in SSO... another layer of security is always good, especially as it gets more and more powerful features.

Let me rephrase my question... what happens to the existing users if I activate LDAP integration later?
Will the users be duplicated?

This message was edited 1 time. Last update was at Jun. 21, 2008 12:05 AM

Super SysAider
64
 
Obelix,

When LDAP imports the user account into SysAid, the user account will look like this: "DOMAIN\username"

Right now you only have the username. So the difference is that after LDAP is integrated, the user accounts brought in from the domain will require the domain name as part of the login username.
So unless you already have an account like "DOMAIN\username", it will recreate the users and both accounts will exist.

You can control which OU it pulls from, in case you do not want to create an account for all your users.

Using LDAP we do not need to require the users to log in to the help desk because they have already logged in to their computer. The computer will have access to information way more sensitive than anything the help desk will have.

So I make it easy on them with SSO. They will log in to the helpdesk with the exact same username and password that they used to get into their computer. Since they are already authenticated, why not remove a step for the end user, making it easier for them; and by making it easier for them they are more likely to use it.

We do not have anyone outside of the company accessing the helpdesk.
SysAid CEO
62
 
CliGil wrote:
When LDAP imports the user account into SysAid, the user account will look like this: "DOMAIN\username"



CliGil,

The user name looks like "DOMAIN\username" only if you have more than one domain.

In most cases the user name is just "username". In that case migration to LDAP integration will be simple if the old usernames are the same names that are listed in the A.D.

Super SysAider
64
 
Israel Lifshitz wrote:
The user name looks like "DOMAIN\username" only if you have more than one domain.

In most cases the user name is just "username". In that case migration to LDAP integration will be simple if the old usernames are the same names that are listed in the A.D.




Israel, thanks for clarifying that for me. We do have multiple domains in our forest.

In order to clarify: if we have an existing username in SysAid of "helix" and we have a single domain with a user account "helix", when we activate the LDAP integration will the domain user account "helix" replace the one in SysAid?

This message was edited 1 time. Last update was at Jun. 22, 2008 07:37 PM

SysAid Wiz
915
 
Cligil...

If the user is duplicated, what happens to the existing one?
Since we already got a new one (with domain), will the old account still be able to generate SRs?
If not, can I safely delete the old account without losing any SRs?
Super SysAider
64
 
Obelix wrote: Cligil...

If the user is duplicated, what happens to the existing one?
Since we already got a new one (with domain), will the old account still be able to generate SRs?
If not, can I safely delete the old account without losing any SRs?


Obelix,

In my situation both user accounts existed, one with the domain name as part of the username and the original. Because I only have internal users, I ended up deleting all existing users and allowing the LDAP integration to pull in all the users.
The existing service requests remained open. They changed only in that it recognized the user was no longer an existing account, and you can change it or leave the user reference.

So yes, I have deleted user accounts without losing the SRs.

As far as the old one being able to generate an SR: if the user account is a domain account, when they try to access the helpdesk it should log the SR as that domain account, even if that domain name does not exist as a current user account in SysAid.

Hope this helps
SysAid Wiz
915
 
I don't know... it sounds messy.
But thanks for the info, cligil...
*slight nod smile*
Much much appreciated...
Super SysAider
64
 
Not that you have this option, but when I migrated SysAid to a new server I enabled LDAP right from the start and I do not have any non-domain accounts.

For me everything works like a champ.

*shrug*

SysAid CEO
62
 
CliGil wrote:
In order to clarify: if we have an existing username in SysAid of "helix" and we have a single domain with a user account "helix", when we activate the LDAP integration will the domain user account "helix" replace the one in SysAid?


Yes. The username "helix" will remain and SysAid just overrides the attributes from the A.D. (e.g. email, phone).
SysAid CEO
62
 
CliGil,

If you use the system with a single domain (i.e. "username" users) for a while and then change it to multiple domains (i.e. "DOMAIN\username" style), you will have the following issues:

1. Duplicate users in the database.
2. Users will not be able to view their old SRs created with the "username" style because SysAid considers them as different users.

The fixes are simple:

1. Delete the old users yourself with the multiple record delete option in the "End User Manager" page.
2. Contact SysAid support so we can help you change the username in the old SRs directly in the database.

One note:
It's better to contact support just after (or just before) you migrate to multiple domains, because then the database has SRs in only one style. Now your database has mixed records.