Single Sign On
 
Author
Message
SysAider
1
 
Hi all.

SSO won't work on my system. I am currently running the 30 day trial version.
I have to get this working before we buy this for our company.

The problem is I followed this guide but I still get the login screen in IE and Win7.

My serverConf.xml (LDAP configuration is already OK and all users from AD can login through username and pass on login page)



Thank you for the help!
SysAider
20
 
A tip I've found useful is to force the computer to send LM & NTLM responses via Group Policy...

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: LAN Manager authentication level set to "Send LM & NTLM responses".

This fixed my issue with SSO not working correctly on Windows 7 Professional 32-bit / Internet Explorer 8 and SysAid 7.0.04 with tomcat, Microsoft SQL Server and the jcifs single sign-on module.
SysAider
18
 
Hi,

SSO is working, but for some users of other domains I need different login credentials. How do I manage this? In the entry post there's something about disabling NTLM in IE. How do I do that?
SysAider
1
 
Hi All

Is there another way to do single sign-on without entering the network user's password in serverConf.xml?

Thanks in advance

This message was edited 1 time. Last update was at Jul. 15, 2010 11:18 AM

SysAid Customer Relations
1092
 
Hi Wilson,

Welcome to our community, I hope you will find all the help you need here.

Currently there is no way, but usually no one except admins can enter and open files on the server, so it's not a big issue. You can create a new user that has only the read option and set it in the serverConf.xml just for the SSO if you don't want the other admins to see your pass. Also make sure that the password never expires.
Best Regards,
Itay
SysAider
1
 
It seems that from version 7, the DB password is encrypted in the ServerConf.xml file. It now contains something similar to <dbPassword>crypt:####</dbPassword>, where #### is the encrypted password.
We are using MS SQL as the DB, with Windows Authentication. So, that DB user is actually an Active Directory (AD) user that can be used for SSO.

To test SSO, I used this same AD user in <ntlmParamValue>password</ntlmParamValue>, but I copied/pasted the crypt:#### there. And it works fine!
That's great, because it means you actually don't need to save the SSO information in clear text.

Of course, this worked because I knew the encrypted version of the password that the installation program generated for me in the <dbPassword> key.

My question: how can we generate an encrypted version of a password ourselves? I mean, how can we obtain the encrypted string to put behind "crypt:" starting from the clear text version?
We could of course install a new version of SysAid somewhere and fake the DB password to get it... But it would probably be easier if Ilient provided a tool for this (a system web page, for example?).
SysAider
5
 
Thanks, copied & pasted from the old server.xml file and it works like a charm
wka
Elite SysAider
140
 
I've tried to implement this myself.

But I get an issue where the web browser window tries to prompt for a logon, which you can do. But I just want SysAid to go straight in.

Our SysAid system is in a DMZ, I configured it as described.
Our users mostly log on from a Citrix System.
They all log on as AD users.
But when you click on SysAid it prompts for a username/password. I thought it would just go straight into SysAid as the logged on user.

SysAid Customer Relations
40
 
Hey guys.

wka, your answer will follow, but first, we'll start with the new, correct SSO tags for versions above version 7 (CliGil, please update your initial post).

************************************************************************************************************************
Once LDAP integration has been configured to import user accounts from your Active Directory domain, you can configure single sign-on to automatically authenticate users using the NTLM protocol according to the credentials they used to login to the domain.

To configure single sign-on using the built-in Tomcat web-server, please edit the serverConf.xml file located at ...\SysAidServer\root\WEB-INF\conf. Add the following lines after the line <externalLoginClass>none</externalLoginClass>:
<ntlmAuth>
    <ntlmParam>
        <ntlmParamName>jcifs.smb.client.domain</ntlmParamName>
        <ntlmParamValue>ACME</ntlmParamValue>
    </ntlmParam>
    <ntlmParam>
        <ntlmParamName>jcifs.http.domainController</ntlmParamName>
        <ntlmParamValue>DC1.acme.com</ntlmParamValue>
    </ntlmParam>
    <ntlmParam>
        <ntlmParamName>jcifs.smb.client.username</ntlmParamName>
        <ntlmParamValue>username_on_AD</ntlmParamValue>
    </ntlmParam>
    <ntlmParam>
        <ntlmParamName>jcifs.smb.client.password</ntlmParamName>
        <ntlmParamValue>password_of_the_above_username</ntlmParamValue>
    </ntlmParam>
</ntlmAuth>

Make sure to replace:
1. ACME with the NetBIOS domain name (pre-Windows 2000)
2. DC1.acme.com with the hostname or IP address of your domain controller.
3. username_on_AD with a user-name on Active Directory (Any domain user should be fine; no administrative permissions are necessary. Make sure to set “password never expires” so that the integration will not break whenever the password expires.)
4. password_of_the_above_username with the password of the mentioned user account.

After saving these changes, please restart the SysAid Server service to apply the new integration.

****************************************************************************************

WKA, and anyone who still gets a prompt requesting login credentials, please use the following, since it probably means that the browser (IE) is not passing the credentials to the SysAid server.

Here is how to set IE to pass credentials to the SysAid server.

1. In Internet Explorer, please go to the Tools -> Internet Options -> Advanced tab and check the “Enable Integrated Windows Authentication” check-box.

2. Next, switch to the security tab and click Local Intranet -> Custom Level and select “Automatic log-on with current user name and password” (under User Authentication, Log-on).

3. Do the same for 'Internet' and 'Trusted Sites'.

4. Click OK on all windows and restart Internet Explorer (close all IE windows and open it again).
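
Added example (not part of the original posts and not SysAid code): a small Python check that reads the <ntlmAuth> block described above and reports missing jcifs parameters, template placeholders left in place, a DNS-style domain where the NetBIOS name is expected, and a service account password stored in clear text. The <serverConf> root element, the sample values and the treatment of a "crypt:" prefix as the non-clear-text form (as reported by an earlier poster in this thread, not confirmed by the vendor here) are assumptions.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

REQUIRED = ("jcifs.smb.client.domain", "jcifs.http.domainController",
            "jcifs.smb.client.username", "jcifs.smb.client.password")
# Placeholder values exactly as they appear in the template posted above.
PLACEHOLDERS = {"ACME", "DC1.acme.com", "username_on_AD",
                "password_of_the_above_username"}

def render(params):
    """Build a constructed serverConf.xml fragment (root element name is assumed)."""
    rows = "".join(
        f"<ntlmParam><ntlmParamName>{escape(k)}</ntlmParamName>"
        f"<ntlmParamValue>{escape(v)}</ntlmParamValue></ntlmParam>"
        for k, v in params.items())
    return ("<serverConf><externalLoginClass>none</externalLoginClass>"
            f"<ntlmAuth>{rows}</ntlmAuth></serverConf>")

def audit(xml_text):
    """Return a sorted list of findings for the <ntlmAuth> block."""
    root = ET.fromstring(xml_text)
    block = root if root.tag == "ntlmAuth" else root.find(".//ntlmAuth")
    if block is None:
        return ["no <ntlmAuth> block found"]
    params = {}
    for p in block.findall("ntlmParam"):
        name = (p.findtext("ntlmParamName") or "").strip()
        params[name] = (p.findtext("ntlmParamValue") or "").strip()
    findings = [f"missing parameter {n}" for n in REQUIRED if n not in params]
    findings += [f"{n} still holds the template placeholder"
                 for n, v in params.items() if v in PLACEHOLDERS]
    # Heuristic: NetBIOS names are at most 15 characters and normally have no dots.
    domain = params.get("jcifs.smb.client.domain", "")
    if "." in domain or len(domain) > 15:
        findings.append("domain looks like a DNS name, not a NetBIOS name")
    pw = params.get("jcifs.smb.client.password")
    if pw and not pw.startswith("crypt:"):
        findings.append("service account password is stored in clear text")
    return sorted(findings)

if __name__ == "__main__":
    # Constructed input: the template from the post with nothing replaced.
    template = render(dict(zip(REQUIRED, ("ACME", "DC1.acme.com", "username_on_AD",
                                          "password_of_the_above_username"))))
    for finding in audit(template):
        print("-", finding)
```

To check a real installation, pass the contents of serverConf.xml to audit() instead of the constructed template.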

SysAider
2
 
When will Sysaid support ADFS for SSO?