Enabling Single Sign-on with Active Directory

Table of Contents

    Introduction
    Enabling Single Sign-on Using NTLMv1
    Enabling Single Sign-on Using Kerberos
    Contact Us

Introduction

If you have integrated SysAid with Microsoft Active Directory (AD) for user management and authentication, you can enable Single Sign-on (SSO) so that users are automatically logged into SysAid at the same time that they log into their computer. If you have not yet integrated SysAid with AD but would like to, please go here.

SysAid supports NTLM or Kerberos authentication when enabling Single Sign-on with Active Directory. The following help file explains how to set up this authentication.

Terms in orange (the placeholder values such as ACME, DC1.acme.com, ldapuser and DNS_DOMAIN_NAME in the examples below) are variables that you must replace with the appropriate values for your network.

Note: The contents of this page are only relevant for On-Premise accounts. Cloud customers can set up SSO through one of SysAid's available Third Party Integrations.

Enabling Single Sign-on Using NTLMv1

 

To configure single sign-on using NTLM authentication for SysAid In-House Edition:

  1. Open the serverConf.xml file located at ...\SysAidServer\root\WEB-INF\conf.
  2. Search for the line with the tag <serverURL> and insert the following lines immediately below it:

    <ntlmAuth>
      <ntlmParam>
        <ntlmParamName>jcifs.smb.client.domain</ntlmParamName>
        <ntlmParamValue>ACME</ntlmParamValue>
      </ntlmParam>
      <ntlmParam>
        <ntlmParamName>jcifs.http.domainController</ntlmParamName>
        <ntlmParamValue>DC1.acme.com</ntlmParamValue>
      </ntlmParam>
      <ntlmParam>
        <ntlmParamName>jcifs.smb.client.username</ntlmParamName>
        <ntlmParamValue>username_on_AD</ntlmParamValue>
      </ntlmParam>
      <ntlmParam>
        <ntlmParamName>jcifs.smb.client.password</ntlmParamName>
        <ntlmParamValue>password_of_the_above_username</ntlmParamValue>
      </ntlmParam>
    </ntlmAuth>

  3. Replace the following four variables in the text you've just pasted:
    1. Replace ACME with your NetBIOS domain name.
    2. Replace DC1.acme.com with the full DNS hostname of a domain controller in that domain.
    3. Replace username_on_AD with the name of the AD user that SysAid will use to connect to the domain controller. Its password is stored in clear text in serverConf.xml, so use a dedicated account with no special permissions and restrict read access to the file.
    4. Replace password_of_the_above_username with that user's password.
  4. Save changes to serverConf.xml.
  5. Restart the SysAid Server service. SSO is now enabled throughout your network.

If SSO still does not work after following the above instructions, the client computers must also be allowed to send LM and NTLMv1 responses, because this method relies on NTLMv1. On one test computer, open Local Security Policy > Local Policies > Security Options and set Network security: LAN Manager authentication level to "Send LM & NTLM responses". If that works, apply the same setting to all of your computers using a group policy. Domain controllers that are set to refuse LM or NTLM (the two highest levels) will need the same change. Be aware that this is the weakest of the available levels: LM and NTLMv1 responses are deprecated by Microsoft and are far easier to crack or relay than NTLMv2, so weigh this trade-off against the Kerberos method below, which does not require lowering the level.
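As an added example that is not part of the SysAid page, the following PowerShell audits the LAN Manager authentication level on one or more computers before you lower it, and flags the levels that still send LM or NTLMv1 responses. It reads the LmCompatibilityLevel registry value that the Group Policy setting above writes; the computer names are assumed, and remote computers need PowerShell remoting enabled.

```powershell
# Added example, not SysAid's code. Audits "Network security: LAN Manager
# authentication level", which is stored as the REG_DWORD
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel.
$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'                                   # what the NTLM method above needs
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'                                  # OS default on Vista/2008 and later
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Runs locally for this host, or over PowerShell remoting (WinRM) for others.
    $read = {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        (Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    }

    foreach ($computer in $ComputerName) {
        try {
            if ($computer -ieq $env:COMPUTERNAME) {
                $level = & $read
            } else {
                $level = Invoke-Command -ComputerName $computer -ScriptBlock $read -ErrorAction Stop
            }
        } catch {
            [pscustomobject]@{
                Computer = $computer; Level = $null
                Meaning  = "unreachable: $($_.Exception.Message)"; SendsLMorNTLMv1 = $null
            }
            continue
        }
        # A missing value means the OS default applies: 3 on Windows Vista / Server 2008 and later.
        $effective = if ($null -eq $level) { 3 } else { [int]$level }
        [pscustomobject]@{
            Computer        = $computer
            Level           = $effective
            Meaning         = $LmLevelNames[$effective]
            SendsLMorNTLMv1 = ($effective -le 2)   # levels 0-2 still emit LM/NTLMv1 responses
        }
    }
}

# Assumed computer names; replace with your own or feed in Get-ADComputer output.
Get-LmCompatibilityLevel -ComputerName 'WS01', 'WS02', 'DC1' | Format-Table -AutoSize
```

Level 0 is what the instruction above sets. Levels 4 and 5 on a domain controller refuse LM and NTLMv1 outright, so the report also tells you whether the downgrade has to touch the domain controllers and not only the clients.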

Enabling Single Sign-on Using Kerberos

SysAid Kerberos authentication reads a krb5.conf file, the standard Kerberos client configuration file. Its format is documented at http://www.unix.com/man-page/opensolaris/4/krb5.conf/.

To set up SSO using Kerberos Authentication:

  1. Create an Active Directory user for use in the integration. This user does not need any special permissions. For the purposes of these instructions, the AD user we've created is ldapuser in the sysaidtest.local domain.
  2. Log in to your Key Distribution Center (KDC) server with a user who has the "Domain Admin" permission for your domain. In an Active Directory domain every domain controller is a KDC; to find one:
      1. Ping your domain (Example: ping sysaidtest.local)
      2. Ping the resulting IP address with a reverse-DNS lookup (Example: ping -a 10.0.0.100)
      3. The resulting computer name is your KDC server.
  3. Open a command prompt and run the following command:
    setspn -A HTTP/SysAidServerHostname sysaidtest\ldapuser
    SysAidServerHostname is the FQDN (full DNS hostname) of the server hosting SysAid (e.g. helpdesk.mydomain.local). This registers the service principal name (SPN) HTTP/SysAidServerHostname on ldapuser, so the KDC issues service tickets for the SysAid site to that account. An SPN may be registered on only one account in the domain; on Windows Server 2008 and later, setspn -S does the same registration but first checks that the SPN is not already held by another account. More information about the setspn command can be found here.
  4. Log in to the computer that hosts the SysAid Server.
  5. Open the file krb5.conf under ..\SysAidServer\tomcat\conf.
  6. Make the following changes (highlighted in orange, below):
    1. Replace DNS_DOMAIN_NAME with your Kerberos realm. For Active Directory this is the full DNS domain name in upper case (e.g. SYSAIDTEST.LOCAL); realm names are case-sensitive, so match the case your domain uses. This appears twice.
    2. Replace KDC_HOSTNAME with the full DNS hostname of the KDC you identified in step 2 (e.g. DC01.sysaidtest.local)
    3. Replace NETBIOS_DOMAIN_NAME with your NetBIOS domain name (e.g. sysaidtest)

    [libdefaults]
      default_realm = DNS_DOMAIN_NAME
      dns_lookup_kdc = no
      proxiable = yes
      forwardable = true

    [realms]
      DNS_DOMAIN_NAME = {
        kdc = KDC_HOSTNAME
        default_domain = NETBIOS_DOMAIN_NAME
      }

  7. Open the file serverConf.xml under ...\SysAidServer\root\WEB-INF\conf.
  8. Search for the line with the tag <serverURL> and insert the following lines immediately below it:

    <spengoAuth>
        <spengoParam>
            <spengoParamName>spnego.allow.basic</spengoParamName>
            <spengoParamValue>false</spengoParamValue>
        </spengoParam>
        <spengoParam>
            <spengoParamName>spnego.allow.localhost</spengoParamName>
            <spengoParamValue>false</spengoParamValue>
        </spengoParam>
        <spengoParam>
            <spengoParamName>spnego.allow.unsecure.basic</spengoParamName>
            <spengoParamValue>false</spengoParamValue>
        </spengoParam>
        <spengoParam>
            <spengoParamName>spnego.login.client.module</spengoParamName>
            <spengoParamValue>spnego-client</spengoParamValue>
        </spengoParam>
        <spengoParam>
            <spengoParamName>spnego.login.server.module</spengoParamName>
            <spengoParamValue>spnego-server</spengoParamValue>
        </spengoParam>
        <spengoParam>
            <spengoParamName>spnego.krb5.conf</spengoParamName>
            <spengoParamValue>..\SysAidServer\tomcat\conf\krb5.conf</spengoParamValue>
        </spengoParam>
        <spengoParam>
            <spengoParamName>spnego.login.conf</spengoParamName>
            <spengoParamValue>..\SysAidServer\tomcat\conf\login.conf</spengoParamValue>
        </spengoParam>
        <spengoParam>
            <spengoParamName>spnego.preauth.username</spengoParamName>
            <spengoParamValue>ldapuser</spengoParamValue>
        </spengoParam>
        <spengoParam>
            <spengoParamName>spnego.preauth.password</spengoParamName>
            <spengoParamValue>password</spengoParamValue>
        </spengoParam>
        <spengoParam>
            <spengoParamName>spnego.prompt.ntlm</spengoParamName>
            <spengoParamValue>false</spengoParamValue>
        </spengoParam>
        <spengoParam>
            <spengoParamName>spnego.logger.level</spengoParamName>
            <spengoParamValue>1</spengoParamValue>
        </spengoParam>
    </spengoAuth>


  9. Make the following changes (highlighted in orange, above) to the text you've just pasted:
    1. Replace ..\SysAidServer\tomcat\conf\krb5.conf with the full path to the krb5.conf file.
    2. Replace ..\SysAidServer\tomcat\conf\login.conf with the full path to the login.conf file.
    3. Replace ldapuser with the name of the AD user you created in Step 1.
    4. Replace password with the password of the AD user you created in Step 1.
  10. Restart the SysAid Server service.

SysAid now uses Kerberos authentication whenever any user logs into SysAid. Keep spnego.allow.basic and spnego.allow.unsecure.basic set to false: a Basic authentication fallback would make browsers send the user's AD password in a request header, and over plain HTTP it would cross the network in the clear. Because spnego.preauth.password is stored in clear text in serverConf.xml, restrict read access to that file to administrators and the account that runs the SysAid Server service.
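The Kerberos procedure above, as an added PowerShell example that is not part of the SysAid page: it locates the KDCs from the SRV records Active Directory publishes in DNS (instead of pinging the domain), registers the HTTP SPN on the service account only if no other account already holds it, writes krb5.conf with the realm in upper case, and then locks down serverConf.xml, which holds the service account's password in clear text. The domain, account, hostname and install paths are assumed values; run it as a domain administrator on the SysAid server, where setspn.exe is available through the AD RSAT tools, and restart the SysAid Server service afterwards.

```powershell
# Added example, not SysAid's code. Assumed values: replace with your own.
$DnsDomain  = 'sysaidtest.local'
$NetBios    = 'sysaidtest'
$SvcAccount = 'ldapuser'                        # the AD user created in step 1
$SysAidHost = 'helpdesk.sysaidtest.local'       # FQDN of the server hosting SysAid
$Krb5Path   = 'C:\SysAidServer\tomcat\conf\krb5.conf'             # assumed install path
$ConfPath   = 'C:\SysAidServer\root\WEB-INF\conf\serverConf.xml'  # assumed install path

# 1. Find the KDCs. Every AD domain controller is a KDC and is advertised in DNS
#    under _kerberos._tcp.<domain>; lowest priority, then highest weight, comes first.
$kdcs = Resolve-DnsName -Name "_kerberos._tcp.$DnsDomain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }
if (-not $kdcs) { throw "No Kerberos SRV records found for $DnsDomain" }
$kdcHost = $kdcs[0].NameTarget.TrimEnd('.')

# 2. Register HTTP/<fqdn> on the service account. An SPN may live on only one
#    account, so query first; setspn -S also refuses to create a duplicate.
$spn   = "HTTP/$SysAidHost"
$query = & setspn -Q $spn
if ($query -match 'Existing SPN found') {
    throw "$spn is already registered:`n$($query -join "`n")"
}
& setspn -S $spn "$NetBios\$SvcAccount"
if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }

# 3. Write krb5.conf. Realm names are case-sensitive and an AD realm is the DNS
#    domain name in upper case; with dns_lookup_kdc = no the kdc line is authoritative.
$realm = $DnsDomain.ToUpperInvariant()
$krb5 = @"
[libdefaults]
  default_realm = $realm
  dns_lookup_kdc = no
  proxiable = yes
  forwardable = true

[realms]
  $realm = {
    kdc = $kdcHost
    default_domain = $NetBios
  }
"@
Set-Content -Path $Krb5Path -Value $krb5 -Encoding ASCII

# 4. serverConf.xml stores spnego.preauth.password in clear text. Drop inherited ACEs
#    and leave access only to SYSTEM (assumed to run the SysAid Server service) and Administrators.
& icacls $ConfPath /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(F)' 'BUILTIN\Administrators:(F)' | Out-Null

# 5. Sanity check from this domain-joined machine: request a service ticket for the
#    SPN from the KDC, then confirm it landed in the ticket cache.
& klist get $spn | Out-Null
& klist | Select-String -SimpleMatch $spn
```

If step 5 prints no matching ticket, the SPN registration or the realm case is the usual culprit; klist get reports the KDC's error code directly, which is quicker to read than the SysAid server log.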

Contact Us

SysAid welcomes your questions and suggestions. We can be reached via phone and email:

Toll Free phone center (U.S): 800-686-7047

Tel (U.S): +1 617-231-0124

Fax (U.S): +1 617 507 2559

Tel (Israel): +972 3 533 3675

Fax (Israel): +972 3 761 7205

Email: helpdesk@sysaid.com

SysAid community: http://www.sysaid.com/Sysforums/forums/home.page

You can also view our full support page at http://www.sysaid.com/contact_support.htm.