Customer SSO not working, Kerberos works


timo2k
Znuny newbie
Posts: 41
Joined: 16 Feb 2010, 21:00
Znuny Version: 4.0.16

Customer SSO not working, Kerberos works

Post by timo2k »

Hello Board,

I tried all weekend to get SSO with at least customer backend working, but no chance.

I'm using OTRS 4.0.5 on CentOS. LDAP auth with Active Directory is working, as well as Kerberos auth (as a shell user and in the browser with my Kerberos test script).
Edit: I set up Kerberos according to the wiki-entry.

Only the little customer login won't take the SSO.

Here is the relevant part of my zzz_otrs.conf from Apache

Code:

<Directory "/opt/otrs/bin/cgi-bin/">
   AllowOverride None
   AuthType Kerberos
   AuthName "OTRS"
   Krb5Keytab /opt/keytabs/vserv072.mydomain.loc.keytab
   KrbAuthRealms MYDOMAIN.LOC
   KrbMethodNegotiate on
   KrbSaveCredentials off
   Require valid-user
   Options +ExecCGI -Includes
   Order allow,deny
   Allow from all
</Directory>
the Customer-part of Config.pm

Code:

#
# Bonn employees start
#
$Self->{'AuthModule1'} = 'Kernel::System::Auth::HTTPBasicAuth';
$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp1'} ='@MYDOMAIN.LOC';
#$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = 'vserv001.mydomain.loc';
$Self->{'Customer::AuthModule::LDAP::BaseDN1'} ='OU=Users,DC=mydomain,DC=loc'; # the DN goes here
$Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::GroupDN1'} = 'CN=Gruppe-otrscustomers,OU=Groups,DC=mydomain,DC=loc'; #
$Self->{'Customer::AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'CN=OTRS,OU=Users,DC=mydomain,DC=loc';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = '123456789';
$Self->{'Customer::AuthModule::LDAP::Params1'} = {
  'async' => '0',
  'timeout' => '120',
  'version' => '3',
  'port' => '389',
  'inet4' => '1'
  };

$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} =  'vserv001.mydomain.loc';
$Self->{'AuthModule::LDAP::BaseDN1'} =  'DC=mydomain,DC=loc';
$Self->{'AuthModule::LDAP::UID1'} =  'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN1'} =  'CN=OTRS,OU=Users,DC=mydomain,DC=loc';
$Self->{'AuthModule::LDAP::SearchUserPw1'} =  '123456789';
$Self->{'AuthModule::LDAP::Params1'} =  {
  'async' => '0',
  'timeout' => '120',
  'version' => '3',
  'port' => '389',
  'inet4' => '1'
  };

$Self->{'AuthModule::LDAP::Die1'} = 1;

$Self->{'UserSyncLDAPMap1'} =  {
  'UserEmail' => 'mail',
  'UserFirstname' => 'givenName',
  'UserLastname' => 'sn',
  'UserLogin' => 'sAMAccountName'
  };

$Self->{CustomerUser1} = {
  Name => 'Mitarbeiter Bonn',
  Module => 'Kernel::System::CustomerUser::LDAP',
  Params => {
    Host => 'vserv001.mydomain.loc',
    BaseDN => 'OU=Users, DC=mydomain,DC=loc',
    SSCOPE => 'sub',
    UserDN => 'CN=OTRS,OU=Users,DC=mydomain,DC=loc',
    UserPw => '123456789',
    SourceCharset => 'utf-8',
    DestCharset => 'iso-8859-1',
    AlwaysFilter =>  '(&(objectclass=user)(mail=*@mydomain.loc)(memberOf=CN=Gruppe-otrscustomers,OU=Groups,DC=mydomain,DC=loc))',
    },
  CustomerKey => 'sAMAccountName',
  CustomerID => 'mail',
  CustomerUserListFields => ['sAMAccountName', 'cn',  'mail'],
  CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
  CustomerUserPostMasterSearchFields => ['mail'],
  CustomerUserNameFields => ['givenname', 'sn'],
  CustomerUserSearchListLimit => 1000,

  Map => [
    #  [ 'UserSalutation', 'Title', 'title', 1, 0, 'var', '' ],
    [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '' ],
    [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '' ],
    [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var', '' ],
    [ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '' ],
    #  [ 'UserCustomerID', 'CustomerID', 'extensionAttribute9', 0, 1, 'var', '' ],
    [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '' ],
    [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', 'dialto:$Data{"UserPhone"}' ],
    [ 'UserMobile', 'Mobile', 'mobile', 1, 0, 'var', 'dialto:$Data{"UserMobile"}' ],
    [ 'UserTitle', 'Position', 'title', 0, 0, 'var', '' ],
    [ 'UserComment',      'Comment',     'extensionAttribute9',     1, 0, 'var', '', 0 ],
  ],
};
#
# Bonn employees end
#
I can't find any records in my logs (Kerberos, Apache error or OTRS log). I have absolutely no clue why it won't work, as my Kerberos test page shows all the info I need.

Any help would be appreciated.

Best regards
Timo

Edit:
Increased Apache-LogLevel to Debug and got this:

Code:

[Mon Feb 16 09:02:12.181067 2015] [authz_core:debug] [pid 2562] mod_authz_core.c(802): [client 10.0.4.235:54014] AH01626: authorization result of Require all granted: granted, referer: http://vserv072/otrs/customer.pl
[Mon Feb 16 09:02:12.181259 2015] [authz_core:debug] [pid 2562] mod_authz_core.c(802): [client 10.0.4.235:54014] AH01626: authorization result of <RequireAny>: granted, referer: http://vserv072/otrs/customer.pl
[Mon Feb 16 09:02:12.186543 2015] [deflate:debug] [pid 2562] mod_deflate.c(849): [client 10.0.4.235:54014] AH01384: Zlib: Compressed 51326 to 11764 : URL /otrs-web/skins/Customer/default/css-cache/CommonCSS_875a22a8a011425e29aa5409283129bf.css, referer: http://vserv072/otrs/customer.pl
[Mon Feb 16 09:02:12.186641 2015] [headers:debug] [pid 2562] mod_headers.c(823): AH01502: headers: ap_headers_output_filter()
[Mon Feb 16 09:02:12.191239 2015] [authz_core:debug] [pid 2561] mod_authz_core.c(802): [client 10.0.4.235:54015] AH01626: authorization result of Require all granted: granted, referer: http://vserv072/otrs/customer.pl
[Mon Feb 16 09:02:12.191343 2015] [authz_core:debug] [pid 2561] mod_authz_core.c(802): [client 10.0.4.235:54015] AH01626: authorization result of <RequireAny>: granted, referer: http://vserv072/otrs/customer.pl
[Mon Feb 16 09:02:12.191761 2015] [authz_core:debug] [pid 2560] mod_authz_core.c(802): [client 10.0.4.235:54016] AH01626: authorization result of Require all granted: granted, referer: http://vserv072/otrs/customer.pl
[Mon Feb 16 09:02:12.191831 2015] [authz_core:debug] [pid 2560] mod_authz_core.c(802): [client 10.0.4.235:54016] AH01626: authorization result of <RequireAny>: granted, referer: http://vserv072/otrs/customer.pl
[Mon Feb 16 09:02:12.193343 2015] [deflate:debug] [pid 2560] mod_deflate.c(849): [client 10.0.4.235:54016] AH01384: Zlib: Compressed 4723 to 1007 : URL /otrs-web/skins/Customer/default/css/thirdparty/jstree-theme/default/style.css, referer: http://vserv072/otrs/customer.pl
[Mon Feb 16 09:02:12.193409 2015] [headers:debug] [pid 2560] mod_headers.c(823): AH01502: headers: ap_headers_output_filter()
[Mon Feb 16 09:02:12.193717 2015] [deflate:debug] [pid 2561] mod_deflate.c(849): [client 10.0.4.235:54015] AH01384: Zlib: Compressed 20677 to 4044 : URL /otrs-web/skins/Customer/default/css/thirdparty/ui-theme/jquery-ui.css, referer: http://vserv072/otrs/customer.pl
[Mon Feb 16 09:02:12.193762 2015] [headers:debug] [pid 2561] mod_headers.c(823): AH01502: headers: ap_headers_output_filter()
[Mon Feb 16 09:02:12.214090 2015] [authz_core:debug] [pid 2562] mod_authz_core.c(802): [client 10.0.4.235:54014] AH01626: authorization result of Require all granted: granted, referer: http://vserv072/otrs/customer.pl
[Mon Feb 16 09:02:12.214170 2015] [authz_core:debug] [pid 2562] mod_authz_core.c(802): [client 10.0.4.235:54014] AH01626: authorization result of <RequireAny>: granted, referer: http://vserv072/otrs/customer.pl
[Mon Feb 16 09:02:12.214306 2015] [headers:debug] [pid 2562] mod_headers.c(823): AH01502: headers: ap_headers_output_filter()
[Mon Feb 16 09:02:12.214507 2015] [authz_core:debug] [pid 2561] mod_authz_core.c(802): [client 10.0.4.235:54015] AH01626: authorization result of Require all granted: granted, referer: http://vserv072/otrs/customer.pl
[Mon Feb 16 09:02:12.214544 2015] [authz_core:debug] [pid 2561] mod_authz_core.c(802): [client 10.0.4.235:54015] AH01626: authorization result of <RequireAny>: granted, referer: http://vserv072/otrs/customer.pl
[Mon Feb 16 09:02:12.214703 2015] [headers:debug] [pid 2561] mod_headers.c(823): AH01502: headers: ap_headers_output_filter()
[Mon Feb 16 09:02:15.599840 2015] [authz_core:debug] [pid 2562] mod_authz_core.c(802): [client 10.0.4.235:54014] AH01626: authorization result of Require all granted: granted, referer: http://vserv072/otrs/customer.pl
[Mon Feb 16 09:02:15.599902 2015] [authz_core:debug] [pid 2562] mod_authz_core.c(802): [client 10.0.4.235:54014] AH01626: authorization result of <RequireAny>: granted, referer: http://vserv072/otrs/customer.pl
System: OTRS 4.0.16 | CentOS 7.2 | Apache 2.4.6 | MariaDB 5.5.44 | Perl 5.16.3 | PHP 5.4.16
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Customer SSO not working, Kerberos works

Post by crythias »

It would be useful to know what *doesn't* work. Everything here says granted, so what does OTRS log say? (Explain steps to reproduce customer experience, and messages on screen.)
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
timo2k
Znuny newbie
Posts: 41
Joined: 16 Feb 2010, 21:00
Znuny Version: 4.0.16

Re: Customer SSO not working, Kerberos works

Post by timo2k »

OK, here are my steps:
1. Logged on to a Windows 7 machine as AD user ranseier karl.
2. Opened Internet Explorer as the same user, opening customer.pl.
3. Nothing happens automatically.
4. Tried to auth with my credentials as ranseier karl and the AD password.
5. Login says "Login failed! Your user name or password was entered incorrectly."
6. otrs.log says:

Code:

[Mon Feb 16 19:22:10 2015][Notice][Kernel::System::Auth::HTTPBasicAuth::Auth] User: No $ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER} !(REMOTE_ADDR: 10.0.2.77).
When disabling HTTPBasicAuth and enabling CustomerAuth::LDAP in Config.pm, logging in is possible again, so the credentials are working.
Logging in to my Kerberos test script is working fine, with the same Apache settings as above, the same keytab and the same user.
System: OTRS 4.0.16 | CentOS 7.2 | Apache 2.4.6 | MariaDB 5.5.44 | Perl 5.16.3 | PHP 5.4.16
timo2k
Znuny newbie
Posts: 41
Joined: 16 Feb 2010, 21:00
Znuny Version: 4.0.16

Re: Customer SSO not working, Kerberos works

Post by timo2k »

Any further hints?
System: OTRS 4.0.16 | CentOS 7.2 | Apache 2.4.6 | MariaDB 5.5.44 | Perl 5.16.3 | PHP 5.4.16
Linwood
Znuny newbie
Posts: 55
Joined: 10 Feb 2015, 15:30
Znuny Version: 4.0.6
Real Name: Linwood Ferguson
Company: LE Ferguson, LLC

Re: Customer SSO not working, Kerberos works

Post by Linwood »

I'm very new to OTRS so take this with a grain of salt, a large boulder of salt perhaps but...

Is this SUPPOSED to work? Specifically, that the credentials are automatically passed and logged in (I'm assuming that is what you really want to work).

In the days I spent on delegation on Windows, web servers and databases that passed integrated authentication credentials through to other servers had to be both part of the domain and set up specifically to allow delegation, and the user IDs set up specifically not to disallow delegation (at least I think it was a negative setting). But regardless, they had to be on the domain and thus trusted.

Can Apache even do that pass-through?

I'm hoping you find an answer as I would like to use SSO, but had just assumed I could not by choosing linux.
Linwood Ferguson
OTRS 4.0 patch 6, ubuntu 14.04 on HyperV, MySql
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Customer SSO not working, Kerberos works

Post by crythias »

timo2k wrote:OK, here are my steps:
1. Logged on to a Windows 7 machine as AD user ranseier karl.
2. Opened Internet Explorer as the same user, opening customer.pl.
3. Nothing happens automatically.
What does this mean? Nothing happens?
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Customer SSO not working, Kerberos works

Post by crythias »

Linwood wrote:Is this SUPPOSED to work?
Yes. And it works very nicely when it does. viewtopic.php?t=15422
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Linwood
Znuny newbie
Posts: 55
Joined: 10 Feb 2015, 15:30
Znuny Version: 4.0.6
Real Name: Linwood Ferguson
Company: LE Ferguson, LLC

Re: Customer SSO not working, Kerberos works

Post by Linwood »

crythias wrote:
Linwood wrote:Is this SUPPOSED to work?
Yes. And it works very nicely when it does. viewtopic.php?t=15422
That starts off with the apache server joining the AD domain, and so is consistent. To the OP, is that how you set it up?

But thanks for that pointer, I may well go down that path (or might not -- it's not my domain to manage) and that looks to be a nice summary.
Linwood Ferguson
OTRS 4.0 patch 6, ubuntu 14.04 on HyperV, MySql
timo2k
Znuny newbie
Posts: 41
Joined: 16 Feb 2010, 21:00
Znuny Version: 4.0.16

Re: Customer SSO not working, Kerberos works

Post by timo2k »

crythias wrote:What does this mean? Nothing happens?
I explained it a little bit better:
1. Logged on to a Windows 7 machine as AD user ranseier karl.
2. Opened Internet Explorer as the same user, opening customer.pl.
3. No automatic login; the customer login screen appears.
4. Tried to auth with my credentials as ranseier karl and the AD password.
5. Login says "Login failed! Your user name or password was entered incorrectly."
System: OTRS 4.0.16 | CentOS 7.2 | Apache 2.4.6 | MariaDB 5.5.44 | Perl 5.16.3 | PHP 5.4.16
timo2k
Znuny newbie
Posts: 41
Joined: 16 Feb 2010, 21:00
Znuny Version: 4.0.16

Re: Customer SSO not working, Kerberos works

Post by timo2k »

Linwood wrote:To the OP, is that how you set it up?
I'll give a summary when it works well - at the moment it is not working at my side.
System: OTRS 4.0.16 | CentOS 7.2 | Apache 2.4.6 | MariaDB 5.5.44 | Perl 5.16.3 | PHP 5.4.16
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Customer SSO not working, Kerberos works

Post by crythias »

CN=Gruppe-otrscustomers,OU=Groups,DC=mydomain,DC=loc

Confirm the user is a member of this.

Make sure you have this line:

Code:

$Self->{'Customer::AuthModule::LDAP::UserAttr1'} = 'DN';
Also, you need to include HTTPBasicAuth in your Config.pm:

Code:

$Self->{LoginURL} = 'http://ticketing/otrs-web/notauthd.html';
$Self->{LogoutURL} = 'http://ticketing/otrs-web/goodbye.html';

$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '@domain';
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
$Self->{'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp'} ='@domain';
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
timo2k
Znuny newbie
Posts: 41
Joined: 16 Feb 2010, 21:00
Znuny Version: 4.0.16

Re: Customer SSO not working, Kerberos works

Post by timo2k »

I changed this as suggested. But no change.

It seems not to work without hard knowledge of Linux, Kerberos and OTRS.
I have spent 18 hours so far, and it's enough. I give up.
Any suggestions for a ticket system with working SSO? SSO is the main requirement for us.
System: OTRS 4.0.16 | CentOS 7.2 | Apache 2.4.6 | MariaDB 5.5.44 | Perl 5.16.3 | PHP 5.4.16
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Customer SSO not working, Kerberos works

Post by crythias »

I probably spent about 4 hours total, made it work, and explained in a post how I did it and problems I encountered. Your inability to make this work is not a function of OTRS. If you did make the http Auth changes you would be getting new and different errors.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
timo2k
Znuny newbie
Posts: 41
Joined: 16 Feb 2010, 21:00
Znuny Version: 4.0.16

Re: Customer SSO not working, Kerberos works

Post by timo2k »

As I described, I made your suggestions - I wrote that a while ago.
In OTRS 3.3 I got it working like a charm, but not in 4.0.
Kerberos is working as I described above. This is still working with another app.
And no, there is no other error message. If there were, I would have mentioned it.
System: OTRS 4.0.16 | CentOS 7.2 | Apache 2.4.6 | MariaDB 5.5.44 | Perl 5.16.3 | PHP 5.4.16
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Customer SSO not working, Kerberos works

Post by crythias »

May we see a current Config.pm?
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
timo2k
Znuny newbie
Posts: 41
Joined: 16 Feb 2010, 21:00
Znuny Version: 4.0.16

Re: Customer SSO not working, Kerberos works

Post by timo2k »

Hello crythias,
sorry that I'm a little bit frustrated. But you keep asking the same questions every time; I answered them in the thread.
You mentioned a howto you wrote. If you mean that crappy article in the wiki, it is not really a help, as it is missing too many things.
In case you meant your post somewhere about Apache on Windows, this won't help me either, as it is missing the Linux part.

For my side it's OK to close this thread, as I found a similar ticket system with a similar range of functions, and open source. And, what is best: a working support.
System: OTRS 4.0.16 | CentOS 7.2 | Apache 2.4.6 | MariaDB 5.5.44 | Perl 5.16.3 | PHP 5.4.16
schulmann
Znuny wizard
Posts: 470
Joined: 20 Nov 2011, 16:08
Znuny Version: 6.5.4
Real Name: Schulmann

Re: Customer SSO not working, Kerberos works

Post by schulmann »

timo2k wrote:For my side it's OK to close this thread, as I found a similar ticket system with a similar range of functions, and open source. And, what is best: a working support.
Could you please tell me the name of this ticket system because I'd like to compare it with OTRS?
Thanks.
Znuny6/Debian/ESXi
jojo
Znuny guru
Posts: 15019
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master

Re: Customer SSO not working, Kerberos works

Post by jojo »

Timo, this is not an official support forum. If you need commercial support, contact sales@otrs.com!
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Customer SSO not working, Kerberos works

Post by crythias »

For anyone else who reads this, please note that SSO does work, and if you are making changes to Config and "nothing changes" a request for current Config can help point out where typos or changes to fix can be made.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Linwood
Znuny newbie
Posts: 55
Joined: 10 Feb 2015, 15:30
Znuny Version: 4.0.6
Real Name: Linwood Ferguson
Company: LE Ferguson, LLC

Re: Customer SSO not working, Kerberos works

Post by Linwood »

crythias wrote:For anyone else who reads this, please note that SSO does work...
My apologies for suggesting otherwise, fairly new to unix, and I see at least two techniques to permit the apache server to do so. Sorry for the diversion.
Linwood Ferguson
OTRS 4.0 patch 6, ubuntu 14.04 on HyperV, MySql
alexawka
Znuny newbie
Posts: 6
Joined: 13 Mar 2015, 16:22
Znuny Version: 4.0.5
Real Name: Aleksandrs
Company: -

Re: Customer SSO not working, Kerberos works

Post by alexawka »

Hello,
I can confirm the same issue - NTLM authentication working like a charm on OTRS 3.x and CentOS 6.5. It still works like a charm after upgrading to 4.0.3.
However, when I install OTRS 4.0.5 on CentOS 7 with the MySQL Community release, with the same config as in the OTRS mentioned above and httpd/conf.d/otrs.conf identical down to a single character, NTLM is not working. Kerberos/NTLM Authentication Tester v0.9.3 for the first site (where SSO works) says Authentication Type: NTLM,
and for the second site (where SSO does not work) Authentication: None.
httpd/conf.d/ntlm_auth.conf:

Code:

LoadModule auth_ntlm_winbind_module /usr/lib64/httpd/modules/mod_auth_ntlm_winbind.so
<Location ~ "(otrs/index.pl)">
  AuthName "NTLM Authentication"
  AuthType NTLM
  Require valid-user
  NTLMAuth on
  NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
  NTLMBasicAuthoritative on
</Location>
I have created a dummy directory in /var/www/ntlm/ with some files (second site). Applied the same httpd/conf.d/whatsoever.conf for this directory, and Authentication Type: NTLM works like a charm. So where is the catch? Why does it refuse to work with OTRS?
alexawka
Znuny newbie
Posts: 6
Joined: 13 Mar 2015, 16:22
Znuny Version: 4.0.5
Real Name: Aleksandrs
Company: -

Re: Customer SSO not working, Kerberos works

Post by alexawka »

Installed the latest OTRS version on CentOS 6.6 - NTLM works like a charm!
I truly believe it is due to the CentOS HTTPD service. CentOS 6.6 - HTTPD 2.2.15, CentOS 7 - 2.4.6.
Those httpd servers have really different httpd.conf files. Something has changed. I have a feeling that it somehow does not allow .conf files to overlap the same Directory or Location directives - no proof about this, just thoughts.
Please, someone confirm the issue and help resolve it!
Thank you!
wurzel
Znuny guru
Posts: 3224
Joined: 08 Jul 2010, 22:25
Znuny Version: x.x.x
Real Name: Florian

Re: Customer SSO not working, Kerberos works

Post by wurzel »

Hi,

You are using Apache 2.4.6?

Had a look here? viewtopic.php?f=35&t=28331
It is quoted in German... perhaps it helps:
It was due to the setting "Require all granted" in the Location section. This must not be set for SSO!
Florian
OTRS 8 SILVER (Prod)
OTRS 8 auf Debian 11 (Test)
Znuny 7.x latest version testing auf Debian 11

-- Ich beantworte keine Forums-Fragen PN - No PN please

I won't answer to unfriendly users any more. A greeting and regards are just polite.
alexawka
Znuny newbie
Posts: 6
Joined: 13 Mar 2015, 16:22
Znuny Version: 4.0.5
Real Name: Aleksandrs
Company: -

Re: Customer SSO not working, Kerberos works

Post by alexawka »

Thank you for your reply. This helped me a lot.
Now it is working. The only question is why it has these code lines:

Code:

<IfVersion < 2.4>
    Order allow,deny
    Allow from all
</IfVersion>
<IfVersion >= 2.4>
    Require all granted
</IfVersion>
Why do versions above 2.4 require "all granted", while versions below do not?
Can someone please explain this, and what is the impact if I apply the same config as in httpd versions below 2.4 (Order allow,deny and Allow from all)?
Thank you!
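To make the Apache 2.2 versus 2.4 difference concrete, here is an added Python example (not code from this thread, from OTRS or from the Apache project) that lints httpd config sections for exactly the mistake wurzel's pointer names. In 2.2, "Order allow,deny" / "Allow from all" is host-based access control and is combined with "Require valid-user" under the default "Satisfy All", so the Kerberos challenge still happens. In 2.4, "Require all granted" is itself an authorization rule, and sibling Require lines in one section form an implicit <RequireAny>, so the request is authorized before any authentication takes place; that is what the debug log in the first post shows ("authorization result of Require all granted: granted" followed by "<RequireAny>: granted") and why OTRS then logs "No $ENV{REMOTE_USER}". The sample configs, the hostname, the keytab path and the realm EXAMPLE.LOC in the block are constructed for the example.

```python
"""Lint Apache 2.4 access-control sections for the authorization mistake
behind this thread: 'Require all granted' next to an authenticating
'Require' (valid-user, user, group, ...) in the same <Directory>/<Location>.
Apache treats sibling Require lines as an implicit <RequireAny>, so the
'all granted' rule satisfies the request before mod_auth_kerb ever sends a
Negotiate challenge, and REMOTE_USER stays empty.
The sample configs below are constructed for this example."""
import re

BROKEN = """
<Location /otrs>
    AuthType Kerberos
    AuthName "OTRS"
    Krb5Keytab /etc/httpd/conf.d/otrs.keytab
    KrbAuthRealms EXAMPLE.LOC
    KrbMethodNegotiate on
    Require valid-user
    <IfVersion >= 2.4>
        Require all granted
    </IfVersion>
</Location>
"""

FIXED = """
<Location /otrs>
    AuthType Kerberos
    AuthName "OTRS"
    Krb5Keytab /etc/httpd/conf.d/otrs.keytab
    KrbAuthRealms EXAMPLE.LOC
    KrbMethodNegotiate on
    Require valid-user
</Location>
"""

SECTION_OPEN = re.compile(r'^<(Directory|Location|Files|DirectoryMatch|LocationMatch|FilesMatch|Proxy)\b', re.I)
SECTION_CLOSE = re.compile(r'^</(Directory|Location|Files|DirectoryMatch|LocationMatch|FilesMatch|Proxy)>', re.I)
AUTHZ_OPEN = re.compile(r'^<(RequireAll|RequireAny|RequireNone)>', re.I)
AUTHZ_CLOSE = re.compile(r'^</(RequireAll|RequireAny|RequireNone)>', re.I)
REQUIRE = re.compile(r'^Require\s+(.+?)\s*$', re.I)


def parse_sections(text):
    """Split an httpd config into access-control sections and collect each
    section's AuthType plus its Require lines, tagged with the innermost
    <RequireAll>/<RequireAny>/<RequireNone> container ('requireany' when
    there is none, which is Apache's implicit default). <IfVersion> and
    <IfModule> wrappers do not change authz semantics and are ignored."""
    sections, current, authz_stack = [], None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if SECTION_OPEN.match(line):
            current = {'header': line, 'line': lineno, 'authtype': None, 'requires': []}
            authz_stack = []
        elif SECTION_CLOSE.match(line):
            if current:
                sections.append(current)
            current = None
        elif current is None:
            continue
        elif AUTHZ_OPEN.match(line):
            authz_stack.append(AUTHZ_OPEN.match(line).group(1).lower())
        elif AUTHZ_CLOSE.match(line):
            if authz_stack:
                authz_stack.pop()
        elif line.lower().startswith('authtype '):
            current['authtype'] = line.split(None, 1)[1]
        elif REQUIRE.match(line):
            wrapper = authz_stack[-1] if authz_stack else 'requireany'
            current['requires'].append({'line': lineno,
                                        'provider': REQUIRE.match(line).group(1).lower(),
                                        'wrapper': wrapper})
    return sections


def find_auth_bypass(text):
    """One finding per section where 'Require all granted' is OR-ed with another
    Require: that section authorizes anonymous clients, so no login happens."""
    findings = []
    for sec in parse_sections(text):
        granted = [r for r in sec['requires']
                   if r['provider'] == 'all granted' and r['wrapper'] == 'requireany']
        others = [r['provider'] for r in sec['requires'] if r['provider'] != 'all granted']
        if granted and others:
            findings.append({
                'section': sec['header'],
                'lines': [r['line'] for r in granted],
                'message': 'Require all granted is OR-ed with Require %s; clients are authorized '
                           'without %s authentication and REMOTE_USER is never set'
                           % (' / '.join(others), sec['authtype'] or 'any'),
            })
    return findings


def harden(text):
    """Drop the offending 'Require all granted' lines; the remaining Require
    (here valid-user) then forces the authentication challenge."""
    drop = {ln for f in find_auth_bypass(text) for ln in f['lines']}
    return '\n'.join(txt for n, txt in enumerate(text.splitlines(), 1) if n not in drop)


if __name__ == '__main__':
    for f in find_auth_bypass(BROKEN):
        print('%s (lines %s): %s' % (f['section'], f['lines'], f['message']))
    print('after harden():', find_auth_bypass(harden(BROKEN)))
    print('FIXED:', find_auth_bypass(FIXED))
```

Wrapping both lines in an explicit <RequireAll> is the other valid shape (the lint leaves it alone, because "all granted" AND "valid-user" still requires a login); simply deleting "Require all granted", as the pointer above says, is the shorter fix. Under mod_access_compat on 2.4, "Order allow,deny" / "Allow from all" keep their 2.2 meaning and do not enter the RequireAny, which is why the 2.2 branch of the same snippet never had this problem.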
rajsardhara
Znuny newbie
Posts: 3
Joined: 05 Aug 2017, 00:41
Znuny Version: 6.0.7

Re: Customer SSO not working, Kerberos works

Post by rajsardhara »

After long testing, this worked for me and is working like a charm:

1. First create the keytab:
Make sure you're able to log in using kinit username.

Code:

echo "HTTP/ad1.xyz.net@XYZ.NET" > /etc/httpd/conf.d/krb5.keytab
2. Config.pm

Code:

$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} ='@xyz.net';
No additional lines required (Tested for Agent only)

3. Apache Config:: zzz.otrs.conf

Code:

<Location /otrs>
#   ErrorDocument 403 /opt/otrs/customer.pl
    ErrorDocument 403 /opt/otrs/index.pl
    AuthType Kerberos
    Krb5KeyTab /etc/httpd/conf.d/krb5.keytab
    KrbAuthRealms XYZ.NET
    KrbLocalUserMapping On
    KrbMethodK5Passwd On
    KrbMethodNegotiate Off
    KrbSaveCredentials Off
    KrbVerifyKDC Off
    require valid-user
    SetHandler  perl-script
    PerlResponseHandler ModPerl::Registry
    Options +ExecCGI
    PerlOptions +ParseHeaders
    PerlOptions +SetupEnv

#   <IfModule mod_version.c>
#       <IfVersion < 2.4>
#           Order allow,deny
#           Allow from all
#       </IfVersion>
#       <IfVersion >= 2.4>
#           Require all granted
#       </IfVersion>
#   </IfModule>
#   <IfModule !mod_version.c>
#       Order allow,deny
#       Allow from all
#   </IfModule>
</Location>
:D
root
Administrator
Posts: 3934
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny

Re: Customer SSO not working, Kerberos works

Post by root »

rajsardhara wrote:After long testing, this worked for me and is working like a charm:

1. First create the keytab:
Make sure you're able to log in using kinit username.

Code:

echo "HTTP/ad1.xyz.net@XYZ.NET" > /etc/httpd/conf.d/krb5.keytab
2. Config.pm

Code:

$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} ='@xyz.net';
No additional lines required (Tested for Agent only)

3. Apache Config:: zzz.otrs.conf

Code:

<Location /otrs>
#   ErrorDocument 403 /opt/otrs/customer.pl
    ErrorDocument 403 /opt/otrs/index.pl
    AuthType Kerberos
    Krb5KeyTab /etc/httpd/conf.d/krb5.keytab
    KrbAuthRealms XYZ.NET
    KrbLocalUserMapping On
    KrbMethodK5Passwd On
    KrbMethodNegotiate Off
    KrbSaveCredentials Off
    KrbVerifyKDC Off
    require valid-user
    SetHandler  perl-script
    PerlResponseHandler ModPerl::Registry
    Options +ExecCGI
    PerlOptions +ParseHeaders
    PerlOptions +SetupEnv

#   <IfModule mod_version.c>
#       <IfVersion < 2.4>
#           Order allow,deny
#           Allow from all
#       </IfVersion>
#       <IfVersion >= 2.4>
#           Require all granted
#       </IfVersion>
#   </IfModule>
#   <IfModule !mod_version.c>
#       Order allow,deny
#       Allow from all
#   </IfModule>
</Location>
:D
Hi.

The keytab is definitely not generated by echoing something into a file. And if you use KrbLocalUserMapping On, you don't need to configure AuthModule::HTTPBasicAuth::ReplaceRegExp.

- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?
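Two checks that follow from Roy's reply, as an added Python example (not OTRS or Znuny code; the reply contains none): a parser that tells a real MIT keytab (0x0502 file header, entries carrying principal, enctype and kvno) from the text file the echo command produces, with a helper that confirms the HTTP/<host> principal mod_auth_kerb needs is present; and otrs_login(), which is my reading of how OTRS's HTTPBasicAuth module derives the login from REMOTE_USER (the first match of AuthModule::HTTPBasicAuth::ReplaceRegExp is removed, case-sensitively) and is stated as an assumption. The keytab bytes, the host otrs.example.loc, the realm EXAMPLE.LOC and the key are constructed here; nothing reads a real keytab.

```python
"""Two checks for the points raised in the reply above: (1) is the file
actually a keytab rather than a principal name echo'd into a text file, and
(2) what login name OTRS derives from REMOTE_USER once the realm is, or is
not, stripped. The keytab bytes are constructed here with a throwaway key.
The OTRS behaviour in otrs_login() is an assumption about the HTTPBasicAuth
module (remove the first match of ReplaceRegExp), not code taken from it."""
import re
import struct

ENCTYPE_NAMES = {17: 'aes128-cts-hmac-sha1-96', 18: 'aes256-cts-hmac-sha1-96', 23: 'arcfour-hmac'}


def _counted(octets):
    """MIT counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack('>H', len(octets)) + octets


def build_keytab_entry(principal, realm, enctype, key, kvno, timestamp=0):
    """Serialise one entry of a version 0x0502 MIT keytab (only used to build
    the constructed sample below; a real keytab comes from ktutil/ktpass)."""
    comps = principal.encode().split(b'/')
    body = struct.pack('>H', len(comps)) + _counted(realm.encode())
    body += b''.join(_counted(c) for c in comps)
    body += struct.pack('>IIB', 1, timestamp, kvno & 0xFF)  # name_type NT_PRINCIPAL, timestamp, vno8
    body += struct.pack('>H', enctype) + _counted(key)
    body += struct.pack('>I', kvno)                           # 32-bit kvno trailer
    return struct.pack('>i', len(body)) + body


def parse_keytab(data):
    """Return [{'principal', 'enctype', 'kvno'}, ...] for a version-2 MIT keytab.
    Raises ValueError for anything else, e.g. the output of
    'echo "HTTP/host@REALM" > krb5.keytab', which has no 0x0502 header."""
    if len(data) < 2 or data[:2] != b'\x05\x02':
        raise ValueError('not a keytab: missing 0x0502 file-format header')
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from('>i', data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError('truncated keytab entry')
        (ncomp,) = struct.unpack_from('>H', data, pos)
        pos += 2
        (rlen,) = struct.unpack_from('>H', data, pos)
        pos += 2
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from('>H', data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        _name_type, _timestamp, vno8 = struct.unpack_from('>IIB', data, pos)
        pos += 9
        enctype, klen = struct.unpack_from('>HH', data, pos)
        pos += 4 + klen               # skip the key bytes: secret material is not reported
        kvno = struct.unpack_from('>I', data, pos)[0] if end - pos >= 4 else vno8
        pos = end
        entries.append({'principal': '/'.join(comps) + '@' + realm,
                        'enctype': ENCTYPE_NAMES.get(enctype, str(enctype)),
                        'kvno': kvno})
    return entries


def is_keytab(data):
    """True only for parseable keytab bytes with at least one entry."""
    try:
        return bool(parse_keytab(data))
    except ValueError:
        return False


def has_http_principal(data, host):
    """True when the keytab holds the HTTP/<host>@REALM key mod_auth_kerb needs."""
    return any(e['principal'].startswith('HTTP/%s@' % host) for e in parse_keytab(data))


def otrs_login(remote_user, replace_regexp=None):
    """Login name as OTRS's HTTPBasicAuth is assumed to derive it: the first
    match of AuthModule::HTTPBasicAuth::ReplaceRegExp is removed, case-sensitively."""
    return re.sub(replace_regexp, '', remote_user, count=1) if replace_regexp else remote_user


# Constructed samples: a proper keytab entry for a hypothetical host, and the
# text file that the echo command in the reply above would actually produce.
GOOD_KEYTAB = b'\x05\x02' + build_keytab_entry('HTTP/otrs.example.loc', 'EXAMPLE.LOC',
                                                18, b'\x11' * 32, 3, 1424000000)
ECHOED_KEYTAB = b'HTTP/ad1.xyz.net@XYZ.NET\n'

if __name__ == '__main__':
    print(parse_keytab(GOOD_KEYTAB))
    print('echoed file is a keytab:', is_keytab(ECHOED_KEYTAB))
    # KrbLocalUserMapping Off: REMOTE_USER carries the realm and the regex must match it.
    print(otrs_login('karl@EXAMPLE.LOC', '@EXAMPLE.LOC'), otrs_login('karl@XYZ.NET', '@xyz.net'))
    # KrbLocalUserMapping On: the realm is already gone, ReplaceRegExp has nothing to do.
    print(otrs_login('karl', '@xyz.net'))
```

With KrbLocalUserMapping On, mod_auth_kerb already strips the realm, so REMOTE_USER is "karl" and the regex has nothing to match, which is Roy's point. With it off, REMOTE_USER is "karl@XYZ.NET", and a lowercase "@xyz.net" pattern does not match the uppercase realm at all, leaving the full principal as the login name OTRS looks up.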