Single Sign On (SSO) OTRS version 5 with AD

5of5
Znuny newbie
Posts: 24
Joined: 24 Feb 2017, 18:37
Znuny Version: 5.0.16
Real Name: Tom Stiffler
Company: Concurrent Technology Corp.

Single Sign On (SSO) OTRS version 5 with AD

Post by 5of5 »

Thanks in advance for any help on this topic.

Here’s what I’ve done so far to try to get single sign-on (SSO) working with OTRS.

1) Created an AD object for the system, added a Service Principal Name (SPN) to the object.
2) Joined the Linux system to the domain and created a keytab file.
3) Installed mod_auth_kerb and configured accordingly:
<IfModule auth_kerb_module>
    <Location />
        AuthType Kerberos
        AuthName "Windows Login"
        Krb5Keytab /etc/krb5.keytab
        KrbAuthRealms DOMAIN
        KrbMethodNegotiate On
        KrbVerifyKDC On
        KrbMethodK5Passwd On
        KrbLocalUserMapping Off
        Require valid-user
    </Location>
</IfModule>
4) Modified Kernel/Config.pm accordingly:
# Enable SSO
$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
$Self->{LoginURL} = '/not_authenticated.html';
$Self->{LogoutURL} = '/not_authenticated.html';
5) Restarted both Apache and OTRS.

Unfortunately, these steps are not permitting SSO to work with OTRS. I have confirmed that SSO is working with Apache (meaning I’m able to hit non-OTRS areas of the web server by authenticating with my AD credential). We can also see the user that’s being used in Apache (via the access_log, which is determined by HTTP authentication, in this case, mod_auth_kerb).

At this point, we need some pointers on what else we can try.
root
Administrator
Posts: 3934
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny

Re: Single Sign On (SSO) OTRS version 5 with AD

Post by root »

Did you get any error message from the otrs log?
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?
5of5

Re: Single Sign On (SSO) OTRS version 5 with AD

Post by 5of5 »

The only logs we’ve been finding anything in is /var/log/httpd/{access_log,error_log}. So far, neither have pointed us in the right direction.
root

Re: Single Sign On (SSO) OTRS version 5 with AD

Post by root »

What's the output of

klist -k -t /etc/krb5.keytab
5of5

Re: Single Sign On (SSO) OTRS version 5 with AD

Post by 5of5 »

: s45 4#; klist -k -t /etc/krb5.keytab 
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 04/19/2017 17:16:58 HTTP/s45.ctc.com@OUR.DOMAIN..
   5 04/19/2017 17:16:58 HTTP/s45.ctc.com@OUR.DOMAIN..
   5 04/19/2017 17:16:58 HTTP/s45.ctc.com@OUR.DOMAIN..
   5 04/19/2017 17:16:58 HTTP/s45.ctc.com@OUR.DOMAIN..
   5 04/19/2017 17:16:58 HTTP/s45.ctc.com@OUR.DOMAIN..
   5 04/19/2017 17:16:58 HTTP/S45@OUR.DOMAIN
   5 04/19/2017 17:16:58 HTTP/S45@OUR.DOMAIN
   5 04/19/2017 17:16:58 HTTP/S45@OUR.DOMAIN
   5 04/19/2017 17:16:58 HTTP/S45@OUR.DOMAIN
   5 04/19/2017 17:16:58 HTTP/S45@OUR.DOMAIN
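The keytab listing above is the one check that decides whether Negotiate can work at all: the browser builds the service principal from the host name in the URL (HTTP/fqdn@REALM), so that exact entry, with the realm spelled exactly as in KrbAuthRealms (Kerberos realms are case-sensitive), has to be in the keytab, and its key version (KVNO) has to be the one the KDC currently uses. The following script is an added example, not code from the thread or from OTRS/Znuny: it parses `klist -k -t` output and reports whether the expected principal is present, which KVNOs it carries, and which other HTTP principals (such as a short host name) are there but would not match the browser's request. The sample listing is constructed to mirror the poster's output; the host s45.example.com and the realm EXAMPLE.COM are placeholders.

```python
"""Parse the output of `klist -k -t` and check that the keytab holds the
HTTP service principal mod_auth_kerb needs for Negotiate.

Added example (not code from the thread or from OTRS/Znuny). The listing
below is constructed to mirror the poster's output; the host name
s45.example.com and the realm EXAMPLE.COM are placeholders.
"""
import re
from collections import namedtuple

KeytabEntry = namedtuple("KeytabEntry", "kvno timestamp principal")

# One entry line: "   5 04/19/2017 17:16:58 HTTP/s45.example.com@EXAMPLE.COM"
# The header, the dashed rule and the "Keytab name:" line do not match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s*$")

# Constructed sample. A real keytab lists one line per encryption type,
# which is why the same principal repeats with the same KVNO. The KVNO 4
# line stands for a key left over from before a password reset.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 04/19/2017 17:16:58 HTTP/s45.example.com@EXAMPLE.COM
   5 04/19/2017 17:16:58 HTTP/s45.example.com@EXAMPLE.COM
   5 04/19/2017 17:16:58 HTTP/S45@EXAMPLE.COM
   4 04/01/2017 09:00:00 HTTP/s45.example.com@EXAMPLE.COM
"""


def parse_klist(text):
    """Return a KeytabEntry for every entry line in klist -k -t output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def check_service_principal(entries, fqdn, realm):
    """Report on the principal the browser will ask for: HTTP/<fqdn>@<REALM>.

    present   - the exact principal (case-sensitive realm) is in the keytab
    kvnos     - key versions found for it; more than one means keys from
                before and after a password reset are both present, and
                only the KDC's current KVNO can decrypt incoming tickets
    other_http_principals - HTTP/... entries that will never match the
                browser's request (e.g. the short host name)
    """
    wanted = f"HTTP/{fqdn}@{realm}"
    kvnos = sorted({e.kvno for e in entries if e.principal == wanted})
    others = sorted({e.principal for e in entries
                     if e.principal.startswith("HTTP/") and e.principal != wanted})
    return {
        "wanted": wanted,
        "present": bool(kvnos),
        "kvnos": kvnos,
        "multiple_kvno": len(kvnos) > 1,
        "other_http_principals": others,
    }


if __name__ == "__main__":
    report = check_service_principal(parse_klist(SAMPLE_KLIST),
                                     "s45.example.com", "EXAMPLE.COM")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a live system, feed it the real listing (`klist -k -t /etc/krb5.keytab`) and the host name the users type into the browser, not the one from `hostname` if the two differ; a lowercase or otherwise differently spelled realm in the Apache config is reported as "not present" on purpose, because that is how the KDC sees it.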
meduzalt
Znuny newbie
Posts: 1
Joined: 13 Apr 2017, 10:44
Znuny Version: 5.0.x
Real Name: Algimantas
Company: MSSL

Re: Single Sign On (SSO) OTRS version 5 with AD

Post by meduzalt »

test_otrs_ad.zip
I had the same problem the day before, and one piece of advice helped me: change the Apache OTRS site config:

<IfModule mod_perl.c>

    # Setup environment and preload modules
    Perlrequire /opt/otrs/scripts/apache2-perl-startup.pl

    # Reload Perl modules when changed on disk
    PerlModule Apache2::Reload
    PerlInitHandler Apache2::Reload

    # general mod_perl2 options
    <Location /otrs>
#        ErrorDocument 403 /otrs/customer.pl
        ErrorDocument 403 /otrs/index.pl
        SetHandler  perl-script
        PerlResponseHandler ModPerl::Registry
        Options +ExecCGI
        PerlOptions +ParseHeaders
        PerlOptions +SetupEnv

        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms REALM
        Krb5Keytab /etc/krb5.keytab
        KrbMethodNegotiate On
        KrbSaveCredentials Off
        KrbVerifyKDC Off
        Require valid-user
    </Location>

    # mod_perl2 options for GenericInterface
    <Location /otrs/nph-genericinterface.pl>
        PerlOptions -ParseHeaders
    </Location>

</IfModule>

<Directory "/opt/otrs/bin/cgi-bin/">
    #AllowOverride None
    AllowOverride All
    Options +ExecCGI -Includes
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms REALM
    Krb5Keytab /etc/krb5.keytab
    KrbMethodNegotiate On
    KrbSaveCredentials Off
    KrbVerifyKDC Off
    Require valid-user
</Directory>
I first tested with two test files, whoami.pl and test.pl (extracted from the zip), copying them to /opt/otrs/bin/cgi-bin.
What are the results? Also look at /etc/syslog (if Ubuntu).
OTRS 5.0.x with ITSM, FAQ on Ubuntu 16.04, SSO with MS AD;
Win2008, Active Directory, Ubuntu, Centos 6&7, Postgres, MSSQL, OTRS, ZABBIX
root

Re: Single Sign On (SSO) OTRS version 5 with AD

Post by root »

5of5 wrote: I have confirmed that SSO is working with Apache (meaning I’m able to hit non-OTRS areas of the web server by authenticating with my AD credential). We can also see the user that’s being used in Apache (via the access_log, which is determined by HTTP authentication, in this case, mod_auth_kerb).
Sorry about that, I did not read this completely.

Please make sure that only /otrs/index.pl and customer.pl use Kerberos authentication - this will speed up everything.
The settings for Kernel/Config.pm are ok. What's the result in the browser if you try to open /otrs/index.pl? Did you see the request in the access_log?
5of5

Re: Single Sign On (SSO) OTRS version 5 with AD

Post by 5of5 »

The browser takes us to the location defined in “$Self->{LoginURL}”.

The access_log is showing something interesting… Any request starting with “/otrs” is not authenticated, yet most requests outside of this path are authenticated. The error_log also contains the following:

ERROR: OTRS-CGI-66 Perl: 5.16.3 OS: linux Time: Mon Apr 24 09:02:06 2017

Message: Need UserLogin or UserID!

RemoteAddress: xx.xx.xx.xx
RequestURI: /otrs/index.pl

It’s almost as if something is configured that’s preventing the “/otrs” location from getting the authenticated request…
root

Re: Single Sign On (SSO) OTRS version 5 with AD

Post by root »

Did you have 401 HTTP return codes for /otrs/index.pl in the log file?
5of5

Re: Single Sign On (SSO) OTRS version 5 with AD

Post by 5of5 »

I’m not seeing a 401… This is the complete log from a browser that’s prompting me for my AD credentials when I hit the login page.

xx.xx.xx.xx - - [24/Apr/2017:13:20:42 -0400] "GET /otrs/index.pl HTTP/1.1" 302 78 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0"
xx.xx.xx.xx - - [24/Apr/2017:13:20:42 -0400] "GET /otrs/index.pl?Action=PreLogin&RequestedURL= HTTP/1.1" 200 5029 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0"
xx.xx.xx.xx - - [24/Apr/2017:13:20:42 -0400] "GET /otrs-web/skins/Agent/default/css/thirdparty/ui-theme/jquery-ui.css HTTP/1.1" 401 381 "http://s45.ctc.com/otrs/index.pl?Action ... uestedURL=" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0"
xx.xx.xx.xx - user@DOMAIN [24/Apr/2017:13:20:53 -0400] "GET /otrs-web/skins/Agent/default/css/thirdparty/ui-theme/jquery-ui.css HTTP/1.1" 200 4062 "http://s45.ctc.com/otrs/index.pl?Action ... uestedURL=" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0"
xx.xx.xx.xx - - [24/Apr/2017:13:20:54 -0400] "POST /otrs/index.pl HTTP/1.1" 302 125 "http://s45.ctc.com/otrs/index.pl?Action ... uestedURL=" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0"
xx.xx.xx.xx - - [24/Apr/2017:13:20:54 -0400] "GET /not_authenticated.html?Reason=LoginFailed&RequestedURL=Action%3DPreLogin%26RequestedURL%3D HTTP/1.1" 401 381 "http://s45.ctc.com/otrs/index.pl?Action ... uestedURL=" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0"
xx.xx.xx.xx - user@DOMAIN [24/Apr/2017:13:20:54 -0400] "GET /not_authenticated.html?Reason=LoginFailed&RequestedURL=Action%3DPreLogin%26RequestedURL%3D HTTP/1.1" 200 1053 "http://s45.ctc.com/otrs/index.pl?Action ... uestedURL=" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0"
root

Re: Single Sign On (SSO) OTRS version 5 with AD

Post by root »

Ok, that's looking weird, I'll explain it below.

Please try this configuration; you can place it in its own file (I usually called it zzzz_auth_otrs.conf).

<LocationMatch "/otrs/(customer|index).pl">
  #SSLRequireSSL
  AuthType Kerberos
  AuthName "OTRS"
  KrbMethodNegotiate On
  KrbMethodK5Passwd On
  KrbAuthRealms YOUR_KERBEROS_REALM
  KrbLocalUserMapping on
  KrbServiceName HTTP/fqdn@YOUR_KERBEROS_REALM
  #KrbServiceName Any
  Krb5KeyTab /etc/krb5.keytab
  Require valid-user
</LocationMatch>
  • The 2nd log line should have a 401 (Authentication required) to instruct the browser to send credentials.
  • The 3rd line has a 401, which leads to an authentication roundtrip whenever a CSS, JavaScript file or image is loaded. This impacts your performance negatively. (See the next log entry: a 200 response code for the authenticated and delivered file jquery-ui.css.)
  • The request "POST /otrs/index.pl" returns a redirect to your configured login site because you're not authenticated. Reason: you enter credentials in the HTML form of OTRS but have set up HTTPBasicAuth, which delegates the authentication to the web server.
I recommend resetting the value for the LoginURL to the default value and using Kerberos authentication only on the location /otrs/. What should happen? Browsing to /otrs/index.pl should result in a successful login (maybe with panic no data found) without entering credentials, or a basic authentication login window where you can enter your AD credentials.
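The reading of the access_log given above turns into a repeatable check: for each path that is supposed to be behind Kerberos, a 401 challenge must appear and at least one later response must carry a remote user, while static assets under /otrs-web should never draw a 401 at all. The script below is an added example, not code from the thread or from OTRS/Znuny; it parses Apache combined-format lines and reports protected paths that were never challenged, assets that caused an authentication roundtrip, and who was authenticated where. Both sample logs are constructed: the first mirrors the poster's broken log, the second shows the shape of a working login (401, then 200 with a user). The client address 10.0.0.5 and user@EXAMPLE.COM are placeholders.

```python
"""Classify Apache access_log lines to diagnose a mod_auth_kerb SSO setup.

Added example, not code from the thread or from OTRS/Znuny. The log lines
below are constructed (client address, user and realm are placeholders).
Expected pattern for a protected script: one 401 challenge, then a 200
with a remote user. Static assets should never be challenged.
"""
import re
from collections import defaultdict

# Apache "combined" format up to the response size; referrer and user
# agent are not needed here and are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths that should be behind Kerberos; the thread settles on
# index.pl and customer.pl only.
PROTECTED = [re.compile(r"^/otrs/(index|customer)\.pl$")]

# Constructed: mirrors the poster's log. index.pl is never challenged,
# the stylesheet is.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Apr/2017:13:20:42 -0400] "GET /otrs/index.pl HTTP/1.1" 302 78 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [24/Apr/2017:13:20:42 -0400] "GET /otrs/index.pl?Action=PreLogin&RequestedURL= HTTP/1.1" 200 5029 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [24/Apr/2017:13:20:42 -0400] "GET /otrs-web/skins/Agent/default/css/jquery-ui.css HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '10.0.0.5 - user@EXAMPLE.COM [24/Apr/2017:13:20:53 -0400] "GET /otrs-web/skins/Agent/default/css/jquery-ui.css HTTP/1.1" 200 4062 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [24/Apr/2017:13:20:54 -0400] "POST /otrs/index.pl HTTP/1.1" 302 125 "-" "Mozilla/5.0"',
]

# Constructed: what a working Negotiate login looks like.
HEALTHY_LOG = [
    '10.0.0.5 - - [24/Apr/2017:14:00:00 -0400] "GET /otrs/index.pl HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '10.0.0.5 - user@EXAMPLE.COM [24/Apr/2017:14:00:00 -0400] "GET /otrs/index.pl HTTP/1.1" 200 8687 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [24/Apr/2017:14:00:01 -0400] "GET /otrs-web/skins/Agent/default/css/jquery-ui.css HTTP/1.1" 200 4062 "-" "Mozilla/5.0"',
]


def parse_log_line(line):
    """Return a dict with ip, user, time, method, path, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec.pop("target").split("?", 1)[0]  # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, protected=PROTECTED):
    """Group requests by path and flag the two failure modes from the thread."""
    findings = {"never_challenged": [], "asset_roundtrips": [], "authenticated_as": {}}
    by_path = defaultdict(list)
    for raw in lines:
        rec = parse_log_line(raw)
        if rec:
            by_path[rec["path"]].append(rec)
    for path, recs in sorted(by_path.items()):
        statuses = [r["status"] for r in recs]
        users = sorted({r["user"] for r in recs if r["user"] != "-"})
        if any(p.match(path) for p in protected):
            # Kerberos never engaged: no 401 was sent and nobody was identified.
            if 401 not in statuses and not users:
                findings["never_challenged"].append(path)
        elif 401 in statuses:
            # An authentication roundtrip on a CSS/JS/image request: wasteful.
            findings["asset_roundtrips"].append(path)
        if users:
            findings["authenticated_as"][path] = users
    return findings


if __name__ == "__main__":
    print("broken :", analyze(SAMPLE_LOG))
    print("healthy:", analyze(HEALTHY_LOG))
```

Run it against a real log with `analyze(open("/var/log/httpd/access_log").readlines())`; a path listed under never_challenged means the Kerberos `<Location>` is not being applied to that URL, which was exactly the poster's situation, and anything under asset_roundtrips is a candidate for being taken out of the protected section.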
5of5

Re: Single Sign On (SSO) OTRS version 5 with AD

Post by 5of5 »

Your mention of using “zzzz_auth_otrs.conf” as the file name got me thinking…

I actually had things working yesterday afternoon, but couldn’t figure out exactly what the fix was. When I saw your post with the mention of the file name, it made me realize that was it. For whatever reason, I renamed the file such that it came after zzz_otrs.conf when Apache read it. I didn’t put things together until this morning when I read your post.

I tested this and found that if the mod_auth_kerb config comes before the config in zzz_otrs.conf, things break.

I also implemented your suggestion to only authenticate index.pl and customer.pl.

Thanks for your help and suggestions. I appreciate it.
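The fix found above comes down to include order: Apache reads the files matched by a wildcard Include (for example `IncludeOptional conf.d/*.conf`) in alphabetical order, so a file named zzz_otrs.conf is read after auth_otrs.conf but before zzzz_auth_otrs.conf. The script below is an added example, not code from the thread or from OTRS/Znuny; it reproduces that ordering for a set of file names, lists every `<Location>`, `<LocationMatch>` or `<Directory>` section that targets an otrs path in the order Apache will see them, and reports whether the Kerberos file lands after zzz_otrs.conf, suggesting the zzzz_ prefix from the thread when it does not. The file names and contents are constructed.

```python
"""Check the order in which Apache reads conf.d files and where the
OTRS-related sections end up.

Added example, not code from the thread or from OTRS/Znuny. Apache reads
wildcard includes in alphabetical order; the thread's finding is that
the mod_auth_kerb file must be read after zzz_otrs.conf. File names and
contents below are constructed.
"""
import re

# Opening line of a section, with or without quotes around the argument.
SECTION_RE = re.compile(r'^\s*<(Location|LocationMatch|Directory)\s+"?([^">]+)"?\s*>', re.I)

# Constructed conf.d: the Kerberos file sorts before zzz_otrs.conf (broken).
BROKEN = {
    "00-base.conf": "ServerName s45.example.com\n",
    "auth_otrs.conf": (
        '<LocationMatch "/otrs/(customer|index).pl">\n'
        "  AuthType Kerberos\n"
        "  Require valid-user\n"
        "</LocationMatch>\n"
    ),
    "zzz_otrs.conf": (
        "<Location /otrs>\n"
        "  SetHandler perl-script\n"
        "</Location>\n"
        '<Directory "/opt/otrs/bin/cgi-bin/">\n'
        "  Options +ExecCGI\n"
        "</Directory>\n"
    ),
    "README": "not read by Apache: no .conf suffix\n",
}

# Same files after the rename the thread arrived at.
FIXED = {("zzzz_auth_otrs.conf" if k == "auth_otrs.conf" else k): v
         for k, v in BROKEN.items()}


def include_order(names):
    """Files a wildcard Include will read, in the order Apache reads them
    (alphabetical, compared bytewise as in the C locale)."""
    return sorted((n for n in names if n.endswith(".conf")), key=lambda n: n.encode())


def otrs_sections(files):
    """(file, section type, argument) for every section whose argument
    mentions otrs, in load order. files maps file name to its text."""
    found = []
    for name in include_order(files):
        for line in files[name].splitlines():
            m = SECTION_RE.match(line)
            if m and "otrs" in m.group(2).lower():
                found.append((name, m.group(1), m.group(2).strip()))
    return found


def audit_order(files, auth_file, otrs_file="zzz_otrs.conf"):
    """Is the Kerberos file read after the OTRS handler file?"""
    order = include_order(files)
    if auth_file not in order or otrs_file not in order:
        raise ValueError("both files must be present and end in .conf")
    ok = order.index(auth_file) > order.index(otrs_file)
    return {
        "order": order,
        "ok": ok,
        # The thread's own remedy: a prefix that sorts after zzz_.
        "suggested_name": None if ok else "zzzz_" + auth_file,
    }


if __name__ == "__main__":
    for label, files, auth in (("broken", BROKEN, "auth_otrs.conf"),
                               ("fixed", FIXED, "zzzz_auth_otrs.conf")):
        print(label, audit_order(files, auth))
        for entry in otrs_sections(files):
            print("   ", entry)
```

To run it against a real server, build the dict with `{p.name: p.read_text() for p in pathlib.Path("/etc/httpd/conf.d").iterdir() if p.is_file()}` (path adjusted for the distribution) and pass the name of the file that holds the Kerberos directives.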
root

Re: Single Sign On (SSO) OTRS version 5 with AD

Post by root »

You're welcome ;-) Good to hear that it works now
msnikose123
Znuny newbie
Posts: 1
Joined: 03 Jan 2019, 15:51
Znuny Version: VERSION = 3.1.4
Real Name: monish

Re: Single Sign On (SSO) OTRS version 5 with AD

Post by msnikose123 »

Hi,

My OTRS SSO is not working. The basic Apache SSO is working.

OTRS version 3.1.4

I went through your article but it didn't work out.

Below is the only log I get when I hit the URL:

==> /var/log/httpd/access_log <==
xx.xx.xx.xx - - [03/Jan/2019:19:54:14 +0530] "GET /helpdesk/index.pl HTTP/1.1" 401 381 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
xx.xx.xx.xx - msnikose [03/Jan/2019:19:54:14 +0530] "GET /helpdesk/index.pl HTTP/1.1" 200 8687 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
jojo
Znuny guru
Posts: 15019
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: Single Sign On (SSO) OTRS version 5 with AD

Post by jojo »

Please don't hijack old threads. Also, your OTRS version is outdated, not supported and extremely insecure!
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
JazzMed13
Znuny newbie
Posts: 39
Joined: 06 Apr 2016, 17:18
Znuny Version: 6.0.4
Real Name: Jazmin Medina
Company: Private

Re: Single Sign On (SSO) OTRS version 5 with AD

Post by JazzMed13 »

Can I use these same configurations with version 6?

I need someone to guide me to connect SAML2 with OTRS 6
root

Re: Single Sign On (SSO) OTRS version 5 with AD

Post by root »

JazzMed13 wrote: 14 Jan 2022, 22:18 Can I use these same configurations version 6?

I need someone to guide me to connect SAML2 with OTRS 6
Hi,

You're really desperate, right? This post is about Kerberos SSO, which is slightly different from SAML.

- Roy