IIS and single sign on

Moderator: crythias

spiderpig
OTRS wizard
Posts: 198
Joined: 15 Dec 2011, 02:26
OTRS Version?: OTRS 5

IIS and single sign on

Post by spiderpig » 29 Jan 2012, 16:15

Hi,

Is it possible to have single sign-on with IIS and OTRS?
I haven't seen any post here on SSO and IIS; would I use NTLM or Kerberos?
I'm always getting an error:

(error in otrs.log)
[Error][Kernel::System::CustomerUser::SetPreferences][493] No such user 'DOMAIN\user'!

(the line in config.pm)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
OTRS 4.0 running on Centos 7

crythias
Moderator
Posts: 10109
Joined: 04 May 2010, 18:38
OTRS Version?: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: IIS and single sign on

Post by crythias » 29 Jan 2012, 17:33

$Self->{'AuthModule::HTTPBasicAuth::Replace'} = 'mydomain\\';
$Self->{'Customer::AuthModule::HTTPBasicAuth::Replace'} = 'example_domain\\';

Read more in Defaults.pm.
OTRS 5.0.x (private/testing/public) on Linux with MySQL database. Also on github.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

spiderpig
OTRS wizard
Posts: 198
Joined: 15 Dec 2011, 02:26
OTRS Version?: OTRS 5

Re: IIS and single sign on

Post by spiderpig » 29 Jan 2012, 19:16

Hi,
thank you for the reply.
It does not seem to work; here's my config.pm.
The AD sync works fine and I can log in AD users, but I'm trying to get autologin working with IIS.

#Enable LDAP authentication for Customers / Users
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'dc';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=local';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'sAMAccountName';

#The following is valid but would only be necessary if the
#anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'otrs';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'Otrs';

# ---------------------------------------------------- #
# OTRS Active Directory Integration Backed DB Customers #
# ---------------------------------------------------- #

$Self->{CustomerUser} = {
    Name => 'somename',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host => 'dc',
        BaseDN => 'dc=domain,dc=local',
        SSCOPE => 'sub',
        UserDN => 'otrs',
        UserPw => 'Otrs',
        AlwaysFilter => '(mail=*)',
        SourceCharset => 'utf-8',
        DestCharset => 'utf-8',
        Params => {
            port => 389,
            timeout => 120,
            async => 0,
            version => 3,
        },
    },
    CustomerKey => 'sAMAccountName',
    CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchListLimit => 900,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    CustomerUserExcludePrimaryCustomerID => 0,
    AdminSetPreferences => 0,
    Map => [
        [ 'UserSalutation', 'Title', 'title', 1, 0, 'var', '', 0 ],
        [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
        [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
        [ 'UserLogin', 'Username', 'sAMAccountName', 1, 1, 'var', '', 0 ],
        [ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],
        [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
        [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
        [ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
    ],
};

## The above is the LDAP Customer Sync module

# This is an example configuration for an apache ($ENV{REMOTE_USER})
# auth. backend. Use it if you want to have a single login through
# apache http-basic-auth
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
$Self->{'AuthModule::HTTPBasicAuth::Replace'} = 'domain\\';
$Self->{'Customer::AuthModule::HTTPBasicAuth::Replace'} = 'domain\\';
# Note:
# If you use this module, you should use the following
# config settings as fallback, if the user isn't logged in through
# apache ($ENV{REMOTE_USER})
#$Self->{CustomerPanelLoginURL} = 'http://someaddress?';
#$Self->{CustomerPanelLogoutURL} = 'http://someaddress';
OTRS 4.0 running on Centos 7

crythias
Moderator
Posts: 10109
Joined: 04 May 2010, 18:38
OTRS Version?: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: IIS and single sign on

Post by crythias » 29 Jan 2012, 19:57

Auth is for agents, CustomerAuth is for Customers.
If you have multiple authorization back ends for customers, you will need to have an index number at the end of each entry that applies to the additional back ends.
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
$Self->{'Customer::AuthModule::HTTPBasicAuth::Replace1'} = 'domain\\';

$Self->{CustomerUser} = {
...
}

$Self->{CustomerUser1} = {
...
}
CustomerUser1 should have some type of information that applies to the method of authentication. Specifically, what is passed to map the required information from httpbasicauth.

Now, if you're assuming that httpauth will gather information from the existing LDAP connection, that's fine, but you will need to be certain that the username as passed through single sign-on matches something usable in CustomerUser (or CustomerUser1).

Your previous error "No such user 'DOMAIN\user'" indicates that ldap can't find "DOMAIN\user", which is why the replace is necessary.

spiderpig
OTRS wizard
Posts: 198
Joined: 15 Dec 2011, 02:26
OTRS Version?: OTRS 5

Re: IIS and single sign on

Post by spiderpig » 29 Jan 2012, 23:36

I have not tried this with Apache, but I'm trying this on IIS 7 now without any luck.
Maybe HTTPBasicAuth doesn't work at all with IIS?
OTRS 4.0 running on Centos 7

crythias
Moderator
Posts: 10109
Joined: 04 May 2010, 18:38
OTRS Version?: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: IIS and single sign on

Post by crythias » 30 Jan 2012, 01:54

I don't know if it works or doesn't with IIS.
The fact you got an error seems to indicate you might have been close, but I can't troubleshoot it further.

spiderpig
OTRS wizard
Posts: 198
Joined: 15 Dec 2011, 02:26
OTRS Version?: OTRS 5

Re: IIS and single sign on

Post by spiderpig » 30 Jan 2012, 01:58

OK, thank you for the time, I appreciate it.
OTRS 4.0 running on Centos 7

spiderpig
OTRS wizard
Posts: 198
Joined: 15 Dec 2011, 02:26
OTRS Version?: OTRS 5

Re: IIS and single sign on

Post by spiderpig » 31 Jan 2012, 02:42

I get the [Error][Kernel::System::CustomerUser::SetPreferences][493] No such user 'DOMAIN\user'! error, so like you say, I'm not far away.
The authentication seems to work, but I need to get rid of "domain\" in front of the username.
The replace auth line doesn't seem to do the magic :(

Any other ideas?
OTRS 4.0 running on Centos 7
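
Added example, not part of the thread and not OTRS code: the Perl below shows how a configured prefix of 'domain\\' can leave 'DOMAIN\user' untouched if the prefix is removed as a literal, case-sensitive match (an assumption about the HTTPBasicAuth module's behaviour, not confirmed on this page), next to a stricter normalizer that accepts only the expected domains before the login is looked up in LDAP. The helper names, the allowed-domain list and the sample REMOTE_USER values are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: the Replace value is removed as a literal, anchored,
# case-sensitive prefix. Hypothetical helper, not OTRS code.
sub strip_literal_prefix {
    my ( $user, $prefix ) = @_;
    $user =~ s/^\Q$prefix\E//;
    return $user;
}

# Hypothetical stricter normalizer: accept DOMAIN\user or user@realm only
# when the domain part is one we expect, compared case-insensitively.
sub normalize_remote_user {
    my ( $raw, @allowed ) = @_;
    return if !defined $raw || $raw eq '';
    my ( $domain, $user );
    if    ( $raw =~ /^([^\\\@]+)\\([^\\\@]+)$/ ) { ( $domain, $user ) = ( $1, $2 ) }
    elsif ( $raw =~ /^([^\\\@]+)\@([^\\\@]+)$/ ) { ( $user, $domain ) = ( $1, $2 ) }
    else                                         { return }   # policy: no domain part, reject
    return if !grep { lc $_ eq lc $domain } @allowed;
    # Conservative allowlist for a sAMAccountName-style login:
    # at most 20 characters, no LDAP filter metacharacters.
    return if $user !~ /^[A-Za-z0-9._-]{1,20}$/;
    return $user;
}

# Constructed sample values, as a web server might place them in REMOTE_USER.
my @samples = (
    'DOMAIN\\user', 'domain\\user', 'user@domain.local',
    'OTHER\\user',  'DOMAIN\\us*er', 'user',
);

for my $raw (@samples) {
    my $literal = strip_literal_prefix( $raw, 'domain\\' );
    my $strict  = normalize_remote_user( $raw, 'DOMAIN', 'domain.local' );
    printf "%-20s literal=%-20s strict=%s\n",
        $raw, $literal, defined $strict ? $strict : '(rejected)';
}
```

Stripping any leading domain without checking which one it is would map a same-named account from a different domain onto the local sAMAccountName, which is why the stricter variant rejects domains outside its list.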

petiserk
OTRS newbie
Posts: 3
Joined: 15 Feb 2013, 17:36
OTRS Version?: 3.2---
Real Name: Peter Jagasits
Company: Kurt Co.
Contact:

Re: IIS and single sign on

Post by petiserk » 17 Feb 2013, 15:05

Hi spiderpig

Check this: http://www.infobook.hu/Pages/en_iisotrssso.aspx

Best Regards
Peter

spiderpig
OTRS wizard
Posts: 198
Joined: 15 Dec 2011, 02:26
OTRS Version?: OTRS 5

Re: IIS and single sign on

Post by spiderpig » 28 Apr 2013, 15:13

Thanks, Peter.
OTRS 4.0 running on Centos 7

waikiki83
OTRS newbie
Posts: 28
Joined: 25 Jul 2011, 09:15
OTRS Version?: 3.0.9

Re: IIS and single sign on

Post by waikiki83 » 04 Jul 2013, 12:01

Were you able to resolve your issue?

I'm also having an issue implementing SSO with 3.2.8 with the latest installer :(

Any help is greatly appreciated.
OTRS 3.3.1 Windows Server 2008, Apache, MS SQL Server 2008
