IIS and single sign on

Moderator: crythias

spiderpig
Znuny expert
Posts: 198
Joined: 15 Dec 2011, 02:26
Znuny Version: OTRS 5

IIS and single sign on

Post by spiderpig »

Hi,

Is it possible to have single sign-on with IIS and OTRS?
I haven't seen any post here on SSO and IIS; would I use NTLM or Kerberos?
I'm always getting an error

(error in otrs.log)
[Error][Kernel::System::CustomerUser::SetPreferences][493] No such user 'DOMAIN\user'!

(the line in config.pm)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
OTRS 4.0 running on Centos 7
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: IIS and single sign on

Post by crythias »

$Self->{'AuthModule::HTTPBasicAuth::Replace'} = 'mydomain\\';
$Self->{'Customer::AuthModule::HTTPBasicAuth::Replace'} = 'example_domain\\';

Read more in Defaults.pm
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

Re: IIS and single sign on

Post by spiderpig »

Hi,
thank you for the reply.
It does not seem to work; here's my config.pm.
The AD sync works fine and I can log in AD users, but I'm trying to let autologin work with IIS.

#Enable LDAP authentication for Customers / Users
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'dc';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=local';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'sAMAccountName';

#The following is valid but would only be necessary if the
#anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'otrs';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'Otrs';

# ---------------------------------------------------- #
# OTRS Active Directory Integration Backed DB Customers #
# ---------------------------------------------------- #

$Self->{CustomerUser} = {
    Name   => 'somename',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host          => 'dc',
        BaseDN        => 'dc=domain,dc=local',
        SSCOPE        => 'sub',
        UserDN        => 'otrs',
        UserPw        => 'Otrs',
        AlwaysFilter  => '(mail=*)',
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8',
        Params        => {
            port    => 389,
            timeout => 120,
            async   => 0,
            version => 3,
        },
    },
    CustomerKey                          => 'sAMAccountName',
    CustomerID                           => 'mail',
    CustomerUserListFields               => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields             => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchListLimit          => 900,
    CustomerUserPostMasterSearchFields   => ['mail'],
    CustomerUserNameFields               => ['givenname', 'sn'],
    CustomerUserExcludePrimaryCustomerID => 0,
    AdminSetPreferences                  => 0,
    Map => [
        [ 'UserSalutation', 'Title',      'title',           1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
        [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
        [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
    ],
};

## The above is the LDAP Customer Sync module

# This is an example configuration for an apache ($ENV{REMOTE_USER})
# auth. backend. Use it if you want to have a single login through
# apache http-basic-auth
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
$Self->{'AuthModule::HTTPBasicAuth::Replace'} = 'domain\\';
$Self->{'Customer::AuthModule::HTTPBasicAuth::Replace'} = 'domain\\';
# Note:
# If you use this module, you should use the following
# config settings as fallback, if the user isn't logged in through
# apache ($ENV{REMOTE_USER})
#$Self->{CustomerPanelLoginURL} = 'http://someaddress?';
#$Self->{CustomerPanelLogoutURL} = 'http://someaddress';

Re: IIS and single sign on

Post by crythias »

Auth is for agents, CustomerAuth is for Customers.
If you have multiple authorization back ends for customers, you will need to have an index number at the end of each entry that applies to the additional back ends.
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
$Self->{'Customer::AuthModule::HTTPBasicAuth::Replace1'} = 'domain\\';

$Self->{CustomerUser} = {
...
}

$Self->{CustomerUser1} = {
...
}
CustomerUser1 should have some type of information that applies to the method of authentication. Specifically, what is passed to map the required information from httpbasicauth.

Now, if you're assuming that httpauth will gather information from the existing LDAP connection, that's fine, but you will need to be certain that the username as passed through single sign-on matches something usable in CustomerUser (or CustomerUser1).

Your previous error "No such user 'DOMAIN\user'" indicates that ldap can't find "DOMAIN\user", which is why the replace is necessary.
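Added example, not part of the thread and not OTRS code: the reply above turns on reducing whatever the web server puts in REMOTE_USER to the value used as CustomerKey (sAMAccountName in the posted config). The Perl below does that with a hypothetical helper, normalize_remote_user, comparing the domain case-insensitively and rejecting names from any other domain; the user@domain form and its first-label comparison are assumptions that go beyond the DOMAIN\user case shown in the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not an OTRS function): map the identity found in
# REMOTE_USER to the bare login that the customer backend is keyed on.
# Identities from any domain other than the expected one are rejected.
sub normalize_remote_user {
    my ( $RemoteUser, $ExpectedDomain ) = @_;
    return if !defined $RemoteUser || $RemoteUser eq '';

    my ( $Domain, $Login );
    if ( $RemoteUser =~ m{\A([^\\\@]+)\\([^\\\@]+)\z} ) {       # DOMAIN\user
        ( $Domain, $Login ) = ( $1, $2 );
    }
    elsif ( $RemoteUser =~ m{\A([^\\\@]+)\@([^\\\@]+)\z} ) {    # user@domain.local
        ( $Login, $Domain ) = ( $1, $2 );
        $Domain =~ s/\..*\z//;    # assumption: first DNS label equals the short domain name
    }
    else {
        return;                   # bare or malformed name: do not guess a domain
    }

    # Windows domain names are case-insensitive, so compare case-folded.
    # A case-sensitive prefix strip of 'domain\' leaves 'DOMAIN\user' untouched.
    return if lc $Domain ne lc $ExpectedDomain;
    return $Login;
}

# Constructed sample values, not taken from a real server.
my @Samples = ( 'DOMAIN\\user', 'domain\\User', 'user@domain.local', 'OTHER\\user', 'user' );

for my $Sample (@Samples) {
    my $Login = normalize_remote_user( $Sample, 'domain' );
    printf "%-20s => %s\n", $Sample, defined $Login ? $Login : '(rejected)';
}
```

In a single-quoted Perl string, 'domain\\' is the seven characters domain\ (one backslash), which is why the thread's Replace values end in two backslashes.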

Re: IIS and single sign on

Post by spiderpig »

I have not tried this with Apache, but I'm trying this on IIS 7 now without luck.
Maybe :HTTPBasicAuth doesn't work at all with IIS?

Re: IIS and single sign on

Post by crythias »

I don't know if it works or doesn't with IIS.
The fact you got an error seems to indicate you might have been close, but I can't troubleshoot it further.

Re: IIS and single sign on

Post by spiderpig »

OK, thank you for the time, I appreciate it.

Re: IIS and single sign on

Post by spiderpig »

I get the [Error][Kernel::System::CustomerUser::SetPreferences][493] No such user 'DOMAIN\user'! error, so like you say, I'm not far away.
The authentication seems to work, but I need to get rid of "domain\" in front of the username.
The replace auth line doesn't seem to do the magic :(

Any other ideas?
petiserk
Znuny newbie
Posts: 3
Joined: 15 Feb 2013, 17:36
Znuny Version: 3.2---
Real Name: Peter Jagasits
Company: Kurt Co.

Re: IIS and single sign on

Post by petiserk »

Hi spiderpig

Check this: http://www.infobook.hu/Pages/en_iisotrssso.aspx

Best Regards
Peter

Re: IIS and single sign on

Post by spiderpig »

Thanks, Peter.
waikiki83
Znuny newbie
Posts: 28
Joined: 25 Jul 2011, 09:15
Znuny Version: 3.0.9

Re: IIS and single sign on

Post by waikiki83 »

Were you able to resolve your issue?

I'm also having an issue implementing SSO with 3.2.8 with the latest installer :(

Any help is greatly appreciated.
OTRS 3.3.1 Windows Server 2008, Apache, MS SQL Server 2008