IIS and single sign on
Moderator: crythias
IIS and single sign on
Hi,
Is it possible to have single sign-on with IIS and OTRS?
I haven't seen any posts here on SSO and IIS. Would I use NTLM or Kerberos?
I'm always getting an error
(error in otrs.log)
    [Error][Kernel::System::CustomerUser::SetPreferences][493] No such user 'DOMAIN\user'!
(the line in config.pm)
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
OTRS 4.0 running on Centos 7
-
- Moderator
- Posts: 10169
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: IIS and single sign on
    $Self->{'AuthModule::HTTPBasicAuth::Replace'} = 'mydomain\\';
    $Self->{'Customer::AuthModule::HTTPBasicAuth::Replace'} = 'example_domain\\';
Read more in Defaults.pm
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Re: IIS and single sign on
Hi,
Thank you for the reply.
It does not seem to work; here's my config.pm.
The AD sync works fine and I can log in AD users, but I'm trying to let autologin work with IIS.
    # Enable LDAP authentication for Customers / Users
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'dc';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=local';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'sAMAccountName';
    # The following is valid but would only be necessary if the
    # anonymous user does NOT have permission to read from the LDAP tree
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'otrs';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'Otrs';
    # ---------------------------------------------------- #
    # OTRS Active Directory Integration Backed DB Customers #
    # ---------------------------------------------------- #
    $Self->{CustomerUser} = {
        Name => 'somename',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host => 'dc',
            BaseDN => 'dc=domain,dc=local',
            SSCOPE => 'sub',
            UserDN => 'otrs',
            UserPw => 'Otrs',
            AlwaysFilter => '(mail=*)',
            SourceCharset => 'utf-8',
            DestCharset => 'utf-8',
            Params => {
                port => 389,
                timeout => 120,
                async => 0,
                version => 3,
            },
        },
        CustomerKey => 'sAMAccountName',
        CustomerID => 'mail',
        CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchListLimit => 900,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        CustomerUserExcludePrimaryCustomerID => 0,
        AdminSetPreferences => 0,
        Map => [
            [ 'UserSalutation', 'Title', 'title', 1, 0, 'var', '', 0 ],
            [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
            [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
            [ 'UserLogin', 'Username', 'sAMAccountName', 1, 1, 'var', '', 0 ],
            [ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],
            [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
            [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
            [ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
        ],
    };
    ## The above is the LDAP Customer Sync module
    # This is an example configuration for an apache ($ENV{REMOTE_USER})
    # auth. backend. Use it if you want to have a single login through
    # apache http-basic-auth
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
    $Self->{'AuthModule::HTTPBasicAuth::Replace'} = 'domain\\';
    $Self->{'Customer::AuthModule::HTTPBasicAuth::Replace'} = 'domain\\';
    # Note:
    # If you use this module, you should use the following
    # config settings as fallback, if the user isn't logged in through
    # apache ($ENV{REMOTE_USER})
    #$Self->{CustomerPanelLoginURL} = 'http://someaddress?';
    #$Self->{CustomerPanelLogoutURL} = 'http://someaddress';
OTRS 4.0 running on Centos 7
Re: IIS and single sign on
Auth is for agents, CustomerAuth is for Customers.
If you have multiple authorization back ends for customers, you will need to have an index number at the end of each entry that applies to the additional back ends.
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
    $Self->{'Customer::AuthModule::HTTPBasicAuth::Replace1'} = 'domain\\';
    $Self->{CustomerUser} = {
        ...
    };
    $Self->{CustomerUser1} = {
        ...
    };
CustomerUser1 should have some type of information that applies to the method of authentication. Specifically, what is passed to map the required information from httpbasicauth.
Now, if you're assuming that httpauth will gather information from the existing LDAP connection, that's fine, but you will need to be certain that the username as passed through single sign on matches something usable in CustomerUser (or CustomerUser1).
Your previous error "No such user 'DOMAIN\user'" indicates that LDAP can't find "DOMAIN\user", which is why the replace is necessary.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
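The login normalization that the Replace setting is meant to perform, as an added example that is not part of the original thread and is not OTRS code. It assumes Replace is stripped as a literal, case-sensitive prefix (verify this against Kernel::System::CustomerAuth::HTTPBasicAuth in your version); `strip_literal`, `normalize_login` and all sample values are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not OTRS code: models turning REMOTE_USER into a login
# that can be looked up by sAMAccountName.
use strict;
use warnings;

# Assumption: the configured Replace value is stripped as a literal,
# case-sensitive prefix.
sub strip_literal {
    my ( $user, $replace ) = @_;
    $user =~ s/^\Q$replace\E//;
    return $user;
}

# Hypothetical stricter helper: accept only the expected domain in either
# notation (any case) and return undef otherwise, so the caller can refuse
# the login instead of looking up an unexpected name.
sub normalize_login {
    my ( $user, $netbios, $dns ) = @_;
    return undef if !defined $user || $user eq '';
    if    ( $user =~ /^\Q$netbios\E\\(.+)$/i )   { $user = $1 }    # DOMAIN\user
    elsif ( $user =~ /^([^\\\@]+)\@\Q$dns\E$/i ) { $user = $1 }    # user@domain.local
    elsif ( $user =~ /[\\\@]/ )                  { return undef }  # some other domain
    # Constructed allow-list; also keeps LDAP filter metacharacters out.
    return $user =~ /^[A-Za-z0-9._-]{1,20}$/ ? $user : undef;
}

# Constructed sample values, as a web server might set REMOTE_USER.
my @samples = (
    'DOMAIN\user', 'domain\user', 'user@domain.local',
    'user', 'OTHER\user', 'domain\us*er',
);

for my $remote_user (@samples) {
    my $literal = strip_literal( $remote_user, 'domain\\' );
    my $strict  = normalize_login( $remote_user, 'DOMAIN', 'domain.local' );
    printf "%-18s literal=%-18s strict=%s\n",
        $remote_user, $literal, $strict // '(rejected)';
}
```

If the first row reproduces the name shown in otrs.log, compare the case of the configured Replace value with what the web server actually sends in REMOTE_USER.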
Re: IIS and single sign on
I have not tried this with Apache, but I'm trying this on IIS 7 now without luck.
Maybe :HTTPBasicAuth doesn't work at all with IIS?
OTRS 4.0 running on Centos 7
Re: IIS and single sign on
I don't know if it works or doesn't with IIS.
The fact you got an error seems to indicate you might have been close, but I can't troubleshoot it further.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Re: IIS and single sign on
OK, thank you for the time, I appreciate it.
OTRS 4.0 running on Centos 7
Re: IIS and single sign on
I get the [Error][Kernel::System::CustomerUser::SetPreferences][493] No such user 'DOMAIN\user'! error, so like you say, I'm not far away.
The authentication seems to work, but I need to get rid of "domain\" in front of the username.
The replace auth line doesn't seem to do the magic.
Any other ideas?
OTRS 4.0 running on Centos 7
Re: IIS and single sign on
Were you able to resolve your issue?
I'm also having issues implementing SSO with 3.2.8 with the latest installer.
Any help is greatly appreciated.
OTRS 3.3.1 Windows Server 2008, Apache, MS SQL Server 2008