
We're currently implementing EOC for the first time in addition to a second Orion poller. The new Orion poller is in our DMZ domain and the EOC server is in our internal network. We have allowed port 17777, per the documentation, on our firewall between the two servers. I'm not having any issue accessing the DMZ Orion server via EOC, but we're unable to view any Node Details. Getting error "403 Forbidden" when I select an individual node. Could this be a problem with the credentials? The AD authentication that we're using in the internal network is totally separate from the AD authentication that takes place on our DMZ server. What can we do to resolve this?
Hi DirtySouth,
Before testing EOC drilldown to Orion, I would try to connect to Orion directly from the machine you will be using for the EOC web console. Are you able to get there with some credentials?
EOC drilldown to Orion uses the credentials that are set for Orion under Manage Account (unless you are using AD credentials; these are not passed anywhere for security reasons, but you can configure Windows NTLM to log you in automatically in the intranet).
If you are able to log in to Orion without EOC, I would try to set these credentials under Manage Account.
Usually, when there is some credentials problem with Orion, you should get the Login form back with some message like Login failure, so the 403: Unauthorised looks like an environmental problem, and I would start by checking whether you are really able to reach the Orion server directly without EOC, first from the client machine that opens the EOC console and then from the EOC server, which does the redirection to Orion.
My DMZ Orion box is in a separate domain with its own Active Directory and uses pass-through authentication. My EOC server is in our internal domain with a separate Active Directory and uses pass-through authentication. Since users are being authenticated against two separate ADs, will they ever be able to be tied together?
Also, I cannot test access to the DMZ Orion server from the EOC server because they are separated by a firewall and HTTPS is not allowed.
Hi,
You can set up Orion Accounts instead of AD accounts to access the Orion Server detail, and drilldown (clicking on node detail) will then use the Orion Account to authenticate you in Orion. This should solve the cross-domain authentication scenario. For example, you can try to set up the Orion Admin account under your Manage Accounts for the Orion.
Are you able to access the Orion server without EOC using an Orion account, or is it also blocked by the fw?
If I understand your question correctly, I cannot browse to the DMZ Orion web interface from the EOC server due to the firewall. We are only allowing port 1777.
As far as the IDs go, how do you tie the DMZ pass-through authentication to a local account? If EOC users are accessing the EOC web interface using pass-through authentication, how does that get tied to a specific local account?
Hi again, yes, it is not possible to click through from EOC to Orion if you don't allow HTTP/S traffic over there.
This is where I would start: I would allow some HTTP/S traffic to Orion to see if you are able to reach the Orion site properly.
I am maybe not getting the second part of your post clearly. You can set up an EOC account to be authenticated to Orion using one of these:
- Orion Accounts (best for cross domain and credentials are passed to the Orion)
- Using local computer account or member of local group that you added to Orion
- Using AD account, or member of an AD group that you added to Orion
The last two possibilities do not pass the credentials directly, so you need to configure intranet settings to take advantage of NTLM authentication, but this also requires some level of trust between the domains.
When you choose Orion Accounts, credentials are passed as part of the HTTP request. This is why this mode should take advantage of HTTPS to secure the channel.
All the credentials under which a user is authenticated to Orion can be adjusted on the EOC Settings page, when you click Manage Account.
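A connectivity pre-check matching the advice in this thread, as an added example that is not part of the thread or of SolarWinds' software: it probes 17777 (the port named above) together with the assumed Orion web-console ports 443 and 80 and reports what each result means for EOC drilldown. The host name and the web ports are assumptions; the `connect` parameter is injectable so the logic can be exercised without a network.

```python
"""Pre-check for EOC -> Orion drilldown connectivity (added example).

Port 17777 lets EOC poll the Orion server, but clicking through to node
details redirects the browser to the Orion web console, so HTTP/S must
also be reachable. With Orion Accounts the credentials travel in the HTTP
request, which is why HTTPS is the port that really matters.
"""
import socket

ORION_API_PORT = 17777                    # port named in the thread
HTTP_PORTS = {"HTTPS": 443, "HTTP": 80}   # assumed Orion web-console ports


def tcp_connect(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_drilldown_prereqs(host, connect=tcp_connect):
    """Probe the ports EOC needs; return (reachable dict, list of findings)."""
    reachable = {"17777": connect(host, ORION_API_PORT)}
    for name, port in HTTP_PORTS.items():
        reachable[name] = connect(host, port)

    findings = []
    if not reachable["17777"]:
        findings.append("17777 blocked: EOC cannot poll this Orion server at all")
    if not (reachable["HTTPS"] or reachable["HTTP"]):
        findings.append("no HTTP/S path: drilldown (node details) will fail "
                        "even though EOC polling works")
    elif not reachable["HTTPS"]:
        findings.append("only HTTP open: Orion-account credentials travel in "
                        "the HTTP request, so allow 443 and use HTTPS")
    if not findings:
        findings.append("17777 and HTTPS reachable: drilldown prerequisites met")
    return reachable, findings


if __name__ == "__main__":
    import sys
    # Placeholder host name; pass the DMZ Orion server as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "orion.dmz.example"
    ports, notes = check_drilldown_prereqs(target)
    print(ports)
    for note in notes:
        print("-", note)
```

Run it once from the EOC server and once from a client workstation, since the redirect to Orion happens in the user's browser, not on the EOC server.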