Problem with Windows Pass-Through Security

I am trying to setup Windows Pass-Through Security and it seems to be working fine but there are few issue that I want to resolve before I put that in production.

1) Whenever I go to webpage http://servername it pops up a window for authentication whereas I was looking for default login page of NPM because it has some custom messages on the login screen.

2) On the authentication pop up window, I type my domainname/username with domain password and it authenticates and takes me to the first page. When I click logout it takes me back to login page. So far it is looking good but problem is that I cannot use this page for Windows authentication ... It fails ... However, if I type http://servername in the URL address bar again and press return it takes me to the first page without prompting for username and password. Remember, I had logged out before ... The only way to solve this is to close and open the browser again.

3) In the previous step, when I logged out and got the login page, I can login with my domainname/username and password set during the account creation in solarwinds NPM.

I am not a windows authentication expert therefore i might be completely wrong but it looks like there are several security issues here. So my question are ...

1) Is it possible to use default login page for domain authentication rather than popup ?

2) How to prevent automatic login even after the user has logged out before ?

3) How to prevent people from using local domainname/username and password combination configured during the initial step of creating username in Admin section of NPM ?

Thanks

Avnish

Find more posts tagged with

web_console

passthrough_authentication

Accepted answers

jkeller

To correct this issue if you are on Windows 2008 using IIS 7 is to go into IIS and highlight the NPM website. Click on Authentication. If Forms Authentication is enabled with Windows Authentication, this is the issue. You will also see an error on the right top side of the IIS window stating you can not have both of these types of authentication enabled at the same time. Disable Forms Authentication and this should fix the issue.

All comments

avnishb

Any suggestions !!! Don't we have lot of people using windows authentication for their solarwinds

FormerMember

1) Are you using Firefox or IE? With Firefox you have to go to the about:config url and add your http://servername to the network.automatic-ntlm-auth.trusted-uris

If configured properly, it shouldn't pop up anything, it should just log you in directly to the home page. With pass-through authentication, I'm not sure if it's possible to change it go to the default login screen, for us it always authenticates in the background and goes straight to the homepage.

2) When you created your user accounts to be used with pass-through authentication, did you go back and clear out the passwords in orion? For me, if I try to put my domain account password into the main login screen it will not login, because in Orion my user account password is blank.

I'm not an expert with any of this, I can just tell you how ours is setup and works.

avnishb

We are using IE 7 or 8 depending on the user and I want to use the default login page for authentication because our management won't accept automatic logins. Secondly, I did remove the passwords from the username and it lets me log in without password now.

Thanks for the response ..

FormerMember

Somebody please correct me if I'm wrong, but I believe pass through authentication is automatic once you configure it. From what I read in the documentation it didn't really seem to give you the option of not automatically passing through your credentials.

If you don't clear the passwords in orion, you must set them up to match the domain/local account credentials.

AlbanyNYMike

Is the TC confusing WPTA vs. AD Integration?

I have WPTA setup and it is working just as advertised. Users no longer need to 'login', as long as they are at a PC that they have logged into with Domain accounts.
Users click on Orion quick links, and they are brought to thier home pages logged into Orion as Domain\user.

Why create WPTA if you still want users to log in using a ID / PW?

Kind of defeats the purpose.

jkeller