SolarWinds Authentication with Common DoD Smart Card and Common Access Card (CAC) Product Support

Smart Card Support. This is sometimes also referred to as PIV, PKI, or CAC, as well as some USB keys like YubiKey.

Current SolarWinds support documentation for smart cards:

As of 24 June 2020

SolarWinds Orion Product Family.

Smart Card Authentication SolarWinds Orion Platform

Orion Modules Include:

  • Network Performance Monitor
  • NetFlow Traffic Analyzer
  • Network Configuration Manager
  • User Device Tracker
  • Server & Application Manager
  • Server Configuration Monitor
  • Web Performance Monitor
  • VoIP & Network Quality Monitor
  • IP Address Manager
  • Storage Resource Manager
  • Virtualization Manager
  • Database Performance Analyzer (Orion Module Only)

DameWare: Smart Card supported since version 5.5; Multiple Certificate Support in v9+

Remote Smart Card Authentication and Interactive Smart Card Login using DameWare Development software

Web Help Desk:

This is the latest configuration documentation for Smart Card (CAC) authentication with WHD v12.2

SolarWinds Knowledge Base :: Configuring Web Help Desk 12.2 for Common Access Card (CAC) Systems

 

Security Event Manager has not been tested with Smart Card Authentication.

  • After several failed attempts with SSO sources, attempts to reconfigure WHD to use IIS, and other methods of integrated logon, here is the post that I used for the bulk of the configuration information which got us working:

    http://forums.webhelpdesk.com/forums/comments.php?DiscussionID=138

    Update for WebHelpDesk and Single Sign On Functionality.

    Please note that it was originally attempted to use Apache 2.4 x64 to accomplish the steps in the article but to no avail.  Instead we used a preconfigured x86 version of Apache 2.2.25 from Apache Haus and modified as necessary.  Specific changes include downloading and installing the third-party MOD_AUTH_SSPI module and enabling some built-in modules such as MOD_HEADERS, MOD_PROXY, and MOD_PROXY_AJP.

    What is basically occurring right now is we are using Apache on port 80 to get the "REMOTE_USER" header to determine the logged-in client, therefore authenticating them and negating the need for a user-inputted password.  This header is passed to Tomcat and WHD running on port 8081. I switched WHD's authentication method in its settings to authenticate users using headers and established an LDAP connection as a source for our clients list.  Users in the specific Active Directory OU are now automatically logged in (based on their user name matching up to the REMOTE_USER header) when they go to the URL we provide them.

    In addition to the steps in the article, the whd.conf file had to be altered to enable URL_DEFAULT_PORT=80.  This corrected an issue where links to FAQ articles and links in automated e-mails sent by WHD would not resolve.

    So far we have only noticed a few limitations:

    1) The browser must support passing the logged-in user's username.

         For Internet Explorer, you may need to have it send username and password credentials on the page.

         Firefox needs some configuration change: SolarWinds Knowledge Base :: How to configure Firefox to accept Active Directory credentials when logging in to the Web Console

    2) The SolarWinds Integration tab inside WHD setup now causes a 404 error to be displayed when clicked.

  • If the SolarWinds administrator has himself authenticated via CAC/AD integration, what is the best way for him to add new users to NPM via the web?  The dialog boxes allow for his domain username and a password.

    I ended up using an existing AD service account and its password in lieu of my username/CAC PIN as there is no way to query the domain for the desired user's name any other way (that I am aware of).

    Is there something I am missing?  Might this be a feature request?
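
The trust boundary in the header-based setup described in the first comment above (Apache on port 80 asserting REMOTE_USER to Tomcat/WHD on port 8081), modelled in Python as an added example; it is not code from the original posts, SolarWinds, or WHD. The function names, the loopback-only proxy list, and the domain-stripping rule are assumptions made for illustration.

```python
import ipaddress

# Assumption: the front-end web server runs on the same host as the app
# server, so only loopback peers may assert an identity.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]
IDENTITY_HEADER = "REMOTE_USER"


def _canon(name):
    """Fold case and '-'/'_' so REMOTE_USER, Remote-User, remote_user match."""
    return name.replace("-", "_").upper()


def proxy_forward_headers(client_headers, authenticated_user):
    """Front-end side: drop every client-supplied variant of the identity
    header, then set it only from the identity the web server verified."""
    out = {k: v for k, v in client_headers.items()
           if _canon(k) != IDENTITY_HEADER}
    if authenticated_user:
        out[IDENTITY_HEADER] = authenticated_user
    return out


def backend_identity(peer_ip, headers):
    """Back-end side: return the bare account name to auto-login, or None
    when the header must not be trusted."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None  # request reached the app port directly: client-controlled
    values = [v for k, v in headers.items() if _canon(k) == IDENTITY_HEADER]
    if len(values) != 1 or not values[0].strip():
        return None  # missing or ambiguous identity
    user = values[0].strip()
    # Integrated logons may arrive as DOMAIN\user or user@realm; reduce to
    # the bare account name so it can match the directory entry.
    user = user.rsplit("\\", 1)[-1].split("@", 1)[0]
    return user.lower() or None


# Constructed sample: a client that sends its own Remote-User header.
client = {"Host": "helpdesk.example", "Remote-User": "administrator"}
forwarded = proxy_forward_headers(client, "EXAMPLE\\jsmith")
print(backend_identity("127.0.0.1", forwarded))                        # via proxy
print(backend_identity("10.0.0.5", {"REMOTE_USER": "administrator"}))  # direct
```

The same two conditions apply to the real deployment: the application port should accept connections only from the front-end, and the front-end should overwrite, not append to, any identity header a client supplies.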
