9 Replies Latest reply on Aug 27, 2010 3:56 PM by jkeller

    Problem with Windows Pass-Through Security


      I am trying to set up Windows Pass-Through Security and it seems to be working fine, but there are a few issues that I want to resolve before I put that in production.

      1) Whenever I go to the webpage http://servername it pops up a window for authentication, whereas I was looking for the default login page of NPM because it has some custom messages on the login screen.

      2) On the authentication pop up window, I type my domainname/username with domain password and it authenticates and takes me to the first page. When I click logout it takes me back to login page. So far it is looking good but problem is that I cannot use this page for Windows authentication ... It fails ... However, if I type http://servername in the URL address bar again and press return it takes me to the first page without prompting for username and password. Remember, I had logged out before ... The only way to solve this is to close and open the browser again.

      3) In the previous step, when I logged out and got the login page, I can log in with my domainname/username and the password set during the account creation in SolarWinds NPM.

      I am not a Windows authentication expert, therefore I might be completely wrong, but it looks like there are several security issues here. So my questions are ...

      1) Is it possible to use the default login page for domain authentication rather than the popup?

      2) How to prevent automatic login even after the user has logged out before?

      3) How to prevent people from using the local domainname/username and password combination configured during the initial step of creating the username in the Admin section of NPM?



        • Re: Problem with Windows Pass-Through Security

          Any suggestions !!! Don't we have a lot of people using Windows authentication for their SolarWinds :(

          • Re: Problem with Windows Pass-Through Security

            1) Are you using Firefox or IE? With Firefox you have to go to the about:config url and add your http://servername to the network.automatic-ntlm-auth.trusted-uris

            If configured properly, it shouldn't pop up anything, it should just log you in directly to the home page. With pass-through authentication, I'm not sure if it's possible to change it to go to the default login screen; for us it always authenticates in the background and goes straight to the homepage.


            2) When you created your user accounts to be used with pass-through authentication, did you go back and clear out the passwords in Orion? For me, if I try to put my domain account password into the main login screen it will not log in, because in Orion my user account password is blank.


            I'm not an expert with any of this, I can just tell you how ours is set up and works.

              • Re: Problem with Windows Pass-Through Security

                We are using IE 7 or 8 depending on the user and I want to use the default login page for authentication because our management won't accept automatic logins. Secondly, I did remove the passwords from the username and it lets me log in without password now.

                Thanks for the response ..

                  • Re: Problem with Windows Pass-Through Security

                    Somebody please correct me if I'm wrong, but I believe pass through authentication is automatic once you configure it. From what I read in the documentation it didn't really seem to give you the option of not automatically passing through your credentials.

                    If you don't clear the passwords in Orion, you must set them up to match the domain/local account credentials.

                      • Re: Problem with Windows Pass-Through Security

                        Is the TC confusing WPTA vs. AD Integration?

                        I have WPTA set up and it is working just as advertised. Users no longer need to 'login', as long as they are at a PC that they have logged into with Domain accounts.
                        Users click on Orion quick links, and they are brought to their home pages logged into Orion as Domain\user.

                        Why create WPTA if you still want users to log in using an ID / PW?

                        Kind of defeats the purpose.

                          • Re: Problem with Windows Pass-Through Security

                            You are right .. I was confused with AD integration. Is that possible? I wanted to use AD accounts on the login page.

                            Regarding WPTA, it is working as advertised right now. I was getting popups because I was not logged into the domain on the PC. However, as stated earlier, I am able to log in again from the login page after logging out, using the password (or no password) set during the initial stage of creating the account on the SolarWinds admin page. Is it the normal behavior?

                              • Re: Problem with Windows Pass-Through Security

                                AD integration is not supported in Orion. The behavior you described sounds normal for WPTA.

                                Here are my experiences with WPTA:

                                I set up accounts in the DOMAIN/User format with dummy passwords.

                                If you want anyone in the domain to be able to use WPTA you can create a DOMAIN/Everyone account, if one exists in your AD environment.

                                After these accounts are created, a domain user who logs into their PC can then access Orion directly and not have to bother to "log in".

                                Once inside Orion, they should see in the upper right hand, who they are logged in as.

                                WPTA is not the most secure. For instance, if I click on log out, I get directed to a login page.
                                At the login page, I can type in someone else's DOMAIN/username and enter the dummy password I created, and I am then logged in as Domain/username.
                                This is nothing like AD integration, in which you can point a login to an AD server, and use AD user names and PWs.

                                All WPTA does is remove the login portion of Orion.

                      • Re: Problem with Windows Pass-Through Security

                        To correct this issue, if you are on Windows 2008 using IIS 7, go into IIS and highlight the NPM website. Click on Authentication. If Forms Authentication is enabled with Windows Authentication, this is the issue. You will also see an error on the right top side of the IIS window stating you cannot have both of these types of authentication enabled at the same time. Disable Forms Authentication and this should fix the issue.
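
The condition described in the last reply (Forms Authentication and Windows Authentication both enabled on the NPM site) can also be checked offline from copies of the IIS configuration files. This is an added example, not part of the original thread or of any SolarWinds or IIS tooling; the site name `ExampleNPMSite`, the sample XML and the simplified three-level precedence are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; "ExampleNPMSite" is a hypothetical site name.
APP_HOST = """<configuration>
  <system.webServer><security><authentication>
    <windowsAuthentication enabled="false" />
  </authentication></security></system.webServer>
  <location path="ExampleNPMSite">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

WEB_CONFIG = """<configuration>
  <system.web><authentication mode="Forms" /></system.web>
</configuration>"""

WIN = "system.webServer/security/authentication/windowsAuthentication"
ASPNET = "system.web/authentication"


def effective_auth(app_host_xml, web_config_xml, site):
    """Return (windows_enabled, forms_enabled) for one site.

    Assumed precedence: server-wide, then <location>, then web.config.
    """
    host = ET.fromstring(app_host_xml)
    web = ET.fromstring(web_config_xml)
    location = next((loc for loc in host.findall("location")
                     if loc.get("path", "").lower() == site.lower()), None)
    windows, mode = False, "Windows"  # defaults when nothing is set
    for scope in (host, location, web):  # later scopes override earlier ones
        if scope is None:
            continue
        win = scope.find(WIN)
        if win is not None and win.get("enabled") is not None:
            windows = win.get("enabled").lower() == "true"
        auth = scope.find(ASPNET)
        if auth is not None and auth.get("mode"):
            mode = auth.get("mode")
    return windows, mode.lower() == "forms"


def has_auth_conflict(app_host_xml, web_config_xml, site):
    """True when Windows auth and Forms auth are both enabled for the site."""
    windows, forms = effective_auth(app_host_xml, web_config_xml, site)
    return windows and forms
```

On a real server the inputs would be the contents of `applicationHost.config` and the site's `web.config`; settings inherited from other levels are not modelled here.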