24 Replies Latest reply on Jan 17, 2014 2:53 PM by carleyc

    Single signon options

    damien.solodow

      We're currently running webhelpdesk 11.2.1 in a limited trial and would like to see about having single signon enabled for our users to access the application.

      Our users authenticate using Active Directory, and we have Web Help Desk configured to use it for authentication.

      From what I'm seeing, ADFS is the route we'd need to take, but we don't currently have it implemented in our environment. It looks like quite a bit of overhead for login.

        • Re: Single signon options
          jazzyolaa

          Would like to see another option other than using ADFS myself.

            • Re: Single signon options
              damien.solodow

              We were able to get single-signon working using HTTP Headers and Apache.

              This required Apache and WebHelpDesk on Windows.

              I used the info here: Help Desk Software Forums by Web Help Desk - Single Sign On Setup

                • Re: Single signon options
                  carleyc

                  I'm trying to get this working but having some trouble. Would you be willing to share your config so I can compare it to mine?

                  I'm getting:

                  Service Temporarily Unavailable

                  The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

                  Apache log:

                  [Tue Jan 14 15:29:39 2014] [error] ajp_check_msg_header() got bad signature 4854

                  [Tue Jan 14 15:29:39 2014] [error] ajp_ilink_receive() received bad header

                  [Tue Jan 14 15:29:39 2014] [error] ajp_read_header: ajp_ilink_receive failed

                  [Tue Jan 14 15:29:39 2014] [error] (120007)APR does not understand this error code: proxy: read response failed from (null) (localhost)

                    • Re: Single signon options
                      damien.solodow

                      Sure.

                      In httpd.conf, here's what I added after the various module enables:

                      <Location /helpdesk>
                          AuthName "Helpdesk"
                          AuthType SSPI
                          NTLMAuth On
                          NTLMAuthoritative On
                          NTLMOfferBasic On
                          NTLMDomain DOMAINNAME
                          NTLMOmitDomain On
                          <RequireAll>
                              <RequireAny>
                                  Require valid-user
                              </RequireAny>
                              <RequireNone>
                                  Require user "ANONYMOUS LOGON"
                              </RequireNone>
                          </RequireAll>

                          ## returns domain\name
                          RewriteEngine On
                          RewriteCond %{LA-U:REMOTE_USER} (.+)
                          RewriteRule . - [E=RU:%1]
                          RequestHeader set REMOTE_USER %{RU}e

                          ProxyPass ajp://localhost:8009/helpdesk
                          ProxyPassReverse ajp://localhost:8009/
                      </Location>

                      <Location /whd-web>
                          ProxyPass ajp://localhost:8009/whd-web
                          ProxyPassReverse ajp://localhost:8009/
                      </Location>

                        • Re: Single signon options
                          carleyc

                          Didn't you have to edit config files such as whd.conf or the XML files in C:\Program Files\WebHelpDesk\conf?

                            • Re: Single signon options
                              damien.solodow

                              I don't recall editing anything in the WebHelpDesk\conf folder, and for whd.conf it was just adjusting some of the memory settings for performance.

                              Here's what I changed in httpd.conf (aside from adding the section I sent before):

                              Set these variables:
                              ServerRoot
                              ServerName

                              Uncommented these modules:
                              LoadModule headers_module modules/mod_headers.so
                              LoadModule proxy_module modules/mod_proxy.so
                              LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
                              LoadModule ldap_module modules/mod_ldap.so
                              LoadModule auth_ntlm_module modules/mod_authn_ntlm.so
                              LoadModule remoteip_module modules/mod_remoteip.so
                              LoadModule rewrite_module modules/mod_rewrite.so

                                • Re: Single signon options
                                  carleyc

                                  Thanks so much for your help.

                                  I'm using this version of Apache, httpd-2.2.25-win32-x86-openssl-0.9.8y, which won't start now:

                                  C:\Program Files (x86)\Apache Software Foundation\Apache2.2\bin>httpd.exe

                                  Syntax error on line 503 of C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/httpd.conf: Invalid command 'NTLMAuth', perhaps misspelled or defined by a module not included in the server configuration

                                  I have downloaded mod_auth_sspi, but I don't have the remoteip or mod_authn_ntlm modules. Do you know where I can download compiled binaries for these?

                                  Thanks

                                    • Re: Single signon options
                                      damien.solodow

                                      I'm using Apache 2.4 from Apache Haus and they have the module on their page: http://www.apachehaus.com/cgi-bin/download.plx

                                      I'm not sure on the module for 2.2.

                                        • Re: Single signon options
                                          carleyc

                                          OK, this makes sense. It's running now but still can't SSO. What are your settings in the WHD "Authentication Settings" page? Please and thanks.

                                          HTTP Header and REMOTE_USER

                                          I'm getting this error now; if you have any other ideas, let me know.

                                          [Wed Jan 15 10:51:16.040232 2014] [auth_ntlm:error] [pid 2664:tid 1104] (OS 1326)Logon failure: unknown user name or bad password.  : [client 172.21.9.247:61940] authentication failure for "/helpdesk/": user unknown

                                            • Re: Single signon options
                                              damien.solodow

                                              Authentication method: HTTP Header

                                              Username parameter: REMOTE_USER

                                              Do you have an AD/LDAP connection created for your domain under Clients > AD/LDAP Connections?

                                                • Re: Single signon options
                                                  carleyc

                                                  Yes we do, and LDAP authentication works OK. I am also trying SSO as an existing account in WHD just in case.

                                                    • Re: Single signon options
                                                      damien.solodow

                                                      Ok.

                                                      In httpd.conf, NTLMDomain needs to be the NetBIOS domain name not the DNS name.

                                                        • Re: Single signon options
                                                          carleyc

                                                          Yes, it is NetBIOS, not FQDN.

                                                          I put debug logging on Apache and see this:

                                                          [Wed Jan 15 13:49:45.287225 2014] [authz_user:debug] [pid 284:tid 1108] mod_authz_user.c(65): [client 172.21.144.126:19029] AH01663: access to /helpdesk/proxy:ajp://localhost:8009/helpdesk/proxy:ajp://localhost:8009/helpdesk/ failed, reason: user 'carleyc' does not meet 'require'ments for user to be allowed access

                                                            • Re: Single signon options
                                                              damien.solodow

                                                              And user 'carleyc' can log in to helpdesk directly with that username? That is, without adding a domain name, etc.?

                                                                • Re: Single signon options
                                                                  carleyc

                                                                  Yes, with password of course.

                                                                  WHD authentication logs don't seem to have much info even set to TRACE.

                                                                    • Re: Single signon options
                                                                      carleyc

                                                                      I think it has something to do with this, maybe the rewrite rule:

                                                                      [Wed Jan 15 14:17:12.386225 2014] [core:error] [pid 736:tid 1152] [client 172.21.144.126:19491] AH00125: Request exceeded the limit of 10 subrequest nesting levels due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.

                                                                      I copied your config though, so it's strange it won't work for me.

                                                                      <Location /helpdesk>
                                                                          AuthName "Helpdesk"
                                                                          AuthType SSPI
                                                                          NTLMAuth On
                                                                          NTLMAuthoritative On
                                                                          NTLMOfferBasic On
                                                                          NTLMDomain ONTARIOSHORES
                                                                          NTLMOmitDomain On
                                                                          <RequireAll>
                                                                              <RequireAny>
                                                                                  Require valid-user
                                                                              </RequireAny>
                                                                              <RequireNone>
                                                                                  Require user "ANONYMOUS LOGON"
                                                                              </RequireNone>
                                                                          </RequireAll>

                                                                          ## returns domain\name
                                                                          RewriteEngine On
                                                                          RewriteCond %{LA-U:REMOTE_USER} (.+)
                                                                          RewriteRule . - [E=RU:%1]
                                                                          RequestHeader set REMOTE_USER %{RU}e

                                                                          ProxyPass ajp://localhost:8009/helpdesk
                                                                          ProxyPassReverse ajp://localhost:8009/
                                                                      </Location>

                                                                      <Location /whd-web>
                                                                          ProxyPass ajp://localhost:8009/whd-web
                                                                          ProxyPassReverse ajp://localhost:8009/
                                                                      </Location>

                                                                        • Re: Single signon options
                                                                          damien.solodow

                                                                          Hmm. The only thing I see different is some indentation/whitespace, which shouldn't matter.

                                                                          Are you still running the 2.2.x Apache version or did you apply the 2.4?

                                                                          Any .htaccess files in the Apache path?

                                                                            • Re: Single signon options
                                                                              carleyc

                                                                              I'm using httpd-2.4.7-x64.

                                                                              No .htaccess files.

                                                                              This seems like it's stuck in an endless loop:

                                                                              [Thu Jan 16 08:16:46.531152 2014] [authz_user:debug] [pid 736:tid 1156] mod_authz_user.c(65): [client 172.21.144.126:1659] AH01663: access to /helpdesk/proxy:ajp://localhost:8009/helpdesk/proxy:ajp://localhost:8009/helpdesk/proxy:ajp://localhost:8009/helpdesk/proxy:ajp://localhost:8009/helpdesk/proxy:ajp://localhost:8009/helpdesk/proxy:ajp://localhost:8009/helpdesk/proxy:ajp://localhost:8009/helpdesk/proxy:ajp://localhost:8009/helpdesk/proxy:ajp://localhost:8009/helpdesk/proxy:ajp://localhost:8009/helpdesk/ failed, reason: user 'carleyc' does not meet 'require'ments for user to be allowed access

                                                                              [Thu Jan 16 08:16:46.531152 2014] [authz_core:debug] [pid 736:tid 1156] mod_authz_core.c(799): [client 172.21.144.126:1659] AH01626: authorization result of Require not user "ANONYMOUS LOGON": neutral

                                                                              [Thu Jan 16 08:16:46.531152 2014] [authz_core:debug] [pid 736:tid 1156] mod_authz_core.c(799): [client 172.21.144.126:1659] AH01626: authorization result of <RequireAll>: granted

                                                                              [Thu Jan 16 08:16:46.531152 2014] [authz_core:debug] [pid 736:tid 1156] mod_authz_core.c(799): [client 172.21.144.126:1659] AH01626: authorization result of <RequireAny>: granted

                                                                              [Thu Jan 16 08:16:46.531152 2014] [core:error] [pid 736:tid 1156] [client 172.21.144.126:1659] AH00125: Request exceeded the limit of 10 subrequest nesting levels due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.

                                                                              [Thu Jan 16 08:16:46.531152 2014] [core:debug] [pid 736:tid 1156] core.c(3512): [client 172.21.144.126:1659] AH00121: r->uri = /helpdesk/proxy:ajp://localhost:8009/helpdesk/proxy:ajp://localhost:8009/helpdesk/proxy:ajp://localhost:8009/helpdesk/proxy:ajp://localhost:8009/helpdesk/proxy:ajp://localhost:8009/helpdesk/proxy:ajp://localhost:8009/helpdesk/proxy:ajp://localhost:8009/helpdesk/proxy:ajp://localhost:8009/helpdesk/proxy:ajp://localhost:8009/helpdesk/proxy:ajp://localhost:8009/helpdesk/
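A triage helper for the Apache 2.4 error_log lines posted in this thread, added here as an example and not part of the thread or of Web Help Desk: it parses the 2.4 log layout and flags the three signatures seen above (auth_ntlm OS 1326 logon failures, request URIs that gain another proxy:ajp:// hop per rewrite lookahead, and the AH00125 subrequest-limit error). The sample log lines, the 192.0.2.x client addresses and the user name in them are constructed.

```python
"""Triage Apache 2.4 error_log lines from an SSPI/NTLM header-based SSO proxy.
Added example, not from the thread; SAMPLE_LOG is constructed to mirror the posted
signatures (auth_ntlm OS 1326 failures, AH00125 limit, recursive proxy:ajp URIs)."""
import re

# 2.4 layout: [ts] [module:level] [pid N:tid M] <prefix> [client ip:port] AHnnnnn: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[a-z_]+):(?P<level>[a-z]+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"(?P<prefix>.*?)\[client (?P<client>[\d.]+):(?P<port>\d+)\] "
    r"(?:(?P<code>AH\d{5}): )?(?P<msg>.*)$"
)
HOP = "proxy:ajp://localhost:8009/helpdesk/"  # one re-proxied subrequest hop
# Constructed sample (RFC 5737 addresses, placeholder user), modelled on the thread.
SAMPLE_LOG = [
    "[Wed Jan 15 10:51:16.040232 2014] [auth_ntlm:error] [pid 2664:tid 1104] "
    "(OS 1326)Logon failure: unknown user name or bad password.  : "
    '[client 192.0.2.10:61940] authentication failure for "/helpdesk/": user unknown',
    "[Thu Jan 16 08:16:46.531152 2014] [authz_core:debug] [pid 736:tid 1156] mod_authz_core.c(799): "
    "[client 192.0.2.20:1659] AH01626: authorization result of <RequireAll>: granted",
    "[Thu Jan 16 08:16:46.531152 2014] [authz_user:debug] [pid 736:tid 1156] "
    "mod_authz_user.c(65): [client 192.0.2.20:1659] AH01663: access to /helpdesk/"
    + HOP * 3 + " failed, reason: user 'exampleuser' does not meet 'require'ments "
    "for user to be allowed access",
    "[Thu Jan 16 08:16:46.531152 2014] [core:error] [pid 736:tid 1156] "
    "[client 192.0.2.20:1659] AH00125: Request exceeded the limit of 10 subrequest "
    "nesting levels due to probable configuration error.",
]


def parse_line(line):
    """Split one error_log line into fields; None if it is not in the 2.4 layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"], rec["tid"], rec["port"] = int(rec["pid"]), int(rec["tid"]), int(rec["port"])
    return rec


def proxy_nesting_depth(msg):
    """Count 'proxy:ajp://' hops in a request URI. Each hop is a lookahead
    subrequest that mod_proxy handled again; more than one means recursion."""
    return msg.count("proxy:ajp://")


def analyse(lines):
    """Findings as (kind, client, detail) tuples, in log order."""
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["module"] == "auth_ntlm" and "(OS 1326)" in rec["prefix"]:
            findings.append(("ntlm_logon_failure", rec["client"], rec["msg"]))
        depth = proxy_nesting_depth(rec["msg"])
        if depth > 1:
            findings.append(("proxy_recursion", rec["client"], depth))
        if rec["code"] == "AH00125":
            findings.append(("subrequest_limit", rec["client"], rec["msg"]))
    return findings
```

A proxy_recursion finding with depth above one, alongside AH01626 results of "granted", places the loop in the rewrite lookahead being handed back to mod_proxy inside the same Location rather than in the Require block.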

                                                        • Re: Single signon options
                                                          carleyc

                                                          Did you have to change the whd.conf file to change the port to 8009 from 80?