6 Replies Latest reply on Jul 26, 2016 10:06 AM by xyn99

    Orion Passthrough authentication, IIS settings

    rockridder

      We enabled passthrough authentication some time ago and it was working fine. At some point it stopped functioning correctly, it may have occured during one of the many patches and updates, but we aren't sure. I have revisited the instructions on how to set this up, but I ran into an odd situation. When I went into IIS to set verify and set the permissions, what i found was confusing and a possible problem. Within the Authentication screen of the "SolarWinds NetPerfMon" site I found the following:

       

      Name                                      Status                         Response Type

      Anonymous Authentication    Enabled                     

      ASP .NET Impersonation       Disabled                    

      Basic Authentication              Disabled                         HTTP 401 Challenge

      Forms Authentication            Enabled                          HTTP 302 Login/Redirect

      Windows Authentication        Enabled                          HTTP 401 Challenge

       

      Alerts: "Challenge-based and login redirect-based authentication cannot be used simultaneously."

       

      Now what should these settings be set to, to allow for Passthrough Authentication?

        • Re: Orion Passthrough authentication, IIS settings
          smilesp12

          We've ran into this same issue. After doing Windows updates, we are unable to log in into the website. We tried blanking out the admin account password but it still doesn't log in. We also have the same settings under IIS. I've tried disabling one or the other to see if it will let us in but so far no dice.

           

          Any users or admins have suggestions on this?

          • Re: Orion Passthrough authentication, IIS settings
            pparsaie

            I've found those same settings as the default settings, and, I've found that if I want my Windows Passthrough Authentication to work, the only one that needs to be enabled is Windows Authentication.

             

            Beyond that if I want my Solarwinds Report emails to attach XLS , PDF versions I need to make sure Forms Authentication and Anonymous Authentication are enabled as well (with the same error given).

             

            In my environment if I want Windows Passthrough to work, I need to make sure first my browser settings are correct, but, if I know those are correct and I know my AD groups are configured correctly, then within Solarwinds I make sure that the following is set up correctly:

             

            Make sure IIS Site ID matches w/ the information found in the SolarWindsOrion.Websites table.

            For me, running SSL/HTTPS with a URL name and cert loaded within IIS my table reads:

            Website ID: 1 (which matches IIS sites)

            Servername: mywebsiteurl.myworkdomain.com (this could be the server name as well)

            IPAddress: MyServerIP

            Port: 443 (this could be 80 ect)

            SSLEnabled: 1 (this can be 1 or 0 for none SSL)

            Type: Primary (this can be additional, if its not the URL/Address you want to use... so in this example you'd want it to be primary)

             

            Anytime I've had issues its mostly had to do with my IIS settings not matching the website table in the orion db. Hope that helps.

            • Re: Orion Passthrough authentication, IIS settings
              mharvey

              In addition, go into the Web Console Settings in Orion under /Orion/Admin/Settings.aspx and make sure Windows Automatic Login is set for "Enable Automatic Login". 

               

              Other things that may help depend on the browser.  For IE and Chrome, most often times if the site is not recognized as an intranet site, it will just prompt without passing through.  You've either got to identify the site as intranet, or set the options to pass the username and password.  Another option that's helped us recently was having user clear all cache from the browser (after we did an upgrade and migration of SolarWinds Orion) and that helped the autologin.

                • Re: Orion Passthrough authentication, IIS settings
                  pparsaie

                  Excellent point, and, a great place to look first.

                  • Re: Orion Passthrough authentication, IIS settings
                    sbukovic

                    This is pretty much correct, to add some detail...


                    The if the site is internal and not being recognized as the intranet zone then a GPO policy may need to be set to force Chrome to see it as a recognized intranet page. 

                     

                    However, if you want to test out the pass through in Chrome without  pushing GPO settings you can lookup the Chrome Registry Key  HKCU\Software\Policies\Google\Chrome\AuthServerWhitelist and add the sites you want to be able to pass through authenticate to.

                     

                    Basically add a REG_SZ value like the following for a single site

                     

                          *.mysite.local

                     

                    or for multiple sites

                     

                         *.mysite.local,anothersite,*internalserver*

                     

                    To verify that chrome recognizes those settings going to the chrome://policy page and reloading policies you should be able to see your settings change and then retest authentication with the site you are working with.

                  • Re: Orion Passthrough authentication, IIS settings
                    xyn99

                    I had this same problem.  I disabled Forms Authentication from IIS and the passthrough authentication then started to work for everyone.  No idea why it stopped working before but it was a fix for me.