Jiri, is another term for the token an NTLM hash? Just curious.

Shawn, unless I have this wrong, in the context of Remedy authentication, I 
believe what you are getting from your SSO in the AuthString parameter would 
correspond to the 4th field on the OOB login screen ("Authentication"). 
Typically this is unused, except in cases where it might be needed to specify a 
domain or other information when configuring AREA LDAP login. In the AREA LDAP 
Configuration form, the contents of AuthString can be passed into the LDAP 
search base using the syntax $\AUTHSTRING$, for example. I don't know why you 
have data there, but you can probably ignore it.

In your case, how is authentication supposed to be handled on the server? In 
the context of Midtier using IWA, normally you would not then go to the AD/LDAP 
server, because a valid IWA login is implicitly trusted, so instead you would 
simply connect the user using a server side AREA plugin.

When you ran plugin logging did you see the failed authentication attempt 
there? Does that shed any light?

Hope that helps,
Davin
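
As an added example (not code from this thread, and not the mid-tier's own SSO servlet), the following Python shows how to tell what an SSO servlet has actually logged as its authentication string: whether it carries a scheme prefix such as NTLM, as in Jiri's sample further down, and decodes as an NTLMSSP message, or whether it is simply base64 of readable text. The NTLM Type 3 (AUTHENTICATE) layout is taken from the MS-NLMP specification; the Type 3 token the code builds is a constructed sample with zero-filled responses, not a usable credential; and the AuthString value is the one from Shawn's Tomcat log quoted below.

```python
"""
Classify an SSO "authentication string" as logged by a servlet: an NTLMSSP
token (with its message type and, for Type 3, the identity fields), printable
base64 text, opaque binary, or not base64 at all.
Added example. Assumptions: NTLM Type 3 layout per MS-NLMP; sample token
constructed here; AuthString value copied from the thread's Tomcat log.
"""
import base64
import struct

# Value copied from the Tomcat log lines quoted in this thread.
AUTHSTRING_FROM_THREAD = "Qk1DIFJlbWVkeSBBUlN5c3RlbQ=="

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_NTLM = 0x00000200


def decode_base64_lenient(s: str) -> bytes:
    """Decode base64, tolerating stripped '=' padding and embedded whitespace."""
    s = "".join(s.split())
    return base64.b64decode(s + "=" * (-len(s) % 4))


def _security_buffer(raw: bytes, pos: int) -> bytes:
    """Read an NTLM security-buffer descriptor (len, maxlen, offset) at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", raw, pos)
    return raw[offset:offset + length]


def _type3_fields(raw: bytes) -> dict:
    """Extract domain, user and workstation from a Type 3 (AUTHENTICATE) message."""
    if len(raw) < 64:                      # fixed header is 64 bytes
        return {"error": "truncated Type 3 message"}
    flags = struct.unpack_from("<I", raw, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    return {
        "domain": _security_buffer(raw, 28).decode(enc),
        "user": _security_buffer(raw, 36).decode(enc),
        "workstation": _security_buffer(raw, 44).decode(enc),
        "nt_response_len": len(_security_buffer(raw, 20)),
    }


def classify_auth_string(value: str) -> dict:
    """Split an Authorization-style value into scheme and token; report what it is."""
    parts = value.split(None, 1)
    if len(parts) == 2 and parts[0].upper() in ("NTLM", "NEGOTIATE", "BASIC"):
        scheme, token = parts[0].upper(), parts[1]
    else:
        scheme, token = None, value
    try:
        raw = decode_base64_lenient(token)
    except ValueError:                     # binascii.Error is a ValueError subclass
        return {"scheme": scheme, "kind": "not-base64"}
    if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        info = {"scheme": scheme, "kind": "ntlmssp",
                "message_type": NTLM_MESSAGE_TYPES.get(msg_type, "UNKNOWN")}
        if msg_type == 3:
            info.update(_type3_fields(raw))
        return info
    if raw and all(32 <= b < 127 for b in raw):
        return {"scheme": scheme, "kind": "base64-text", "text": raw.decode("ascii")}
    return {"scheme": scheme, "kind": "base64-binary", "length": len(raw)}


def build_sample_type3(domain: str, user: str, workstation: str) -> str:
    """
    Construct a minimal NTLM Type 3 message so the parser has input to work on.
    The LM/NT responses are zero-filled dummies (constructed, not a credential).
    """
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM
    payloads = [b"\x00" * 24, b"\x00" * 24,             # LM, NT responses (dummy)
                domain.encode("utf-16-le"), user.encode("utf-16-le"),
                workstation.encode("utf-16-le"), b""]    # session key (absent)
    header_len, descriptors, body = 64, b"", b""
    for p in payloads:                     # descriptor order is fixed by MS-NLMP
        descriptors += struct.pack("<HHI", len(p), len(p), header_len + len(body))
        body += p
    header = (NTLMSSP_SIGNATURE + struct.pack("<I", 3)
              + descriptors + struct.pack("<I", flags))
    return "NTLM " + base64.b64encode(header + body).decode("ascii")


if __name__ == "__main__":
    print(classify_auth_string(AUTHSTRING_FROM_THREAD))
    print(classify_auth_string(build_sample_type3("ENERGY", "spierson", "WS01")))
```

Run on the AuthString from the log, the decoder reports base64 of the text "BMC Remedy ARSystem" rather than an NTLM token, which is the sort of check worth doing before treating a logged value as a credential or as the thing the server is rejecting.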



-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] 
On Behalf Of Jiri Pospisil
Sent: Tuesday, April 29, 2008 10:10 AM
To: arslist@ARSLIST.ORG
Subject: Re: IIS remoteuser for Single-Sign On

++++++++++++++++++++++++++++++++++++++++++++++++++++++
Please Read The Disclaimer At The Bottom Of This Email
++++++++++++++++++++++++++++++++++++++++++++++++++++++

Shawn,

the authentication string is a token generated for the user session when the 
user originally authenticates to the domain.
The token is then passed around rather than user password.
From my experience when I was setting this up, the authentication string was 
much much longer, something like this:
NTLM HTCNTVNTUAADAAAAGAAYAHAAAAAYABgAiAAAAAgACABAAAAAGgAaAEYYYYAOAA4AYgAAAAAAAAXXXXAABQKAAEMATwBSAFAASgBpAHIAaQAuAFAAbwBzAHAAaQBzAGkAbABXADIAVwAxADIAOAAzAE0g14rtdJfdVeO6oYXVB1nz9SPr3lERvY/snjit2PixS+1HSCrHd8UuoXHIdUCR5E==

As you can see, the string is also prefixed by the type of the authentication 
method.
What you are getting looks more like an encrypted password, but that is just a 
wild guess.

I know that tomcat has some sample servlets that can be accessed through 
http://server_name/servlets-examples/
One of them prints all headers of the request including the authorization 
string. You can amend it so that it also prints the user name.

Hope this helps.
Jiri

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] 
Behalf Of Pierson, Shawn
Sent: 29 April 2008 16:48
To: arslist@ARSLIST.ORG
Subject: Re: IIS remoteuser for Single-Sign On


Jiri,

I can see the user name coming across successfully, but the authentication 
string is basically nonsense.  I assume it is some sort of encrypted value, but 
without really understanding what it should look like, I'm not sure of what to 
make of it.  For example, I see it coming across like this in the Tomcat logs:

SSO: Remote User Name (including domain): energy\spierson
SSO: Remote User Name (no domain): spierson
SSO: Setting username to lower case...
SSO: Authenticating with username: spierson
SSO: Using AuthString: Qk1DIFJlbWVkeSBBUlN5c3RlbQ==

It appears to be working, except that the AuthString value I guess doesn't 
work.  When I look in my browser, it's giving me the standard ARERR 8908 
"Unknown User or Invalid Password" error message.


-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] 
On Behalf Of Jiri Pospisil
Sent: Tuesday, April 29, 2008 10:23 AM
To: arslist@ARSLIST.ORG
Subject: Re: IIS remoteuser for Single-Sign On


Shawn,

we are on version 7.0.1 and I managed to configure SSO authentication on the 
mid-tier without changing/setting any configuration on the Remedy server side.
I would look at your code which interrogates the HTTP request for the user name 
and authentication string.
You can add some debugging messages there that would write into a file on the 
mid-tier server to see what is actually being passed to the Remedy 
authenticator. 

Regards
Jiri Pospisil

Remedy Administrator
LCH.Clearnet


-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] 
Behalf Of Pierson, Shawn
Sent: 29 April 2008 16:10
To: arslist@ARSLIST.ORG
Subject: Re: IIS remoteuser for Single-Sign On


Actually there everything seems to be working ok.  In the areasso.cfg file I 
also have DEBUG-LOGGING: 1 so it will show everything, but I don't see where 
it's even trying to use the sso plugin there after it loads areasso.cfg.  It 
does, however, show that it is trying to log me onto the system in the Tomcat 
logs.

Any other suggestions?

Thanks,

Shawn Pierson

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] 
On Behalf Of Roney Varghese
Sent: Tuesday, April 29, 2008 9:24 AM
To: arslist@ARSLIST.ORG
Subject: Re: IIS remoteuser for Single-Sign On

Turn on your plugin logs (fine) and let me know what auth error you see in there.

Regards,
Roney Varghese

Sent from my iPhone

On Apr 29, 2008, at 7:12 AM, "Pierson, Shawn" <[EMAIL PROTECTED]>
wrote:

> I added the mid tier ip address as well as 127.0.0.1 just in case.
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList) 
> [mailto:arslist@ARSLIST.ORG ] On Behalf Of Roney Varghese
> Sent: Monday, April 28, 2008 4:18 PM
> To: arslist@ARSLIST.ORG
> Subject: Re: IIS remoteuser for Single-Sign On
>
> Dear Shawn,
>
> Have you added the midtier ip address to the areasso.cfg file in the 
> AR Server/conf folder?
>
> Regards,
> Roney Varghese
>
> Sent from my iPhone
>
> On Apr 28, 2008, at 3:34 PM, "Pierson, Shawn" <[EMAIL PROTECTED]>
> wrote:
>
>> Thanks Jarl,
>>
>> That got me much further, and I can see that my login name is being 
>> passed now.  However, I'm still having issues which I'll bring up 
>> below.
>>
>> The output log says:
>> SSO: Remote User Name (including domain): energy\spierson
>> SSO: Remote User Name (no domain): spierson
>> SSO: Setting username to lower case...
>> SSO: Authenticating with username: spierson
>> SSO: Using AuthString: Qk1DIFJlbWVkeSBBUlN5c3RlbQ== ARERR [623] 
>> Authentication failed
>>
>> So now it's clear that it is trying to pass my information, but for 
>> some reason the authentication is still failing.  Any ideas on what 
>> the next step in troubleshooting this should be?
>>
>> Thanks again,
>>
>> Shawn Pierson
>>
>>
>>
>> -----Original Message-----
>> From: Action Request System discussion list(ARSList) 
>> [mailto:arslist@ARSLIST.ORG ] On Behalf Of Jarl Grøneng
>> Sent: Monday, April 28, 2008 3:10 PM
>> To: arslist@ARSLIST.ORG
>> Subject: Re: IIS remoteuser for Single-Sign On
>>
>> Try changing this in ..\Tomcat 5.5\conf\server.xml to this:
>> <Connector port="8009" tomcatAuthentication="false"
>> enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
>>
>> The one you change is:
>> tomcatAuthentication="true" to tomcatAuthentication="false"
>>
>> --
>> Jarl
>>
>>
>> On Mon, Apr 28, 2008 at 8:33 PM, Pierson, Shawn 
>> <[EMAIL PROTECTED]> wrote:
>>>
>>>
>>> Good afternoon,
>>>
>>> I'm trying to set up single sign on for the mid tier and have almost 
>>> everything working.  The one thing that still seems to be a problem 
>>> is getting IIS to pass the authenticated user to Jakarta.  When I 
>>> try to log into Remedy, I get the following in my tomcat logs:
>>>
>>>
>>> SSO: Initialization: Version 2.04
>>> SSO: Property values were loaded.
>>> usermethod:remoteuser
>>> usercase:lower
>>> removedomain:T
>>> headername:
>>> attname:
>>> authmethod:default
>>> authcustom:
>>> debuglogging:T
>>> SSO ERROR: RemoteUser name is null or empty. Using default login page
>>>
>>> This doesn't really help explain why it's happening in the debug log 
>>> file, but it does at least show that the sso.properties file is being 
>>> read correctly.
>>>
>>> Within IIS I have it set only to Integrated Windows Authentication 
>>> and nothing else on the Authentication Methods form.  I think IIS 
>>> isn't passing the Remote_User variable over to Jakarta, but I'm not 
>>> really sure where I can verify that.  Does anyone else have any 
>>> suggestions for me to try?
>>>
>>> I'm on Mid Tier 7.0.1 p6 with Apache Tomcat and IIS authenticating 
>>> against Active Directory.
>>>
>>> Thanks,
>>>
>>> Shawn Pierson

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: 
www.rmsportal.com ARSlist: "Where the Answers Are"

Private and confidential as detailed here: 
http://www.sug.com/disclaimers/default.htm#Mail . If you cannot access the 
link, please e-mail sender.

*************************************************************************************************

This email is intended for the named recipient(s) only. Its contents are  
confidential and may only be retained by the named recipient(s) and may only be 
copied or disclosed with the consent of LCH.Clearnet Limited.   If you are not 
an intended recipient please delete this e-mail and notify [EMAIL PROTECTED]

The contents of this email are subject to contract in all cases, and 
LCH.Clearnet Limited makes no contractual commitment save where confirmed by 
hard copy.  LCH.Clearnet Limited accepts no liability, including liability for 
negligence, in respect of any statement in this email.

LCH.Clearnet Limited, Registered Office: Aldgate House, 33 Aldgate High Street, 
London EC3N 1EA.    Recognised as a Clearing House under the Financial Services 
& Markets Act 2000. Reg in England No.25932 
Telephone: +44 20 7426 7000              Internet: http://www.lchclearnet.com

*************************************************************************************************

