Kerberos and SSO

 
Author
Message
Elite SysAider
237
 
Hi,

has anybody manged to enable SSO with Kerberos yet?

/Michael
SysAider
2
 
hello,
Im working on the same problem, followed the given instructions but SSO is not working ..

LDAP is working,
2008 R2 servers / Win7 clients / IE8

/Andreas
Super SysAider
62
 
Hi MichaelZ, Awsh, did you guys follow instructions similar to these?

If so, it appears like the param names are all misspelt.

I noticed that the class names are all "spnego" - whereas the params in the instructions all read "spengo".
[https://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html - paragraph 4.2]

I am unsure as to whether the param names even matter, nor I have not contacted SysAid Support to confirm this, however, if you have followed those instructions word for word as well as upgraded SysAid to Version 9 and are running Tomcat 7, then I suggest trying at least to rename each param and see if this works.


I would like to know if this does resolve the issue, so please let me know what you think and how you go.

Cheers,
Cael
Elite SysAider
237
 
After renaming the variables the server won't start.

/Michael
Elite SysAider
237
 
I have had a nice session with SysAid support.

We tried several things but were unable to get Kerberos and SSO to work.

The things we discovered were that
- one file referred to from server.conf was missing -> 'logon.conf'.
- Our AD is based on 2003 servers and there may be some restrictions on which encryption methods can be used.

The errors related to the last issue were about AES encryption and downgrading to NTLM both displayed when you try to open the sysaid homepage.

This message was edited 1 time. Last update was at Nov. 23, 2012 07:48 AM

SysAider
2
 
Hello
Changing the Conf to spengo instead of spnego didnt make much difference for us.
we still just get the logon screen when accessing the website.

first we had problems with the site saying that we didnt have the right encryption configured this was solved by Checking "this account supports Kerberos AES 256bit encryption" on the service account in the Account tap in AD.
after this was done we got past the error and just got the normal logon screen. so no SSO working.

/Andreas
Elite SysAider
237
 
Any news on this?
SysAider
30
 
I am starting to work on this as well. I found the following login.conf file and saved it under ../tomcat/conf directory

https://spnego.sourceforge.net/login.conf

When I access the login page, all I get is a blank page without any other error. I probably contact support next to find out if anything we are missing.
SysAider
16
 
Has this been flagged for a fix yet?

We have spent multiple days attempting to implement Kerberos SSO and have had to resort to manual username and password entry as Sysaid's implementation appears to be incomplete (to put it politely).

This message was edited 1 time. Last update was at Apr. 02, 2013 06:54 AM

SysAid VP Customer Relations
604
 
If anyone still wants to try that, please let me know. We believe to have found the problem we had with our instruction set and want to try this with customers over remote control session before releasing the corrected instructions.

Thanks,
Joseph
Elite SysAider
237
 
Hi,

would love to test this. This friday or mon-fri next week would be possible for me to ttest.

/Michael

This message was edited 1 time. Last update was at Jul. 10, 2013 06:13 AM

SysAid VP Customer Relations
604
 
Hi Michael,
I will ask your account manager to arrange the remote control session so we could test the configuration.

Thanks,
Joseph.
SysAider
3
 
I am using LDAP right now and it works for the most part....

I can log into the helpdesk as an administrator just fine but end users attempting to complete the survey or open a new incident are being asked to login.

I would like to know if Kerberos is working as I will try that setup.

We are running in windows 2003 functional mode.

Thank You.

SysAid VP Customer Relations
604
 
Hi rmiiokte,
SSO was configured with Kerberos on a few customer environments, but not enough to say it we got it figured out. Please contact your account manager and we'll try the setup with your environment as well.

Thanks,
Joseph.
SysAid Wiz
318
 
Hi all,
here are my five cents

I've tried to config kerberos on our client test environment and it works fine, but when we have tried it on the production server it gives an error:

2013-12-04 10:21:05,755 [http-80-101] ERROR com.sysaid - SysAid Error Number#0 in account accvensia: Error while processing SysAid request.
javax.servlet.ServletException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

We are currently working to check what is wrong, it is possible that some windows updates are missing so we are working on it.

I'll update you soon (or we'll call SysAid Support )

Bye!