Difference between revisions of "Setting Up Single Sign-On for the Web Client v8.x"
(9 intermediate revisions by the same user not shown) | |||
Line 11: | Line 11: | ||
|applicableto=Supportworks ESP Version 8.0 and later, Web Client Version 2.2 and later | |applicableto=Supportworks ESP Version 8.0 and later, Web Client Version 2.2 and later | ||
}} | }} | ||
+ | |||
===Setting Up Single Sign-On for the Web Client=== | ===Setting Up Single Sign-On for the Web Client=== | ||
Line 31: | Line 32: | ||
adjustments performed in three separate areas of the system: | adjustments performed in three separate areas of the system: | ||
− | + | ||
− | + | * Web server configuration | |
− | + | * One of the Web Client PHP files | |
+ | * Main server configuration | ||
+ | |||
In addition, it is worthwhile checking that certain local-intranet security options are set on any Web | In addition, it is worthwhile checking that certain local-intranet security options are set on any Web | ||
Line 45: | Line 48: | ||
1. Open the text file ...\Hornbill\Core Services\Apache\conf\cs\httpd.conf for editing. | 1. Open the text file ...\Hornbill\Core Services\Apache\conf\cs\httpd.conf for editing. | ||
+ | |||
2. Locate the line:#Include conf/extra/httpd-default.conf and remove the leading # character | 2. Locate the line:#Include conf/extra/httpd-default.conf and remove the leading # character | ||
+ | |||
3. Locate the following lines, and remove the leading # (if required): | 3. Locate the following lines, and remove the leading # (if required): | ||
− | LoadModule authn_core_module modules/mod_authn_core.so | + | LoadModule authn_core_module modules/mod_authn_core.so |
− | LoadModule authz_core_module modules/mod_authz_core.so | + | LoadModule authz_core_module modules/mod_authz_core.so |
− | LoadModule authz_user_module modules/mod_authz_user.so | + | LoadModule authz_user_module modules/mod_authz_user.so |
4. Add the following entry at the end of the LoadModule list: | 4. Add the following entry at the end of the LoadModule list: | ||
− | LoadModule auth_ntlm_module modules/mod_authn_ntlm.so | + | LoadModule auth_ntlm_module modules/mod_authn_ntlm.so |
5. Save and Close the file | 5. Save and Close the file | ||
+ | |||
6. Open the text file ...\Hornbill\Core Services\Apache\conf\extra\httpd-default.conf for editing. | 6. Open the text file ...\Hornbill\Core Services\Apache\conf\extra\httpd-default.conf for editing. | ||
+ | |||
7. Locate the following lines and change the values as given below: | 7. Locate the following lines and change the values as given below: | ||
− | Timeout 300 | + | Timeout 300 |
− | KeepAlive On | + | KeepAlive On |
− | MaxKeepAliveRequests 100 | + | MaxKeepAliveRequests 100 |
− | KeepAliveTimeout 1 | + | KeepAliveTimeout 1 |
8. Save and Close the file | 8. Save and Close the file | ||
+ | |||
9. Create a new file located: ...\Hornbill\Core Services\Apache\conf\cs\core\ called | 9. Create a new file located: ...\Hornbill\Core Services\Apache\conf\cs\core\ called | ||
− | 503_vhost.sw.conf | + | 503_vhost.sw.conf |
10. Add the following: | 10. Add the following: | ||
− | # Webclient single sign on configuration | + | # Webclient single sign on configuration |
− | <Directory "C:\Program Files\Hornbill\Supportworks Server\html\webclient\sspi"> | + | <Directory "C:\Program Files\Hornbill\Supportworks Server\html\webclient\sspi"> |
− | AllowOverride None | + | AllowOverride None |
− | AuthType SSPI | + | AuthType SSPI |
− | AuthName "Company-name" | + | AuthName "Company-name" |
− | NTLMAuth On | + | NTLMAuth On |
− | NTLMAuthoritative On | + | NTLMAuthoritative On |
− | NTLMPerRequestAuth On | + | NTLMPerRequestAuth On |
− | NTLMOfferBasic On | + | NTLMOfferBasic On |
− | NTLMDomain top-level-domain-name | + | NTLMDomain top-level-domain-name |
− | require valid-user | + | require valid-user |
− | </Directory> | + | </Directory> |
11. Save the file | 11. Save the file | ||
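Review bot: NTLMOfferBasic On in the step 10 Directory block is carried through this revision with only its indentation changed, and the step still says nothing about transport. With Basic offered as a fallback, a browser that does not negotiate NTLM sends the Windows password merely base64-encoded, so step 10 should either state that the sspi path must be reached over HTTPS or set the directive to Off where the fallback is not needed.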
Line 103: | Line 111: | ||
uncomment the following line: | uncomment the following line: | ||
− | define("_WC_TRUSTEDLOGON",true); | + | define("_WC_TRUSTEDLOGON",true); |
2. If your Windows network is set up to use Active Directory for authentication and the User Principle | 2. If your Windows network is set up to use Active Directory for authentication and the User Principle | ||
Line 109: | Line 117: | ||
identical to the corresponding analyst ID, then uncomment the following lines as well: | identical to the corresponding analyst ID, then uncomment the following lines as well: | ||
− | define("_WC_UPN_SUPPORT",true); | + | define("_WC_UPN_SUPPORT",true); |
− | define("_WC_TOPLEVEL_DOMAIN","top-level-domain-name"); | + | define("_WC_TOPLEVEL_DOMAIN","top-level-domain-name"); |
(where top-level-domain-name comprises the last two components of the domain name - for | (where top-level-domain-name comprises the last two components of the domain name - for | ||
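Review bot: the placeholder top-level-domain-name for _WC_TOPLEVEL_DOMAIN is defined here as the last two components of the domain name, but the same placeholder appears after NTLMDomain in the step 10 block earlier in this diff with no definition beside it. Use a distinct placeholder for each setting, or define the value next to each use, so an administrator does not assume the two take the same string.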
Line 136: | Line 144: | ||
The Internet options you will be checking here would normally have been set as defaults in your | The Internet options you will be checking here would normally have been set as defaults in your | ||
domain policy. Follow these instructions on an individual Web browser: | domain policy. Follow these instructions on an individual Web browser: | ||
+ | |||
1. Select Tools > Internet Options and click the Security tab. | 1. Select Tools > Internet Options and click the Security tab. | ||
+ | |||
2. Select the "Local intranet" zone. | 2. Select the "Local intranet" zone. | ||
+ | |||
3. Click the Sites button, followed by Advanced. | 3. Click the Sites button, followed by Advanced. | ||
− | 4. In the list of websites, ensure that you can see the DNS name or IP address of the Supportworks | + | |
− | Web server. If not, then add it to the zone. | + | 4. In the list of websites, ensure that you can see the DNS name or IP address of the Supportworks Web server. If not, then add it to the zone. |
+ | |||
5. Click Close and then OK. | 5. Click Close and then OK. | ||
+ | |||
6. With "Local intranet" still selected, click the "Custom level" button. | 6. With "Local intranet" still selected, click the "Custom level" button. | ||
+ | |||
7. Scroll down to the User Authentication > Logon section. | 7. Scroll down to the User Authentication > Logon section. | ||
+ | |||
8. Ensure that "Automatic logon only in Intranet zone" is selected. | 8. Ensure that "Automatic logon only in Intranet zone" is selected. | ||
+ | |||
9. Click OK and then OK again. | 9. Click OK and then OK again. | ||
+ | |||
10. Restart the Web browser. | 10. Restart the Web browser. | ||
If there are still problems after this, please contact the Support Team for assistance. | If there are still problems after this, please contact the Support Team for assistance. |
Latest revision as of 16:30, 18 January 2018
| Status: | Published |
|---|---|
| Version: | 2.0 |
| Authors: | HTL QA |
| Applies to: | Supportworks ESP Version 8.0 and later, Web Client Version 2.2 and later |
Setting Up Single Sign-On for the Web Client
It is possible to set up a Web Client single-sign-on mechanism that will allow analysts in one or more domains of an organisation to access the Web Client without having to explicitly enter their login credentials. Instead of displaying the login page at the Web Client URL, the system authenticates transparently against the user's Windows network credentials and takes the user directly to the Web Client home page.
Note: It is assumed that each analyst who uses the Web Client and requires single sign-on has either the Active Directory or NT means of Windows authentication specified in their Supportworks analyst record. Other authentication options are not supported for single sign-on.
The key to single-sign-on capability is the Apache Web Server's SSPI module. This allows a Web-based application to authenticate using any of the authentication protocols built into the Windows Security Support Provider Interface.
The procedure for setting up single sign-on for the Web Client comprises a series of checks and adjustments performed in three separate areas of the system:
- Web server configuration
- One of the Web Client PHP files
- Main server configuration
In addition, it is worthwhile checking that certain local-intranet security options are set on any Web browsers that are expected to connect to the Web Client.
These sets of checks and adjustments are detailed in the following sections.
Checks/Adjustments to Perform in the Web Server Configuration
Carry out the actions relating to Web server configuration as follows:
1. Open the text file ...\Hornbill\Core Services\Apache\conf\cs\httpd.conf for editing.
2. Locate the line: #Include conf/extra/httpd-default.conf and remove the leading # character
3. Locate the following lines, and remove the leading # (if required):
    LoadModule authn_core_module modules/mod_authn_core.so
    LoadModule authz_core_module modules/mod_authz_core.so
    LoadModule authz_user_module modules/mod_authz_user.so
4. Add the following entry at the end of the LoadModule list:
    LoadModule auth_ntlm_module modules/mod_authn_ntlm.so
5. Save and Close the file
6. Open the text file ...\Hornbill\Core Services\Apache\conf\extra\httpd-default.conf for editing.
7. Locate the following lines and change the values as given below:
    Timeout 300
    KeepAlive On
    MaxKeepAliveRequests 100
    KeepAliveTimeout 1
8. Save and Close the file
9. Create a new file located: ...\Hornbill\Core Services\Apache\conf\cs\core\ called 503_vhost.sw.conf
10. Add the following:
    # Webclient single sign on configuration
    <Directory "C:\Program Files\Hornbill\Supportworks Server\html\webclient\sspi">
        AllowOverride None
        AuthType SSPI
        AuthName "Company-name"
        NTLMAuth On
        NTLMAuthoritative On
        NTLMPerRequestAuth On
        NTLMOfferBasic On
        NTLMDomain top-level-domain-name
        require valid-user
    </Directory>
11. Save the file
Note that you must use the directory path that applies to your Supportworks installation, the company name that applies in your case, and the network domain where the analysts' Windows accounts reside. The domain name should just be that of the lowest-level domain. For multiple-domain support, your network administrator must ensure that the domains concerned have trust relationships with the domain you specify here.
12. Restart the Web server (ApacheServer).
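As an added example (not part of the original article or of the Supportworks product), the following Python script parses the Directory block from step 10 and reports directives that differ from the values given above, placeholders left unfilled, and the Basic fallback enabled by NTLMOfferBasic On. The function names, the sample text and the HTTPS recommendation are assumptions of this example.

```python
import re

# Constructed sample: the step 10 block with the article's placeholders left in.
SAMPLE_VHOST = r'''
# Webclient single sign on configuration
<Directory "C:\Program Files\Hornbill\Supportworks Server\html\webclient\sspi">
    AllowOverride None
    AuthType SSPI
    AuthName "Company-name"
    NTLMAuth On
    NTLMAuthoritative On
    NTLMPerRequestAuth On
    NTLMOfferBasic On
    NTLMDomain top-level-domain-name
    require valid-user
</Directory>
'''
REQUIRED = {"authtype": "sspi", "ntlmauth": "on", "require": "valid-user"}  # from step 10

def parse_directory_blocks(text):
    """Map each <Directory> path to {directive (lower case): value}; comments are skipped."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            current = blocks.setdefault(opened.group(1), {})
        elif re.match(r"</Directory\s*>", line, re.I):
            current = None
        elif current is not None:
            name, _, value = line.partition(" ")
            current[name.lower()] = value.strip().strip('"')
    return blocks

def audit_sso_block(directives):
    """Return a list of findings for one parsed block (hypothetical helper)."""
    findings = []
    for name, want in REQUIRED.items():
        got = directives.get(name, "").lower()
        if got != want:
            findings.append(f"{name}: expected {want!r}, found {got!r}")
    if directives.get("ntlmofferbasic", "").lower() == "on":
        findings.append("ntlmofferbasic: Basic fallback offered; restrict this path to HTTPS")
    for name, placeholder in (("ntlmdomain", "top-level-domain-name"), ("authname", "Company-name")):
        if directives.get(name, "") in ("", placeholder):
            findings.append(f"{name}: missing or still the placeholder")
    return findings
```

To check a real installation, pass the contents of 503_vhost.sw.conf to parse_directory_blocks and run audit_sso_block on each block it returns.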
Checks/Adjustments to Perform in the Relevant Web Client PHP File
Here is the procedure to carry out on the Web Client module itself (within the Supportworks server):
1. Open the text file ...\Hornbill\Supportworks Server\html\webclient\php\_wcconfig.php and uncomment the following line:
    define("_WC_TRUSTEDLOGON",true);
2. If your Windows network is set up to use Active Directory for authentication and the User Principal Name (UPN - which may contain spaces and other characters not allowed in analyst IDs) is not identical to the corresponding analyst ID, then uncomment the following lines as well:
    define("_WC_UPN_SUPPORT",true);
    define("_WC_TOPLEVEL_DOMAIN","top-level-domain-name");
(where top-level-domain-name comprises the last two components of the domain name - for example, hornbill.com)
Also, in this case, you must ensure that the Active Directory means of authentication and the relevant fully qualified User Principal Name (UPN) are specified in each of the Supportworks analyst records.
3. Save the _wcconfig.php file.
Adjustments to Perform in the Main Server Configuration
To allow trust checking to occur between the Supportworks main server and the Web server, you have to configure the main server for "trusted authentication". Instructions are given in the chapter of the Supportworks ESP Configuration Guide entitled Configuring the Server for Trusted Authentication.
Analysts in the relevant domains should now be able to access the Web Client transparently. However, a lot depends on your environment, security settings and so on, so the above as given may not necessarily work. If analysts are having problems, you should at least check the browser-based settings indicated in the following section.
Checks to Perform in a Web Browser's Internet Options
The Internet options you will be checking here would normally have been set as defaults in your domain policy. Follow these instructions on an individual Web browser:
1. Select Tools > Internet Options and click the Security tab.
2. Select the "Local intranet" zone.
3. Click the Sites button, followed by Advanced.
4. In the list of websites, ensure that you can see the DNS name or IP address of the Supportworks Web server. If not, then add it to the zone.
5. Click Close and then OK.
6. With "Local intranet" still selected, click the "Custom level" button.
7. Scroll down to the User Authentication > Logon section.
8. Ensure that "Automatic logon only in Intranet zone" is selected.
9. Click OK and then OK again.
10. Restart the Web browser.
If there are still problems after this, please contact the Support Team for assistance.