Hey, all. I'm hoping someone can help me here. I'm trying to set up SSO so that my end users don't have to log in to the portal every time they browse to the page. Unfortunately, my authentication test returns this:
allowed_login_types set to 'external|form|basic'
Ok, external authentication is enabled by allowed_login_type.
External Authentication Variable: '$_SERVER['REMOTE_USER']'
External Authentication Variable set to: ''
Empty user information passed by the web server.
[REMOTE_USER] =>
Is there something I'm missing?
Okay, I actually figured that part out. I had to disable Anonymous Authentication in IIS and enable Windows Authentication. Now my problem is that the REMOTE_USER is displayed as 'DOMAIN\user', but my iTop server only accepts 'user'. Where can I find the ['REMOTE_USER'] variable to grab only the user substring?
we have totally the same situation.
Got it to work with the below settings:
- Inside iTop, create your accounts as 'External' instead of 'LDAP' (I was using LDAP, which is why it didn't work initially)
- The accounts need to be set up in DOMAIN\username format
- Disable Anonymous Authentication in IIS
- Enable Windows Authentication in IIS
(Note: I found out that the REMOTE_USER variable is actually set when authentication is done against your web server. That being said, unless you're fluent in PHP (I'm not), it's going to be tough getting the username substring out of the variable. In an ideal situation we'd do single sign on with LDAP authentication instead of single sign on with Windows-based authentication through IIS, but we can't ask for too much out of a free product.)
Last edit: Luke Bowen 2014-04-24
https://wiki.openitop.org/doku.php?id=2_0_2:admin:user_authentication_options#integrating_with_an_external_authentication
I successfully tested it, but I cannot log in now using the admin account (or any account not part of DOMAIN). The reason is that we have to disable Anonymous Authentication in IIS.
Is it possible to have mixed authentication?
Based on the documentation, it seems possible to have a mix by setting 'allowed_login_types' => 'external|form|basic', which then automatically jumps to the next login type if external fails.
Did not work in my case.
Any help please.
Internet Explorer and Chrome use IIS Authentication.
But Firefox doesn't, and when you open the iTop site with Firefox it will use form authentication.
@Luke Bowen:
the [REMOTE_USER] is in the $_SERVER variable.
$user = $_SERVER['REMOTE_USER'];
in your case since you only want user out of DOMAIN\user you can either:
use explode, to divide the string into an array by the \ character,
or, if you only have 1 domain, use the function substr.
explode:
$REMOTEUSER = explode('\\', $_SERVER['REMOTE_USER']);
a var_dump($REMOTEUSER) will output this: array => string() = DOMAIN, string() = USER
then just do
$user = $REMOTEUSER[1];
if you are only working in 1 domain, or all your domain names have the same number of letters, you can also use:
$user = substr($_SERVER['REMOTE_USER'], 7);
where the number 7 is the starting point of the new string. So if you want the string to start with the letter D, the starting point should be 0. If it should start with O, the starting point would be 1, and so on. We leave out the $length argument of substr, since usernames might not all have the same length. With no length set it will just take everything after the starting point (7 in this case).
Hope this helps
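As an added example (not iTop's own code, and not code from anyone in this thread), here is a standalone PHP script that takes the explode idea above one step further. It splits REMOTE_USER into an authority and a user part, accepts both the 'DOMAIN\user' form that IIS Windows Authentication produces and the 'user@REALM' form that Apache Kerberos modules typically produce, refuses empty or malformed values, and only maps the login name when the domain or realm is on an allow-list. The domain names, the allow-list, the sample values and the function names are all assumptions made for this example.

```php
<?php
// Added example, not iTop code. Normalise the web server's REMOTE_USER into a
// bare login name and fail closed on anything unexpected. Assumptions: the list
// of trusted domains/realms is hard-coded below and the sample values are
// constructed, not captured from a real server.

/**
 * Split a REMOTE_USER value into its authority (domain or realm) and user.
 * Handles 'DOMAIN\user' (IIS), 'user@REALM' (Apache Kerberos modules) and a
 * bare 'user'. Returns null when the value is empty or malformed.
 */
function parseRemoteUser(string $remoteUser): ?array
{
    $remoteUser = trim($remoteUser);
    if ($remoteUser === '') {
        return null;                       // anonymous access reached the app
    }
    // DOMAIN\user: exactly one backslash, both parts non-empty
    if (preg_match('/^([^\\\\@]+)\\\\([^\\\\@]+)$/', $remoteUser, $m)) {
        return ['authority' => strtoupper($m[1]), 'user' => $m[2]];
    }
    // user@REALM: exactly one '@', both parts non-empty
    if (preg_match('/^([^\\\\@]+)@([^\\\\@]+)$/', $remoteUser, $m)) {
        return ['authority' => strtoupper($m[2]), 'user' => $m[1]];
    }
    // bare user name with no separator at all
    if (preg_match('/^[^\\\\@]+$/', $remoteUser)) {
        return ['authority' => null, 'user' => $remoteUser];
    }
    return null;                           // e.g. 'A\b\c' or 'a@b@c'
}

/**
 * Return the login name the application should use, or null to reject.
 * $allowedAuthorities: domains/realms we trust (assumption for this example).
 * $allowBare: whether a REMOTE_USER without any domain/realm is acceptable.
 */
function loginFromRemoteUser(string $remoteUser, array $allowedAuthorities, bool $allowBare = false): ?string
{
    $parts = parseRemoteUser($remoteUser);
    if ($parts === null) {
        return null;
    }
    if ($parts['authority'] === null) {
        return $allowBare ? $parts['user'] : null;
    }
    $allowed = array_map('strtoupper', $allowedAuthorities);
    if (!in_array($parts['authority'], $allowed, true)) {
        return null;                       // foreign domain/realm: do not map to a local account
    }
    // Conservative character set for the login name before handing it on
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $parts['user'])) {
        return null;
    }
    return $parts['user'];
}

// Constructed sample values covering the cases discussed in the thread
$samples = [
    'CORP\jdoe',                 // IIS Windows Authentication
    'jdoe@CORP.EXAMPLE.COM',     // Apache Kerberos module (user@REALM form)
    'OTHERDOM\jdoe',             // domain that is not on the allow-list
    'CORP\a\b',                  // malformed: two separators
    '',                          // Anonymous Authentication still enabled
];
$trusted = ['CORP', 'CORP.EXAMPLE.COM'];

foreach ($samples as $s) {
    $login = loginFromRemoteUser($s, $trusted);
    printf("%-26s => %s\n", var_export($s, true), $login === null ? 'REJECT' : $login);
}
```

Run it with `php` from the command line; the first two samples map to `jdoe` and the remaining three are rejected. The allow-list matters because with external authentication the application trusts whatever the web server puts in REMOTE_USER: if Anonymous Authentication is re-enabled by mistake or a different domain is later federated in, the mapping should refuse the value rather than silently turn it into a local account. The regex approach also avoids the problem with `substr(..., 7)`, which breaks as soon as a domain of a different length shows up.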
Hi, did anybody make the SSO authentication on Apache on RHEL?
In the browser, on the iTop site, I enter login and password in the authentication window, but authentication doesn't pass. I get errors in the httpd logs:
- cannot find key for HTTP/site.example.com@EXAMPLE.COM kvno 16 in keytab
- failed to verify krb5 credentials: Key version is not available
What is wrong? Can you help? I use Apache 2.4.6 on RHEL7. I created the keytab on WS2012.
I created an external user.