
Forum Discussion

Alexander_01_13
Sep 07, 2013

NTLM-Authentication with trusted domains

Hi there,

a newbie question :-)

I am having trouble configuring SSO to Microsoft applications (e.g. SharePoint).

There are two AD domains that are linked by a two-way trust relationship. One of them is configured in the SSO configuration. Users from this domain can SSO into the application, but users of the trusted domain cannot. The latter have to enter their credentials several times.

Now, how can I configure SSO so that both domains can log on straight away without repeated password requests?

Regards, Alexander

8 Replies

  • Okay, good. Next set of questions:

    1. How do you collect user credentials on the client side?

    2. When SSO fails, you're saying the users are getting prompted repeatedly? Are they prompted the same way they initially pass credentials? And do they get in after a few tries?

  • Hi Kevin,

    we collect the credentials using a login page. This is the access policy:

    In the Logon Page we collect the Windows username, Windows password and RSA SecurID passcode. In the decision box the user decides which AD domain to log on to. The message box explains that SSO is not working yet ;-)

    The repeated credential box looks like the following:

    This is after AD Auth has been successful.

    Thanks for helping!

    Regards, Alexander

  • Yes, but

    1. Do they gain access after several attempts?

    2. How are you actually assigning the domain from the decision box selection?

    Please do this:

    At the end of each allow branch, after SSO credential mapping, add a temporary message box that displays the following:

    %{session.sso.token.last.username}
    %{session.logon.last.domain}
    

    What do you see?

  • Thank you for your assistance, Kevin. With your help the problem is resolved.

    The field "Domain Source" in the SSO Configuration of the NTLM v2 object was empty.

    So I filled it with the default value (session.logon.last.domain), and in the access policy I added a variable assignment where I fill in this field with the corresponding domain name. That was it! Now SSO works for both domains.

    Regards, Alexander

  • Dears,

    I am also trying to configure SSO for my SharePoint application and it is not working. I added the message box as instructed by Kevin, but when I added the message box I can only find the username; the domain is empty.

    Please, can anyone help?

    Thanks in advance.

  • Dears,

    I am receiving the following logs.

    Oct 21 13:03:13 DRBIGIP1 debug websso.0[18366]: 014d0001:7: http header [Server][Microsoft-IIS/8.5] (len=17)
    Oct 21 13:03:13 DRBIGIP1 debug websso.0[18366]: 014d0001:7: http header [SPRequestDuration][6] (len=1)
    Oct 21 13:03:13 DRBIGIP1 info websso.0[18366]: 014d0014:6: 83197fe2: Found HTTP 401 response for SSO configuration '/Common/MOL_APM.app/MOL_APM_ntlm_sso' type:'ntlmv1'
    Oct 21 13:03:13 DRBIGIP1 debug websso.0[18366]: 014d0001:7: www-authenticate header: Negotiate
    Oct 21 13:03:13 DRBIGIP1 err websso.0[18366]: 014d0005:3: Disabled the SSO for session: misconfiguration
    Oct 21 13:03:13 DRBIGIP1 debug websso.0[18366]: 014d0001:7: ctx: 0x8e7ce18, CLIENT: TMEVT_RESPONSE
    Oct 21 13:03:13 DRBIGIP1 debug websso.0[18366]: 014d0001:7: Looking for Set-Cookie headers to merge into client response.
    Oct 21 13:03:13 DRBIGIP1 debug websso.0[18366]: 014d0001:7: ctx: 0x8e7ce18, CLIENT: TMEVT_RESPONSE_DONE
    Oct 21 13:03:13 DRBIGIP1 debug websso.0[18366]: 014d0001:7: sso_disable: 1, _needAuth: 0
    Oct 21 13:03:13 DRBIGIP1 debug websso.0[18366]: 014d0001:7: ctx: 0x8e7ce18, CLIENT: TMEVT_SESSION_RESULT
    Oct 21 13:03:23 DRBIGIP1 debug websso.1[18460]: 014d0001:7: Expire thread: TGTlist:0 TGTMap:0 UCClist:0 UCCmap:0
    Oct 21 13:03:23 DRBIGIP1 debug websso.0[18366]: 014d0001:7: Expire thread: TGTlist:0 TGTMap:0 UCClist:0 UCCmap:0
    Oct 21 13:03:24 DRBIGIP1 debug websso.3[18583]: 014d0001:7: Expire thread: TGTlist:0 TGTMap:0 UCClist:0 UCCmap:0
    Oct 21 13:03:24 DRBIGIP1 debug websso.2[18531]: 014d0001:7: Expire thread: TGTlist:0 TGTMap:0 UCClist:0 UCCmap:0
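The websso lines above carry everything needed to see why SSO was switched off for this session: the 401 that names the SSO object and its type, the WWW-Authenticate scheme the backend returned, and the "Disabled the SSO for session" verdict. The following Python is an added example, not code from the thread or from F5: it embeds a constructed copy of those lines (one message per line), parses them, correlates the three messages per websso worker pid, and reports the result. The `ntlm_challenge_missing` check encodes an assumption the thread does not state, namely that an ntlm-type SSO object expects the backend to offer an NTLM challenge, so a Negotiate-only response is the first thing to compare against the SSO object's type. The regexes and field names are mine.

```python
import re

# Constructed sample: the BIG-IP APM websso log quoted in the post above, split
# one syslog message per line (extraction had run them together). Only the
# lines that matter for the SSO decision are kept, plus one housekeeping line
# to show that unrelated messages are ignored.
SAMPLE_LOG = """\
Oct 21 13:03:13 DRBIGIP1 debug websso.0[18366]: 014d0001:7: http header [Server][Microsoft-IIS/8.5] (len=17)
Oct 21 13:03:13 DRBIGIP1 info websso.0[18366]: 014d0014:6: 83197fe2: Found HTTP 401 response for SSO configuration '/Common/MOL_APM.app/MOL_APM_ntlm_sso' type:'ntlmv1'
Oct 21 13:03:13 DRBIGIP1 debug websso.0[18366]: 014d0001:7: www-authenticate header: Negotiate
Oct 21 13:03:13 DRBIGIP1 err websso.0[18366]: 014d0005:3: Disabled the SSO for session: misconfiguration
Oct 21 13:03:13 DRBIGIP1 debug websso.0[18366]: 014d0001:7: sso_disable: 1, _needAuth: 0
Oct 21 13:03:23 DRBIGIP1 debug websso.1[18460]: 014d0001:7: Expire thread: TGTlist:0 TGTMap:0 UCClist:0 UCCmap:0
"""

# Shape of a websso syslog line: timestamp, host, level, worker[pid], code, message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<level>\w+) "
    r"(?P<worker>websso\.\d+)\[(?P<pid>\d+)\]: (?P<code>[0-9a-f]{8}:\d): (?P<msg>.*)$"
)
SSO_CFG_RE = re.compile(
    r"Found HTTP 401 response for SSO configuration '(?P<name>[^']+)' type:'(?P<type>[^']+)'"
)
WWW_AUTH_RE = re.compile(r"www-authenticate header: (?P<scheme>\S+)")
DISABLED_RE = re.compile(r"Disabled the SSO for session: (?P<reason>.+)$")


def parse_line(line):
    """Return the fields of one websso line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Correlate, per worker pid, the 401 seen by websso with the challenge(s)
    the backend offered and the eventual 'Disabled the SSO' verdict.

    Returns one finding per 'Disabled the SSO' message, carrying the SSO object
    name/type and the WWW-Authenticate schemes observed since that 401.
    """
    pending = {}   # pid -> state accumulated since the last 401 on that worker
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        pid, msg = rec["pid"], rec["msg"]
        m = SSO_CFG_RE.search(msg)
        if m:
            pending[pid] = {"sso_config": m["name"], "sso_type": m["type"], "challenges": []}
            continue
        m = WWW_AUTH_RE.search(msg)
        if m and pid in pending:
            pending[pid]["challenges"].append(m["scheme"])
            continue
        m = DISABLED_RE.search(msg)
        if m:
            state = pending.pop(pid, {"sso_config": None, "sso_type": None, "challenges": []})
            findings.append({**state, "reason": m["reason"], "ts": rec["ts"], "pid": pid})
    return findings


def ntlm_challenge_missing(finding):
    """Assumption (not stated in the thread): an NTLM-type SSO object needs the
    backend to offer an 'NTLM' scheme. Flag findings where only other schemes
    (here 'Negotiate') were seen before SSO was disabled."""
    sso_type = finding["sso_type"] or ""
    return sso_type.startswith("ntlm") and "NTLM" not in finding["challenges"]


def report(log_text):
    """Human-readable summary, one line per finding."""
    lines = []
    for f in analyze(log_text):
        flag = " <- backend offered no NTLM challenge" if ntlm_challenge_missing(f) else ""
        lines.append(
            f"{f['ts']} pid={f['pid']} sso={f['sso_config']} type={f['sso_type']} "
            f"challenges={','.join(f['challenges']) or '-'} result={f['reason']}{flag}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against a real `/var/log/apm` extract, the same correlation shows, per session, which SSO object was selected and what the server actually challenged with, which is the comparison to make before touching the SSO object or the access policy.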