Forum Discussion
Test SSO with APM
Hi,
I want to test the SSO feature in BIG-IP APM. Is there an easy application setup for SSO that can be tested with APM?
- Harry1Nimbostratus
I have configured an IIS server with the Windows authentication option. Can I configure SSO here? At present it asks for a password once I click on the published link under the webtop link. I have configured Kerberos SSO, but the web page still asks for credentials after a successful AD login on the APM policy page.
Can anyone help me out?
- AndOsCirrostratus
Kerberos SSO can be a bit fiddly to get working.
Something that helped me out last time I worked with Kerberos SSO was the chapter "Kerberos Authentication with End-User Logons" from the APM Authentication and SSO guide.
Verify that SPNs are configured correctly for your web servers. This Microsoft KB might have a few tips: "How to use SPNs when you configure Web applications that are hosted on Internet Information Services".
/Andreas
- Harry1Nimbostratus
I tried, but it's still asking for credentials.
- kolom_265617Cirrostratus
You can use Auction Site, which is being used as a testing server for ASM Labs. Doing so, you can test form-based SSO. You can also set up a lab Exchange server to test NTLM + Kerberos SSO.
- Harry1Nimbostratus
Exchange setup is a very lengthy procedure; that is why I chose the IIS server.
- Nicolas_DestorCirrostratus
Check the 401 HTTP request message sent by your IIS server: what is the value of the WWW-Authenticate attribute? It should be "Negotiate" for Kerberos. For basic authentication the value is "Basic", which seems to be the case here for you.
If OK, I advise you to activate debug mode for APM and check in /var/log/apm whether the SSO profile is invoked when you access your website.
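Added example, not part of the post above or of any other reply in this thread: a small Python check for the WWW-Authenticate value that post asks about, plus a classifier for the token that follows "Negotiate" in a later header. The sample responses, tokens and function names are constructed for illustration.

```python
import base64

# Constructed sample responses (not captured from the servers in this thread).
IIS_WINDOWS_AUTH = ("HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/10.0\r\n"
                    "WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n\r\n")
IIS_BASIC_ONLY = ('HTTP/1.1 401 Unauthorized\r\n'
                  'WWW-Authenticate: Basic realm="lab"\r\n\r\n')
# Constructed tokens: only the leading bytes matter for classification.
NTLM_TOKEN = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
GSS_TOKEN = "Negotiate " + base64.b64encode(b"\x60\x82\x01\x00").decode()

def offered_schemes(raw_response):
    """Return the scheme named by every WWW-Authenticate header, in order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0])      # the scheme is the first token
    return schemes

def challenge_verdict(raw_response):
    """Say whether a 401 offers Negotiate, the scheme Kerberos SSO answers."""
    status = raw_response.split("\r\n", 1)[0].split()
    if len(status) < 2 or status[1] != "401":
        return "no-challenge"
    schemes = [s.lower() for s in offered_schemes(raw_response)]
    return "negotiate-offered" if "negotiate" in schemes else "negotiate-not-offered"

def negotiate_token_kind(header_value):
    """Classify the base64 token of a 'Negotiate <token>' header value."""
    parts = header_value.split()
    if len(parts) != 2 or parts[0].lower() != "negotiate":
        return "not-negotiate"
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:                            # binascii.Error subclasses ValueError
        return "malformed"
    if blob.startswith(b"NTLMSSP\x00"):
        return "ntlm"      # raw NTLM inside Negotiate, so no Kerberos ticket was sent
    if blob[:1] == b"\x60":
        return "gssapi"    # GSS-API framing; this is how a Kerberos ticket is carried
    return "unknown"
```

A "negotiate-not-offered" verdict for a response listing only Basic matches the situation described in the post above; an "ntlm" token means the Negotiate exchange fell back to NTLM instead of presenting a Kerberos ticket.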
- Harry1Nimbostratus
I tried to activate debug logs, but I am not getting Kerberos-related logs here.
- Nicolas_DestorCirrostratus
Your SSO profile seems not to be invoked in that case. I have never tried Kerberos SSO, but for other SSO methods I always saw logs. For example, for HTTP form SSO:
Jan 3 15:59:21 FW-xxx debug websso.1[15127]: 014d0001:7: constructor
Jan 3 15:59:21 FW-xxx debug websso.1[15127]: 014d0001:7: webssoContext constructor
...
Jan 3 15:59:21 FW-xxx debug websso.1[15127]: 014d0001:7: ssoMethod: form-based usernameSource:
Check your Access profile configuration and make sure your SSO profile is applied.