Login with single sign on AND username+password

Moderator: crythias

jobe
Znuny newbie
Posts: 7
Joined: 22 Jun 2015, 17:33
Znuny Version: 4.0.8-02

Login with single sign on AND username+password

Post by jobe »

Hi everybody,
a few years ago I configured my old OTRS 4 with single sign-on using Apache and Kerberos (I followed this guide http://ingenious-excerpts.blogspot.com/ ... -with.html ). Everything has worked without problems since then, but now I have a few users that need to connect from outside my internal network and have PCs not joined to my Active Directory domain.
Is it possible to combine AD single sign-on AND classical username and password login? Now, if users from outside the internal network try to connect, they receive a 500 HTTP error from the OTRS server.
Here is how AuthModule is configured at the moment:

$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '@DOMAIN.LOCAL';
OTRS 4.0.8-02 on CentOS 6 with MySQL.
root
Administrator
Posts: 3934
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny

Re: Login with single sign on AND username+password

Post by root »

Hi,

I would like to see your Apache configuration which is used for the Kerberos SSO, and maybe the Apache error_log; there should be a hint about the Internal Server Error in it.

- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?
jobe
Znuny newbie
Posts: 7
Joined: 22 Jun 2015, 17:33
Znuny Version: 4.0.8-02

Re: Login with single sign on AND username+password

Post by jobe »

Hi,
sure, here is the Apache configuration regarding Kerberos:


    # set mod_perl2 options
    <Location /otrs>
        ## Start - Add Configuration Kerberos OTRS ##
        AuthType Kerberos
        AuthName "Kerberos OTRS"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms DOMAIN.LOCAL
        Krb5KeyTab /etc/apache2/apache.keytab
        require valid-user
        ## End - Add Configuration Kerberos OTRS ##
#        ErrorDocument 403 /otrs/customer.pl
        ErrorDocument 403 /otrs/index.pl
        SetHandler  perl-script
        PerlResponseHandler ModPerl::Registry
        Options +ExecCGI
        PerlOptions +ParseHeaders
        PerlOptions +SetupEnv
        Order allow,deny
        Allow from all
    </Location>

here is the Apache error.log:


error.log.3.gz:[Thu Mar 25 13:09:43 2021] [error] [client 10.120.5.158] gss_acquire_cred() failed: An invalid name was supplied (, )
error.log.3.gz:[Thu Mar 25 13:10:50 2021] [error] [client 10.120.5.158] gss_acquire_cred() failed: An invalid name was supplied (, )
error.log.3.gz:[Thu Mar 25 13:12:12 2021] [error] [client 10.120.11.248] gss_acquire_cred() failed: An invalid name was supplied (, )
error.log.3.gz:[Thu Mar 25 14:14:32 2021] [error] [client 10.120.5.158] gss_acquire_cred() failed: An invalid name was supplied (, )
error.log.3.gz:[Thu Mar 25 14:14:33 2021] [error] [client 10.120.5.158] gss_acquire_cred() failed: An invalid name was supplied (, )
error.log.3.gz:[Thu Mar 25 14:16:13 2021] [error] [client 10.120.5.158] gss_acquire_cred() failed: An invalid name was supplied (, )
error.log.3.gz:[Thu Mar 25 14:40:13 2021] [error] [client 10.120.5.158] gss_acquire_cred() failed: An invalid name was supplied (, )
error.log.3.gz:[Thu Mar 25 14:41:08 2021] [error] [client 10.120.5.158] gss_acquire_cred() failed: An invalid name was supplied (, )
and here the Apache access.log:


10.120.5.158 - - [25/Mar/2021:13:04:44 +0100] "GET / HTTP/1.1" 200 483 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.5.158 - - [25/Mar/2021:13:04:44 +0100] "GET /favicon.ico HTTP/1.1" 404 502 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.5.158 - - [25/Mar/2021:13:09:34 +0100] "GET /otrs/customer.pl HTTP/1.1" 401 696 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.5.158 - - [25/Mar/2021:13:09:43 +0100] "GET /otrs/customer.pl HTTP/1.1" 500 639 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.5.158 - - [25/Mar/2021:13:10:50 +0100] "GET /otrs/customer.pl?Action=CustomerTicketOverview;Subaction=MyTickets HTTP/1.1" 500 639 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.11.248 - - [25/Mar/2021:13:11:44 +0100] "GET /otrs/index.pl?Action=AgentDashboard HTTP/1.1" 401 696 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.11.248 - - [25/Mar/2021:13:12:12 +0100] "GET /otrs/index.pl?Action=AgentDashboard HTTP/1.1" 500 639 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.5.158 - - [25/Mar/2021:14:14:32 +0100] "GET /otrs/customer.pl?Action=CustomerTicketOverview;Subaction=MyTickets HTTP/1.1" 500 639 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.5.158 - - [25/Mar/2021:14:14:33 +0100] "GET /otrs/customer.pl?Action=CustomerTicketOverview;Subaction=MyTickets HTTP/1.1" 500 639 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.5.158 - - [25/Mar/2021:14:16:13 +0100] "GET /otrs/customer.pl?Action=CustomerTicketOverview;Subaction=MyTickets HTTP/1.1" 500 639 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.5.158 - - [25/Mar/2021:14:40:13 +0100] "GET /otrs/customer.pl?Action=CustomerTicketOverview;Subaction=MyTickets HTTP/1.1" 500 639 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.5.158 - - [25/Mar/2021:14:41:08 +0100] "GET /otrs/customer.pl? HTTP/1.1" 500 639 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.5.158 - - [25/Mar/2021:14:52:15 +0100] "GET /otrs/customer.pl? HTTP/1.1" 500 639 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
root
Administrator
Posts: 3934
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny

Re: Login with single sign on AND username+password

Post by root »

Hi,

Please increase Apache's LogLevel to get a bit more detail out of it. I expect an HTTP Basic Auth box popping up with your configuration when a non-domain member tries to log in.

- Roy
jobe
Znuny newbie
Posts: 7
Joined: 22 Jun 2015, 17:33
Znuny Version: 4.0.8-02

Re: Login with single sign on AND username+password

Post by jobe »

Hi and sorry for the late response.
Yes, when a user that is connecting from outside the domain opens the OTRS web page, an HTTP Basic Auth box pops up, but the server gives an HTTP 500 error when the user enters his credentials.

In the last post I forgot to add a network detail about our setup. Non-domain users connect from a different subnet (10.120.x.x) that cannot directly communicate with our OTRS server (10.16.99.116), so they use a NATted IP to connect to the OTRS server (10.135.1.116). Domain users, instead, connect from our internal LAN (10.135.x.x), which can directly communicate with the OTRS server. To be clearer:
Non-domain users use http://10.135.1.116 to connect to the OTRS server; domain users use http://10.16.99.116 (or the OTRS server FQDN).

Here are the Apache debug logs:
access.log:


10.120.20.178 - - [27/Apr/2021:13:55:02 +0200] "GET /otrs/customer.pl? HTTP/1.1" 500 639 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko"
error.log:


[Tue Apr 27 13:55:02 2021] [debug] src/mod_auth_kerb.c(1628): [client 10.120.20.178] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Apr 27 13:55:02 2021] [debug] src/mod_auth_kerb.c(1240): [client 10.120.20.178] Acquiring creds for HTTP@10.135.1.116
[Tue Apr 27 13:55:02 2021] [debug] src/mod_auth_kerb.c(1101): [client 10.120.20.178] GSS-API major_status:00020000, minor_status:000186a4
[Tue Apr 27 13:55:02 2021] [error] [client 10.120.20.178] gss_acquire_cred() failed: An invalid name was supplied (, )
[Tue Apr 27 13:55:02 2021] [debug] mod_deflate.c(615): [client 10.120.20.178] Zlib: Compressed 617 to 382 : URL /otrs/customer.pl
root
Administrator
Posts: 3934
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny

Re: Login with single sign on AND username+password

Post by root »

Hi,

Without knowing more details on your network, I would try to use two VirtualHosts, with SSO configured only on the one for internal users.

- Roy
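One way to lay out Roy's two-VirtualHost suggestion, as an added example that is not configuration from the thread or from Znuny: both vhosts serve OTRS through the same mod_perl handler, but only the one matched by the internal address/FQDN carries the mod_auth_kerb directives. The NAT-facing one has no AuthType at all, so Apache sets no REMOTE_USER there and the browser never gets a Basic Auth box. Since the NATted traffic still arrives on the server's own interface and differs only in the Host header (the debug log shows "Acquiring creds for HTTP@10.135.1.116"), the split has to be name-based; the FQDN is a placeholder.

```apache
# Added example, not from the thread. Apache 2.2 syntax (CentOS 6).
# Assumed: otrs.domain.local is a placeholder FQDN; addresses, keytab
# path and realm are the ones posted above.

NameVirtualHost *:80

# Internal vhost: matched by the FQDN or the real server address.
# Listed first, so it is also the default for any unmatched Host header.
<VirtualHost *:80>
    ServerName  otrs.domain.local
    ServerAlias 10.16.99.116

    <Location /otrs>
        AuthType Kerberos
        AuthName "Kerberos OTRS"
        KrbMethodNegotiate On
        # On = fall back to a Basic password prompt checked against the KDC;
        # set Off if only ticket-based Negotiate should be accepted here.
        KrbMethodK5Passwd On
        KrbAuthRealms DOMAIN.LOCAL
        Krb5KeyTab /etc/apache2/apache.keytab
        require valid-user
        ErrorDocument 403 /otrs/index.pl

        SetHandler  perl-script
        PerlResponseHandler ModPerl::Registry
        Options +ExecCGI
        PerlOptions +ParseHeaders
        PerlOptions +SetupEnv
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>

# NAT-facing vhost: non-domain clients send Host: 10.135.1.116.
<VirtualHost *:80>
    ServerName 10.135.1.116

    <Location /otrs>
        # No AuthType: Apache performs no authentication and sets no
        # REMOTE_USER, so OTRS shows its own login form on this vhost.
        SetHandler  perl-script
        PerlResponseHandler ModPerl::Registry
        Options +ExecCGI
        PerlOptions +ParseHeaders
        PerlOptions +SetupEnv
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>
```

On the OTRS side this assumes a non-SSO backend (such as Kernel::System::Auth::DB) is available for requests that carry no REMOTE_USER; with HTTPBasicAuth as the only backend, the second vhost would have nothing to authenticate against.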
jobe
Znuny newbie
Posts: 7
Joined: 22 Jun 2015, 17:33
Znuny Version: 4.0.8-02

Re: Login with single sign on AND username+password

Post by jobe »

Thank you for the hint. I'll try with two virtual hosts then.