Hi everybody,
a few years ago I configured my old OTRS 4 with single sign-on using Apache and Kerberos (I followed this guide http://ingenious-excerpts.blogspot.com/ ... -with.html ). Everything has worked without problems since then, but now I have a few users who need to connect from outside my internal network and whose PCs are not joined to my Active Directory domain.
Is it possible to combine AD single sign-on AND classical username and password login? At the moment, if users from outside the internal network try to connect, they receive an HTTP 500 error from the OTRS server.
Here is how AuthModule is configured at the moment:
$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} ='@DOMAIN.LOCAL';
Login with single sign on AND username+password
OTRS 4.0.8-02 on CentOS 6 with MySQL.
- Administrator
- Posts: 3957
- Joined: 18 Dec 2007, 12:23
- Znuny Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
Re: Login with single sign on AND username+password
Hi,
I would like to see your Apache configuration which is used for the Kerberos SSO. And maybe the Apache error_log, there should be a hint about the Internal Server error.
- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO
Use a test system - always.
Do you need professional services? Check out https://www.znuny.com/
Do you want to contribute or want to know where it goes ?
Re: Login with single sign on AND username+password
Hi,
sure, here is the Apache configuration regarding Kerberos:
# set mod_perl2 options
<Location /otrs>
## Start - Add Configuration Kerberos OTRS ##
AuthType Kerberos
AuthName "Kerberos OTRS"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms DOMAIN.LOCAL
Krb5KeyTab /etc/apache2/apache.keytab
require valid-user
## End - Add Configuration Kerberos OTRS ##
# ErrorDocument 403 /otrs/customer.pl
ErrorDocument 403 /otrs/index.pl
SetHandler perl-script
PerlResponseHandler ModPerl::Registry
Options +ExecCGI
PerlOptions +ParseHeaders
PerlOptions +SetupEnv
Order allow,deny
Allow from all
</Location>
here is the Apache error.log:
error.log.3.gz:[Thu Mar 25 13:09:43 2021] [error] [client 10.120.5.158] gss_acquire_cred() failed: An invalid name was supplied (, )
error.log.3.gz:[Thu Mar 25 13:10:50 2021] [error] [client 10.120.5.158] gss_acquire_cred() failed: An invalid name was supplied (, )
error.log.3.gz:[Thu Mar 25 13:12:12 2021] [error] [client 10.120.11.248] gss_acquire_cred() failed: An invalid name was supplied (, )
error.log.3.gz:[Thu Mar 25 14:14:32 2021] [error] [client 10.120.5.158] gss_acquire_cred() failed: An invalid name was supplied (, )
error.log.3.gz:[Thu Mar 25 14:14:33 2021] [error] [client 10.120.5.158] gss_acquire_cred() failed: An invalid name was supplied (, )
error.log.3.gz:[Thu Mar 25 14:16:13 2021] [error] [client 10.120.5.158] gss_acquire_cred() failed: An invalid name was supplied (, )
error.log.3.gz:[Thu Mar 25 14:40:13 2021] [error] [client 10.120.5.158] gss_acquire_cred() failed: An invalid name was supplied (, )
error.log.3.gz:[Thu Mar 25 14:41:08 2021] [error] [client 10.120.5.158] gss_acquire_cred() failed: An invalid name was supplied (, )
and here the Apache access.log:
10.120.5.158 - - [25/Mar/2021:13:04:44 +0100] "GET / HTTP/1.1" 200 483 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.5.158 - - [25/Mar/2021:13:04:44 +0100] "GET /favicon.ico HTTP/1.1" 404 502 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.5.158 - - [25/Mar/2021:13:09:34 +0100] "GET /otrs/customer.pl HTTP/1.1" 401 696 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.5.158 - - [25/Mar/2021:13:09:43 +0100] "GET /otrs/customer.pl HTTP/1.1" 500 639 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.5.158 - - [25/Mar/2021:13:10:50 +0100] "GET /otrs/customer.pl?Action=CustomerTicketOverview;Subaction=MyTickets HTTP/1.1" 500 639 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.11.248 - - [25/Mar/2021:13:11:44 +0100] "GET /otrs/index.pl?Action=AgentDashboard HTTP/1.1" 401 696 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.11.248 - - [25/Mar/2021:13:12:12 +0100] "GET /otrs/index.pl?Action=AgentDashboard HTTP/1.1" 500 639 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.5.158 - - [25/Mar/2021:14:14:32 +0100] "GET /otrs/customer.pl?Action=CustomerTicketOverview;Subaction=MyTickets HTTP/1.1" 500 639 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.5.158 - - [25/Mar/2021:14:14:33 +0100] "GET /otrs/customer.pl?Action=CustomerTicketOverview;Subaction=MyTickets HTTP/1.1" 500 639 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.5.158 - - [25/Mar/2021:14:16:13 +0100] "GET /otrs/customer.pl?Action=CustomerTicketOverview;Subaction=MyTickets HTTP/1.1" 500 639 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.5.158 - - [25/Mar/2021:14:40:13 +0100] "GET /otrs/customer.pl?Action=CustomerTicketOverview;Subaction=MyTickets HTTP/1.1" 500 639 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.5.158 - - [25/Mar/2021:14:41:08 +0100] "GET /otrs/customer.pl? HTTP/1.1" 500 639 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.120.5.158 - - [25/Mar/2021:14:52:15 +0100] "GET /otrs/customer.pl? HTTP/1.1" 500 639 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
Re: Login with single sign on AND username+password
Hi,
Please increase Apache's LogLevel to get a little bit more details out of it. I expect an HTTP Basic Auth box popping up with your configuration when a non domain member tries to login.
- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO
Use a test system - always.
Do you need professional services? Check out https://www.znuny.com/
Do you want to contribute or want to know where it goes ?
Re: Login with single sign on AND username+password
Hi and sorry for the late response.
Yes, when a user who is connecting from outside the domain opens the OTRS web page, an HTTP Basic Auth box pops up, but the server gives an HTTP 500 error when the user enters his credentials.
In the last post I forgot to add a network detail about our setup. Non-domain users connect from a different subnet (10.120.x.x) that cannot directly communicate with our OTRS server (10.16.99.116), so they use a NATted IP to connect to the OTRS server (10.135.1.116). Domain users, instead, connect from our internal LAN (10.135.x.x), which can directly communicate with the OTRS server. To be more clear:
Non-domain users use http://10.135.1.116 to connect to the OTRS server, domain users use http://10.16.99.116 (or the OTRS server FQDN).
Here are the Apache debug logs:
access.log:
10.120.20.178 - - [27/Apr/2021:13:55:02 +0200] "GET /otrs/customer.pl? HTTP/1.1" 500 639 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko"
error.log:
[Tue Apr 27 13:55:02 2021] [debug] src/mod_auth_kerb.c(1628): [client 10.120.20.178] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Apr 27 13:55:02 2021] [debug] src/mod_auth_kerb.c(1240): [client 10.120.20.178] Acquiring creds for HTTP@10.135.1.116
[Tue Apr 27 13:55:02 2021] [debug] src/mod_auth_kerb.c(1101): [client 10.120.20.178] GSS-API major_status:00020000, minor_status:000186a4
[Tue Apr 27 13:55:02 2021] [error] [client 10.120.20.178] gss_acquire_cred() failed: An invalid name was supplied (, )
[Tue Apr 27 13:55:02 2021] [debug] mod_deflate.c(615): [client 10.120.20.178] Zlib: Compressed 617 to 382 : URL /otrs/customer.pl
Re: Login with single sign on AND username+password
Hi,
Without knowing more details on your network, I would try to use two VirtualHosts and only the one for internal users with configured SSO.
- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO
Use a test system - always.
Do you need professional services? Check out https://www.znuny.com/
Do you want to contribute or want to know where it goes ?
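One way to lay out the two VirtualHosts Roy suggests, as an added example that is not configuration from this thread or from Znuny. It assumes Apache 2.2 syntax (CentOS 6), that the server FQDN is otrs.domain.local and matches the HTTP/ principal in the keytab, and an htpasswd file path that is made up; the Kerberos and mod_perl directives are the ones already posted above, only moved inside the internal host. The external host uses Apache's own Basic authentication against a local password file, which sets REMOTE_USER just as mod_auth_kerb does, so the OTRS side (Kernel::System::Auth::HTTPBasicAuth) stays unchanged.

```apache
# Added example (not the thread's or Znuny's configuration). Apache 2.2
# syntax as shipped with CentOS 6. Assumptions: the server FQDN is
# otrs.domain.local and is the HTTP/ principal in the keytab; the htpasswd
# path is made up; both hosts serve the same OTRS installation.
NameVirtualHost *:80

# 1) Internal (domain) users reach the server by its FQDN: Kerberos SSO,
#    the block already in use, but now limited to this VirtualHost.
<VirtualHost *:80>
    ServerName otrs.domain.local
    <Location /otrs>
        AuthType Kerberos
        AuthName "Kerberos OTRS"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms DOMAIN.LOCAL
        Krb5KeyTab /etc/apache2/apache.keytab
        require valid-user
        ErrorDocument 403 /otrs/index.pl
        SetHandler perl-script
        PerlResponseHandler ModPerl::Registry
        Options +ExecCGI
        PerlOptions +ParseHeaders
        PerlOptions +SetupEnv
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>

# 2) External users reach the server by the NATted address. No mod_auth_kerb
#    directives here, so the gss_acquire_cred() for HTTP@10.135.1.116 seen in
#    the debug log above never runs for them. HTTP Basic auth against a local
#    password file sets REMOTE_USER, which Kernel::System::Auth::HTTPBasicAuth
#    already consumes; the logins in the file must match the OTRS logins.
<VirtualHost *:80>
    ServerName 10.135.1.116
    <Location /otrs>
        AuthType Basic
        AuthName "OTRS login"
        AuthBasicProvider file
        # assumed path; create with: htpasswd -c /etc/httpd/otrs-external.htpasswd <login>
        AuthUserFile /etc/httpd/otrs-external.htpasswd
        require valid-user
        ErrorDocument 403 /otrs/index.pl
        SetHandler perl-script
        PerlResponseHandler ModPerl::Registry
        Options +ExecCGI
        PerlOptions +ParseHeaders
        PerlOptions +SetupEnv
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>
```

Two points to check before using this. Basic authentication sends the password only base64-encoded, so the external host should be a `*:443` VirtualHost with mod_ssl (`SSLEngine on`) rather than the plain port 80 shown here. The `AuthModule::HTTPBasicAuth::ReplaceRegExp` of `@DOMAIN.LOCAL` already in Config.pm only strips the realm from Kerberos logins; file-based logins without a suffix pass through untouched, so the same OTRS users can log in from either side. If the external users do have AD accounts, the `file` provider can be swapped for mod_authnz_ldap's `ldap` provider so there is no second password store to maintain.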
Re: Login with single sign on AND username+password
Thank you for the hint. I'll try with two virtual hosts then.