[SOLVED] Single Sign On with IIS

HervE
Znuny wizard
Posts: 391
Joined: 03 Jan 2011, 17:15
Znuny Version: 3.3.8
Location: France

[SOLVED] Single Sign On with IIS

Post by HervE »

Hello,

I'm currently about to deploy OTRS to a new customer.
A prerequisite of this customer is that the user mustn't have to log in, since he is already logged in to Windows.
This means I have to set Single Sign On (SSO) for both OTRS portals (agent and customer interfaces).

Through SysConfig I modified Customer::AuthModule to "HTTPBasicAuth" (not LDAP).
And naturally I modified the settings in IIS thanks to this. (Basically, I enabled Windows authentication and disabled anonymous authentication.)

But I'm getting this error:
[Thu Jul 24 10:42:07 2014][Notice][Kernel::System::CustomerAuth::HTTPBasicAuth::Auth] User: No $ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER} !(REMOTE_ADDR: 127.0.0.1).

I've carefully read the OTRS forum here and there, but most of you seem to use SSO with Apache or LDAP. I don't.
I've read many other pages on the web, tried several things, but REMOTE_USER is still missing.

To see the environment variables, I've added this code in HTTPBasicAuth.pm:

Code:

    foreach my $var (sort keys %ENV) {
        $Self->{LogObject}->Log(
            Priority => 'notice',
            Message  => $var . "=" . $ENV{$var},
        );
    }

As a result, I've got a list of all the known environment variables, but neither REMOTE_USER nor HTTP_REMOTE_USER are here.

What did I do wrong?
Am I missing anything in OTRS or in IIS?

Regards,
HervE
Last edited by HervE on 12 Sep 2014, 14:27, edited 1 time in total.
OTRS 3.3.8 - Windows 7 - IIS7 - SQL Server - Firefox 30
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Single Sign On with IIS

Post by crythias »

OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
HervE

Re: Single Sign On with IIS

Post by HervE »

Thanks for your answer.
I already had a look at many of these. No help, since most of them use SSO with LDAP, whereas I'd like Windows (i.e. HTTPBasicAuth, if I understand correctly).

crythias wrote: Some have used Shibboleth to handle this.

So I decided to give Shibboleth a try.
I installed it, and managed (I think) to configure IIS for it, thanks to https://wiki.shibboleth.net/confluence/ ... 7Installer
But now?
I have to configure it for OTRS, so that both OTRS portals are 'protected' by Shibboleth - if I still understand correctly.
Unfortunately, Peggy's blog doesn't explain it. Its "Configuring Shibboleth service provider daemon" section seems to be directed to people who already know Shibboleth. Which is obviously not my case.
Can anybody help?

Other question: Do all users (agents and customers) need to have Shibboleth installed on their computer too?

Found this also, which puzzled me. Doesn't Shibboleth fill the REMOTE_USER environment variable? Does it fill another variable? Which one?

Regards,
HervE
crythias

Re: Single Sign On with IIS

Post by crythias »

HervE wrote: Do all users (agents and customers) need to have Shibboleth installed on their computer too?

No. This is a handler for the client browser to announce to (Shibboleth web site) the current user, at which point, Shibboleth talks to IIS and says, "the browser says the user is x and I believe him".

HervE wrote: Doesn't Shibboleth fill the REMOTE_USER environment variable? Does it fill another variable? Which one?

Why not create a page that shows the environment variables?
https://it.uoregon.edu/idm/services/shi ... on-windows shows an asp page to do that.
crythias

Re: Single Sign On with IIS

Post by crythias »

Note also that LDAP is probably preferred unless you don't have a domain.
HervE

Re: Single Sign On with IIS

Post by HervE »

Hello,

I'm back from holidays.

I reinstalled all of OTRS and tried SSO with HTTPBasicAuth again.
With the same result: User: No $ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER} !(REMOTE_ADDR: 127.0.0.1).

Like I said in my first message, I added Perl code to list environment variables, and as a result it appears that neither REMOTE_USER nor HTTP_REMOTE_USER are here. I still don't know why.

However, if I add the following in sub Auth of HTTPBasicAuth.pm, to enforce the variable, just for testing purposes,

Code:

    $ENV{REMOTE_USER} = "<my Windows login>";

it works fine!

What should I do?

Best regards,
HervE
dnmvisser
Znuny newbie
Posts: 12
Joined: 19 Aug 2014, 18:21
Znuny Version: 3.3.8

Re: Single Sign On with IIS

Post by dnmvisser »

I have seen similar stuff in the past with Perl apps, whereby the web server setting REMOTE_USER would not work.
The variable that I needed was available though, so I worked around it by changing the code to use that variable name instead.
In the OTRS case it meant changing Kernel/System/Auth/HTTPBasicAuth.pm and Kernel/System/CustomerAuth/HTTPBasicAuth.pm

Code:

    sub Auth {
        my ( $Self, %Param ) = @_;

        # get params
        # my $User       = $ENV{REMOTE_USER} || $ENV{HTTP_REMOTE_USER};
        my $User       = $ENV{MELLON_CONF_USER};

        # ... (rest of sub Auth not shown in the post)
    }
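
Added example, not part of dnmvisser's post and not OTRS code: a standalone Perl helper that picks the SSO login only from variables the web server sets itself, and merely reports HTTP_* entries, which CGI builds from request headers. ResolveSSOUser is a hypothetical name; that IIS exports AUTH_USER and LOGON_USER to the CGI environment, and that logins are stored without the domain part, are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Variables the web server sets itself after authenticating the request.
# AUTH_USER and LOGON_USER are IIS server variables (assumed exported to CGI).
my @ServerSet = qw(REMOTE_USER AUTH_USER LOGON_USER);

# Pick the login from server-set variables only. HTTP_* entries are built
# from request headers, so they are reported but never used as the login.
sub ResolveSSOUser {
    my (%Env) = @_;

    my @Ignored = grep { /^HTTP_/ && /USER/ } sort keys %Env;
    my ($Source) = grep { defined $Env{$_} && length $Env{$_} } @ServerSet;
    return ( undef, undef, \@Ignored ) if !$Source;

    my $User = $Env{$Source};
    $User =~ s/^.*\\//;    # DOMAIN\login -> login (assumes domain-less logins)
    $User =~ s/\@.*$//;    # login@REALM  -> login
    return ( $User, $Source, \@Ignored );
}

# Constructed sample environments (not taken from the thread).
my %Samples = (
    'Windows authentication on' => {
        AUTH_TYPE   => 'Negotiate',
        REMOTE_USER => 'EXAMPLE\\jdoe',
    },
    'anonymous access, header only' => {
        AUTH_TYPE        => '',
        HTTP_REMOTE_USER => 'jdoe',
    },
);

for my $Name ( sort keys %Samples ) {
    my ( $User, $Source, $Ignored ) = ResolveSSOUser( %{ $Samples{$Name} } );
    printf "%-30s login=%s source=%s ignored=[%s]\n",
        $Name,
        $User   // '(none)',
        $Source // '(none)',
        join( ',', @{$Ignored} );
}
```

Called as `ResolveSSOUser(%ENV)` from a CGI test page, an empty result together with an empty AUTH_TYPE indicates the request reached Perl without the web server having authenticated it.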
HervE

Re: Single Sign On with IIS

Post by HervE »

Hello,

Thanks for your answer.
Indeed I've got a problem prior to SSO: my IIS configuration is wrong, probably due to the wrong version of Perl (?)
Hope solving the issue with IIS configuration will solve the SSO issue too...

Regards,
HervE
HervE

Re: Single Sign On with IIS

Post by HervE »

Since I solved my IIS configuration issues (see this topic and this topic), Single Sign On naturally followed (provided of course that Windows Authentication is enabled in IIS).

At least with Internet Explorer.
With Firefox I still have an authentication popup for some reason, but never mind since my customer uses IE.

Regards,
HervE