Issue
When opening Process Manager for ServiceDesk 7 or Workflow 7, with Active Directory login enabled, the expectation is that the user will automatically be logged in without having to provide credentials. In some cases this fails to accept the passthrough authentication and stops at the login screen. If the user types their credentials manually, however, the login works.
Environment
ServiceDesk 7.0 or Workflow 7.0 installed on Windows 2003 Server.
ServiceDesk 7.1 or Workflow 7.1 installed on Windows 2003 Server.
Ensure that the following has been set up in ServiceDesk to enable automatic passthrough authentication to work:
Cause
This is not a known ServiceDesk/Workflow defect but an Active Directory configuration issue that must be addressed with Active Directory tools. Complications may exist if more than one domain is involved.
The root cause is a configuration problem with Kerberos authentication. Certain settings must be in place for passthrough authentication to work correctly.
Resolution
Note: The instructions below are for the versions of ServiceDesk/Workflow listed in the Environment section above installed on Windows 2003 Server. For ServiceDesk and Workflow 7.1 installed on Windows 2008 Server, please see HOWTO53270. All of the below instructions are required unless otherwise specified. If any cannot be performed due to policy or security reasons, this may result in automatic passthrough authentication failing to work.
Run the Microsoft SetSPN command against the domain(s). The account that SetSPN must be run for is the Service Account, that is, the user account used to run the IIS DefaultAppPool in KB HOWTO3136. SetSPN can be run from any Windows Server 2003 server in the domain. It makes changes to the Active Directory environment, not to the local system.
SetSPN can be downloaded from Microsoft's website:
http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en
Note: If the ServiceDesk/Workflow server has multiple DNS names, SetSPN must be run against each one (each FQDN).
setspn -A http/<NetBIOS_server_name> <domain_name>\<service_account>
Where <NetBIOS_server_name> is the NetBIOS name of the ServiceDesk/Workflow server, <domain_name> is the domain name, and <service_account> is the name of the Service Account. For example: setspn -A http/servicedsk symantec\jsmith
setspn -A http/<FQDN_server_name> <domain_name>\<service_account>
Where <FQDN_server_name> is the FQDN of the ServiceDesk/Workflow server, <domain_name> is the domain name, and <service_account> is the name of the Service Account. For example: setspn -A http/servicedsk.symantec.com symantec\jsmith
The following additional SetSPN commands may or may not be needed:
setspn -A http/<NetBIOS_server_name> <domain_name>\<NetBIOS_server_name>
Where <NetBIOS_server_name> is the NetBIOS name of the ServiceDesk/Workflow server (used both in the SPN and as the account name) and <domain_name> is the domain name. For example: setspn -A http/servicedsk symantec\servicedsk
setspn -A http/<FQDN_server_name> <domain_name>\<NetBIOS_server_name>
Where <FQDN_server_name> is the FQDN of the ServiceDesk/Workflow server, <domain_name> is the domain name, and <NetBIOS_server_name> is the NetBIOS name of the ServiceDesk/Workflow server. For example: setspn -A http/servicedsk.symantec.com symantec\servicedsk
Example:
Domain: Test
DefaultAppPool User: AppPoolUser
NetBIOS Name of the server: SDServer
FQDN Name of the server: SDServer.SomeCompany.com
setspn -A http/SDServer Test\AppPoolUser
setspn -A http/SDServer.SomeCompany.com Test\AppPoolUser
setspn -A http/SDServer Test\SDServer
setspn -A http/SDServer.SomeCompany.com Test\SDServer
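The following PowerShell script is an added example and is not part of this article or of the ServiceDesk/Workflow product. It wraps the four SetSPN commands from the Example above so that they can be re-run safely: for each account it first reads the SPNs already registered (setspn -L) and only adds the ones that are missing, so re-running the script never creates duplicate registrations on the same account. The values for the domain, service account and server names are the article's Example values; setspn.exe is assumed to be on the PATH and the caller is assumed to have rights to modify servicePrincipalName on the target accounts. The second account entry corresponds to the additional commands the article marks as "may or may not be needed"; it is disabled by default because Kerberos requires an SPN to be unique in the forest, so registering the same http/ SPN on a second account when it is not actually required is itself a cause of failed passthrough authentication.

```powershell
# Added example, not from the Symantec article: idempotent SPN registration
# for the ServiceDesk/Workflow passthrough authentication setup.
# Values below are the article's Example values; adjust for your environment.
$Domain      = "Test"
$AppPoolUser = "AppPoolUser"                # DefaultAppPool user (Service Account)
$NetBios     = "SDServer"                   # NetBIOS name of the SD/Workflow server
$Fqdn        = "SDServer.SomeCompany.com"   # FQDN of the SD/Workflow server

# Set to $true only if the article's optional commands turn out to be required.
$IncludeComputerAccount = $false

# Account -> SPNs that must exist on it (mirrors the four setspn -A lines above).
$wanted = @{}
$wanted["$Domain\$AppPoolUser"] = @("http/$NetBios", "http/$Fqdn")
if ($IncludeComputerAccount) {
    $wanted["$Domain\$NetBios"] = @("http/$NetBios", "http/$Fqdn")
}

function Get-RegisteredSpns([string]$Account) {
    # setspn -L prints a header line followed by one indented line per SPN;
    # keep only the indented lines and trim them to the bare SPN text.
    $output = & setspn -L $Account 2>&1
    $output | Where-Object { "$_" -match '^\s+\S' } | ForEach-Object { "$_".Trim() }
}

foreach ($account in $wanted.Keys) {
    $have = @(Get-RegisteredSpns $account)
    foreach ($spn in $wanted[$account]) {
        # SPNs are compared case-insensitively, as Active Directory does.
        if ($have -contains $spn) {
            Write-Host "Already registered: $spn on $account"
        } else {
            Write-Host "Registering: $spn on $account"
            & setspn -A $spn $account
        }
    }
}
```

Run the script from any Windows Server 2003 machine in the domain with an account permitted to edit the Service Account's servicePrincipalName attribute. Because it lists before it adds, it can be run again after a hostname change to register only the new name.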
Important Note: Automatic passthrough authentication does not work when the URL is opened from an email. The user will always be required to authenticate manually, and there is no out-of-box method to work around this. This has been submitted as a product feature request and may be included in the next version of ServiceDesk and Workflow. Refer to the following article for more information:
Additional Troubleshooting
When setting up an Active Directory server item in ServiceDesk, do not specify the FQDN for the AD Server Name unless absolutely necessary, as doing so may cause automatic passthrough to fail. If the FQDN has already been specified, any users whose ADLoginName field in SQL contains the FQDN may not be able to log in automatically. To check this, do the following:
For further information on setting up the AD Server, please refer to the Implementation Guide for ServiceDesk.
Active Directory automatic passthrough authentication fails to work with ServiceDesk when a link in email is used
http://www.symantec.com/business/support/index?page=content&id=TECH143379