How to Enable Active Directory Automatic Passthrough Authentication to Work with ServiceDesk and Workflow on Windows 2003

Article Id: 179627
Status: Published
Updated On: 03-06-2011 10:33
Legacy Id: HOWTO21512
Products:
Workflow Solution , ServiceDesk
Issue/Introduction:

 

Resolution:

Issue

When opening Process Manager for ServiceDesk 7 or Workflow 7, with Active Directory login enabled, the expectation is that the user will automatically be logged in without having to provide credentials. In some cases this fails to accept the passthrough authentication and stops at the login screen. If the user types their credentials manually, however, the login works.

Environment

ServiceDesk 7.0 or Workflow 7.0 installed on Windows 2003 Server.
ServiceDesk 7.1 or Workflow 7.1 installed on Windows 2003 Server.

Ensure that the following has been set up in ServiceDesk to enable automatic passthrough authentication to work:

  • The user is logging in through Internet Explorer to Process Manager. All non-IE browsers are not supported for automatic login, such as Firefox, Chrome, and Safari as these browsers do not perform automatic login using windows/AD credentials
  • Active Directory user accounts have been synced into Process Manager.
  • Active Directory Authentication has been enabled in Process Manager under the Admin menu > Portal > Master Settings > Process Manager Active Directory Settings.

Cause

This is not a ServiceDesk/Workflow known issue but an Active Directory configuration that needs to be addressed through Active Directory tools. Complications may exist if there is more than one domain involved.

The root of the cause is a configuration problem with Kerberos authentication. The system needs to have certain settings setup in order for this process to work correctly. 

Resolution

Note: The instructions below are for the versions of ServiceDesk/Workflow listed in the Environment section above installed on Windows 2003 Server.  For ServiceDesk and Workflow 7.1 installed on Windows 2008 Server, please see HOWTO53270.  All of the below instructions are required unless otherwise specified. If any cannot be performed due to policy or security reasons, this may result in automatic passthrough authentication failing to work.

  1. If ServiceDesk is being used, ensure that the ServiceDesk installation was performed using the following article. If not, a reinstall may be necessary:

    How to Install and run ServiceDesk 7.0 MR2 with a domain account instead of
    local system account
    http://www.symantec.com/business/support/index?page=content&id=HOWTO31346
     

  2. Run the Microsoft command SetSPN against the domain(s). The user account used to run the IIS DefaultAppPool in KB HOWTO3136, the Service Account, is the account that SetSPN needs to be ran on. SetSPN can be ran from any Windows Server 2003 server on the domain. This makes changes to the Active Directory environment and not the Locasl System Environment.

    SetSPN can be downloaded from Microsoft's website:

    http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en

    Note: If the the ServiceDesk/Workflow server has multiple DNS names, SetSPN must be ran against each one (its FQDN).

    setspn -A http/<NetBIOS_server_name> <domain_name>\<service_account>
    Where <NetBIOS_server_name> is the NetBIOS name of the ServiceDesk/Workflow server, <domain_name> is the domain name, and <service_account> is the name of the Service Account. For example: setspn -a http//servicedsk symantec\jsmith

    setspn -A http/<FQDN_server_name> <domain_name>\<service_account>
    Where <FQDN_server_name> is the FQDN name of the ServiceDesk/Workflow server, <domain_name> is the domain name, and <service_account> is the name of the Service Account. For example: setspn -a http//servicedsk.symantec.com symantec\jsmith

    The following additional SetSPN commands may or may not be needed:

    setspn -A http/<NetBIOS_server_name> <domain_name>\<NetBIOS_server_name>
    Where <NetBIOS_server_name> is the NetBIOS name of the ServiceDesk/Workflow server, <domain_name> is the domain name, and <NetBIOS_server_name> is the NetBIOS name of the ServiceDesk/Workflow server. For example: setspn -a http//servicedsk symantec\servicedesk

    setspn -A http/<FQDN_server_name> <domain_name>\<NetBIOS_server_name>
    Where <FQDN_server_name> is the FQDN name of the ServiceDesk/Workflow server, <domain_name> is the domain name, and <NetBIOS_server_name> is the NetBIOS name of the ServiceDesk/Workflow server. For example: setspn -a http//servicedsk.symantec.com symantec\servicedesk.

    Example:
    Domain:      Test
    DefaultAppPool User:  AppPoolUser
    NetBIOS Name of the server:  SDServer
    FQDN Name of the server:   SDServer.SomeCompany.com

    setspn -A http/SDServer Test\AppPoolUser
    setspn -A http/SDServer.SomeCompany.com Test\AppPoolUser
    setspn -A http/SDServer Test\SDServer
    setspn -A http/SDServer.SomeCompany.com Test\SDServer

  3. The ServiceDesk computer account and the Service Account user account must be set in Active Directory as trusted for delegation.
  4. The Service Account must be added to the local IIS_WPG user group.
  5. For each workstation that will be using ServiceDesk, and on the ServiceDesk server itself, Internet Explorer must be set to passthrough the login name and password. The default is set only to do this when the site is Local Intranet. Add the ServiceDesk server to the Local Intranet to change this. This is in Tools > Internet Options > Security > Local Intranet > Sites > Advanced > Add the URL to this zone. Also,  on the Security tab, go to Local Intranet > Select Custom Level, scroll to the bottom and look under User Authentication > Automatic Logon only in Intranet Zone must be selected. After making changes, the browser will need to be closed and restarted. Note: These settings could be configured using a group policy.
  6. Check the following in IIS on the ServiceDesk server:
    • In IIS, go to Web Sites > Default Web Site > ProcessManager.
    • Right click on WindowsAuthentication.aspx and choose Properties.
    • Click on the File Security tab and then click on the Edit button for Authentication and access control.
    • Verify that Enable anonymous is not enabled and that only Integrated Windows authentication is. There should be nothing else enabled on this tab. If there is, this may result in automatic passthrough authentication failing to work. If any change are made, restart IIS by issuing an IISRESET command from a Command Prompt or the Windows Run box.
  7. Test ServiceDesk to see if this now can use automatic passthrough authentication. The user may need to log in once first. Close the browser, then go to Process Manager. The automatic passthrough authentication should then work.

Important Note: Automatic passthrough authentication does not work from a URL from an email. This will always require the user manually authenticate. There is no out of box method to work around this. This has been submitted as a product feature request and may be included in the next version of ServiceDesk and Workflow. Refer to the following article for more information:

 

 

 Additional Troubleshooting

When setting up an Active Directory server item in ServiceDesk, do not specify the FQDN for the AD Server Name unless absolutely necessary. This may result in automatic passthrough failing. If this has already been specified, any users that have the FQDN specified for their ADLoginName field in SQL may not be able to automatically log in. To check this, do the following:

  1. In the AD Server in ServiceDesk, change the AD Server Name to the NetBIOS name in ServiceDesk.
  2. Review the ServiceDesk logs from the <ServiceDesk_installation_drive>:\Program Files (x86)\Altiris\Workflow Designer\Logs folder. Look at the ensemble2006 logs. There may be entries similar to:

    [userman service] LogicBase.Framework.DataLayer.DataLayerException: Could not find [UserInfo]  where [ADLoginName] Equal [<domain>\<user_name>]

    This indicates that the domain or user name was not found.
     
  3. Run the following SQL query against the Ensemble database:

    USE Ensemble
    SELECT * FROM [user] WHERE ADLoginName = '<domain_name>\<user_name>'

    Where the "<domain_name>\<user_name>" is the domain name and user name found in the log error.
     
  4. Once this user is verified, back up the Ensemble database before continuing.
  5. Run a SQL query to change the affected user. For example:

    USE Ensemble
    UPDATE [user]
    SET ADLoginName = '<new_domain>\<user_name>"
    WHERE ADLoginName = '<old_domain>\<user_name>"

For further information on setting up the AD Server, please refer to the Implementation Guide for ServiceDesk.

 

Active Directory automatic passthrough authentication fails to work with ServiceDesk when a link in email is used
http://www.symantec.com/business/support/index?page=content&id=TECH143379