How to configure and/or troubleshoot Passthrough Authentication in ServiceDesk 7.5 SP1

Article ID: 181850

Products

ServiceDesk

Issue/Introduction

 

Resolution

I. URLs pointing to the ServiceDesk server must match (http://<SN/FQDN>, no port numbers) in all of the following locations. The same URL must also be used to access the Portal.
Note: Most, if not all, of these settings are based on the Base URL value entered during the ServiceDesk/Workflow install.

  1. ServiceDeskSettings - Log in to the portal. Admin > Data > Application Properties > ServiceDeskSettings
    All URL values that point to the ServiceDesk server should start with the same URL (with the exception of the GroupActionsExchange setting, which should be left at its default value of localhost).
  2. Master Settings - Log in to the portal. Admin > Portal > Master Settings
    Minimize the Account Management section that is open by default, and expand the Notifications section. Confirm the 'Base URL To Process Manager' value matches what is in the other locations. There should be no :80 (port number) in the URL.
  3. LocalMachineInfo Editor - Start > All Programs > Symantec > Workflow Designer > Tools > LocalMachineInfo Editor
    Scroll down and confirm the 'Integrated Authentication URL' matches the other locations. There should be no :80 (port number) in the URL.
    The URL should be set to: http://<SN/FQDN>/ProcessManager/WindowsAuthentication.aspx
  4. Properties.config of the problematic project - %\Program Files\Symantec\Workflow\WorkflowDeploy\Release\<Project_Name>\Properties.config
    Note: This needs to be confirmed in all projects that are having problems with pass-through authentication.
    Open Properties.config in Notepad, and search for <PropertyName>BaseURLToProject</PropertyName>. Just under BaseURLToProject there will be a URL value. Ensure the http://<SN/FQDN>/ portion of the URL matches what is in the other locations.
    If you have ${DEPLOYMENTROOTURL.EN_US} listed in Properties.config, ensure the (local) server contained in LocalMachineInfo Editor has the same URL set as Deployment Root URL.
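
The comparison in section I can be scripted once the values have been copied out of the four locations. The following Python example is added here and is not Symantec's code; the host name sd01.example.test, the sample setting values and the <Value> element in the Properties.config fragment are constructed assumptions, and the parser relies only on the <PropertyName>BaseURLToProject</PropertyName> line the article names.

```python
import re
from urllib.parse import urlsplit

MARKER = "<PropertyName>BaseURLToProject</PropertyName>"
PLACEHOLDER = "${DEPLOYMENTROOTURL.EN_US}"
EXEMPT = {"GroupActionsExchange"}  # the article says to leave this at localhost

def base_url_to_project(config_text):
    """Return the first URL (or placeholder) found after the BaseURLToProject name."""
    _, found, tail = config_text.partition(MARKER)
    if not found:
        return None
    m = re.search(r"(?:https?://|\$\{DEPLOYMENTROOTURL\.EN_US\})[^\s<\"']*", tail)
    return m.group(0) if m else None

def check_url(name, value, expected_base):
    """Compare one setting against the expected http://<SN/FQDN> base URL."""
    if name in EXEMPT:
        return []
    if value is None:
        return [f"{name}: value not found"]
    if value.startswith(PLACEHOLDER):
        return [f"{name}: uses {PLACEHOLDER}; check Deployment Root URL in LocalMachineInfo Editor"]
    got, want = urlsplit(value), urlsplit(expected_base)
    problems = []
    if got.port is not None:
        problems.append(f"{name}: explicit port :{got.port} in {value}")
    # Assumption of this example: host names are compared case-insensitively.
    if (got.scheme, got.hostname) != (want.scheme, want.hostname):
        problems.append(f"{name}: {got.scheme}://{got.hostname} differs from {expected_base}")
    return problems

def audit(expected_base, settings, properties_config_text):
    """Check every collected value plus BaseURLToProject from Properties.config."""
    values = dict(settings)
    values["Properties.config BaseURLToProject"] = base_url_to_project(properties_config_text)
    return [p for name, value in values.items() for p in check_url(name, value, expected_base)]

# Constructed sample values; the host name and the <Value> element are made up.
SAMPLE_SETTINGS = {
    "Base URL To Process Manager": "http://sd01.example.test:80/ProcessManager",
    "Integrated Authentication URL": "http://sd01.example.test/ProcessManager/WindowsAuthentication.aspx",
    "GroupActionsExchange": "http://localhost/GroupActions",
}
SAMPLE_PROPERTIES_CONFIG = f"{MARKER}\n<Value>http://sd01/MyProject</Value>\n"

if __name__ == "__main__":
    print("\n".join(audit("http://sd01.example.test", SAMPLE_SETTINGS, SAMPLE_PROPERTIES_CONFIG)))
```

On the sample data it reports the :80 port in the Master Settings value and the short-name/FQDN mismatch in Properties.config, the two conditions section I says must not occur.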

II. On the client (browser) side, passthrough authentication must be configured correctly:

  1. IE (and Chrome, which uses the same Internet Settings) relies on the zone security configuration - Internet Options > Security > zone settings > User Authentication > Logon
    By default this is set to 'Automatic logon only in Intranet zone', which will work fine if the ServiceDesk server is in the Intranet zone. If not, it needs to be added to the Intranet zone. Alternatively, the server URL can be added to the Trusted zone and the User Authentication setting in the zone settings configured accordingly.
  2. Firefox users must add http://<SN/FQDN> to the network.automatic-ntlm-auth.trusted-uris setting:
    - Open Firefox
    - In the Address bar, type about:config. If you get the warning box about voiding your warranty, click the 'I'll be careful, I promise!' button.
    - In the Search box type: network.automatic-ntlm-auth.trusted-uris
    - Edit the network.automatic-ntlm-auth.trusted-uris setting to include the NetBIOS address of your server (http://<SN/FQDN>).

III. The Windows Authentication module needs to be installed on the SD/WF server among the IIS security features.

IV. There have been known issues:

  • With the ProcessManager Login component not being able to perform passthrough login in Chrome and Firefox. Note that this issue does not apply to the portal login page, only to login pages in projects based on the ProcessManager Login component.
  • With how authentication cookies were being created and stored. This issue is evident where portal login with an email address allows access to all forms (for example, Service Catalog items or Process Actions) without a prompt or delay, but logging in with passthrough or the domain\user format results in a login prompt or a delay when opening forms.

These issues are fixed in the 7.5.3001.43 WFSD Rollup (or newer). If you encounter these issues, please contact Symantec Technical Support and reference this KB article.