How to configure External Authentication for Service Desk using IIS 6.0?

Article ID: 52564

Updated On:

Products

CA IT Asset Manager; CA Software Asset Manager (CA SAM); ASSET PORTFOLIO MGMT- SERVER; SUPPORT AUTOMATION- SERVER; CA Service Desk Manager - Unified Self Service; CA Service Desk Manager; CA Service Management - Asset Portfolio Management; CA Service Management - Service Desk Manager

Issue/Introduction

Description:

CA Service Desk Manager (SDM) can be configured to allow users to be authenticated via external authentication methods. If you choose to allow external authentication, users are validated by the appropriate external method configured within their environment. One of the most recognized authentication methods today is to use Integrated Windows Authentication (IWA) to automatically authenticate with Microsoft's Active Directory.

This document provides step-by-step instructions on how to configure Service Desk to use IIS 6.0 for Integrated Windows Authentication.

Solution:

The pre-requisites for this solution are:

  1. IIS 6.0 has been installed on the server where Service Desk is installed.

  2. CA Service Desk has been successfully configured to use IIS 6.0.

Step 1 - Configure IIS to perform Integrated Windows Authentication

  1. Open the Internet Information Services (IIS) Manager from the Administrative Tools menu. In the left-hand pane, expand the <ServerName> (local computer) node, where <ServerName> is the name of the Service Desk server. Expand the Web Sites node. Expand the Default Web Site node. Right-click on the CAisd node and select Properties.

    <Please see attached file for image>

    Figure 1

  2. The CAisd Properties dialog box will be displayed. Click on the Directory Security tab. In the Directory Security Filters tab, click on Edit within the Authentication and access control group box.

    <Please see attached file for image>

    Figure 2

  3. The Authentication Methods dialog box will be displayed. De-select the Enable anonymous access check box and select the Integrated Windows authentication check box. Click on OK to continue.

    <Please see attached file for image>

    Figure 3

  4. Click on OK to close the CAisd Properties dialog box.

  5. Restart IIS to apply the changes.

Step 2 - Configure External Authentication in Service Desk

  1. Log in to Service Desk with an account that has Administrator privileges. The Service Desk home page will be displayed.

    <Please see attached file for image>

    Figure 4

  2. Select the Administration Tab, expand the Security and Role Management node and select the Access Types node.

    <Please see attached file for image>

    Figure 5

  3. Click on the first Access Type that you wish to allow External Authentication for. The Update Access Type form will be displayed. Select the Web Authentication tab if it is not already displayed. Click on the Edit button to edit the Access Type.

    <Please see attached file for image>

    Figure 6

  4. Select the Allow External Authentication checkbox. Also select the appropriate Validation Type for the Access Type from the Validation Type dropdown.

    NB - The Validation Type is not used for External Authentication validation. It is used when users log in through the Service Desk login form. When External Authentication is enabled, the login page will only be displayed if Service Desk fails to find a Contact record that matches the credentials supplied by IIS (this includes the scenario where IIS does not supply any credentials), or if a user clicks on the logout link in Service Desk and the LogoutURL parameter has not been set in the web.cfg file.

    Any of the Validation Types can be selected, but generally only the "No Access" and "OS - Use Operating System authentication" methods are used with External Authentication. The "No Access" option should be selected if you want to ensure that users can only use their own Windows credentials to access Service Desk.

    Click on the Save button to save the changes.

    <Please see attached file for image>

    Figure 7

  5. Repeat steps 2.3 and 2.4 for each remaining Access Type that you wish to allow External Authentication for.

    NB - In addition, ensure that a suitable Access Type is defined as the Default Access Type. This will be used when External Authentication finds a Contact record that matches the credentials supplied by IIS but the Contact does not have an Access Type defined. Out of the box, the Administration Access Type is defined as the Default Access Type, which is unlikely to be appropriate in a Production environment. To set the Default Access Type, edit the appropriate Access Type and select the Default? checkbox.

Step 3 - Test the External Authentication

  1. Log in to Windows using a userid which has an associated Contact record defined in Service Desk.

  2. Launch a new browser window. Navigate to the Service Desk URL (http://<servername>/CAisd/pdmweb.exe). The Service Desk home page should be displayed.

    <Please see attached file for image>

    Figure 8

  3. If a browser login prompt is displayed, work through the following troubleshooting step:

    For Windows 2003 servers and above, Internet Explorer Enhanced Security Configuration disables the automatic detection of intranet sites. In order for credentials to automatically be passed to an intranet site, the site needs to be manually added to the Local intranet zone. Microsoft Knowledge Base Article 815141 describes how Internet Explorer Enhanced Security Configuration changes the browsing experience. The Add sites to the Local Intranet zone section describes how to manually add a site to the Local intranet zone:

    http://support.microsoft.com/kb/815141#62

  4. If the Service Desk login page is displayed, work through the following troubleshooting steps:

    1. Confirm that the Enable anonymous access check box has been de-selected in IIS.

    2. Confirm that a Contact record exists with the System Login field set to the userid used to log in to Windows.

    3. Confirm that the System Login field is the same case as the userid used to log in to Windows. NB - There is an Option Manager setting called Security - ignore_security_case which can be used to avoid issues with case sensitivity in userids.

    4. Confirm that the Access Type assigned to the Contact record has had External Authentication enabled.
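
One way to confirm troubleshooting check 4.1 (and the result of step 1.3) without opening the IIS Manager dialogs, as an added example that is not part of the original article. It assumes you have read the AuthFlags metabase property of the CAisd virtual directory, or can send an HTTP request with no credentials to the Service Desk URL; the function names and result labels are hypothetical.

```python
import http.client

# IIS 6.0 metabase AuthFlags bits (MD_AUTH_* values).
AUTH_BITS = {1: "Anonymous", 2: "Basic", 4: "Integrated Windows",
             16: "Digest", 64: "Passport"}

def decode_auth_flags(value):
    """Names of the authentication methods enabled in an AuthFlags bitmask."""
    return [name for bit, name in sorted(AUTH_BITS.items()) if value & bit]

def auth_flags_ok(value):
    """True when step 1.3 took effect: anonymous off, Integrated Windows on."""
    return not (value & 1) and bool(value & 4)

def classify_probe(status, www_authenticate):
    """Classify the response to a request that carried no credentials.

    www_authenticate is the list of WWW-Authenticate header values returned.
    """
    schemes = {v.split()[0].lower() for v in www_authenticate if v.strip()}
    if 200 <= status < 400:
        return "anonymous-allowed"   # page served without any challenge
    if status != 401:
        return "inconclusive"        # e.g. 404/500: fix the URL or server first
    iwa = {"negotiate", "ntlm"}
    if not schemes & iwa:
        return "no-iwa"              # challenged, but not for Windows credentials
    return "iwa-only" if schemes <= iwa else "iwa-plus-other"

def probe(host, path="/CAisd/pdmweb.exe", port=80):
    """Send one unauthenticated GET to the Service Desk URL and classify it."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify_probe(resp.status,
                              resp.headers.get_all("WWW-Authenticate", []))
    finally:
        conn.close()

if __name__ == "__main__":
    # Constructed sample values, not taken from a real server.
    for flags in (5, 4):
        print(flags, decode_auth_flags(flags), "ok" if auth_flags_ok(flags) else "fix")
    print(classify_probe(401, ["Negotiate", "NTLM"]))
```

A result of "anonymous-allowed" means IIS is passing requests through without supplying credentials, which is the case where Service Desk falls back to its own login page.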

Environment

Release:
Component: ARGIS

Attachments

1558721015119000052564_sktwi1f5rjvs16vwt.gif
1558721013011000052564_sktwi1f5rjvs16vws.gif
1558721010919000052564_sktwi1f5rjvs16vwr.gif
1558721008839000052564_sktwi1f5rjvs16vwq.gif
1558721006954000052564_sktwi1f5rjvs16vwp.gif
1558721004933000052564_sktwi1f5rjvs16vwo.gif
1558721002962000052564_sktwi1f5rjvs16vwn.gif
1558721000826000052564_sktwi1f5rjvs16vwm.gif