How to Enable NTLM Authentication for CA SDM Tomcat Using WAFFLE

Article ID: 72484

Products

SUPPORT AUTOMATION - SERVER
CA Service Desk Manager - Unified Self Service
CA Service Desk Manager
CA Service Management - Asset Portfolio Management
CA Service Management - Service Desk Manager

Issue/Introduction

Out of the box, SDM does not support NTLM authentication on Tomcat. It can be enabled with a third-party library called WAFFLE. While this is not officially supported, it is a known workaround.

Environment

Release: 12.x / 14.1 / 17.x
Component: USRD

Resolution

Download the latest version (1.8.3 as of writing) of the WAFFLE zip from https://github.com/dblock/waffle/releases

Extract the zip to a temporary directory (e.g. c:\UNZIPPED_DIRECTORY) on the SDM server.

Copy the files waffle-jna-1.8.1.jar, guava-19.0.jar, jna-4.2.2.jar, jna-platform-4.2.2.jar and slf4j-1.7.21.jar from the directory you extracted the zip into in the previous step to the '%NX_ROOT%\bopcfg\www\CATALINA_BASE\webapps\CAisd\WEB-INF\lib' directory on the SDM server.

NOTE: %NX_ROOT% refers to the Installation directory of CA SDM. For example, the default location is 'C:\Program Files (x86)\CA\Service Desk Manager' on a Windows 64-bit OS.

NOTE: Copying commons-logging-1.1.1.jar is optional, as it is already present in another Tomcat directory.

Back up the current '%NX_ROOT%\bopcfg\www\CATALINA_BASE\webapps\CAisd\WEB-INF\web.xml' file. Then open the file with a text editor and add the following content at the bottom of the file:

NOTE: All of the following lines must be placed BEFORE the closing </web-app> tag.

<filter>
  <filter-name>SecurityFilter</filter-name>
  <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>SecurityFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

Stop and start the SDM Tomcat process by running the following commands:

pdm_tomcat_nxd -c stop
Wait for 10 seconds
pdm_tomcat_nxd -c start

Enable "External Authentication" for the contact's Access Type.

Assuming the SDM Contact record has an Access Type with External Authentication enabled and O/S authentication enabled, SDM Tomcat should now authenticate users of that access type without prompting for the SDM logon screen.
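As an added helper (written for this article, not taken from CA or the WAFFLE project), the Python script below inserts the filter block shown above into web.xml immediately before the closing </web-app> tag, backing up the original first and refusing to add the filter twice, and reports any of the jars from the copy step that are missing from WEB-INF/lib (the usual cause of Tomcat failing to start after this change). The minimal sample web.xml is constructed for illustration, and the jar names are assumed to match the files in the WAFFLE zip.

```python
import os

# Filter block exactly as given in the article; it goes before </web-app>.
WAFFLE_FILTER_XML = """<filter>
  <filter-name>SecurityFilter</filter-name>
  <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>SecurityFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
"""

# Jar names listed in the article (assumed to match the files in the WAFFLE zip).
REQUIRED_JARS = ["waffle-jna-1.8.1.jar", "guava-19.0.jar", "jna-4.2.2.jar",
                 "jna-platform-4.2.2.jar", "slf4j-1.7.21.jar"]

# Constructed stand-in for a minimal CAisd web.xml (not the real file).
SAMPLE_WEB_XML = "<web-app>\n  <display-name>CAisd</display-name>\n</web-app>\n"


def add_waffle_filter(web_xml: str) -> str:
    """Return web.xml text with the filter placed before </web-app>. Idempotent:
    a second call changes nothing. Raises if the closing tag is not found."""
    if "waffle.servlet.NegotiateSecurityFilter" in web_xml:
        return web_xml
    idx = web_xml.rfind("</web-app>")
    if idx == -1:
        raise ValueError("no </web-app> closing tag found; file not modified")
    return web_xml[:idx] + WAFFLE_FILTER_XML + web_xml[idx:]


def missing_jars(lib_dir: str) -> list:
    """Names from REQUIRED_JARS not found in WEB-INF/lib (all of them if the
    directory does not exist); any hit means Tomcat cannot load the filter."""
    present = set(os.listdir(lib_dir)) if os.path.isdir(lib_dir) else set()
    return [jar for jar in REQUIRED_JARS if jar not in present]


def apply_to_file(path: str) -> bool:
    """Back up web.xml to path + '.bak', then insert the filter; True if changed."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    updated = add_waffle_filter(original)
    if updated == original:
        return False
    with open(path + ".bak", "w", encoding="utf-8") as f:
        f.write(original)
    with open(path, "w", encoding="utf-8") as f:
        f.write(updated)
    return True
```

Run apply_to_file() against the real web.xml path from the procedure and missing_jars() against the WEB-INF\lib path before restarting Tomcat.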

The procedure above is not yet formally certified, but is a known workaround.

If there are any problems starting the SDM Tomcat process, review the '%NX_ROOT%\log\pdm_tomcat.log' file.

Additional Information

For corresponding instructions to run SSO (Single Sign On) in IIS, please view:
Single Sign On relies on NTLM-based Windows Authentication being enabled in your browser. This setting is usually active automatically in Internet Explorer. For information on this setting as it applies to Chrome and Firefox, please see: