SSO has incorrect nt4User

Hello,

I am having the exact same issue as documented in this post:

http://metastorm.processmapping.com.au/post/SSO-has-incorrect-nt4User-3831222

When I open the URL for Metastorm SSO, it is always authenticating me as the 'trusted user'.

I have tried to follow the following solution posted in that discussion:

I assume that this setting applies to the BPMEngine.NET directory, as in the SSO Configuration instructions in the Administration Guide it says that ASP.NET Impersonation should be disabled.

This however did not resolve the problem.

Any other ideas?

Thanks in advance.

Find more posts tagged with

BPM

Comments

Xavier Garcia

I managed to resolve the problem. It was related to a setting in the IIS Manager.

In the Advanced Settings of my SSO application, I noticed that the attribute Physical Path Credentials was set to the trusted account.
After I set this field to Application User, the single sign on functionality started working.

Liam_Hogan

Xavi,

Good news that you've solved this. We're trying to understand how your fix works in order to update our documentation .

We think the Web SSO application pool identity should be the trusted account instead of the “Application User”. If you have time, can you please check the “ASP.NET Impersonation” setting. It should be “Enabled”, see attached “Web SSO.jpg” file. The “ASP.NET Impersonation” setting is controlled by the following configuration setting in the web.config:

We're surprised that you managed to resolve the problem using the “Application User” account. The only way we think that would work is if the current user is also the ‘trusted account’ user.

Xavier Garcia

Hello lhogan,

Thanks for the post. I would like to confirm that the "ASP.NET Impersonation" setting is set to true in IIS.

Please note that I created a support ticket with Metastorm as I did not get any replies to my post. If you wish to have a look at it, the reference number is SR-06052012-0004.

If yu have any other questions let me know.

Jeff Vila

So just to confirm in IIS everything should be disabled except for "windows authentication". Then, the SSO virtual directory should connect as the "Application user (pass-through authentication)" under the Advanced Setting - Physical Path Credentials. Is this correct?

I have it setup this way but every user is still being authenticated as the trusted account. On the client side I will see the correct NT account at the top right had corner but in the eSession table I see every session belongs to "corp\metastorm" (the trusted account).

As an aside, when I add ASP.NET impersonation in addition to windows authentication in IIS I get a "no engines available" error. When I check the IIS post log (C:\inetpub\logs\LogFiles\W3SVC1) on the engine server I can see that the user is not being passed - I get a blank cs-username and there is a authorization 401 error logged. If I just use windows (no impersonation) I get in but as the trusted account which doesn't really help me.

The documentation seems to be missing something. Any ideas?

achopra

My suggestion would be to contact the help desk and have them help you via a webex support session. They are very experienced in configuring and debugging SSO-related issues. They've helped me with several environments.

Jacob_Eastman

.NET Impersonation should be set on only the SSO web directory in IIS (default /Metastorm) along with Windows.

The BPMEngine.NET directory should have only Windows auth. If Impersonation is set on this directory, all users will be logged in as the app pool user as you are seeing.