SSO troubleshooting

I have a server where I cannot make single sign on to work. In IIS I have a virtual directory, where the directory security is set for IWA. Anonymous is not checked. when I got to http://servername/livelink/llisapi i get prompted for a login. I don't think remote_user has any info cause when I do a http://servername/livelink/llisapi?func=admin.testargs I get another windows login prompt.

Find more posts tagged with

Comments

Kevin_Bailey

Message from Kevin Bailey <kbailey@opentext.com> via eLink

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">eLink

try this:

Check that your servername is in a trusted site in your browser. Then make sure your authentication settings are set for automatic logon

From: eLink Discussion: Open Text Directory Services Discussion [mailto:directoryservices@elinkkc.opentext.com]
Sent: Thursday, October 15, 2009 3:53 PM
To: eLink Recipient
Subject: SSO troubleshooting

SSO troubleshooting

Posted by wmader@jeffco.us (Mader, Walt) on 2009/10/15 15:50

Appu_Nair

A livelink call that ends in livelink.exe or llisapi.dll has to get files in the support directory as well.Could it be that you are SSOing only the Livelink VD and not the support directory ,just a thought.I usually do add "authenticated users" to the specific livelink folders.As the other user just pointed out are you allowing your browser to log you in as well.Firefox never obeys what IE does.

wmader

I'll try that. Where are the authentication settings for automatic login ? is this on the server?

wmader

in internet explorer enable integrated windows authentication is checked. If this is what you're referring to.

wmader

I have added authenticated users permissions to the specific livelink folders. I have this working on one server but not the other. As far as i understand setting up Single sign-on is IIS shoulbe enabling the IWA in the directory security tab, and having the right permissions to the specific livelink folders.Is there anything else you can think of? Thanks

Appu_Nair

Tools->Internet Options->SecurityPick a zone ,scroll down and see if you have something checked next to like the screen shot

Kevin_Bailey

Message from Kevin Bailey <kbailey@opentext.com> via eLink

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">eLink

just being thorough... is the authentication method in the opentext.ini file set to NTLM?

From: eLink Discussion: Open Text Directory Services Discussion [mailto:directoryservices@elinkkc.opentext.com]
Sent: Thursday, October 15, 2009 4:45 PM
To: eLink Recipient
Subject: re sso

re sso		Posted by wmader@jeffco.us (Mader, Walt) on 2009/10/15 16:42
In reply to: re sso		Posted by wmader@jeffco.us (Mader, Walt) on 2009/10/15 16:39

in internet explorer enable integrated windows authentication is checked. If this is what you're referring to.

Tobias Müller

Message from Tobias Müller <tobias.mueller@doctra.de> via eLink

eLink

HelloWalt,

bothservers needs to be in the same domain (or at least they need a trust). Youraccount needs to be a domain account (not a local admin on the server).

Inthe opentext.ini you need to change the Authentication to NTLM. In Tomcat (ifinstalled) you need to specify the server.xml to <Connectorport="8009"
enableLookups="false" tomcatAuthentication="false"redirectPort="8443" protocol="AJP/1.3" />

InIIS you need to switch on WIA (Windows Integrated Authentication) only forWebDAV and the Livelink directory. Anonymous needs to be switched off. Thelivelinksupport (or img) should stay as Anonymous (no WIA necessary).

Onthe client in Internet Explorer (Tools -> Advanced) you need to enable “IntegratedWindows Authentication” in Security section. Furthermore you have tocheck, which IE zone the Livelink server is in. In IE you need to adjust in accordingtab security the user authentication. If you are in a local zone, it needs tobe “Automatic Authentication only in Intranet Zone” otherwise itneeds to be “Automatic Authentication using username and password.

Hopethat helps.

Tobias

DoctraGmbH

PS:The windows login prompt usually show up. If the current user in the client hasne windows permission to log in to the server hosting the IIS

Von: eLink Discussion:Open Text Directory Services Discussion[mailto:directoryservices@elinkkc.opentext.com]
Gesendet: Donnerstag, 15. Oktober 2009 21:53
An: eLink Recipient
Betreff: SSO troubleshooting

SSO troubleshooting

Posted by wmader@jeffco.us (Mader, Walt) on 2009/10/15 15:50

[To reply to this thread, use your normal E-mail reply function.]
Discussion:	Open Text Directory Services Discussion
Livelink Server:	knowledge-wlweb01

To Unsubscribe from this Discussion, send an e-mail to unsubscribe.directoryservices@elinkkc.opentext.com.

wmader

Tobias, that helps a lot. Thank you very much. Walt