SSO has incorrect nt4User
Hello,
I am having the exact same issue as documented in this post:
http://metastorm.processmapping.com.au/post/SSO-has-incorrect-nt4User-3831222
When I open the URL for Metastorm SSO, it is always authenticating me as the 'trusted user'.
I have tried to follow the following solution posted in that discussion:
<>
I assume that this setting applies to the BPMEngine.NET directory, as in the SSO Configuration instructions in the Administration Guide it says that ASP.NET Impersonation should be disabled.
This however did not resolve the problem.
Any other ideas?
Thanks in advance.
Comments
-
I managed to resolve the problem. It was related to a setting in the IIS Manager.
In the Advanced Settings of my SSO application, I noticed that the attribute Physical Path Credentials was set to the trusted account.
After I set this field to Application User, the single sign on functionality started working.
-
Xavi,
Good news that you've solved this. We're trying to understand how your fix works in order to update our documentation.
We think the Web SSO application pool identity should be the trusted account instead of the “Application User”. If you have time, can you please check the “ASP.NET Impersonation” setting. It should be “Enabled”, see attached “Web SSO.jpg” file. The “ASP.NET Impersonation” setting is controlled by the following configuration setting in the web.config:
We're surprised that you managed to resolve the problem using the “Application User” account. The only way we think that would work is if the current user is also the ‘trusted account’ user.
-
Hello lhogan,
Thanks for the post. I would like to confirm that the "ASP.NET Impersonation" setting is set to true in IIS.
Please note that I created a support ticket with Metastorm as I did not get any replies to my post. If you wish to have a look at it, the reference number is SR-06052012-0004.
If you have any other questions let me know.
-
So just to confirm in IIS everything should be disabled except for "windows authentication". Then, the SSO virtual directory should connect as the "Application user (pass-through authentication)" under the Advanced Setting - Physical Path Credentials. Is this correct?
I have it set up this way but every user is still being authenticated as the trusted account. On the client side I will see the correct NT account at the top right hand corner but in the eSession table I see every session belongs to "corp\metastorm" (the trusted account).
As an aside, when I add ASP.NET impersonation in addition to windows authentication in IIS I get a "no engines available" error. When I check the IIS post log (C:\inetpub\logs\LogFiles\W3SVC1) on the engine server I can see that the user is not being passed - I get a blank cs-username and there is an authorization 401 error logged. If I just use windows (no impersonation) I get in but as the trusted account which doesn't really help me.
The documentation seems to be missing something. Any ideas?
-
.NET Impersonation should be set on only the SSO web directory in IIS (default /Metastorm) along with Windows.
The BPMEngine.NET directory should have only Windows auth. If Impersonation is set on this directory, all users will be logged in as the app pool user as you are seeing.
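The split described in the reply above, written out as two web.config fragments. This is an added illustration, not configuration from the thread or from Metastorm's documentation: the element names are standard ASP.NET / IIS 7+ settings, the directory names (/Metastorm, BPMEngine.NET) and the corp\metastorm account come from the thread, and everything else is assumed.

```xml
<!-- Fragment 1: web.config under the SSO web directory (default /Metastorm).
     Windows authentication plus ASP.NET Impersonation, so each request to the
     SSO page runs as the calling user's Windows identity rather than the app
     pool account. (Added example, constructed for illustration.) -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <!-- This element is what the IIS "ASP.NET Impersonation" feature toggles. -->
    <identity impersonate="true" />
  </system.web>
  <system.webServer>
    <security>
      <authentication>
        <!-- "everything disabled except Windows authentication" -->
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>

<!-- Fragment 2: web.config under the BPMEngine.NET directory.
     Windows authentication only, impersonation OFF. Setting impersonate="true"
     here is the misconfiguration the thread describes: every engine session is
     then recorded under the app pool / trusted account (corp\metastorm in the
     thread), so per-user attribution in the eSession table is lost. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="false" />
  </system.web>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

The `system.webServer/security/authentication` sections are locked at the server level by default (overrideModeDefault="Deny" in applicationHost.config), so unless that lock is released they must be set in IIS Manager or applicationHost.config rather than in the application's web.config; the `system.web/identity` element is not locked and is the setting the earlier reply refers to.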