cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2942
Views
0
Helpful
11
Replies

Active Directory external authentication

davidregourd
Level 1
Level 1

Hello,

I try to implement the Cisco Portal beside an Active Directory.

I created the datasource to the AD : OK

I created the mappings to the fields: tested and OK

When I set events to logon the users, it fails.

I checked the connections to the AD server: no connection is etablished from the portal server.

Here is my questions:

1: is there a best practice or another information source then the PDF documentation about integration?

2: can I login with an AD user who does not exist yet in the Portal Database? Will he be imported after the first login?

Any help welcome.

Best regards,

David

11 Replies 11

mike_jones
Level 1
Level 1

If this is an installation using IIS:

On your Web Server check the configuration for the actual site and ensure that "Integrated Windows Authentication IS checked" and that enable anonymous access is NOT checked. You may also need to ensure that the DNS name for your site shows up in the intranet or trusted sites zone for the browser (usually required for the browser to pass AD credentials).

The SSO event typically requires that the user's AD credentials be populated as the REMOTE_USER header within the request, which requires IWA at the Web Server. You might also need to check the Options for the SSO event to make sure that Remote User is selected and that Login ID Mapping isn't restricting access. To allow access for all domains and users you would want to see an entry of #AnyDomain#\#LoginId# there.

Hope this helps.

Hello Michael,

Thank you for your answer.

Actually, I do not use any SSO.

I just want to use my AD as my main directory and use it to authenticate and import my users with their organization data.

I am using the 9.3.1 on windows 2008 R2 and IIS7.5 + JBOSS installation.

Now "windows authentication" is an optional service for the IIS role, so I added it and turned off the anonymous authentication. But I still have the issue.

I suspect that something is going wrong in my Cisco server and I will confirm that with a network capture.

Another point is that when I enable the Login event, I cannot log anymore with the local admin/admin account, which means I am locked outside.

I continue my tests.

Best regards,

David

Hello,

I have captured packets between portal and AD and there is some LDAPS trafic so the portal connects the AD.

I focused on the EUABindDN field and entered a fixed value in it instead of a variable: I get interesting results:

- when I try to log with an existing AD user, I get a "Directory Integration Failed" message that tells me that info could not be imported (none of my AD users exists yet in the Portal Database)

- when I try to log with admin/admin, I get a "Authentication Failed" message.

I continue my tests to:

- be able to import new users in my portal database

- be able to have a mixt authentication, local and AD

David

Hi,

I focused on the EUABindDN field and get some results:

- I forced it to a fixed value with the CN attribute : the authentication AND import worked fine for the user.

But, as you know, the CN in Active Directory is made of a given name and a space and a surname, and this string is not accepted as a login, and thus cannot be used as the #LoginID# variable.

So the question is now: is there a handy attribute I can use to bind my active directory? sAMAccountName is refused.

Any suggestion welcome.

David

davidregourd
Level 1
Level 1

Hi,

So my troubles came from the space in the Active Directory DN. It prevents to pass the #LoginId# variable to the bind mechanism.

I have opened another thread focused on that point.

Thank you

Hi David Regourd

i want to intergrate with AD server.

May i ask for how did you configure password item of Mapping and how to configure events.

i got the same problem,when I try to log with an existing AD user, I get a "Directory Integration Failed" and

with admin/admin, I got a "Authentication Failed" message.

So what configration did you set in Events, how many steps i have to set?

Thanks

Hello

There is another thread where a lot of problems for AD have been solved.

You should check it:

https://supportforums.cisco.com/message/3609732#3609732

Concerning the password, you can map the field on any AD field, as the stored password is not used during the login (the password typed in the portal is directly checked against the AD, based on the "bind" field that is used as a key.

Best regards,

Hello david regourd

Very grateful for your reply.

Now i can login with ad account, but I login with admin/admin, I stall get a "Authentication Failed" message.

So do i have to do some configuration ?

thank you

Hello,

As far as I know there is a "restrict site administrator url" option in the settings that you have to turn off so admins can bypass the SSO mechanisms.

David

Once AD has been enabled, you cannot use internal users defined to CCP anymore.

However, there is a backdoor to allow internal user authentication. Append "?Astalavista=true" to the end of the logon URL. This can be restricted using the option David mentioned above "Restrict Site Administrator URL" in Administration settings.

Hello

Ok, I understand, and thank you for your comment.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: