Active Directory external authentication

davidregourd · ‎03-30-2012

Hello,

I try to implement the Cisco Portal beside an Active Directory.

I created the datasource to the AD : OK

I created the mappings to the fields: tested and OK

When I set events to logon the users, it fails.

I checked the connections to the AD server: no connection is etablished from the portal server.

Here is my questions:

1: is there a best practice or another information source then the PDF documentation about integration?

2: can I login with an AD user who does not exist yet in the Portal Database? Will he be imported after the first login?

Any help welcome.

Best regards,

David

mike_jones · ‎04-04-2012

If this is an installation using IIS:

On your Web Server check the configuration for the actual site and ensure that "Integrated Windows Authentication IS checked" and that enable anonymous access is NOT checked. You may also need to ensure that the DNS name for your site shows up in the intranet or trusted sites zone for the browser (usually required for the browser to pass AD credentials).

The SSO event typically requires that the user's AD credentials be populated as the REMOTE_USER header within the request, which requires IWA at the Web Server. You might also need to check the Options for the SSO event to make sure that Remote User is selected and that Login ID Mapping isn't restricting access. To allow access for all domains and users you would want to see an entry of #AnyDomain#\#LoginId# there.

Hope this helps.

davidregourd · ‎04-09-2012

Hello Michael,

Thank you for your answer.

Actually, I do not use any SSO.

I just want to use my AD as my main directory and use it to authenticate and import my users with their organization data.

I am using the 9.3.1 on windows 2008 R2 and IIS7.5 + JBOSS installation.

Now "windows authentication" is an optional service for the IIS role, so I added it and turned off the anonymous authentication. But I still have the issue.

I suspect that something is going wrong in my Cisco server and I will confirm that with a network capture.

Another point is that when I enable the Login event, I cannot log anymore with the local admin/admin account, which means I am locked outside.

I continue my tests.

Best regards,

David

davidregourd · ‎04-09-2012

Hello,

I have captured packets between portal and AD and there is some LDAPS trafic so the portal connects the AD.

I focused on the EUABindDN field and entered a fixed value in it instead of a variable: I get interesting results:

- when I try to log with an existing AD user, I get a "Directory Integration Failed" message that tells me that info could not be imported (none of my AD users exists yet in the Portal Database)

- when I try to log with admin/admin, I get a "Authentication Failed" message.

I continue my tests to:

- be able to import new users in my portal database

- be able to have a mixt authentication, local and AD

David

davidregourd · ‎04-09-2012

Hi,

I focused on the EUABindDN field and get some results:

- I forced it to a fixed value with the CN attribute : the authentication AND import worked fine for the user.

But, as you know, the CN in Active Directory is made of a given name and a space and a surname, and this string is not accepted as a login, and thus cannot be used as the #LoginID# variable.

So the question is now: is there a handy attribute I can use to bind my active directory? sAMAccountName is refused.

Any suggestion welcome.

David

davidregourd · ‎04-10-2012

Hi,

So my troubles came from the space in the Active Directory DN. It prevents to pass the #LoginId# variable to the bind mechanism.

I have opened another thread focused on that point.

Thank you

WEI CHENG CHEN · ‎10-30-2012

Hi David Regourd

i want to intergrate with AD server.

May i ask for how did you configure password item of Mapping and how to configure events.

i got the same problem,when I try to log with an existing AD user, I get a "Directory Integration Failed" and

with admin/admin, I got a "Authentication Failed" message.

So what configration did you set in Events, how many steps i have to set?

Thanks

davidregourd · ‎10-30-2012

Hello

There is another thread where a lot of problems for AD have been solved.

You should check it:

https://supportforums.cisco.com/message/3609732#3609732

Concerning the password, you can map the field on any AD field, as the stored password is not used during the login (the password typed in the portal is directly checked against the AD, based on the "bind" field that is used as a key.

Best regards,

WEI CHENG CHEN · ‎10-31-2012

Hello david regourd

Very grateful for your reply.

Now i can login with ad account, but I login with admin/admin, I stall get a "Authentication Failed" message.

So do i have to do some configuration ?

thank you

davidregourd · ‎10-31-2012

Hello,

As far as I know there is a "restrict site administrator url" option in the settings that you have to turn off so admins can bypass the SSO mechanisms.

David

derevan · ‎10-31-2012

Once AD has been enabled, you cannot use internal users defined to CCP anymore.

However, there is a backdoor to allow internal user authentication. Append "?Astalavista=true" to the end of the logon URL. This can be restricted using the option David mentioned above "Restrict Site Administrator URL" in Administration settings.

WEI CHENG CHEN · ‎11-01-2012

Hello

Ok, I understand, and thank you for your comment.