Example: Enabling trusted sign-on

Trusted sign-on allows users on trusted clients who have logged into a Windows domain to log on to Service Manager without providing a user name and password. Trusted sign-on requires the web application server to connect to a web server (such as Windows Internet Information Services (IIS) or Apache HTTP Server) that performs the authentication on its behalf.

Notes:

  • Service Manager 9.30 or later only supports trusted sign-on with SSL enabled and the ssl_reqClientAuth parameter set to "2".
  • To use trusted sign-on, you must first add your web tier and Windows clients to a domain.

This example assumes that you are using Tomcat as the web application server and Apache or IIS as the web server.

To enable trusted sign-on, perform the following tasks:

Task 1: Enable required SSL encryption and trusted clients.

For detailed steps, see Example: Enabling required SSL encryption and trusted clients.

Task 2: Configure the web tier to use trusted sign-on.

  1. Stop the web application server running the web tier.
  2. In the web tier's web.xml file, set isCustomAuthenticationUsed to false.
  3. In the <Tomcat>/conf/server.xml file, insert tomcatAuthentication="false" in the AJP Connector element, as shown below.

    <Connector port="8009"
       enableLookups="false" tomcatAuthentication="false" redirectPort="8443" protocol="AJP/1.3" />
  4. Edit the web application server's application-context.xml file to enable pre-authentication.
    1. Open <web tier installation path>\WEB-INF\classes\application-context.xml in a text editor, and search for the following string:

      /**=httpSessionContextIntegrationFilter,anonymousProcessingFilter
    2. Replace the search string with the following text:

      /**=httpSessionContextIntegrationFilter,preAuthenticationFilter,anonymousProcessingFilter

      Note: If you need to enable trusted sign-on for your web client users and also enable web tier lightweight single sign-on (LW-SSO) for integrations, add lwSsoFilter followed by preAuthenticationFilter, as shown in the following:

      /**=httpSessionContextIntegrationFilter,lwSsoFilter,preAuthenticationFilter,anonymousProcessingFilter

      For information about how to enable LW-SSO in the web tier, see Configure LW-SSO in the Service Manager Web tier.

  5. Restart the web application server.
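The following script is an added example and is not part of the Service Manager documentation or product. It checks the three web-tier edits in Task 2 against constructed sample copies of web.xml, server.xml and application-context.xml embedded in the script, including the filter order the LW-SSO note requires. Two things in it are assumptions rather than statements from the page: isCustomAuthenticationUsed is read as a context-param in web.xml, and the AJP Connector is expected to carry an address attribute. The second is a hardening check that goes beyond the page: once tomcatAuthentication is "false", Tomcat accepts the user identity the web server forwards over AJP, so the AJP port should be reachable only from that web server.

```python
"""Pre-flight check for the web-tier edits in Task 2 (trusted sign-on).

Added example, not part of the Service Manager documentation or product.
It validates constructed sample copies of web.xml, server.xml and
application-context.xml. Assumptions not on the page: isCustomAuthenticationUsed
is read as a <context-param>; the AJP connector is expected to carry an
`address` attribute that binds it to the interface the web server uses.
"""
import re
import xml.etree.ElementTree as ET

# --- constructed sample inputs, already edited as Task 2 describes ---
WEB_XML = """<web-app>
  <context-param>
    <param-name>isCustomAuthenticationUsed</param-name>
    <param-value>false</param-value>
  </context-param>
</web-app>"""

SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8009" address="127.0.0.1"
       enableLookups="false" tomcatAuthentication="false"
       redirectPort="8443" protocol="AJP/1.3" />
  </Service>
</Server>"""

APP_CONTEXT_XML = """<beans>
  <bean id="filterChainProxy">
    <property name="filterInvocationDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        /**=httpSessionContextIntegrationFilter,preAuthenticationFilter,anonymousProcessingFilter
      </value>
    </property>
  </bean>
</beans>"""


def custom_auth_disabled(web_xml: str) -> bool:
    """True when the isCustomAuthenticationUsed context parameter is 'false'."""
    root = ET.fromstring(web_xml)
    for param in root.iter("context-param"):
        if param.findtext("param-name", "").strip() == "isCustomAuthenticationUsed":
            return param.findtext("param-value", "").strip().lower() == "false"
    return False  # parameter absent: treat as not configured


def ajp_connector_findings(server_xml: str) -> list:
    """Findings for the AJP connector that the web server forwards requests through."""
    findings = []
    root = ET.fromstring(server_xml)
    ajp = [c for c in root.iter("Connector") if c.get("protocol", "").startswith("AJP")]
    if not ajp:
        return ["no AJP connector defined"]
    for conn in ajp:
        if conn.get("tomcatAuthentication", "true").lower() != "false":
            findings.append('tomcatAuthentication is not "false" on port %s' % conn.get("port"))
        # Assumed hardening check (not from the page): with tomcatAuthentication="false"
        # Tomcat trusts the user identity the web server sends over AJP, so the
        # connector should be bound to an address only that web server can reach.
        if not conn.get("address"):
            findings.append("AJP connector on port %s has no address binding" % conn.get("port"))
    return findings


def filter_chain_findings(app_context_xml: str) -> list:
    """Check the /** filter chain has preAuthenticationFilter in the documented position."""
    m = re.search(r"^\s*/\*\*=(.+)$", app_context_xml, re.MULTILINE)
    if not m:
        return ["no /**= filter chain entry found"]
    filters = [f.strip() for f in m.group(1).split(",")]
    if "preAuthenticationFilter" not in filters:
        return ["preAuthenticationFilter missing from /** chain"]
    findings = []
    pre = filters.index("preAuthenticationFilter")
    if "httpSessionContextIntegrationFilter" not in filters[:pre]:
        findings.append("httpSessionContextIntegrationFilter must precede preAuthenticationFilter")
    if "lwSsoFilter" in filters and filters.index("lwSsoFilter") > pre:
        findings.append("lwSsoFilter must precede preAuthenticationFilter")
    if "anonymousProcessingFilter" not in filters[pre + 1:]:
        findings.append("anonymousProcessingFilter must follow preAuthenticationFilter")
    return findings


def run_checks(web_xml=WEB_XML, server_xml=SERVER_XML, app_context_xml=APP_CONTEXT_XML) -> list:
    """Return all findings; an empty list means Task 2 is applied as documented."""
    findings = []
    if not custom_auth_disabled(web_xml):
        findings.append("isCustomAuthenticationUsed is not set to false in web.xml")
    findings += ajp_connector_findings(server_xml)
    findings += filter_chain_findings(app_context_xml)
    return findings


if __name__ == "__main__":
    for line in run_checks() or ["all trusted sign-on web-tier checks passed"]:
        print(line)
```

To use it against a real installation, read the three files from <web tier installation path>\WEB-INF\web.xml, <Tomcat>/conf/server.xml and <web tier installation path>\WEB-INF\classes\application-context.xml and pass their contents to run_checks(); run it before step 5 so the restart picks up a complete configuration.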

Task 3: Configure each Windows client to use trusted sign-on.

Do the following for each Windows client:

  1. Make sure SSL encryption is enabled for the Windows client. See task 1.
  2. Open a client connection, and on the Connection tab select Use Trusted Sign-on, and click Apply.

Task 4: Install and configure the web server (Apache or IIS) to use trusted sign-on.

Install and configure an external authentication source, such as Microsoft Integrated Windows Authentication (IIS) or Apache, to ensure that Service Manager can use your private certificates. When using IIS, you need to configure an ISAPI connector for your web application server, and you need to modify the virtual directory to use Integrated Windows Authentication. For details, see Example: Configuring the web server for trusted sign-on.

Task 5: Create an operator record for each Windows user.

Create an operator record for each Windows user you want to log in to Service Manager. The operator's login name must match the user's NT account username, but does not require a password.

Task 6: Configure web browsers to enable web client users to use trusted sign-on.

Configure the web browser's security settings on each web client host. The following steps use Internet Explorer as an example.

  1. Open Internet Explorer, and select Tools > Internet Options.
  2. On the Security tab, click Custom Level, scroll down to the User Authentication section at the bottom, and select Automatic logon with current username and password.
  3. On the Security tab, click Trusted Sites > Sites, and add the web tier's server address (FQDN) to the list of sites: http://<myWebtierHostName>.<myDomain>

    Note: On FDCC-compliant computers, the security settings of Internet Explorer are locked by default and you cannot change them. For a workaround for this issue, see Troubleshooting: web client fails to automatically log in to Service Manager.

Task 7: Test your trusted sign-on setup.

  1. Start the Service Manager server, the web server (Apache or IIS), and the web application server (in this example, Tomcat).
  2. Start a Windows client, and log in using trusted sign-on.

    Service Manager should automatically log you in with your NT account username.

  3. Start Internet Explorer, and open the web tier login URL: http://<myWebtierHostName>.<myDomain>:<port>/webtier-x.xx/index.do

    Service Manager should automatically log you in without displaying the login screen.