Single Sign-on with Active Directory Intergration

[abailey]

After searching around for a while and not finding a solution I started digging into the code and figured out how to make it so that windows authentication will log a user into the site automatically. If you use the trusted sites feature of Internet Explorer your users won't need to login at all.

I attached the LoginShare script that I modified to make this happen. Basically what happens with this script is that it uses the current AUTH_USER from IIS and creates an account in SupportSuite if they don't exist already and then logs them in. It does no password validation because IIS has already done this previously.

This script also makes it so that only one Email address is pulled in to SupportSuite when you have multiple domain names registered within Exchange.


Installation Procedure

1. Backup your current /includes/LoginShare/ActiveDirectory.login.php file

2. Copy the attached ActiveDirectory.login.php LoginShare Script into your /includes/LoginShare folder

3. There are two variables that need to be modified for your specific domain information.

Line 23: replace with the primary email domain address for your users

Code:

$_emaildomain = "@yourdomain.com";

Line 252: replace with your unqualified / logon domain name. If your FQDN is CORP.DOMAIN.COM use CORP.

Code:

$DomainName = 'YourLogonDomainName';

4. Change the authentication method on the /index.php file to require Windows Authentication and disable Anonymous Authentication in IIS.

5. Change the permissions on the /index.php file to allow the user group that you want to give access to the SupportSuite site. You can add DomainName\Users if you wanted.

This is working great for us right now.

The only caveat with this is if someone sends an email to SupportSuite before they actually login for the first time it will cause a problem. I do have a fix for this but it is a hack to the mail parser script. I have seen some scripts on the forum that will import your AD into SupportSuite which would fix some of this. We just don't allow people to submit tickets via e-mail. Basically when the users sends the email to the system it will create a user account for them but it is invalid for domain login and causes issues when this user visits the site to follow up on their ticket. This thread "Active Directory User Import Script" explains how to import your users from AD.

Enjoy this little gem! We sure are!

[maguilj]

I have tried this and when i try to log in with an ID from my active directory it goes to a blank page? Well in Firefox it is blank in IE it is Error 500? I put it back to the Kayako lgoin and it works fine.

[abailey]

Quote:

Originally Posted by maguilj

I have tried this and when i try to log in with an ID from my active directory it goes to a blank page? Well in Firefox it is blank in IE it is Error 500? I put it back to the Kayako lgoin and it works fine.

Maguilj, Can you turn off custom errors and browse the site from the local server to give me the full error message? It should report what line the error message is in.

[maguilj]

bare with me I am new to this. I had someone setup my webserver for me. I Do not know how to turn off the custom errors. When I go to IIS properties and I see the customer error page but no way to turn it off.

EDIT I am running windows 2003 R2 SP2 PHP 5.26 Zend Opt 3.3 Kayako 3.30.02 SQL5

[abailey]

maguilj, can you private message your modified activedirectory.login.phpfile to me?