Active Directory SSO with Pass-Thru enabled

Discussion in 'LoginShare' started by chris88, Jan 11, 2012.

  1. chris88

    chris88 Established Member

    The last I heard, nobody had "real" SSO working with V4 yet. Anyway, I've hacked together a solution that's working in my environment, and figured I'd share it with the forum in case anyone else can use it, or improve upon it.

    My environment is running IIS 7.5 (Windows Server 2008 R2) and PHP 5.2.17. That's the extent of my testing, though I'd expect other versions of IIS and PHP to work. IIS is the only webserver this is going to work on, though.

    Setting this up should go something like this:
    1. Download and extract the attached ZIP file (custom.zip). The "custom" folder contained in the ZIP file needs to go in the root of your Kayako install (the same folder that has key.php). This can be changed, but the relative path ./custom/* is called by several of my modifications, so you'd have to search out these paths and update them if you were to place the files elsewhere.
    2. Download and extract adLDAP from the project's homepage. I used the latest version (4.0.3 as of this writing). Extract the adLDAP files into the "custom" folder that was created in step 1. Once done, the contents of your "custom" folder should look like this:
      (screenshot attached: Capture2.PNG)
    3. Now open config.php and modify the configuration to suit your environment. This is the only file you should have to modify (there's no need to configure adLDAP.php separately, as our script will pass the required values for us).
    4. In IIS Manager, make sure to enable Windows Authentication for (at a minimum) the folder containing login.php ("custom" in my example). The web.config file in the "custom" folder will disable anonymous authentication for login.php, so we'll be relying on (pass-thru) Windows Auth at that point. Set permissions on login.php on your IIS server to include your helpdesk users (i.e., "Domain Users").
    5. Now, log into your Admin CP and find the "header" template for the template group you want to enable SSO on. Open the attached file "template_Default_General_header.zip" and take a look at the .htm file contained within. The modifications that need to be made to the "header" template start on line 74 of the attached file, and end on line 122. Simply ADD this content to your "header" template, in the same spot.
    6. Still in Admin CP, you need to enable LoginShare now. The URL will be something like this: http://your-iis-server/custom/ad-ldap-sso.php. Be sure that LoginShare is enabled for your template group as well.
    7. That's it. Fire up your browser, and open up your helpdesk as a valid user and see if you're automatically authenticated. You should be.
    Well, it worked for me. Disclaimer: I'm no PHP guru, web developer, or security expert, so take everything here with a grain of salt. Use at your own risk, no warranty, no refunds...don't blame me if it doesn't work, and so on.

    For anyone more technical than I (almost anyone) - I'm painfully aware that the modifications I made to the "header" template are an ugly hack, at best. I'd have preferred to handle this on the server side, but for the life of me, I couldn't figure out how to do so within the Dwoo templates that Kayako uses.

    There's a bit of error checking done by the scripts, but I've probably not thought out every use-case, and there may be some defaults that aren't a good fit for other organizations (for example, I parsed Exchange email addresses--that might not be what you want, though).

    Anyway, this is what worked for me. I'd very much welcome any feedback on how to improve upon this.
     

  2. Jamie Edwards

    Jamie Edwards Staff Member

    Hi Chris

    This is fantastic, thank you for sharing it with us. Might I suggest uploading it to a project on http://forge.kayako.com which would make managing feedback and code contribution easier?
     
  3. chris88

    chris88 Established Member

  4. AjayPatil

    AjayPatil Member

    I cannot get this to work. I am using it for Resolve; is that going to be a problem?
     
  5. AjayPatil

    AjayPatil Member

    I get the following error:

    Module: AnonymousAuthenticationModule
    Notification: AuthenticateRequest
    Handler: PHP_via_FastCGI
    Error Code: 0x80070021
    Config Error: This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
    Config File: \\?\C:\Kayako\custom\web.config
    Requested URL: http://iis-server:80/custom/login.php?redir=
    Physical Path: C:\Kayako\custom\login.php
    Logon Method: Not yet determined
    Logon User: Not yet determined

    Config Source:
    5: <authentication>
    6: <anonymousAuthentication enabled="true" />
    7: </authentication>
     
  6. chris88

    chris88 Established Member

    It looks like an IIS problem. If you have only Windows Authentication enabled on your IIS site (and Anonymous authentication disabled), then you wouldn't need the web.config file. You might try deleting it and see if anything changes.
     
  7. AjayPatil

    AjayPatil Member

    Hi Chris,

    Sorry I have not responded to your previous post.

    I have been re-creating my environment as I had made so many changes.

    Anyway, I have now created a fresh install of Windows 2008 R2 server (64-bit).
    I am running:
    Kayako Resolve version: 4.30.750
    IIS 7.5
    PHP version: 5.3.8
    ionCube loader win v9
    Windows 2008 - Domain Controllers

    I have followed your instructions precisely (I hope) and it is still not working.

    The error I get is as follows:

    500 - Internal server error.

    There is a problem with the resource you are looking for, and it cannot be displayed.

    Any help will be greatly appreciated.
     
  8. chris88

    chris88 Established Member

    Did your Resolve install work prior to making any modifications? What about PHP itself? If you create a file called "test.php" with the following contents:

    PHP:
    <?php
    phpinfo();
    ?>
    --does that return your PHP info, or also result in a 500 error?

    We probably want to turn on error reporting in PHP to troubleshoot. Modify your PHP.ini and set the following values:

    error_reporting = E_ALL

    ; Print out errors (as a part of the output). For production web sites,
    ; you're strongly encouraged to turn this feature off, and use error logging
    ; instead (see below). Keeping display_errors enabled on a production web site
    ; may reveal security information to end users, such as file paths on your Web
    ; server, your database schema or other information.
    display_errors=1

    If you haven't tried doing so already, you might also try opening Resolve from IE on the actual server that's hosting it. I believe the default in IIS 7.5 is to disable remote error viewing.
     
  9. AjayPatil

    AjayPatil Member

    Hi Chris,

    Thanks for the prompt response.

    Resolve does/did work prior to any modifications (if I undo the modification). Resolve works, but I have to register a user manually.

    I have added the "test.php" and it does return the PHP info. I have uploaded the file on the forum. Please rename the file extension to .mht to view it in IE.

    I am running Resolve from the server itself to avoid any problems.

    The settings in my php.ini are:

    ; Common Values:
    ; E_ALL & ~E_NOTICE (Show all errors, except for notices and coding standards warnings.)
    ; E_ALL & ~E_NOTICE | E_STRICT (Show all errors, except for notices)
    ; E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (Show only errors)
    ; E_ALL | E_STRICT (Show all errors, warnings and notices including coding standards.)
    ; Default Value: E_ALL & ~E_NOTICE
    ; Development Value: E_ALL | E_STRICT
    ; Production Value: E_ALL & ~E_DEPRECATED
    ; http://php.net/error-reporting
    error_reporting = E_ALL & ~E_DEPRECATED (this is how it was)
    ; This directive controls whether or not and where PHP will output errors,
    ; notices and warnings too. Error output is very useful during development, but
    ; it could be very dangerous in production environments. Depending on the code
    ; which is triggering the error, sensitive information could potentially leak
    ; out of your application such as database usernames and passwords or worse.
    ; It's recommended that errors be logged on production servers rather than
    ; having the errors sent to STDOUT.
    ; Possible Values:
    ; Off = Do not display any errors
    ; stderr = Display errors to STDERR (affects only CGI/CLI binaries!)
    ; On or stdout = Display errors to STDOUT
    ; Default Value: On
    ; Development Value: On
    ; Production Value: Off
    ; http://php.net/display-errors
    display_errors = On (I changed this from Off to On)


    Since I changed display_errors = On I now get this error:


    404 - File or directory not found.

    The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.
     


  10. AjayPatil

    AjayPatil Member

    Hi Chris,

    Made a stupid mistake.

    I now get this error

    Invalid data provided: 2
     
  11. AjayPatil

    AjayPatil Member

    Hi Chris,

    I just retried this and I am getting this again:


    500 - Internal server error.

    There is a problem with the resource you are looking for, and it cannot be displayed.
     
  12. chris88

    chris88 Established Member

    What is the URL of the page that's giving you this error?

    "Invalid data provided: 2" is what I'd expect to see returned if LoginShare didn't receive any valid XML from the ad-ldap-sso.php script. Now that I think about it, I don't have error handling for the case that adLDAP returned an error. You might double-check custom/config.php and make sure your AD configuration is correct there.

    You should be able to pull up http://your-server-name/custom/ad-ldap-sso.php directly from your browser and get an XML formatted error message. If you're getting any PHP errors when you pull up this page, then that needs to be sorted out first.
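    Since step 3 of the first post relies on a shared secret to prove that the email handed to LoginShare is legitimate, and the reply above notes that ad-ldap-sso.php must answer LoginShare with well-formed XML, here is an added sketch of those two pieces; it is not chris88's custom.zip, Kayako's, or adLDAP's code. It assumes login.php runs under IIS Windows Authentication and reads the user from $_SERVER['REMOTE_USER'], that the AD lookup of the user's email happens elsewhere, and that LoginShare wants the <loginshare><result>…</result>…</loginshare> document shown, which is my recollection of the Kayako 4 format rather than anything taken from this thread.

```php
<?php
// Added illustration, not the original scripts. Assumed flow: login.php (IIS
// Windows Auth sets REMOTE_USER) looks the user up in AD and hands LoginShare an
// email plus a token; ad-ldap-sso.php trusts the email only if the token verifies.
$AD_SSO_shared_secret = 'change-me-at-install';   // placeholder, as in config.php
$AD_SSO_Fusion_Group  = 'Registered';

// IIS reports the user as DOMAIN\sam. Keep only a plain sAMAccountName so the
// value is safe to drop into an LDAP filter later.
function sso_account_from_remote_user($remoteUser) {
    $parts = explode('\\', $remoteUser, 2);
    $sam = end($parts);
    return preg_match('/^[A-Za-z0-9._-]{1,64}$/', $sam) ? $sam : null;
}

// Token = expiry ':' HMAC(secret, email '|' expiry); the expiry keeps a captured
// token from being replayed indefinitely.
function sso_issue_token($email, $secret, $now, $ttlSeconds = 60) {
    $expires = $now + $ttlSeconds;
    $mac = hash_hmac('sha256', strtolower($email) . '|' . $expires, $secret);
    return $expires . ':' . $mac;
}

// Constant-time comparison; hash_equals() only exists from PHP 5.6.
function sso_equals($a, $b) {
    if (strlen($a) !== strlen($b)) return false;
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) $diff |= ord($a[$i]) ^ ord($b[$i]);
    return $diff === 0;
}
function sso_verify_token($email, $token, $secret, $now) {
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) return false;
    $expires = (int)$parts[0];
    if ($expires < $now) return false;   // expired
    $mac = hash_hmac('sha256', strtolower($email) . '|' . $expires, $secret);
    return sso_equals($mac, $parts[1]);
}

// The document LoginShare parses. Anything that is not well-formed XML (a PHP
// warning printed first, for instance) shows up in Kayako as "Invalid data
// provided: 2", so errors are returned as XML as well.
function sso_loginshare_xml($ok, $email, $fullname, $group, $message = '') {
    $x = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<loginshare>\n";
    if (!$ok) {
        return $x . "  <result>0</result>\n  <message>" . htmlspecialchars($message)
             . "</message>\n</loginshare>\n";
    }
    return $x . "  <result>1</result>\n  <user>\n"
         . "    <usergroup>" . htmlspecialchars($group) . "</usergroup>\n"
         . "    <fullname>" . htmlspecialchars($fullname) . "</fullname>\n"
         . "    <emails><email>" . htmlspecialchars($email) . "</email></emails>\n"
         . "  </user>\n</loginshare>\n";
}
```

    login.php would call sso_issue_token() with the email adLDAP returned for the account, and ad-ldap-sso.php would call sso_verify_token() before emitting the result document. Wrapping the adLDAP call in a try/catch that answers with the result-0 form covers the missing error-handling case mentioned above, so LoginShare still receives XML instead of a fatal error page.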
     
  13. AjayPatil

    AjayPatil Member

    Hi Chris,

    Not sure if this helps.

    Instead of typing the URL of the website, i.e. http://helpdesk.domain.com..., I entered http://localhost

    It then gave me this:

    HTTP Error 500.19 - Internal Server Error


    The requested page cannot be accessed because the related configuration data for the page is invalid.


    Detailed Error Information
    Module AnonymousAuthenticationModule
    Notification AuthenticateRequest
    Handler PHP_via_FastCGI
    Error Code 0x80070021
    Config Error This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
    Config File \\?\C:\Support\custom\web.config
    Requested URL http://localhost:80/custom/login.php?redir=
    Physical Path C:\Support\custom\login.php
    Logon Method Not yet determined
    Logon User Not yet determined


    Config Source
    5: <authentication>
    6: <anonymousAuthentication enabled="true" />
    7: </authentication>



    When I go to my IIS settings to see if Windows Authentication is on for the custom folder, as a minimum, I get the following error, which I cannot upload to the forum for some reason.

    So I will type it out:

    There was an error while performing this operation.
    Details:
    Filename: \\?\C:\support\custom\web.config
    Line number: 6
    Error: This configuration section cannot be used at this path. This
    happens when the section is locked at a parent level. Locking is
    either by default (overrideModeDefault="Deny"), or set explicitly
    by a location tag with overrideMode="Deny" or the legacy
    allowOverride="false".


    Any ideas!!!!
     
  14. AjayPatil

    AjayPatil Member

    Hi Chris,

    I entered the URL http://my-server-name/custom/ad-ldap-sso.php in the browser on the server and am still getting the following error:

    500 - Internal server error.

    There is a problem with the resource you are looking for, and it cannot be displayed.

    Here are my config.php settings:

    <?php
    // AD SSO Configuration options
    // This should really be the only file you need to edit...
    // HelpDesk Config
    // User group to assign imported users to
    $AD_SSO_Fusion_Group="Registered"; // ===== DOES IT MATTER THAT THIS SAYS FUSION? =====
    // Active Directory Config
    $AD_SSO_base_dn="DC=domain-name,DC=com";
    $AD_SSO_account_suffix="firstname.lastname@domain-name.com";
    $AD_SSO_domain_controllers="domaincontrollername";
    $AD_SSO_admin_username="username"; // ===== this is my username which has full domain rights =====
    $AD_SSO_admin_password="password";
    // Random shared secret to verify email address used to authenticate is legit
    // Change this to something else @ install...
    $AD_SSO_shared_secret = "8jSGxbzWxyUZMGd3JWJJB9bs4Fs68CyeghpgHumzyPfkpkrKaHDegGuHdnqTVRgK";
    ?>
     
  15. chris88

    chris88 Established Member

    Try deleting web.config from the /custom folder and see if that changes anything.
     
  16. AjayPatil

    AjayPatil Member

    Hi Chris,

    I have removed the web.config file from the custom folder and then tried the Resolve website, and I now get this:

    Invalid data provided: 2

    I also tried going to http://my-server-name/custom/ad-ldap-sso.php and get the following:

    Fatal error: Uncaught exception 'adLDAPException' with message 'Bind to Active Directory failed. Check the login credentials and/or server details. AD said: Invalid credentials' in C:\Support\custom\adLDAP.php:651 Stack trace: #0 C:\Support\custom\adLDAP.php(605): adLDAP->connect() #1 C:\Support\custom\ad-ldap-sso.php(11): adLDAP->__construct(Array) #2 {main} thrown in C:\Support\custom\adLDAP.php on line 651

    I have double checked my credentials and everything is correct as far as I can see.
    Do you think this is because of my Windows 2008 R2 domain?
     
  17. AjayPatil

    AjayPatil Member

    Hi Chris,

    Any ideas...

    Regards
     
  18. chris88

    chris88 Established Member

    Well--it's good to see we're finally getting a meaningful error ;)

    I'm running AD on Windows Server 2008 R2 as well, so I don't think that's the problem. I'd check to make sure that TCP/389 is accessible on the DC you have defined in config.php from your webserver. Beyond that, maybe do a quick scan of the Windows Event logs on the DC to see if anything is being logged there when the LDAP bind is being attempted. Perhaps there's a policy denying non-LDAPS binds?
     
  19. AjayPatil

    AjayPatil Member

    Hi Chris,

    This is what I have done so far to check/confirm that LDAP communication with my domain is working correctly.

    I copied your adLDAP.php script and then changed the configuration of my domain in the following location, instead of using your config.php file. I did this to ensure that config.php was not causing the problem.

    const ADLDAP_LDAP_PORT = '389';
    const ADLDAP_LDAPS_PORT = '636';
    protected $accountSuffix = "@domainname.com";
    protected $baseDn = "DC=domainname,DC=com";
    protected $adPort = self::ADLDAP_LDAP_PORT;
    protected $domainControllers = array("domaincontrollerservername");
    protected $adminUsername = "domain admin username";
    protected $adminPassword = "domain admin password";

    We then created a file called TEST.PHP which had the following in it:

    <?php
    require_once(dirname(__FILE__) . '/adLDAP.php');
    $adldap = new adLDAP();
    $username = 'domain user';
    $password = 'password';
    $authUser = $adldap->authenticate($username, $password);
    if ($authUser == true) {
        echo "User authenticated successfully";
    } else {
        echo "User authentication unsuccessful";
    }
    ?>


    I then opened IE and went to the TEST.PHP URL

    and got the result

    "User authenticated successfully"

    This to me proved that the adLDAP settings were correct and were not causing the problems.

    I understand that in the TEST.PHP I have manually entered the username that AD needs to validate.

    Is there a way to check in your .PHP files what username it is picking up? I understand it should be SSO and hence it should be the user you are logged in with.


    If I change it back according to your first post on this forum then I get the following error:

    Fatal error: Uncaught exception 'adLDAPException' with message 'Bind to Active Directory failed. Check the login credentials and/or server details. AD said: Invalid credentials' in C:\Support\custom\adLDAP.php:651 Stack trace: #0 C:\Support\custom\adLDAP.php(605): adLDAP->connect() #1 C:\Support\custom\ad-ldap-sso.php(11): adLDAP->__construct(Array) #2 {main} thrown in C:\Support\custom\adLDAP.php on line 651

    I am no PHP expert, but I am trying to understand your script and how the SSO is implemented.
     
  20. chris88

    chris88 Established Member

    Can you please try downloading the latest version of custom.zip from here:

    http://forge.kayako.com/attachments/download/126/custom.zip

    I made some very minor changes to config.php. I'm just guessing, but I'd assume your AD Admin Password, as defined in config.php, has some special characters in it (maybe a "$")? Anyway, I changed them from double-quoted strings to single-quoted strings, which in theory, should help. See:

    http://php.net/manual/en/language.types.string.php

    I'll try to diagram out the "logic" behind my script if I get some time today. I'm quite the PHP "noob" myself, so bear with me. We've been running this in production for a few weeks now, and once I got the initial bugs worked out, it's been rock solid.

    Please let me know how you progress. I'd love to see someone else benefit from this, or find an even better solution.
     
