Active Directory SSO with Pass-Thru enabled

Discussion in 'LoginShare' started by chris88, Jan 11, 2012.

  1. Drew Keller

    Drew Keller Just one person in a world of millions.

    Matthew,

    I asked that question because in the release you are using Kayako did a major revamp of the folder structure and the way the APIs etc. are used, and I can see this script has not been updated since then, so I wonder if it is an issue with compatibility with the later versions of Kayako.

    I also noticed you mentioned:
    But I am not sure if this logon share was written with SSO for Staff CP, it seems to be very User focused (based on the Fusion Group in the Config.php file).
     
  2. Matthew Holko

    Matthew Holko Established Member

    That's ok about the staff CP login, I really just wanted it to be able to pass through Active Directory Single Sign on.
    Do you or anyone else out there know for sure if it works or doesn't work with version 4.50.1636?
     
  3. aM-Nick

    aM-Nick Member

    I have upgraded and it works fine. I think earlier in this thread you will find your answers. I will double check, but I believe your issue is a permission issue for letting pass-through auth occur.
     
  4. aM-Nick

    aM-Nick Member

    Matthew,
    What IIS version are you using?
    Also take a look at Post #60. This solved my issue a while back.
    Also take a look at your IIS authentication settings for your custom folder and the login.php.
     
  5. Matthew Holko

    Matthew Holko Established Member

    Thanks for your reply and help.
    I am running IIS 7.5 on Server 2008R2
    I followed the steps in post #60. The post also said to put Windows authentication on the Custom folder and anonymous on the ldap, which I did.
    Unfortunately I am still getting the same error.
    Invalid data provided: 1
     
  6. aM-Nick

    aM-Nick Member

    Did you try running the Test.php from Post #44 and then check the Logs in the Admin CP? This will tell us if we have an issue with the code or if the Authentication is not working.
     
  7. Matthew Holko

    Matthew Holko Established Member

    Hi aM-Nick,

    I've tried to run that test.php but when I run it via the browser I get
    404 - File or directory not found.
    The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.
    In the Recent Activity, Login Failures, Error Logs, Parser logs area on the front Dashboard, each are showing No information available in this view.

    Thanks so much for helping me out.
     
  8. Matthew Holko

    Matthew Holko Established Member

    Hi aM-Nick,
    I ended up taking the custom folder off and reinstalled it all again as per chris88's instructions.
    Now when I try to log in I am getting the error
    Invalid data provided: 2
    I initially get a Windows login box and after entering my domain name and password I get the above error.

    If I go in via the AdminCP and check the error logs I see
    Loginshare Invalid XML Received for User LoginShare Plugin

    Not sure why but I still can't open that test.php page. When I go to that I get

    500 - Internal server error.
    There is a problem with the resource you are looking for, and it cannot be displayed.

    I've spent the day going through the forums and troubleshooting these errors but haven’t been able to get it to work.



     
  9. aM-Nick

    aM-Nick Member

    Matthew Holko,

    I have created a copy of my settings for you to try and look at and see if they shed any light towards a solution.

    Remember these are my settings and work for me. They may need to be adjusted for you.
    My biggest issue was the authentication settings for IIS and which folder had which access.

    BTW: I'm running Win Srv 2008 R2 with SP1 Version 6.1 (Build 7601)
    2 Intel Xeons E5430s
    8GB Ram
    IIS version 7.5.7600.16385

    The only thing I use the server for is my helpdesk and one development/test helpdesk that is virtually never running unless I'm testing.
    So just take these settings with a grain of salt and hopefully they help.
     

  10. Matthew Holko

    Matthew Holko Established Member

    Thanks for your help again. I went through and mirrored your settings but still no luck.
    The only thing I can think of is my path in IIS is different than yours and some others.
    Instead of my Kayako site at the top root level of IIS, I have it under a support folder
    \inetpub\wwwroot\support\custom\ldap

    Do you think that this would be an issue at all?
     
  11. Matthew Holko

    Matthew Holko Established Member

    The only other thing I was unsure about was the shared secret settings in the config.php
    Do I have to change this in the config.php and also enter that shared secret somewhere else?

    // Random shared secret to verify email address used to authenticate is legit
    // Change this to something else @ install...
    $AD_SSO_shared_secret = '**********************************';
    ?>
     
  12. aM-Nick

    aM-Nick Member

    I actually do not remember what I did with that shared key, and why it's even there I do not know. I would hate if I forgot that I did something with that. If my memory serves me right I just make some random code with the same number of characters.

    The only other thing I did not mention was I did change the permissions on the login.php so my domain users have full control.
    I'm not sure if this is necessary, it may have just been something I did when troubleshooting my problems. See Pic.

    Questions: Were you able to get the plain LDAP Login Share to work?
     

  13. Matthew Holko

    Matthew Holko Established Member

    Yes I do have the Domain Users with Full Control on the login.php
    I still haven't been able to get it to work.
    If I attempt to log in I am still getting the Invalid Data Provided:1 error
    I don't know what else I can do to get this going as I've checked all the solutions in this forum.
    The only other thing that I can think why it would work is my question on post #90
     
  14. Drew Keller

    Drew Keller Just one person in a world of millions.

    From what I can see from the script, the Shared Secret is just used to create a Password hash that is stored in the database and used to validate the user at actual signon.

    Have you enabled logging and had a look at what it is reporting?
    What version of adLDAP are you using? I noticed version 4.0.4 is out; are you using this or 4.0.3, as was tested originally?
     
  15. Matthew Holko

    Matthew Holko Established Member

    I am using the older version of LDAP 4.03
    Thought I'd go with what was supported.

    With logging on I go to the /support/custom/ldap/ad-ldap-sso.php
    and get the following-

    Warning: Unknown: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Australia/Melbourne' for '10.0/no DST' instead in Unknown on line 0
    Fatal error: Uncaught exception 'adLDAPException' with message 'No LDAP support for PHP. See: http://www.php.net/ldap' in C:\inetpub\wwwroot\support\custom\ldap\adLDAP.php:602
    Stack trace:
    #0 C:\inetpub\wwwroot\support\custom\ldap\ad-ldap-sso.php(11): adLDAP->__construct(Array)
    #1 {main}
    thrown in C:\inetpub\wwwroot\support\custom\ldap\adLDAP.php on line 602
     
  16. Matthew Holko

    Matthew Holko Established Member

    Also I was hoping that someone could put some instructions up on how to setup logging. I noticed in the forums various ways but was hoping someone could let me know the correct steps so that I can get to see the errors I need to see.
     
  17. 014

    014 New Member

    Hi, Matthew. I don't have a solution but am chiming in to say I'm in the same boat. I started attempting to implement this yesterday. I have tried post #60 and the one later regarding changing the directory structure slightly. I am about to start over using the instructions purely from #60. If / when I get this working, I'll create a detailed reply here including directories with contents, permissions, and some IIS settings.

    Kayako 4.50.1636
    Windows Server 2008 R2 w/ IIS 7.5
    PHP 5.3.16
    Active Directory domain and forest functional levels are Windows Server 2008 R2
     
  18. 014

    014 New Member

    I still have not gotten it to work, but I found an entry in the IIS logs that might be revealing:
    2012-11-15 17:06:46 192.168.x.x POST /resolve/custom/ad-ldap-sso.php - 80 - 192.168.x.x SWIFT_LoginShare 401 2 5 0

    I think that's the error that is causing my trouble. If I leave config.php at default or delete it, I still get the same Invalid data provided: 2 error. That tells me that file is not even being used yet. In fact, I get the same error if I purposely tell LoginShare to use the wrong PHP file.

    Which is closer to working, Invalid data provided: 1 or Invalid data provided: 2? I am able to reproduce either of those errors.
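
Added example (not part of any post in this thread): a small Python triage of the IIS log entry quoted in the post above, decoding the trailing `401 2 5` fields. It assumes the IIS 7.5 default W3C field order, which the thread does not show; the sub-status meanings are Microsoft's documented ones, and the second sample entry is constructed.

```python
# Added example: triage IIS W3C log lines for rejected LoginShare callbacks.
# Assumption: IIS 7.5 default field order; confirm against the "#Fields:" header.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

# Microsoft-documented IIS 7.x sub-status codes for HTTP 401.
SUBSTATUS_401 = {
    "1": "logon failed",
    "2": "logon failed due to server configuration",
    "3": "unauthorized due to ACL on resource",
    "4": "authorization failed by filter",
    "5": "authorization failed by ISAPI/CGI application",
}

def parse_line(line):
    """Return a dict for one log entry, or None for comments/malformed lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def rejected_loginshare_calls(lines, agent="SWIFT_LoginShare"):
    """Find requests from the LoginShare client that IIS answered with 401."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if not entry or entry["cs(User-Agent)"] != agent or entry["sc-status"] != "401":
            continue
        findings.append({
            "uri": entry["cs-uri-stem"],
            "anonymous": entry["cs-username"] == "-",   # no authenticated user logged
            "status": "401." + entry["sc-substatus"],
            "reason": SUBSTATUS_401.get(entry["sc-substatus"], "unknown sub-status"),
            "access_denied": entry["sc-win32-status"] == "5",  # Win32 ERROR_ACCESS_DENIED
        })
    return findings

SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 7.5",
    # Entry quoted in the thread:
    "2012-11-15 17:06:46 192.168.x.x POST /resolve/custom/ad-ldap-sso.php - 80 - "
    "192.168.x.x SWIFT_LoginShare 401 2 5 0",
    # Constructed entry: an authenticated browser request that succeeded.
    "2012-11-15 17:06:40 192.168.x.x GET /resolve/index.php - 80 EXAMPLE\\jdoe "
    "192.168.x.x Mozilla/5.0+(constructed) 200 0 0 31",
]

if __name__ == "__main__":
    for finding in rejected_loginshare_calls(SAMPLE_LOG):
        print(finding)
```

A 401.2 entry with `-` in the username column means IIS refused the request before any credentials were accepted, which points at the authentication settings of the folder holding the LoginShare script rather than at the PHP code.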
     
  19. Matthew Holko

    Matthew Holko Established Member

    014
    That would be great if you can point me in the right direction when you get it going. I'm very stumped with this considering I installed it 3 times just to make sure I did it right.
    I followed the instruction as they were set out and still no go.

    Can anyone read into the error message I posted in post #95?
    Thank you all :)
     
  20. 014

    014 New Member

    For the first part, you need to go to your php.ini file and uncomment the timezone and specify the timezone you're in. For example:
    PHP:
    date.timezone = "America/Chicago"
    For the LDAP support in PHP part, you'll want to go to this site and read the comments at the bottom. They tell of making sure you have the appropriate DLL files in your PHP directory. You probably also need to uncomment the LDAP extension within your php.ini file.
    http://www.php.net/ldap
    PHP:
    extension=php_ldap.dll
     
