
Active Directory SSO with Pass-Thru enabled

Discussion in 'LoginShare' started by chris88, Jan 11, 2012.

  1. bartek Dirycz

    bartek Dirycz Member

    How would I get this to work with Apache?
     
  2. Matthew Holko

    Matthew Holko Established Member

    Hi there,
    In regards to the config.php file, what user credentials should I have in there at the least? I don't really want to put domain administrator credentials in there, which would be a security risk.
    Also, what NTFS permissions can I have on this file? Do domain users have to have read access? Can only domain administrators and/or the IIS_IUSRS have access to the file?
    Thanks everyone for their help :)
     
  3. Matthew Holko

    Matthew Holko Established Member

    Hi again,
    Just wondering if anyone had any advice on my last post above? I read that this username has to have elevated privileges like a domain administrator. The details of the username and password sit in the config.php file. The password isn't encrypted or anything, so essentially people could view this file and view domain admin credentials.
    Is this correct?
    Thanks in advance, great forum :)
     
  4. Ali Dursun

    Ali Dursun Member

    Can you please describe under which infrastructure scenarios this would work for us. For example:

    a) kayako on-premise + DHCP / DNS on-premise

    b) kayako on webhoster + DHCP / DNS on webhoster

    c) kayako on webhoster + DHCP / DNS on-premise

    d) kayako on-premise + DHCP / DNS on webhoster

    Would your solution work for all scenarios, or only for some of these?

    We work with scenario "c", but want to switch later in 2014 to "a", when the cloud becomes more interesting for us.

    Thanks in advance
     
  5. aM-Nick

    aM-Nick Member

    The only thing I also forgot to mention was that when you finally get it working, your domain settings might be restricting the auto authentication. My domain, and most, require your site to be in the trusted sites group and have your logon setting in this group set to use current username and password. Just for some of the people that can get this working but are stumped as to why they are receiving a popup to log in versus the SSO pass through. This can be completed in a few simple steps in your Group Policies.
     
  6. Aaron H

    Aaron H Member

    +1 on this working on *Nix w/ Apache. Would be lovely if we could use this tool.
     
  7. chrisjako

    chrisjako New Member

    Yes I do want SSO. I work at a school where asking teachers to enter their credentials to sign in will result in them not bothering to use the system, but I also want to publish the support system to parents and users outside of our Active Directory, and cannot see any way to accomplish this! Can anyone please help? Even a link to register as a new user would be a good workaround, but I've tried creating a new template group and directing to the URL using this new group and it still asks for authentication!
     
  8. Michael M

    Michael M Member

    I have been working on getting this up and running for about 8 hours. I've read just about every post in here, but I can't figure out the error I'm receiving. I'm hoping someone can help. I'm running a Win Server 2008, SP2, IIS 7.0, Kayako Fusion 4.50.1636 and PHP 5.3.24. When attempting to login as a user, I receive:

    "Invalid data provided:2".

    On the admin platform, I see the following:

    "Invalid XML Received for User LoginShare Plugin<BR /><BR />PHP Warning: require_once(C:\Help Desk\custom/adLDAP.php): failed to open stream: No such file or directory in C:\Help Desk\custom\ad-ldap-sso.php on line 9
    PHP Fatal error: require_once(): Failed opening required 'C:\Help Desk\custom/adLDAP.php' (include_path='.;C:\php\pear') in C:\Help Desk\custom\ad-ldap-sso.php on line 9"

    Does anyone have any suggestions on how to fix this? Thanks so much for any help!
     
  9. Gary McGrath

    Gary McGrath Staff Member

    Hi Michael,

    On your server, can you right click and go to the properties of the adldap.php file? On the properties page, do you see an "Unblock" button? (Check the other files in your custom folder for the same.)

    Windows 2008 has a protection technology where it marks files "downloaded" from the internet as "untrusted" and "blocks" those files.

    If the file in question is a zip file, when you extract the files out of it, it also "blocks" all those files. IIS cannot access files which are "blocked".

    Also ensure that your IIS user account has full control of the custom folder you created.

    Assuming that all checks out, can you check your PHP error log and post the last few errors PHP is showing in the logs (the bottom lines of the file)?

    Gary
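    As an added check (not from the thread and not Kayako's own tooling), a PowerShell snippet that finds files under the custom folder still carrying the Zone.Identifier mark Gary describes, unblocks them, confirms the adLDAP.php file the error names is present, and lists the rights the IIS identity currently holds on the folder. It assumes PowerShell 3.0 or later; the folder path is taken from Michael's error message and the IIS identity name is a placeholder to adjust.

```powershell
# Added example (not from the thread): inspect the Kayako "custom" folder for files that
# Windows marked as downloaded (Zone.Identifier stream) and for IIS identity access.
# Assumes PowerShell 3.0+ (Get-Item -Stream, Unblock-File, Get-ChildItem -File).
$CustomDir   = 'C:\Help Desk\custom'    # path from the thread; adjust for your install
$IisIdentity = 'BUILTIN\IIS_IUSRS'      # placeholder: use your app pool / IIS identity

# 1. Files carrying the Zone.Identifier alternate data stream are the ones IIS refuses to read.
$blocked = Get-ChildItem -Path $CustomDir -File -Recurse |
    Where-Object { Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue }

if ($blocked) {
    "Blocked files:"
    $blocked | ForEach-Object { "  $($_.FullName)" }
    # Same effect as the "Unblock" button on the file's Properties page.
    $blocked | Unblock-File
} else {
    "No blocked files under $CustomDir"
}

# 2. Confirm the file the PHP error names actually exists at that path.
$required = Join-Path -Path $CustomDir -ChildPath 'adLDAP.php'
if (-not (Test-Path -LiteralPath $required)) { "Missing: $required" }

# 3. Show which rights the IIS identity currently has on the folder.
(Get-Acl -Path $CustomDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $IisIdentity } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```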
     
  10. Michael M

    Michael M Member

    Gary,

    I've gone through the process of 'unblocking the files' (thanks - I didn't know W2008 did that), reinstalled and configured, and am still receiving the same error:

    Invalid XML Received for User LoginShare Plugin<BR /><BR />PHP Warning: require_once(C:\Help Desk\custom/adLDAP.php): failed to open stream: No such file or directory in C:\Help Desk\custom\ad-ldap-sso.php on line 9
    PHP Fatal error: require_once(): Failed opening required 'C:\Help Desk\custom/adLDAP.php' (include_path='.;C:\php\pear') in C:\Help Desk\custom\ad-ldap-sso.php on line 9
     
  11. Gary McGrath

    Gary McGrath Staff Member

    Hi Michael,

    I have not looked at this mod directly, but it states that within the code it's got hard-set locations, so if you're using anything like SEO URLs it would likely break.

    Can you check your PHP error log (you can check the php.ini for its location) and paste the last few error lines here?

    Gary
     
  12. Michael M

    Michael M Member

    Thanks Gary, I'm trying to track the location down.
     
  13. Michael M

    Michael M Member

    Gary, I apologize, but would you be kind enough to direct me to where to find the error log in the php.ini file? There are many 'error' related entries. Many thanks!
     
  14. Asbjorn.B

    Asbjorn.B Member

    Hi,
    1.
    I first got a problem with the web.config file which disables Anonymous Authentication, getting a server error that the "Section is locked at a parent level". I think I solved this by instead disabling Anonymous Authentication on the custom folder (which contains the LoginShare script) in IIS8 (and enabling Windows Authentication), and just removing the web.config file.
    Do you agree that this is a good solution for this problem?
    2.
    Now I'm stuck with this Kayako error message:
    "A Cross Site Request Forgery attempt has been detected; cannot continue with the required action."
    It seems I get this message after IE has tried to login automatically. When I open it in Firefox it asks for my username and password before the error shows up after I try to log in.
    I'm not sure if these two errors are related.
    I got this to work: http://forums.kayako.com/threads/php-ad-ldap-authenticator.24269/
    I'm using Windows Server 2012 (IIS8) with php 5.3.26 (ldap enabled), MySQL 5.6, and Kayako 4.57.

    I tried the trick from post #60 with no success.

    I just tried Chris' test.php and it returned successful xml:
    <loginshare>
    <result>1</result>
    ...
    </loginshare>
     
  15. Farhaz Hofman

    Farhaz Hofman New Member

    After upgrading from 4.53 to 4.58, I am experiencing CSRF errors when trying to log in.

    I created an issue here: http://forge.kayako.com/issues/252

    I hope you have time to look into this issue.
     
  16. Asbjorn.B

    Asbjorn.B Member

    Me too. It was not working with versions 4.56 and 4.57.
     
  17. Gary McGrath

    Gary McGrath Staff Member

    Hi All,

    A workaround for getting this working in the meantime for versions 4.56+:

    file: class.Controller_User.php
    location: __swift\apps\base\client

    In the function Login

    comment out the CSRF check:
    Code:

        if (!in_array('header (Default)', SWIFT_Template::GetUpgradeRevertList()) && (!isset($_POST['_csrfhash']) || !SWIFT_Session::CheckCSRFHash($_POST['_csrfhash'])))
        {
            $this->UserInterface->Error(true, $this->Language->Get('msgcsrfhash'));
            $this->Load->Controller('Default')->Load->Index();
            return false;
        }
     
    
    e.g. change to

    Code:

        /* if (!in_array('header (Default)', SWIFT_Template::GetUpgradeRevertList()) && (!isset($_POST['_csrfhash']) || !SWIFT_Session::CheckCSRFHash($_POST['_csrfhash'])))
        {
            $this->UserInterface->Error(true, $this->Language->Get('msgcsrfhash'));
            $this->Load->Controller('Default')->Load->Index();
            return false;
        } */
    
    Gary
     
  18. Farhaz Hofman

    Farhaz Hofman New Member

    Gary,

    Thanks for the workaround!!
     
  19. Asbjorn.B

    Asbjorn.B Member

    Thanks again, Gary!
    And thanks to Ben31 for the solution to my "Invalid data provided: 2" problem which showed up. (at post #60)
    So now it's working fine with my IIS 8.
     
  20. Tjoxen

    Tjoxen New Member

    I have everything up and running on 4.58.0.3650 now. The problem I have is that I get random error 500 when I click around in the helpdesk. Sometimes I can click around in the menus 20 times, sometimes I click 2 times and get error 500. If I remove the SSO stuff it works perfectly. I'm running W2K8R2 with IIS7.5, MySQL 5.6, PHP 5.3.27.
    This is a completely new environment setup because I had the above problem when trying to upgrade our production site that runs 4.40.1148. Because of that I installed a new clean system just to be sure it was not any old stuff in the production environment that was causing the problem, but I have the exact same behavior in the new clean environment.

    Anyone seen this or have any tips to give me?
     
