PassThrough AuthenticationExplanation about NtlmV2 Implementation in SupportCenter Plus
NTLMV2 is a protocol supported by Microsoft and the same is implemented in SupportCenter Plus.
What's the protocol defines?
When a service wants to initiate the Single-sign-on, first a secure channel has to be built with the domain controller and the same has to be used by the service for further authentication process with the Active Directory. In a multi-domain environment the service will have the secure connection with only one domain controller and the same will authenticate the users of the other domains using the trust relationship with that domain.
SupportCenter Plus has implemented the secure channel to the Active Directory using the NETLOGON service via a computer account. For enabling a NetLogon service that computer account requires a password. NetLogon service is the internal communication channel of Microsoft. One computer will create a unique identity in the domain and create some random password for the further communications within the domain. For eg, When the user tries to login, the computer will produce its identity to the AD and then it tries to authenticates the user. The user accounts are used for access privileges and it cannot communicate with AD directly so we are using the computer account for netlogon. Since the password is generated random at the time of registering a computer under a domain and the same is not required to expose there is no option to reset password in the AD.
SupportCenter Plus uses the VBScript to create a computer account and set the password for the same. If the same can be achieved by any other means, then that information can be used by the SupportCenter Plus for Pass-through-authentication.
Configuring Pass Through Authentication in SupportCenter Plus
The following instructions will help you to configure Pass-Through Authentication under Admin –> Active Directory.
Select the check box to activate single sign-on.
Please choose the Domain name. You can enable Pass-through authentication for users from a particular Domain/AD forest. For authentication to happen for other domain users, the other domain should have trust relation with the selected domain or it should have parent-child relation. In case of Parent-Child domain, only the parent domain should be selected here.
Specify the DNS Server IP of the domain in the provided field and to make sure you are entering the correct credentials for (DNS Server IP & Bind String) you may open a command prompt from the application server and execute ipconfig /all which will list the Primary DNS suffix which can be used as the Bind string and first IPaddress under DNS servers can be used under DNS server IP. Refer to the screen shot below:
To use the NTLM security provider as an authentication service, a computer account needs to be created in the Active Directory with a specific password which meets the password policy in the Active Directory. Specify a unique name for the Computer Account and Password for this account.
Note: Make sure that your password should comply the password policy of the domain. Then the computer account name should not be more than 12 characters and should not have any special characters in the same.
The Bind String parameter must be a fully qualified DNS domain name or the fully qualified DNS host name of a particular AD server. (The name can be found at the top of OU tree in the Active Directory.)
Note: An active user account cannot be specified as a computer account.
Upon saving the details, a new computer account will be created in the Active Directory (with the help of VB Script which will run in the background) and at the same time the details gets saved in the application database.
If you are specifying existing computer account name, the password specified here will also be set on the Active Directory for that computer account. You can also choose to reset the password of computer account by clicking on the Reset Password link as well.
Even if it throws an error while creating a Computer Account or resetting password (of an already created Computer Account) from the application, the details specified on the window will be saved in the application database and user can later execute the scripts locally on the AD server specifying the same details (mentioned in the application) to create computer account / reset password. The scripts for creating a Computer Account and Resetting the password are attached below.
The scripts can be generated from the link below as well.
https://forums.manageengine.com/viewFile.do?fileId=49000003788021&forumGroupId=49000000002007
Note:
When you are trying to create a new Computer Account through the application or by running it locally on the AD server itself, the Computer Account will be created under the "Computers" container in the domain specified. If you have created a Computer Account elsewhere like on a different OU then the set password script won't work.
Running Scripts in the Active Directory Server:
Creating a Computer Account using NewComputerAccount.vbs
Open a command prompt on the AD server and browse to where the script is saved and then execute the below command:
CSCRIPT NewComputerAccount.vbs ComputerAcctName /p password /d DomainName
For Resetting the password using SetComputerPass.vbs
Open a command prompt on the AD server and browse to where the script is saved and then execute the below command:
CSCRIPT SetComputerPass.vbs ComputerAcctName /p password /d DomainName.
Creating the computer account under different OU:
cscript NewComputerAccount.vbs <ComputeraccountName> /p <Password> /d <domain name> | /ou <OU-Optional> /ou <Child-OU-Optional> /ou <Child-OU-Optional>
Note: If the login page is modified, Pass Through authentication will not work as it can't make use of the session variables set in login.jsp file.
Copyright © 2012, ZOHO Corp. All Rights Reserved.
|
