
WebPortal SSO authentication doesn't work when connected by Application Server

Hello all!

My SSO works when my Portal application targets the database directly.
At the same time, my application has Windows Authentication activated and Anonymous authentication is disabled, and NTLM is selected as the main provider.


Windows Authentication is also activated on the Default web site side, but Anonymous authentication is also enabled (SSO did not work without it) and NTLM is not used as the main provider.


I also use the following settings in my Internet Explorer browser:
"Enable Integrated Windows Authentication" activated. Portal site added to local intranet sites.
So, with all these inputs, SSO works fine for me.

It doesn't work when I connect not through the database, but through the application server. I tried various settings (please review previous screenshots).
The question is: what settings must I configure on the side of the application server and the IIS on which it is installed when connecting my Portal application through the application server?

Thanks!

  • Is the application server installed on the same machine as the web portal? If not, using NTLM is not possible due to the double hop problem and you need to use negotiate and Kerberos to get Windows Authentication between a client and two servers working.
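
Added example (not part of the original thread and not One Identity code): a small audit of an `applicationHost.config` fragment that flags, per IIS location, settings that rule out the Negotiate/Kerberos path described in the reply above. The XML is constructed sample data, and the location paths `Default Web Site/Portal` and `Default Web Site/AppSrv` are assumed names.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment; location paths are assumed names.
SAMPLE_CONFIG = """
<configuration>
  <location path="Default Web Site/Portal">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" />
      <windowsAuthentication enabled="true">
        <providers><add value="Negotiate" /><add value="NTLM" /></providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/AppSrv">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" />
      <windowsAuthentication enabled="true">
        <providers><add value="NTLM" /></providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
</configuration>
"""

def _enabled(element):
    # Only explicit attributes are read; inherited or default values are not resolved.
    return element is not None and element.get("enabled", "").lower() == "true"

def audit_locations(config_xml):
    """Return {location path: [findings]} for settings that prevent a Kerberos logon."""
    report = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        findings = []
        win = next(loc.iter("windowsAuthentication"), None)
        anon = next(loc.iter("anonymousAuthentication"), None)
        if not _enabled(win):
            findings.append("Windows Authentication is not explicitly enabled")
        else:
            providers = [p.get("value", "") for p in win.iter("add")]
            if not any(p.startswith("Negotiate") for p in providers):
                findings.append("Negotiate is not offered, so Kerberos cannot be selected")
            elif not providers[0].startswith("Negotiate"):
                findings.append("Negotiate is not the first provider")
        if _enabled(anon):
            findings.append("Anonymous is enabled, so requests may carry no Windows identity")
        report[loc.get("path")] = findings
    return report

for path, findings in audit_locations(SAMPLE_CONFIG).items():
    print(path, "->", findings or "no findings")
```

Provider order is only a precondition for Kerberos between two machines; the rest of the setup is covered by the document linked later in the thread.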

  • Hello, Markus. The Application server and the server with the Web Portal are on different machines. I changed the Web Portal provider to Negotiate, but can you help me to know what authentication methods and/or other parameters, such as the provider, I must use for the AppSrv application and/or the Default Web Site (IIS) where the Application server is installed?

     I tried two variants:

    1. I enabled Windows auth and disabled anonymous auth on the AppSrv application. For the Default Web Site I enabled Windows and Anonymous auth.

    After I tried to enter the Web Portal I immediately got this error:

    And this error in the Web Portal log:

    Error while handling the request /Portal/res.axd?svc=wcfurl ---> System.AggregateException: One or more errors occurred. ---> VI.DB.Entities.SessionExpiredException: Your session has expired. Log on again. ---> ServiceStack.WebServiceException: Unauthorized

    2. I enabled Windows and Anonymous auth for AppSrv application and for Default Web Site in IIS.

    First I was redirected to the default ONEIM login page, and in the log I have this error:

    Single-sign-on failed, URL was /Portal/ ---> System.AggregateException: One or more errors occurred. ---> QBM.AppServer.Interface.AppServerException: Application server returned an error. ---> VI.Base.ViException: An error occurred.

    In the application server log:

    VI.Base.ViException: Failed to authenticate user. ---> VI.Base.ViException: The current user could not be determined.

  • You should check the following thread: https://www.quest.com/community/one-identity/identity-manager/f/identity-manager-forum/28037/issue-while-trying-to-authenticate-using-kerberos-on-the-web-portal

    Especially the document linked there should help to configure your IIS to achieve SSO using Kerberos between two machines.

  • Thanks, Markus,

    I tried to do everything suggested in this document, and I did the same for the AppSrv application too. But I still have an error:

     ---> System.AggregateException: One or more errors occurred. ---> VI.DB.Entities.SessionExpiredException: Your session has expired. Log on again. ---> ServiceStack.WebServiceException: Unauthorized

  • This error may lead to a wrong session certificate for the application server. I should check this as well.

  • Markus, could you explain more fully what you mean when you talk about a wrong session certificate for the application server? Thanks.

  • During the installation of the Application Server, it asked for a session certificate. In a load balanced scenario, all application servers should use the same session certificate.

  • Markus, I have 2 Application Servers and they are balanced by Netscaler. But, to eliminate errors with balancing, I tried to connect directly to one AppSrv.

    So, I have this error.

    What Database Authentication must I choose when I configure the Application Server if I want to use SSO? Windows or SQL?

    Remember that when I connect directly from the Web Portal to the DB, SSO works fine.

    I really can't understand. Along with the "session expired" error I sometimes have another error:

    VI.Base.ViException: No session could be created for the web project CCC_TNPORTAL. Check that the web project has been compiled. ---> Microsoft.Practices.Unity.ResolutionFailedException: Resolution of the dependency failed, type = "VI.WebRuntime.IUserSession", name = "(none)".
    Exception occurred while: while resolving.
    Exception is: InvalidOperationException - The type IUserSession does not have an accessible constructor.

  • The error message "No session could be created for the web project CCC_TNPORTAL. Check that the web project has been compiled." is pointing to the fact that your web project CCC_TNPORTAL is not compiled so no assemblies have been found in the database.

  • Yes, I understand, it would be stupid to get an error due to lack of compilation.

    But my project was compiled, 100%. I checked it. Sometimes I have an error: No session could be created for the web project.

    But more often an error is: Your session has expired. Log on again.

    In the log I always have an error with an expired session.

    So, I can’t find information anywhere about what parameters should be configured on the Application Server side for the Web Portal to work through it using SSO.

  • The last error was around compiling. I already answered with the pointer to the other thread in regards to SSO and Kerberos.

    I suggest it is time to contact support.