Explanation about NTLMv2 Implementation in ServiceDesk Plus:
NTLMv2 is a protocol supported by Microsoft to overcome the security issues of NTLMv1; ServiceDesk Plus implements it using Jespa.
What does the protocol define?
When a service wants to initiate single sign-on, a secure channel first has to be established with the domain controller, and the service then uses that channel for all further authentication against Active Directory. In a multi-domain environment the service has a secure connection to only one domain controller; that domain controller authenticates users of the other domains through its trust relationships with those domains.
ServiceDesk Plus establishes the secure channel to Active Directory using the NETLOGON service via a computer account. Enabling the NetLogon service requires that this computer account has a password.
The NetLogon service is Microsoft's internal communication channel. A computer creates a unique identity in the domain and a random password for its further communication within the domain. For example, when a user tries to log in, the computer presents its identity to AD, and AD then authenticates the user. User accounts are used for access privileges and cannot communicate with AD directly, so the computer account is used for NetLogon. Because the password is generated randomly when the computer is registered in the domain and never needs to be exposed, AD offers no option to reset it.

ServiceDesk Plus uses VBScript to create a computer account and set its password. If the same can be achieved by any other means, that information can be used by ServiceDesk Plus for pass-through authentication.
From version 7600, ServiceDesk Plus pass-through authentication uses NTLMv2, which provides better security and validates credentials using the NETLOGON service; NTLMv1 is no longer supported. When you upgrade from 7514 to 7600, pass-through authentication is automatically disabled and you have to reconfigure it, which requires creating a new computer account in Active Directory. From then on, Active Directory credentials are authorized through this computer account.
Configuring Pass Through Authentication in ServiceDesk Plus
The following instructions will help you configure Pass-Through Authentication under Admin – Active Directory.
1. Select the check box “Enable Pass-through Authentication” to activate single sign-on.

2. Choose the domain from which you want to configure pass-through authentication. You can enable pass-through authentication for users of a particular domain/AD forest. For users of other domains to be authenticated, the other domain must have a trust relationship with the selected domain, or a parent-child relationship with it. In the case of a parent-child domain, only the parent domain should be selected here. After configuring the trust relationship in AD, you have to configure pass-through authentication.
3. Specify the DNS server IP of the domain in the field provided. To make sure you enter the correct values for 3. DNS Server IP and 5. Bind String, open a command prompt on the application server and execute ipconfig /all: the Primary DNS Suffix listed there can be used as the Bind String, and the first IP address under DNS Servers can be used as the DNS Server IP. Refer to the screenshot below:


4. To use the NTLM security provider as an authentication service, a computer account needs to be created in Active Directory with a specific password that meets the Active Directory password policy. Specify a unique name and a password for this computer account.
Note: Make sure that your password complies with the password policy of the domain. The computer account name must not be longer than 12 characters and must not contain any special characters.

5. The Bind String parameter must be a fully qualified DNS domain name or the fully qualified DNS host name of a particular AD server (the name found at the top of the OU tree in Active Directory).


6. The DNS Site field value can be taken from Active Directory Sites and Services. Expand Sites and find the site in which the domain controller (configured under Windows Domain Scan under the Admin tab) is listed.



Note: An active user account cannot be specified as a computer account.
Upon saving the details, a new computer account is created in Active Directory (by a VBScript that runs in the background), and at the same time the details are saved in the application database in a table named "jespaconfiguration".
If you specify the name of an existing computer account, the password given here is also set in Active Directory for that computer account. You can also reset the password of the computer account by clicking the Reset Password link.
Even if an error is thrown while creating a computer account or resetting the password (of an already created computer account) from the application, the details specified in the window are saved in the application database. Download the scripts and save them as NewComputerAccount.vbs and SetComputerPass.vbs.

You can download the scripts by clicking the Click Here link.

Note: When you create a new computer account through the application or by running the script locally on the AD server itself, the computer account is created in the "Computers" container of the specified domain. If you created a computer account elsewhere, such as in a different OU, the set-password script won't work.
Running Scripts in the Active Directory Server:

Creating a Computer Account using NewComputerAccount.vbs

Open a command prompt on the AD server, browse to where the script is saved and execute the following command:

CSCRIPT NewComputerAccount.vbs ComputerAcctName /p password /d DomainName

Resetting the password using SetComputerPass.vbs

Open a command prompt on the AD server, browse to where the script is saved and execute the following command:

CSCRIPT SetComputerPass.vbs ComputerAcctName /p password /d DomainName

Creating the computer account under a different OU:

cscript NewComputerAccount.vbs <ComputeraccountName> /p <Password> /d <domain name> | /ou <OU-Optional> /ou <Child-OU-Optional> /ou <Child-OU-Optional>

cscript SetComputerPass.vbs <ComputeraccountName> /p <password> /d <domain name> /ou <OU-Optional> /ou <Child-OU-Optional> /ou <Child-OU-Optional>
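The article says that any other means of creating the computer account and setting its password will do. The following is an added example of such an alternative, written for this page and not one of the ServiceDesk Plus scripts: it uses the ActiveDirectory PowerShell module (RSAT) on a domain-joined admin host to create the account in the Computers container, or to reset its password if it already exists, while enforcing the constraints stated above (name of at most 12 characters with no special characters, password not shorter than the domain's minimum). The account name, domain name and optional OU path are placeholders.

```powershell
# Added example (not NewComputerAccount.vbs / SetComputerPass.vbs): create or reset the
# SSO computer account with the ActiveDirectory module. Requires RSAT and an account with
# rights to create computer objects and reset their passwords.
Import-Module ActiveDirectory

$AccountName = 'SDPSSO01'          # placeholder: <= 12 chars, letters and digits only
$DomainDns   = 'zoho.k12.mt.us'    # placeholder: the domain's FQDN (the article's Bind String)
$TargetPath  = $null               # placeholder: leave $null for CN=Computers, or give an OU DN (like /ou)
$Password    = Read-Host -AsSecureString -Prompt "Password for $AccountName"

# Name rules from the article: at most 12 characters and no special characters.
if ($AccountName.Length -gt 12 -or $AccountName -notmatch '^[A-Za-z0-9]+$') {
    throw "Computer account name '$AccountName' violates the 12-character / no-special-character rule."
}

$Domain = Get-ADDomain -Identity $DomainDns
$Dc     = $Domain.PDCEmulator

# Length is the only part of the domain password policy checkable without the plaintext;
# complexity still has to be satisfied by whoever types the password.
$Policy = Get-ADDefaultDomainPasswordPolicy -Identity $DomainDns -Server $Dc
if ($Password.Length -lt $Policy.MinPasswordLength) {
    throw "Password is shorter than the domain minimum of $($Policy.MinPasswordLength) characters."
}

# Computer objects have a sAMAccountName ending in '$'; the default location is the
# domain's Computers container, which is where the application-created account lives.
$Sam  = "$AccountName`$"
$Path = if ($TargetPath) { $TargetPath } else { $Domain.ComputersContainer }

$existing = Get-ADComputer -LDAPFilter "(sAMAccountName=$Sam)" -Server $Dc

if ($null -eq $existing) {
    # Equivalent of NewComputerAccount.vbs: create the object with the chosen password.
    New-ADComputer -Name $AccountName -SamAccountName $Sam -Path $Path `
        -AccountPassword $Password -Enabled $true -Server $Dc
    Write-Host "Created $Sam under $Path"
} else {
    # Equivalent of SetComputerPass.vbs: reset the password wherever the object lives,
    # and show the DN so a mismatch with the expected container is visible.
    Set-ADAccountPassword -Identity $existing -Reset -NewPassword $Password -Server $Dc
    Write-Host "Password reset for $Sam at $($existing.DistinguishedName)"
}
```

After running it, enter the same account name and password under Admin – Active Directory so that the values stored in the jespaconfiguration table match what is in AD.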
Note: If the login page is modified, pass-through authentication will not work, as it can't make use of the session variables set in the login.jsp file.
Troubleshooting - SSO Issue
1. Sometimes, while creating a computer account using the script (newcomputeraccount.vbs), you may receive an error message like 1A8:Object Required:


There might also be an error while using setcomputerpass.vbs. Below are the screenshots for the same.

The computer account creation will work if the domain name is given as the fully qualified domain name. In this example the customer's domain name was ZOHO. This is how the domain name is configured in SDP as well, and all users and workstations are associated with this domain. The primary DNS suffix / bind string value was ZOHO.k12.mt.us. Refer to screenshot 1 for the bind string value reference.
Using the bind string value resolved the issue. Refer to the screenshot below.

SSO Troubleshooting based on jespa.log Error Traces
You can find jespa.log under the ServiceDesk-home/logs folder, assuming SDP-home is C:\ManageEngine\Servicedesk.
Open the file in Notepad.
After performing each troubleshooting step, close all browser instances running on the machine, clear the browser cookies and cache, and then try connecting to ServiceDesk. Do not use a bookmarked link to connect to ServiceDesk.
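Reading a long jespa.log in Notepad is tedious, so here is an added triage script, written for this page and not part of ServiceDesk Plus or Jespa. It scans the log for the exception strings quoted in the error traces that follow, counts each one and reports the documented cause together with the first and last time it appeared. The log path is an assumption; when the file is absent it falls back to a few lines quoted from this article as sample input.

```powershell
# Added example, not vendor code: map jespa.log exception strings to the causes this
# article documents. $LogPath is an assumed default installation path.
$LogPath = 'C:\ManageEngine\Servicedesk\logs\jespa.log'

# Substring of the log line -> cause, taken from the error traces in this article.
$Signatures = [ordered]@{
    'The account used is a Computer Account'      = 'An existing computer account name was given under Admin-->Active Directory'
    'SecurityProviderException: Domain not found' = 'DNS Server IP under Admin-->Active Directory is wrong'
    'Failed to locate authority for name'         = 'FQDN instead of NetBIOS domain name under Admin-->Windows Domain Scan'
    'user not allowed to log on to this computer' = 'Computer account name is the username of an existing AD user'
    'unknown user name or bad password'           = 'Computer account password expired or does not meet the domain password policy'
    'ICMP ping failed'                            = 'Domain controller unreachable or TCP port 7 blocked'
    'SocketTimeoutException: Receive timed out'   = 'DNS Server IP wrong or not answering'
}

function Get-JespaLogFindings {
    param([string[]]$Lines)
    $seen = @{}
    foreach ($line in $Lines) {
        # Jespa prefixes each line with "yyyy-MM-dd HH:mm:ss:"; keep the stamp when present.
        $stamp = if ($line -match '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') { $Matches[1] } else { '' }
        foreach ($sig in $Signatures.Keys) {
            if ($line -notlike "*$sig*") { continue }
            if (-not $seen.ContainsKey($sig)) {
                $seen[$sig] = [pscustomobject]@{
                    Signature = $sig; Cause = $Signatures[$sig]
                    Count = 0; FirstSeen = $stamp; LastSeen = $stamp
                }
            }
            $seen[$sig].Count++
            $seen[$sig].LastSeen = $stamp
        }
    }
    $seen.Values | Sort-Object FirstSeen
}

# Use the real log when present; otherwise fall back to lines quoted in this article.
$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else {
    @(
        '2012-05-17 08:44:26: jespa.security.SecurityProviderException: Domain not found: 192.168.12.1',
        '2012-05-18 16:52:03: jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad password.',
        '2012-06-12 08:01:27: Caused by: java.net.SocketTimeoutException: Receive timed out'
    )
}
Get-JespaLogFindings -Lines $lines | Format-Table Signature, Count, FirstSeen, LastSeen, Cause -AutoSize
```

Only the first matching signature per line is needed for triage, so the output is one row per distinct problem; a successful "successfully authenticated" line is deliberately not in the table, since on its own it indicates nothing to fix.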
Existing Computer Account error trace:

jcifs.smb.SmbException: The account used is a Computer Account. Use your global user account or local user account to access this server.
2012-05-14 13:18:21: at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:563
Cause: This error occurs when an existing computer account name has been specified in the pass-through authentication configuration under Admin-->Active Directory.
Troubleshooting: Under Admin-->Active Directory, give a new computer account name that does not yet exist in AD and reset the password. Save the settings. This gives you a NewComputerAccount.vbs script. Execute the script in Active Directory.
Domain not Found error trace:

description: [Jespa Embedded Distribution Licensing Key for ZOHO Corporation.]
2012-05-17 08:44:26: NETLOGON: Bind successful
2012-05-17 08:44:26: HttpSecurityService: C: GET /lang/en_us.js
2012-05-17 08:44:26: HttpSecurityService: isProtected=true,token=true,passwordCredential=false,provider=false,isLogout=false,isAnonymous=false,connectionId=192.168.12.115:3322,authContexts.size=2
2012-05-17 08:44:26: jespa.security.SecurityProviderException: Domain not found: 192.168.12.1
Cause: The DNS Server IP field under Admin-->Active Directory settings has an incorrect value.
Troubleshooting: Execute the command ipconfig /all on the server where ServiceDesk is installed. The output gives the value of the DNS server.
Failed to locate Authority for domain.Netbios.com

2012-05-12 18:34:26: jespa.security.SecurityProviderException: Failed to retrieve property: domain.netbios.name
2012-05-12 18:34:26: Caused by: jespa.security.SecurityProviderException: Failed to locate authority for name: zohocorp.com
2012-05-12 18:34:26: at jespa.security.SecurityProvider.getAuthorityDnsNames(SecurityProvider.java:233)
2012-05-12 18:34:26: at jespa.security.SecurityProvider.getProperty(SecurityProvider.java:272)
2012-05-12 18:34:26: at jespa.ntlm.NtlmSecurityProvider.getProperty(NtlmSecurityProvider.java:395)
2012-05-12 18:34:26: at jespa.security.Properties.getProperty(Properties.java:179)
2012-05-12 18:34:26: at jespa.ntlm.NtlmSecurityProvider.getNetlogonInstance(NtlmSecurityProvider.java:1184)
2012-05-12 18:34:26: at jespa.ntlm.NtlmSecurityProvider.getDomain(NtlmSecurityProvider.java:1410)
2012-05-12 18:34:26: at jespa.ntlm.NtlmSecurityProvider.getProperty(NtlmSecurityProvider.java:401)
2012-05-12 18:34:26: ... 46 more
2012-05-11 18:18:06: HttpSecurityService: ZOHOCORP\priyakumar successfully authenticated
Cause: The domain configured for SSO is incorrect.
Troubleshooting: The domain name configured under Admin-->Windows Domain Scan is incorrect, i.e. the FQDN of the domain was entered instead of its NetBIOS name. The actual domain name would be ZOHOCORP, whereas the domain name added under Windows Domain Scan would be ZOHOCORP.COM. Check the "Log on to" domain name on the machine (Ctrl+Alt+Del) from which the user tries to connect to ServiceDesk.
NETLOGON bind successful error:

2012-04-03 08:50:41: HttpSecurityService: ZOHOCORP\priyakumar successfully authenticated
2012-04-03 09:06:55: NETLOGON: Bind successful
2012-04-03 09:06:55: 0: Successfully opened Resource stream: jespa/license.key
2012-04-03 09:06:55: Jespa license.key: SN2007520090903|0|0|0|Jespa Embedded Distribution Licensing Key for ZOHO Corporation.||||||
2012-04-03 09:06:55: Jespa code-source: file:/C:/ServiceDesk/server/default/lib/jespa-1.0.9b.jar
2012-04-03 09:06:55: Jespa license.key decrypted successfully
Cause: The user information in ServiceDesk is mapped to a different domain.
Troubleshooting: Check whether the user belongs to the same domain (ZOHOCORP) under Admin-->Requester-->Edit the user, and change the domain name. Alternatively, SSO might be configured for an incorrect domain.
User not allowed to logon to this Computer:

2012-05-09 10:32:40: jcifs.smb.SmbException: Logon failure: user not allowed to log on to this computer.
2012-05-09 10:32:40: at jespa.ntlm.Netlogon.validate0(Netlogon.java:505)
2012-05-09 10:32:40: at jespa.ntlm.Netlogon.validate(Netlogon.java:576)
Cause: The computer account name configured (under Admin-->Active Directory) is the username of a user who exists in Active Directory.
Troubleshooting: Give a dummy computer account name (under Admin-->Active Directory) and reset the password. Save the settings. Execute the script NewComputerAccount.vbs in Active Directory.
Logon failure error:

description: [Jespa Embedded Distribution Licensing Key for ZOHO Corporation.]
2012-05-18 16:52:03: jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad password.
2012-05-18 16:52:03: at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:546)
2012-05-18 16:52:03: at jcifs.smb.SmbTransport.send(SmbTransport.java:663)
2012-05-18 16:52:03: at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:390)
2012-05-18 16:52:03: at jcifs.smb.SmbSession.send(SmbSession.java:218)
2012-05-18 16:52:03: at jcifs.smb.SmbTree.treeConnect(SmbTree.java:176)
Cause: The password given under Admin-->Active Directory settings-->Reset Password has expired, or the password given does not fulfil the domain password policy.
Troubleshooting: Give a dummy computer account name (under Admin-->Active Directory) and reset the password. Save the settings. Execute the script NewComputerAccount.vbs in Active Directory.
ICMP Ping failed error:

ICMP ping failed
Cause: The domain controller is not reachable, or TCP port 7 is blocked.
Troubleshooting: Ping the domain controller configured under Admin-->Windows Domain Scan from the ServiceDesk server. TCP port 7 must be open in the firewall.
Received Time out:

2012-06-12 08:01:27: Caused by: java.net.SocketTimeoutException: Receive timed out
2012-06-12 08:01:27: at java.net.PlainDatagramSocketImpl.receive0(Native Method)
2012-06-12 08:01:27: at java.net.PlainDatagramSocketImpl.receive(Unknown Source)
2012-06-12 08:01:27: at java.net.DatagramSocket.receive(Unknown Source)
2012-06-12 08:01:27: at com.sun.jndi.dns.DnsClient.doUdpQuery(Unknown Source)
2012-06-12 08:01:27: at com.sun.jndi.dns.DnsClient.query(Unknown Source)
2012-06-12 08:01:27: at com.sun.jndi.dns.Resolver.query(Unknown Source)
Cause: The DNS Server IP address configured is wrong, or the IP address is not resolved properly by the DNS server.
Troubleshooting: Try to ping the DNS Server IP address from the ServiceDesk server and check reachability.
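Several of the causes above (wrong DNS Server IP, unreachable domain controller or blocked TCP port 7, FQDN entered where the NetBIOS name belongs) can be checked before touching the SSO configuration. The following added pre-flight script, written for this page and not part of ServiceDesk Plus, runs on the ServiceDesk server and reproduces those checks in one pass, including the ipconfig /all lookup of the primary DNS suffix and first DNS server used for the Bind String and DNS Server IP fields. The DNS server, bind string, domain controller and domain name values are placeholders, and the NetBIOS comparison needs the ActiveDirectory module (RSAT).

```powershell
# Added example, not vendor code: pre-flight checks for the SSO settings on the
# ServiceDesk server. Replace the four placeholder values with your own.
$DnsServerIp = '192.168.12.1'          # value entered in "DNS Server IP"
$BindString  = 'zoho.k12.mt.us'        # value entered in "Bind String" (primary DNS suffix)
$DomainCtrl  = 'dc01.zoho.k12.mt.us'   # DC configured under Admin-->Windows Domain Scan
$DomainName  = 'ZOHO'                  # domain name entered under Windows Domain Scan

function Test-SdpSsoPrerequisites {
    $r = [ordered]@{}

    # What ipconfig /all shows: primary DNS suffix and first IPv4 DNS server of this host.
    $r.LocalPrimaryDnsSuffix = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
    $r.LocalFirstDnsServer   = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Select-Object -First 1 -ExpandProperty ServerAddresses |
        Select-Object -First 1
    $r.BindStringMatchesSuffix = ($BindString -ieq $r.LocalPrimaryDnsSuffix)

    # "Receive timed out" / "Domain not found": the DNS server must be reachable and must
    # resolve the bind string.
    $r.DnsServerPingOk    = Test-Connection -ComputerName $DnsServerIp -Count 1 -Quiet
    $r.BindStringResolves = $null -ne (Resolve-DnsName -Name $BindString -Server $DnsServerIp -Type A -ErrorAction SilentlyContinue)

    # "ICMP ping failed": the DC must answer ping and TCP port 7 must be open.
    $r.DcPingOk    = Test-Connection -ComputerName $DomainCtrl -Count 1 -Quiet
    $r.DcPort7Open = (Test-NetConnection -ComputerName $DomainCtrl -Port 7 -WarningAction SilentlyContinue).TcpTestSucceeded

    # "Failed to locate authority": Windows Domain Scan must carry the NetBIOS name, not the FQDN.
    $ad = Get-ADDomain -Identity $BindString -Server $DomainCtrl
    $r.ExpectedNetbiosName = $ad.NetBIOSName
    $r.DomainNameIsNetbios = ($DomainName -ieq $ad.NetBIOSName)

    [pscustomobject]$r
}

Test-SdpSsoPrerequisites | Format-List
```

Any False in the output points at the corresponding cause in the list above; DomainNameIsNetbios being False is the FQDN-versus-NetBIOS mistake, and DnsServerPingOk or BindStringResolves being False corresponds to the "Domain not found" and "Receive timed out" traces.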