Article Details
Product : ServiceDesk Plus
Category : ServiceDesk Plus>> Troubleshooting
 #100009 - PassThrough Authentication

Explanation about NtlmV2 Implementation in ServiceDesk Plus :-

NTLMV2 is a protocol supported by Microsoft in order to overcome the security issues of NTLMV1 and the same is implemented in ServiceDesk Plus using Jespa.

What's the protocol defines?

When a service wants to initiate the Single-sign-on, first a secure channel has to be built with the domain controller and the same has to be used by the service for further authentication process with the Active Directory. In a multi-domain environment the service will have the secure connection with only one domain controller and the same will authenticate the users of the other domains using the trust relationship with that domain.

ServiceDesk Plus has implemented the secure channel to the Active Directory using the NETLOGON service via a computer account. For enabling a NetLogon service that computer account requires a password.

NetLogon service is the internal communication channel of Microsoft. One computer will create a unique identity in the domain and create some random password for the further communications within the domain. For eg, When the user tries to login, the computer will produce its identity to the AD and then it tries to authenticates the user. The user accounts are used for access privileges and it cannot communicate with AD directly so we are using the computer account for netlogon. Since the password is generated random at the time of registering a computer under a domain and the same is not required to expose there is no option to reset password in the AD.



ServiceDesk Plus uses the VBScript to create a computer account and set the password for the same. If the same can be achieved by any other means,then that information can be used by the Service Desk Plus for Pass-through-authentication.


From 7600 version, ServiceDesk Plus Pass through Authentication uses NTMLV2 which provides better security and validates the credentials using NETLOGON service and NTLMV1 will no more be supported. When you do an upgrade from 7514 to 7600 version, Pass Through Authentication will be automatically disabled and you may have to reconfigure it, which requires a New ComputerAccount creation in the Active Directory. Further the authentication of the Active Directory credentials are going to be authorized through this Computer Account.


Configuring Pass Through Authentication in ServiceDesk Plus.


The following instructions will help you to configure Pass-Through Authentication under Admin – Active Directory.

1. Select the check box “Enable Pass- through Authentication” to activate single sign-on.


Please choose the Domain name from which you want configure Pass-through Authentication. You can enable Pass-through authentication for users from a particular Domain/AD forest. For authentication to happen for other domain users, the other domain should have trust relation with the selected domain or it should have parent-child relation. In case of Parent-Child domain, only the parent domain should be selected here. After configuring the Trust relationship in the AD, you have to configure the Pass through authentication.


Specify the DNS Server IP of the domain in the provided field and to make sure you are entering the correct credentials for (3. DNS Server IP & 5.Bind String) you may open a command prompt from the application server and execute ipconfig /all which will list the Primary DNS suffix which can be used as the Bind string and first IPaddress under DNS servers can be used under DNS server IP. Refer to the screen shot below:

To use the NTLM security provider as an authentication service a computer account needs to be created in the Active Directory with a specific password which meets the password policy in the Active directory. Specify a unique name for the Computer Account and Password for this account.

Note : Make sure that your password should comply the password policy of the domain. Then the computer account name should not be more than 12 characters and should not have any special characters in the same.

The Bind String parameter must be a fully qualified DNS domain name or the fully qualified DNS host name of a particular AD server.(The name found at the top of OU tree in the active directory.)


DNS Site field value can be captured from Active Directory Sites and Services in Active Directory. Expand the Sites and find the Site in which the Domain Controller configured under Windows Domain scan under Admin tab) is listed.

Note: An active user account cannot be specified as a computer account.

Upon saving the details, a new computer account will be created in the Active Directory (with the help of VB Script which will run in the background) and at the same time the details gets saved in the application database under a table named "jespaconfiguration".


If you are specifying existing computer account name, the password specified here will be also be set on the Active Directory for that computer account. You can also choose to reset the password of computer account by clicking on the Reset Password link as well.

Even if it throws an error while creating a Computer Account or resetting password (of an already created Computer Account) from the application, the details specified on the window will be saved in the application database. Download the scripts and save the scripts NewComputerAccount.vbs and SetComputerpass.vbs

You can download the scripts by clicking on Click Here link.


Note:

When you are trying to create a new Computer Account through the application or by running it locally on the AD server itself, the Computer Account will be created under the "Computers" container in the domain specified. If you have created a Computer Account elsewhere like on a different OU then the set password script won't work.

Running Scripts in the Active Directory Server:

Creating a Computer Account using NewComputerAccount.vbs

Open a command prompt on the AD server and browse to where the script is saved and then execute the below command:

CSCRIPT NewComputerAccount.vbs ComputerAcctName /p password /d DomainName

For Resetting the password using SetComputerPass.vbs

Open a command prompt on the AD server and browse to where the script is saved and then execute the below command:

CSCRIPT SetComputerPass.vbs ComputerAcctName /p password /d DomainName.


Creating the computer account under different OU:

cscript NewComputerAccount.vbs <ComputeraccountName> /p <Password> /d <domain name> | /ou <OU-Optional> /ou <Child-OU-Optional> /ou <Child-OU-Optional>

cscript SetComputerPass.vbs <ComputeraccountName> /p <password> /d <domain name> /ou <OU-Optional> /ou <Child-OU-Optional> /ou <Child-OU-Optional>

Note:

If the login page is modified, Pass Through authentication will not work as it can't make use of the session variables set in login.jsp file.


Troubleshooting - SSO Issue


1. Some times while creating computer account (newcomputeraccount.vbs) using script we may receive error message like 1A8:Object Required::


There might also be an error while using setcomputerpass.vbs file. Below are the screen shots for the same.


The computer account creation will work if we use domain name the domain name as the fully qualified domain name. In this example the customer Domain name was ZOHO. This how his domain name is configured in SDP also and all his users and workstations are associated to this domain. His primary dns suffix/bind string value was ZOHO.k12.mt.us. Refer to screenshot 1 for bindstring value reference.

Using the bind string value resolved the issue. Refer to the below screenshot.



SSO Troubleshooting based on Jespa.log Error Traces

You can find the jespa.log under Servicedesk-home/logs folder. Assuming SDP-home as C:\ManageEngine\Servicedesk

Open the file in a Notepad.


After performing each troubleshooting steps. You need to close all the Browser instance running in the machine. Clear the browser cookies and cache. Then try connecting to Servicedesk. Do not use bookmark link to connect to Servicedesk

Existing Computer Account error trace:

jcifs.smb.SmbException: The account used is a Computer Account. Use your global user account or local user account to access this server.

2012-05-14 13:18:21: at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:563

Cause:

This error occurs when we have specified an existing computer account name in Pass through authentication Configuration under Admin-->Active Directory

Troubleshooting:

Click on New Computer Account name in Admin-->Active Directory-->Give the new Computer account name which does not to exists in AD and reset the password. Save the settings. This will give you a NewComputerAccount.vbs script. Execute the script in Active Directory.

Domain not Found Error trace:

description: [Jespa Embedded Distribution Licensing Key for ZOHO Corporation.]

2012-05-17 08:44:26: NETLOGON: Bind successful

2012-05-17 08:44:26: HttpSecurityService: C: GET /lang/en_us.js

2012-05-17 08:44:26: HttpSecurityService: isProtected=true,token=true,passwordCredential=false,provider=false,isLogout=false,

isAnonymous=false,connectionId=192.168.12.115:3322,authContexts.size=2

2012-05-17 08:44:26: jespa.security.SecurityProviderException: Domain not found: 192.168.12.1

Cause:

The DNS Sever Ip field under admin-->Active Directory settings is given an incorrect value.

Troubleshooting:

Execute the command ipconfig /all in the Server where Sericedesk is installed .

The Output will give the value of the DNS Server


Failed to locate Authority for domain.Netbios.com


2012-05-12 18:34:26: jespa.security.SecurityProviderException: Failed to retrieve property: domain.netbios.name

2012-05-12 18:34:26: Caused by: jespa.security.SecurityProviderException: Failed to locate authority for name: zohocorp.com

2012-05-12 18:34:26: at jespa.security.SecurityProvider.getAuthorityDnsNames(SecurityProvider.java:233)

2012-05-12 18:34:26: at jespa.security.SecurityProvider.getProperty(SecurityProvider.java:272)

2012-05-12 18:34:26: at jespa.ntlm.NtlmSecurityProvider.getProperty(NtlmSecurityProvider.java:395)

2012-05-12 18:34:26: at jespa.security.Properties.getProperty(Properties.java:179)

2012-05-12 18:34:26: at jespa.ntlm.NtlmSecurityProvider.getNetlogonInstance(NtlmSecurityProvider.java:1184)

2012-05-12 18:34:26: at jespa.ntlm.NtlmSecurityProvider.getDomain(NtlmSecurityProvider.java:1410)

2012-05-12 18:34:26: at jespa.ntlm.NtlmSecurityProvider.getProperty(NtlmSecurityProvider.java:401)

2012-05-12 18:34:26: ... 46 more

2012-05-11 18:18:06: HttpSecurityService: ZOHOCORP\priyakumar successfully authenticated

Cause:

Domain configured for the SSO is incorrect.

Troubleshooting:

The domain name Configured under Admin-->Windows domain Scan will be incorrect i.e instead of NETBIOS name of the Domain, FQDN name of the Domain will be entered.

Actual Domain name will be ZOHOCORP however the Domain name added under Windows Domain scan would be ZOHOCORP.COM

You need to check the Logon to Domain name in machine (ctrl+Alt+Del) from where user tries to connect to Servicedesk.

NETLOGON bind successfull error:


2012-04-03 08:50:41: HttpSecurityService: ZOHOCORP\priyakumar successfully authenticated


2012-04-03 09:06:55: NETLOGON: Bind successful

2012-04-03 09:06:55: 0: Successfully opened Resource stream: jespa/license.key

2012-04-03 09:06:55: Jespa license.key: SN2007520090903|0|0|0|Jespa Embedded Distribution Licensing Key for ZOHO Corporation.||||||

2012-04-03 09:06:55: Jespa code-source: file:/C:/ServiceDesk/server/default/lib/jespa-1.0.9b.jar

2012-04-03 09:06:55: Jespa license.key decrypted successfully

Cause:

User information in Servicedesk will be mapped to a different domain

Troubleshooting:

Check whether the User belongs to the same Domain ZOHOCORP under Admin-->Requester-->Edit the User and change the Domain name or SSO might be Configured for an Incorrect Domain

User not allowed to logon to this Computer:

2012-05-09 10:32:40: jcifs.smb.SmbException: Logon failure: user not allowed to log on to this computer.

2012-05-09 10:32:40: at jespa.ntlm.Netlogon.validate0(Netlogon.java:505)

2012-05-09 10:32:40: at jespa.ntlm.Netlogon.validate(Netlogon.java:576)

Cause:

The Computer Account (under Admin-->Active Directory)which you have configured will be a username of user who exist in the Active Directory.

Troubleshooting:

Give a dummy Computer account name (under Admin-->Active Directory) and reset the password. Save the settings. Execute the script NewComputeraccount.vbs in the Active Directory.

Logon failure Error:

description: [Jespa Embedded Distribution Licensing Key for ZOHO Corporation.]

2012-05-18 16:52:03: jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad password.

2012-05-18 16:52:03: at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:546)

2012-05-18 16:52:03: at jcifs.smb.SmbTransport.send(SmbTransport.java:663)

2012-05-18 16:52:03: at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:390)

2012-05-18 16:52:03: at jcifs.smb.SmbSession.send(SmbSession.java:218)

2012-05-18 16:52:03: at jcifs.smb.SmbTree.treeConnect(SmbTree.java:176)

Cause:

Password give under Admin-->Active Directory settings-->Reset Password would have Expired

or

The Password given does not fulfill the Domain password policy

Troubleshooting:

Give a dummy Computer account name (under Admin-->Active Directory) and reset the password. Save the settings. Execute the script NewComputeraccount.vbs in the Active Directory.

ICMP Ping failed error:


ICMP ping failed


Cause:

Domain Controller is not reachable or TCP port 7 is blocked

Troubleshooting:

Ping the Domain Controller configured under admin-->Windows domain scan from Servicedesk Server

TCP port 7 must be opened in the firewall


Received Time out:

2012-06-12 08:01:27: Caused by: java.net.SocketTimeoutException: Receive timed out

2012-06-12 08:01:27: at java.net.PlainDatagramSocketImpl.receive0(Native Method)

2012-06-12 08:01:27: at java.net.PlainDatagramSocketImpl.receive(Unknown Source)

2012-06-12 08:01:27: at java.net.DatagramSocket.receive(Unknown Source)

2012-06-12 08:01:27: at com.sun.jndi.dns.DnsClient.doUdpQuery(Unknown Source)

2012-06-12 08:01:27: at com.sun.jndi.dns.DnsClient.query(Unknown Source)

2012-06-12 08:01:27: at com.sun.jndi.dns.Resolver.query(Unknown Source)


Cause :

DNS Server IP address configured will have a wrong IP Address or the IP address will not be resolved properly in DNS Server


Troubleshooting:

Try to ping the DNS Server IP address from Servicedesk Server and check the reachability.