SSO - Single Sign on pass through - An illustrated config manual_NOT IN USE
NTLM SSO is discontinued. Only SAML SSO is supported. Refer
here.
Access Requirements:
Direct access to the Domain Controller.
Direct access to the ServiceDesk Plus server.
Procedure:
(As a best practice, I recommend you to do this activity directly from the Domain Controller)
1. Open ServiceDesk Plus in a browser and go to Admin > Discovery > Windows Domain Scan. Check the entries that are available for your domain. ServiceDesk Plus tends to fetch both the Fully qualified domain name (FQDN) and the pre-windows 2000 format name (NetBios name) of your domain, however the domain controller details would be updated only for one of the entries. In this document, I have used our test domain environment 'SDPEXCHANGE' to explain the scenario.
2. In order for the Pass-Through Authentication to work, we have to use only the pre-windows 2000 format of your domain name i.e NETBIOS Name of the Domain. To identify the domain entry which is tied with the user accounts, check the requester list view (Admin > Users > Requester)
To check the pre-windows 2000 format (NetBios) name of you domain, go to Administrative Tools > Active Directory Users and Computers > Right Click on your domain > Properties.
3. In this case SDPEXCHANGE.COM (FQDN Entry) is tied with the user accounts, thus we have to edit this entry in the domain list and update the NetBios name instead of the FQDN. To achieve this, rename 'SDPEXCHANGE' as 'SDPEXCHANGE_OLD' (fig 1) and then update 'SDPEXCHANGE.COM' as 'SDPEXCHANGE' (fig 2)
4. Once the domain name is updated, the requester list will reflect the updated domain name. 5. Now go to Admin > Users > Active Directory > Import the users once again from Active Directory.
6. Enable the Pass-Through Authentication, choose the domain 'SDPEXCHANGE' 7. Computer Account: Pass-Through authentication requires a dedicated computer account to establish a secured channel with the Domain Controller, thus you have to provide a unique computer name which does not exist in you domain as a user or a computer account and it has to be within 13 characters. I have used the name 'PassThru' and a password that complies with the complexity policy.
8. DNS Server IP / Bind String: Go to the ServiceDesk Plus server and open a command prompt, execute the command 'ipconfig /all'. It will provide you the connection details of that machine. Make a note if the Primary DNS Suffix, which has to updated as the Bind String and the DNS Servers, which has to be updated in the DNS Server IP column. If you have more than 1 DNS server, you can update them in the same field separated by commas (eg., 192.168.1.2,192.168.1.253,192.168.1.252).
9. DNS Site: It is the Site under which your Domain Controller (server) is located. To find it, open Active Directory Sites and Services, expand the Sites and check where the Domain Controller is placed. In my case it is 'Chennai'.
10. Update all the information in the configuration wizard and save. In most case, we might receive an error
11. Download the script (Click Here - is a hyperlink) and save it the C:\ of your domain controller and execute the command string as stated in the error message.
12. Now, go back to the Pass-Through Configuration page and save the settings without making any changes.
13. Go to the ServiceDesk Plus server, Stop and Start the application once.
14. Pass-Through uses NT LM v2 for authentication which requires the browser response for the NT LM queries. Therefore you have to add ServiceDesk Plus application URL to the Local Intranet Sites list. In the browser open Internet Options > Security > Local Intranet > Sites > Advanced > Save and Close the browser window.
15. Open a fresh window and launch ServiceDesk Plus, it will Pass-thru..!
New to ADSelfService Plus?
Related Articles
How Pass Through Authentication Works
NTLMV2 is a protocol supported by Microsoft in order to overcome the security issues of NTLMV1 and the same is implemented in ServiceDesk Plus. What's the protocol defines? When a service wants to initiate the Single-sign-on, first a secure channel ...
Problem while creating the computer account for SSO
Once the SSO configurations are done. It will try to create the computer account in Domain controller using the VBScript. If the script execution is being blocked. We need to copy and execute the same under DC. To Create and set password for a new ...
Best practise to configure Sites to follow same configurations using Site refer sites feature
Let me explain with some examples : In case , if the Accounts / Sites are geographically distributed and you want to configure dedicated technicians for them , we can make use of Site-Refer-Sites feature (similar to default settings but applicable ...
How to configure SAML with Azure AD
This guide will help us configure SAML for users who want to use Azure AD as their IdP and also give you insights on a few issues that you might run into while configuring SAML in an Azure Environment. In an ideal environment, customers will have an ...
How to use Account based support e-mail address ?
How can i raise a request through an Email and how it will be assigned to an Account? In your mail-server, create a user e-mail account to which all e-mails will be fetched. Create an e-mail alias for this e-mail account for each of your customer ...