12 Replies Latest reply: Feb 29, 2012 12:26 AM by kyt977

    ServiceDesk 7.5 Active Directory Authentication

    itskiguy Rookie

      Hello,

       

      I'm trying to get our ServiceDesk set up and I'm at a point where I'm starting to need users.  I ran an AD import and that seems fine, and was able to change myself to be an Analyst from an End User. 

      This is where I'm starting to run into some issues, partially stemming from the fact that different documents say to do different things.  The LDSDSetup document says that my Network Login should be my DN, and the Logon policy should be Explicit only

       

      But http://community.landesk.com/support/docs/DOC-11425 says to use domain\username for the Network Login and that the Logon policy should be Integrated Only.

       

      I added  <add key="AuthenticationProvider" value="Touchpaper.Integrations.LDAPLogon.DirectoryServiceAuthenticationProvider" /> to my tps.config

       

      My DirectoryServiceAuthentificationConfiguration.xml looks like this:

       

      <?xml version="1.0" encoding="utf-8"?>
      <DirectoryServiceAuthentifictionConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <!-- Server object to try to read (typically a branch on the tree) -->
      <ServerObject>ldap://domaincontroller:389/OU=My%20Users,OU=Employees,OU=User%20Accounts,DC=domain,DC=local</ServerObject>
        <!-- Debugging - throw error messages for any errors encountered-->
        <ShowExceptions>True</ShowExceptions>
        <!-- This is only valid for Active directory.  For eDirectory, use None-->
        <!-- Active Directory use Secure-->
        <!-- If using Active Directory SecureSocketsLayer the ServerObject must be by DNS name, not IP and the DNS name must match the name on the server side certificate-->
        <AuthenticationType>None</AuthenticationType>
      </DirectoryServiceAuthentifictionConfiguration>

       

      But even with <ShowExceptions>True</ShowExceptions> I'm only getting Logon failed when I try to log on.  I've tried both Integrated Only, Explicit Only, and All for the Logon Policy but none have changed the behavior.  I tried setting <AuthenticationType> to LDAP, and Secure but neither of those worked either.  I'm really lost, I'd appreciate any help anyone that's gotten this to work could offer. I went through these posts and they didn't work although clearly I'm not the only one finding conflicting information in the documentation...

       

      http://community.landesk.com/support/thread/12834?

      http://community.landesk.com/support/thread/16683?

      http://community.landesk.com/support/message/71785

       

       

      Thanks

        • 1. Re: ServiceDesk 7.5 Active Directory Authentication
          Expert

          Hi,

           

          The following are the requirements for LDAP Authentication (AD included):

           

          • You must use DN as your network login value
          • Logon Policy must be set to explicit
          • You must have the configuration file correctly entered and placed in the appropriate directories (the setup documentation covers these details)
          • If you wish to enable for WebAccess there are several files that must be copied across from TPS dirs to WebAccess dirs (again, the documentation covers this)

           

          Make sure you've copied everything into the correct locations, triple confirm your configuration settings in the XML file and finally, IISRESET and try again.

           

          Cheers,

          Hadyn

          • 2. Re: ServiceDesk 7.5 Active Directory Authentication
            itskiguy Rookie

            Thanks for responding Hadyn,

             

            I'm still not having any luck, but I think I'd probably be able to get further if I could get some kind of message other than "Logon failed". <ShowExceptions>True</ShowExceptions> doesn't seem to be doing anything (making me think that it's not even looking at the DirectoryServiceAuthentifictionConfiguration.xml) so I can't even see what it doesn't like.  Is there any other log that I can look at anywhere?

            • 3. Re: ServiceDesk 7.5 Active Directory Authentication
              Expert

              The Windows Event Logs on the server you're connecting to might have some additional info. Out of interest, where have you placed the copy of the LDAP configuration file?

               

              Cheers,

              Hadyn

              • 4. Re: ServiceDesk 7.5 Active Directory Authentication
                itskiguy Rookie

                Sorry for the delay getting back to you.  By the LDAP configuration file, you're referring to DirectoryServiceAuthentifictionConfiguration.xml right?  That is in the following locations:

                 

                C:\ProgramData\Touchpaper\ServiceDesk.WebAccess

                C:\ProgramData\Touchpaper\ServiceDesk.Framework

                C:\ProgramData\Touchpaper\ServiceDesk.Mobile

                 

                I checked the Windows Event Log.  There is an error there, but it doesn't seem very helpful:

                 

                 

                Log Name:      Application
                Source:        Touchpaper Services
                Date:          2/10/2012 1:19:14 PM
                Event ID:      0
                Task Category: None
                Level:         Error
                Keywords:      Classic
                User:          N/A
                Computer:      servicedesk.domain.local
                Description:
                TouchpaperException
                Touchpaper Error Code: Exception.Authentication.LogonFailed (-2147218680)
                Logon failed
                Stack Trace:
                   at Touchpaper.Framework.SystemServices.Authenticator.ValidateCredentials(ITpsCredentials tpsCredentials)
                   at Touchpaper.Framework.SystemServices.Authenticator.Logon(ITpsSession tpsSession, ITpsEnvironment environment, ITpsCredentials tpsCredentials)
                   at Touchpaper.Framework.SystemServices.SoapExtensions.CombinedExtension.ProcessServerMessageAfterDeserialize(SoapServerMessage message)
                   at System.Web.Services.Protocols.SoapMessage.RunExtensions(SoapExtension[] extensions, Boolean throwOnException)
                   at System.Web.Services.Protocols.SoapServerProtocol.CreateServerInstance()
                   at System.Web.Services.Protocols.WebServiceHandler.Invoke()
                   at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()
                Event Xml:
                  <System>
                    <Provider Name="Touchpaper Services" />
                    <EventID Qualifiers="0">0</EventID>
                    <Level>2</Level>
                    <Task>0</Task>
                    <Keywords>0x80000000000000</Keywords>
                    <TimeCreated SystemTime="2012-02-10T18:19:14.000000000Z" />
                    <EventRecordID>6606</EventRecordID>
                    <Channel>Application</Channel>
                    <Computer> servicedesk.domain.local </Computer>
                    <Security />
                  </System>
                  <EventData>
                    <Data>TouchpaperException
                Touchpaper Error Code: Exception.Authentication.LogonFailed (-2147218680)
                Logon failed
                Stack Trace:
                   at Touchpaper.Framework.SystemServices.Authenticator.ValidateCredentials(ITpsCredentials tpsCredentials)
                   at Touchpaper.Framework.SystemServices.Authenticator.Logon(ITpsSession tpsSession, ITpsEnvironment environment, ITpsCredentials tpsCredentials)
                   at Touchpaper.Framework.SystemServices.SoapExtensions.CombinedExtension.ProcessServerMessageAfterDeserialize(SoapServerMessage message)
                   at System.Web.Services.Protocols.SoapMessage.RunExtensions(SoapExtension[] extensions, Boolean throwOnException)
                   at System.Web.Services.Protocols.SoapServerProtocol.CreateServerInstance()
                   at System.Web.Services.Protocols.WebServiceHandler.Invoke()
                   at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()</Data>
                  </EventData>
                </Event>
                • 5. Re: ServiceDesk 7.5 Active Directory Authentication
                  NHARCUP Employee

                  Hi,

                  Have you confirmed that the server can connect to:-


                  ldap://domaincontroller:389/OU=My Users,OU=Employees,OU=User Accounts,DC=domain,DC=local


                  You can download an LDAP browser free from the web to verify this (I use LDP from Microsoft.com).  I guess you can logon as "SA" without the logon failed error? Also, it is worth stopping the services before running your tests, as I have seen this error produced by background services, so it may not be related.


                  Kindest Regards


                  Nathan


                  • 6. Re: ServiceDesk 7.5 Active Directory Authentication
                    itskiguy Rookie

                    Hi Nathan,

                     

                    Yes I'm able to connect to the ldap url from the Service Desk machine.  Are you referring to any particular services that should be stopped?

                    • 7. Re: ServiceDesk 7.5 Active Directory Authentication
                      NHARCUP Employee

                      Hi,

                      I would stop all LANDesk Service Desk services while testing to ensure that the error returned in the event log is definitely a result of the LDAP authentication failing and not a LANDesk ServiceDesk service.

                      Also, could you confirm if you can logon as SA without issue? This should bypass the LDAP logon.

                       

                      Kindest Regards

                       

                      Nathan

                      • 8. Re: ServiceDesk 7.5 Active Directory Authentication
                        itskiguy Rookie

                        Hi Nathan,

                         

                        Sorry yes I'm able to log in with sa.  Stopping all of the ServiceDesk services yielded the same result.

                        • 9. Re: ServiceDesk 7.5 Active Directory Authentication
                          itskiguy Rookie

                          I have an update.  I re-did the Active Directory Data Import mapping to different fields and now I'm getting this:

                           

                          Failed to create Authentication Provider 'Touchpaper.Integrations.LDAPLogon.DirectoryServiceAuthenticationProvider'. Contact an administrator to check that the provider is installed on the application server.

                           

                          Is that some kind of module that I would have needed to install?

                          • 10. Re: ServiceDesk 7.5 Active Directory Authentication
                            itskiguy Rookie

                            Ok, my mistake.  The error I was getting was on the ServiceDesk.WebAccess not in the Service Console.  I've now got the authentication working via the Service Console, but the web access is just giving me Logon Failed.

                             

                            Things that were wrong with authentication to ServiceDesk.Framework:

                            • <ServerObject> - LDAP needs to be capitalized.  At some point I had made that lowercase (ldap)
                            • During the course of creating the <ServerObject> I had copied the string out of an application rather than type it in.  This replaced spaces with %20 (User%20Accounts)
                            • Modified Import Mapping of AD users so that SAM-Account-Name is mapped to the Name Target Attribute.  That is evidently where the Login ID comes from

                             

                            Now that that's working, I copied the DirectoryServiceAuthentifictionConfiguration from ServiceDesk.Framework into ServiceDesk.Mobile and ServiceDesk.WebAccess but they're still not working.  Do I need to change any IIS settings?  I'm still getting:

                             

                            Failed to create Authentication Provider 'Touchpaper.Integrations.LDAPLogon.DirectoryServiceAuthenticationProvider'. Contact an administrator to check that the provider is installed on the application server.

                            • 11. Re: ServiceDesk 7.5 Active Directory Authentication
                              itskiguy Rookie

                              Also something to note: I was trying to get the network logins to map automatically and having a hard time with it, so I was looking around and found this

                               

                              http://community.landesk.com/support/docs/DOC-4602

                               

                              which has a SQL script to create a stored procedure that does it.  It does NOT have to be a DN, domain\username works fine.  That's all that the stored procedure does and I tried this out with my account and it worked.

                              • 12. Re: ServiceDesk 7.5 Active Directory Authentication
                                Rookie

                                Hi,

                                 

                                Because you are using Active Directory, you need to set the following <AuthenticationType>Secure</AuthenticationType> in DirectoryServiceAuthentificationConfiguration.xml.

                                 

                                The default value is ‘None’ and not ‘Secure’.  I found the comments in the xml file confusing. This solved my initial login issue with the Console.

                                 

                                 

                                However, I then had your issue with the Self Service/Web Desk Website where it would report

                                 

                                Failed to create Authentication Provider 'Touchpaper.Integrations.LDAPLogon.DirectoryServiceAuthenticationProvider'.

                                 

                                It turns out there are some dlls that need to be copied from the Framework (C:\Program Files (x86)\LANDesk\Service Desk\WebApp\Framework\bin) folder to the WebAccess Folder (C:\Program Files (x86)\LANDesk\Service Desk\WebApp\WebAccess\bin).

                                 

                                The key files missing being:

                                1. Touchpaper.Integrations.LDAPLogon.dll
                                2. Touchpaper.Integrations.OpenLDAPLogon.dll
                                3. Touchpaper.Integrations.OpenLDAPSSLLogon.dll

                                 

                                Doing a forum search on these dlls will point you to this article - http://forum.landesk.com/support/docs/DOC-6801/

                                 

                                Hope it helps.

                                Kim
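
Added example, not part of the thread and not LANDesk code: a small pre-flight check for the configuration problems reported in replies 10 and 12 (lower-case `ldap` scheme, `%20` in the ServerObject, AuthenticationType not `Secure` for Active Directory, and the three DLLs missing from WebAccess\bin). The function names and the `directory` parameter are hypothetical, and the sample XML is constructed from the file in the first post.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# DLLs that reply 12 reports missing from WebAccess\bin
REQUIRED_DLLS = (
    "Touchpaper.Integrations.LDAPLogon.dll",
    "Touchpaper.Integrations.OpenLDAPLogon.dll",
    "Touchpaper.Integrations.OpenLDAPSSLLogon.dll",
)

def lint_config(xml_text, directory="AD"):
    """Return findings for the configuration problems reported in this thread."""
    root = ET.fromstring(xml_text)
    findings = []
    server = (root.findtext("ServerObject") or "").strip()
    scheme, sep, rest = server.partition("://")
    if not sep:
        findings.append("ServerObject is missing or not in scheme://host/DN form")
    else:
        if scheme != "LDAP":  # reply 10: the scheme had to be capitalized
            findings.append(f"scheme '{scheme}' should be upper-case 'LDAP'")
        if unquote(rest) != rest:  # reply 10: %20 pasted in place of spaces
            findings.append("ServerObject is URL-encoded; use LDAP://" + unquote(rest))
    auth = (root.findtext("AuthenticationType") or "").strip()
    if directory == "AD" and auth != "Secure":  # reply 12
        findings.append(f"AuthenticationType is '{auth}'; reply 12 needed 'Secure' for AD")
    return findings

def missing_dlls(bin_listing):
    """bin_listing: file names found in WebAccess\\bin, e.g. from os.listdir()."""
    present = {name.lower() for name in bin_listing}  # Windows names are case-insensitive
    return [dll for dll in REQUIRED_DLLS if dll.lower() not in present]

# Constructed sample, based on the file shown in the first post.
SAMPLE = """<DirectoryServiceAuthentifictionConfiguration>
  <ServerObject>ldap://domaincontroller:389/OU=My%20Users,OU=Employees,OU=User%20Accounts,DC=domain,DC=local</ServerObject>
  <ShowExceptions>True</ShowExceptions>
  <AuthenticationType>None</AuthenticationType>
</DirectoryServiceAuthentifictionConfiguration>"""

if __name__ == "__main__":
    for finding in lint_config(SAMPLE):
        print("config:", finding)
    for dll in missing_dlls(["Touchpaper.Framework.dll"]):  # constructed listing
        print("missing from WebAccess\\bin:", dll)
```

Run it against each copy of the XML file (Framework, WebAccess, Mobile) and against a listing of each web application's bin folder, since the thread's failures came from the copies differing.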