DICGC

NetIQ AM SSO for web application


Hi All,

I am a new learner of NetIQ and currently I am doing one POC to achieve
SSO for one web application. I have 2 servers: I installed Admin and
IDP (full installation) on one and the Access Gateway on the second
server. Currently I am using the IDP as my user store.

I need help with how I can go forward to achieve my SSO with the Access
Gateway. I followed the documentation but I am confused about the DNS
server name in the proxy list. I provide the hostname of where my web
app resides, but every time it gives me an error that the server is not
operational.

Why am I getting this error? Can anyone help me?

Thanks,


--
DICGC
------------------------------------------------------------------------
DICGC's Profile: https://forums.netiq.com/member.php?userid=11372
View this thread: https://forums.netiq.com/showthread.php?t=55691

29 Replies
kjhurni (Knowledge Partner)

Re: NetIQ AM SSO for web application

Have you successfully set up the reverse proxy?

It sounds like you haven't gotten that far.

Normally in order to test things, I will make up a new DNS name
Example:

Origin web server = www.something.com = 10.1.1.35

I create a reverse proxy in NAM and when asked for the Published DNS name, I make my own:
www.somethingelse.com
I point that to the 10.1.1.35 origin web server

On the reverse proxy config, I tick the box "forward received header".

I then modify the hosts file on my pc so that:
www.somethingelse.com -> the published IP of my NAM AG.
DICGC

Re: NetIQ AM SSO for web application


kjhurni;266787 Wrote:
> Have you successfully set up the reverse proxy?
> [...]
> I then modify the hosts file on my pc so that:
> www.somethingelse.com -> the published IP of my NAM AG.


Hi,
First of all, thanks for your help. But in my case I have an IP-based
application like http://10.28.2.89/dicgc/account/frmlogin.aspx, so how
can I protect this application? I am confused about the published DNS
name because all applications are IP based.

thanks
Sarita



kjhurni (Knowledge Partner)

Re: NetIQ AM SSO for web application

DICGC;2425559 wrote:
> But in my case I have an IP-based application like http://10.28.2.89/dicgc/account/frmlogin.aspx, so how can I protect this application? I am confused about the published DNS name because all applications are IP based.

AFAIK, you will have to use a published DNS name. The only way the AG can "listen" is either DNS-based multi-homing or path-based multihoming. The NAM AG can only talk to the origin servers based upon IP.

So:
Browser -> NAM AG = DNS
NAM AG -> Origin web server = IP

You'll have to make up a DNS name that resolves to the IP of the NAM AG and configure the reverse proxy to "listen" for that "published" DNS name.

--Kevin
DICGC

Re: NetIQ AM SSO for web application


kjhurni;266847 Wrote:
> AFAIK, you will have to use a published DNS name. The only way the AG can "listen" is either DNS-based multi-homing or path-based multihoming. The NAM AG can only talk to the origin servers based upon IP.
>
> Browser -> NAM AG = DNS
> NAM AG -> Origin web server = IP
>
> You'll have to make up a DNS name that resolves to the IP of the NAM AG and configure the reverse proxy to "listen" for that "published" DNS name.

Hi Kevin and kjhurni,
Thanks for your help. I have followed the step by step instructions that
you provided me, but currently I am facing a problem connecting to my
DNS server: "Unable to connect to dns server". I have checked the log
but am not getting a proper message. Can you help me with this?

I have to protect 6 web applications which are in the same domain with
NetIQ, so I have to use different proxies for all 6 web applications,
which are deployed on different web servers.


Thanks,
Sarita



Edward van der Maas

Re: NetIQ AM SSO for web application

DICGC wrote:
> Currently I am facing a problem connecting to my DNS server: "Unable to connect to dns server". I have checked the log but am not getting a proper message.
>
> I have to protect 6 web applications which are in the same domain with NetIQ, so I have to use different proxies for all 6 web applications, which are deployed on different web servers.


Could it be that your DNS server is an internal DNS server only and
can't resolve anything externally? Have you tried to ping a DNS name
from your access gateway?

In order to verify the DNS server's health the access gateway tries to
resolve www.novell.com. If it can't resolve it because the DNS server
can't find it, it'll report that the DNS server is unavailable. You can
set the domain it should resolve under the advanced options.

You'll find a setting there like:
IgnoreDNSServerHealth off www.novell.com

If your DNS server can only resolve internal domains you can change
www.novell.com to whatever it can resolve.



--
Cheers,
Edward
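
The probe Edward describes, as an added example that is not part of the thread or of NetIQ's own code: a small Python DNS health check you can run from the gateway host. It sends a raw A query for the probe name and separates the three outcomes that the gateway reports as a single "unable to connect": no reply at all, a reply that resolves the name, and a reply from a resolver that is reachable but cannot resolve the probe (NXDOMAIN/REFUSED/SERVFAIL), which is what an internal-only resolver returns for www.novell.com. The resolver address 10.28.2.1, the canned replies and the fake resolver in the main block are constructed for the example; the internal probe name core.company.in is taken from later in the thread.

```python
# Added example (not from the thread or from NetIQ): a minimal DNS health
# probe in the spirit of the Access Gateway check described above, so the
# same test can be run by hand from the gateway host. It builds a raw A
# query, sends it over UDP and classifies the answer. The server address,
# probe names and canned replies below are constructed for the example.
import random
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qid):
    """Encode a standard recursive A/IN query for `name` with transaction id `qid`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: jump, remember where we were
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if end is None:
                end = off + 1
            return ".".join(labels), end
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_response(msg, expected_id):
    """Return (rcode, [A record addresses]) from a raw DNS reply."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != expected_id or not flags & 0x8000:
        raise ValueError("not a reply to our query")
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


def _udp_exchange(server, query, timeout):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recv(4096)


def dns_health(server, probe="www.novell.com", send=None, timeout=2.0, qid=None):
    """Classify a resolver the way a health check does.

    Returns one of: "unreachable" (no UDP reply), "healthy" (probe resolved),
    or the lower-cased rcode name ("nxdomain", "refused", "servfail") when the
    resolver answered but could not resolve the probe, which is what an
    internal-only resolver does for www.novell.com.
    `send` lets a test inject a canned reply instead of using the network.
    """
    qid = random.randrange(65536) if qid is None else qid
    query = build_query(probe, qid)
    try:
        reply = send(query) if send else _udp_exchange(server, query, timeout)
    except OSError:          # socket.timeout is a subclass of OSError
        return "unreachable", []
    rcode, addrs = parse_response(reply, qid)
    if rcode == 0 and addrs:
        return "healthy", addrs
    return RCODE_NAMES.get(rcode, f"rcode{rcode}").lower(), []


def make_response(query, rcode=0, addrs=()):
    """Build a canned reply to `query` (constructed test data standing in for a resolver)."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a)  # name = pointer to question
        for a in addrs
    )
    return header + query[12:] + answers


if __name__ == "__main__":
    # Constructed internal-only resolver: knows core.company.in, has never heard of www.novell.com.
    internal = {"core.company.in": ["10.28.2.89"]}

    def fake_resolver(query):
        name, _ = _read_name(query, 12)
        return make_response(query, 0, internal[name]) if name in internal else make_response(query, 3)

    print(dns_health("10.28.2.1", "www.novell.com", send=fake_resolver))   # ('nxdomain', [])
    print(dns_health("10.28.2.1", "core.company.in", send=fake_resolver))  # ('healthy', ['10.28.2.89'])
```

Run dns_health("<your DNS server>", "www.novell.com") and then dns_health("<your DNS server>", "core.company.in") from the gateway: "nxdomain" on the first and "healthy" on the second is the signature of the case above, and the fix is to point IgnoreDNSServerHealth at a name the resolver does answer rather than to switch the check off. The probe only uses UDP port 53; a resolver that answers over TCP only would show as unreachable here.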
DICGC

Re: NetIQ AM SSO for web application


Edward van der Maas;267118 Wrote:
> You'll find a setting there like:
> IgnoreDNSServerHealth off www.novell.com
>
> If your DNS server can only resolve internal domains you can change www.novell.com to whatever it can resolve.


Thanks Edward, it's working now.

thanks
Sarita



DICGC

Re: NetIQ AM SSO for web application


Hi All,

In my case I have 2 servers. On one I have installed AD and IDP and on
another server I have the AG, and I don't have any LDAP for the user
store. I am using the IDP as my user store as there are only 50 users
in the department who are going to access SSO.

Is this a good option that I am doing, because I don't have any other
server to install any LDAP?

thanks
Sarita khamkar



Will Schneider

Re: NetIQ AM SSO for web application

On 4/22/2016 5:24 AM, DICGC wrote:
> I am using the IDP as my user store as there are only 50 users in the department who are going to access SSO. Is this a good option that I am doing, because I don't have any other server to install any LDAP?


Do you have Active Directory? How do the users log into their workstations?
If you have no directory service then yes, that is really your only option.


--
-----------------------------------------------------------------------
Will Schneider
Knowledge Partner http://forums.netiq.com

If you find this post helpful, please click on the star below.
Edward van der Maas

Re: NetIQ AM SSO for web application

DICGC wrote:
> I am using the IDP as my user store as there are only 50 users in the department who are going to access SSO. Is this a good option that I am doing, because I don't have any other server to install any LDAP?


It is technically fine to do so but for users it's still a poor
experience as they still get prompted for authentication. If you do
have Active Directory then I'd probably look at enabling Kerberos
Authentication on the IDP so the users have a true single sign-on
experience. They authenticate to the desktop and that's it. The IDP will
authenticate them seamlessly and so will the proxy (if you set up
identity injection and formfill at least).

--
Cheers,
Edward
DICGC

Re: NetIQ AM SSO for web application


Edward van der Maas;267198 Wrote:
> If you do have Active Directory then I'd probably look at enabling Kerberos Authentication on the IDP so the users have a true single sign-on experience. They authenticate to the desktop and that's it. The IDP will authenticate them seamlessly and so will the proxy (if you set up identity injection and formfill at least).

Hi Edward,

Now I have to do SSO with 6 web applications which are deployed on
different web servers but in the same domain, so can I use one Access
Gateway to achieve my SSO, and how can I configure all this?
thanks
Sarita



Will Schneider

Re: NetIQ AM SSO for web application

On 4/25/2016 12:24 AM, DICGC wrote:
> Now I have to do SSO with 6 web applications which are deployed on different web servers but in the same domain, so can I use one Access Gateway to achieve my SSO, and how can I configure all this?


The answer is likely yes. Obviously it depends on the specifics. You can tie lots of servers into a single MAG without much trouble. Just depends on how you want to do it.

So I would go about it this way:
1. Work on the Kerberos config between your IDP and your AD. That way you don't have to create accounts in the NAM tree and can utilize your users' existing passwords. After you read the docs on that, if you need help that would be a good new post to start.

2. Map out your web apps in how you want them to work. So for instance:
company.com -> Main web server
company.com/app1/ -> app1 web server
company.com/hr/ -> hr web server
company.com/finance/ -> finance web app

Once you have that we can help you craft the NAM layout.
Does that make sense?

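
Kevin's rule above (browser to gateway by DNS name, gateway to origin by IP) and Will's mapping exercise, as one added Python example that is not part of the thread or of NetIQ's code: a toy model of how a reverse proxy chooses a proxy service from the request's Host header and path, plus a validator for a planned layout and the hosts-file/curl lines for testing a published name without touching DNS. It reuses names from the thread (www.somethingelse.com with origin 10.1.1.35, core.company.in with origin 10.28.2.89, the company.com/hr/ style layout); the gateway address 10.1.1.50 and the origin IPs for the company.com entries are assumptions. The selection logic is a simplification, not a description of what Access Manager does internally; use it to reason about the layout before building it in the console.

```python
# Added example (not from the thread or from NetIQ): a small model of how a
# reverse proxy picks a proxy service, to make the "browser -> AG by DNS name,
# AG -> origin by IP" rule concrete and to sanity-check a planned layout.
# Names/addresses from the thread are reused where they exist; the gateway
# address 10.1.1.50 and the company.com origin IPs are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class ProxyService:
    published_name: str   # DNS name the gateway listens for (what the browser puts in Host:)
    path_prefix: str      # "/" for a domain-based entry, "/hr/" etc. for a path-based one
    origin_ip: str        # the gateway reaches the origin by IP
    origin_port: int = 80


def _is_ip(text):
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def validate_layout(services):
    """Return the layout mistakes a practitioner should fix before testing."""
    problems = []
    seen = set()
    for s in services:
        where = f"{s.published_name}{s.path_prefix}"
        if _is_ip(s.published_name):
            problems.append(f"{where}: published name is an IP literal; use a DNS name that resolves to the gateway")
        if not _is_ip(s.origin_ip):
            problems.append(f"{where}: origin {s.origin_ip!r} must be an IP address")
        if not (s.path_prefix.startswith("/") and s.path_prefix.endswith("/")):
            problems.append(f"{where}: path prefix must start and end with '/'")
        key = (s.published_name.lower(), s.path_prefix)
        if key in seen:
            problems.append(f"{where}: duplicate entry")
        seen.add(key)
    return problems


def select_service(services, host_header, path):
    """Pick the proxy service for a request: exact host match, then longest path prefix."""
    host = host_header.split(":", 1)[0].lower()       # strip a :port suffix
    matches = [s for s in services
               if s.published_name.lower() == host and path.startswith(s.path_prefix)]
    return max(matches, key=lambda s: len(s.path_prefix)) if matches else None


def upstream_url(service, path):
    """The URL the gateway would fetch from the origin for a matched request."""
    return f"http://{service.origin_ip}:{service.origin_port}{path}"


def client_test_commands(service, gateway_ip):
    """hosts-file line and an equivalent curl --resolve (no hosts-file edit needed) for a test client."""
    hosts_line = f"{gateway_ip} {service.published_name}"
    curl = (f"curl --resolve {service.published_name}:80:{gateway_ip} "
            f"http://{service.published_name}{service.path_prefix}")
    return hosts_line, curl


# Constructed layout: the thread's domain-based examples plus a path-based set like Will's.
LAYOUT = [
    ProxyService("www.somethingelse.com", "/", "10.1.1.35"),
    ProxyService("core.company.in", "/", "10.28.2.89"),
    ProxyService("company.com", "/", "10.28.2.10"),           # assumed main web server
    ProxyService("company.com", "/hr/", "10.28.2.11"),        # assumed HR server
    ProxyService("company.com", "/finance/", "10.28.2.12"),   # assumed finance server
]

if __name__ == "__main__":
    print(validate_layout(LAYOUT))                                                 # []
    # A request addressed by IP matches nothing: there is no published name to multi-home on.
    print(select_service(LAYOUT, "10.28.2.89", "/dicgc/account/frmlogin.aspx"))    # None
    svc = select_service(LAYOUT, "core.company.in", "/dicgc/account/frmlogin.aspx")
    print(upstream_url(svc, "/dicgc/account/frmlogin.aspx"))  # http://10.28.2.89:80/dicgc/account/frmlogin.aspx
    print(select_service(LAYOUT, "company.com:80", "/hr/payslips").origin_ip)      # 10.28.2.11
    print(client_test_commands(LAYOUT[0], "10.1.1.50"))
```

The None for the IP-addressed request is the failure the thread started with: a browser that asks for http://10.28.2.89/... carries no name the gateway can match, so the published name has to be something a DNS name (or a hosts-file line) maps to the gateway, while the origin stays addressed by IP.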
DICGC

Re: NetIQ AM SSO for web application


Will Schneider;267219 Wrote:
> 1. Work on the Kerberos config between your IDP and your AD. [...]
> 2. Map out your web apps in how you want them to work. [...]
> Once you have that we can help you craft the NAM layout.

Thanks,

Yes, I have created a reverse proxy for company.in and then I created a
domain-based proxy entry for my web application "core.company.in" and
gave it the Basic authentication scheme, but I am getting a Bad Request
400 error. I am using the same LDAP which comes by default with the IDP
and AD full installation of NAM. I don't have a different LDAP. Where do
I have to provide LDAP details while configuring SSO? I am using
Identity Injection and added a rule for the header.

"Bad Request

Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit."



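
The 400 quoted above, as an added Python example that is not part of the thread or of NetIQ's code: "Size of a request header field exceeds server limit" is the wording Apache httpd uses when a single header line is longer than LimitRequestFieldSize (8190 bytes by default). Identity injection adds headers the browser never sent, and an injected multi-valued attribute (every group a user belongs to, for instance) is one realistic way to exceed that limit; whether this 400 came from the origin or from the gateway itself is not shown in the thread. The functions below build a request head the way a proxy would put it on the wire and report any header line over the limit, so the injected request can be checked before it reaches an Apache. The user name, password, group lists and the X-Groups header name are constructed for the example.

```python
# Added example (not from the thread or from NetIQ): measure every header line
# of a request the way Apache's LimitRequestFieldSize does, to find the line
# behind "Size of a request header field exceeds server limit". The request,
# credentials, group DNs and the X-Groups header name are constructed here.
import base64

LIMIT_REQUEST_FIELD_SIZE = 8190   # Apache httpd default, in bytes, for one header line
LIMIT_REQUEST_FIELDS = 100        # Apache httpd default for the number of header lines


def build_request(method, host, path, headers):
    """Serialise a request head the way a proxy would send it (CRLF line ends, no body)."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    lines += [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def header_lines(raw):
    """Split a raw request head into (header name, line length in bytes) for every header line."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    out = []
    for line in head.split(b"\r\n")[1:]:      # [0] is the request line
        if line:
            name = line.split(b":", 1)[0].strip().decode("latin-1")
            out.append((name, len(line)))
    return out


def oversized_headers(raw, field_limit=LIMIT_REQUEST_FIELD_SIZE, count_limit=LIMIT_REQUEST_FIELDS):
    """Return ([(name, size) of lines over the limit], True if there are too many lines)."""
    lines = header_lines(raw)
    too_big = [(name, size) for name, size in lines if size > field_limit]
    too_many = len(lines) > count_limit
    return too_big, too_many


def basic_auth_header(user, password):
    """The kind of header an authentication-header injection rule adds (credentials constructed)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return ("Authorization", f"Basic {token}")


def groups_header(group_dns):
    """A single header carrying every group DN, the kind of injected value that blows the limit."""
    return ("X-Groups", ",".join(group_dns))


if __name__ == "__main__":
    # Constructed: a user with a handful of groups vs. one with 300 long group DNs.
    few = [f"cn=app{i},ou=groups,o=dicgc" for i in range(5)]
    many = [f"cn=project-{i:04d}-readers,ou=groups,ou=core,o=dicgc" for i in range(300)]

    small = build_request("GET", "core.company.in", "/dicgc/account/frmlogin.aspx",
                          [basic_auth_header("sarita", "s3cret"), groups_header(few)])
    big = build_request("GET", "core.company.in", "/dicgc/account/frmlogin.aspx",
                        [basic_auth_header("sarita", "s3cret"), groups_header(many)])

    print(oversized_headers(small))   # ([], False)
    print(oversized_headers(big))     # ([('X-Groups', 15009)], False)
```

If the oversized line is an injected attribute, trim the injection to the values the application actually consumes rather than raising the limit on the server: the header travels with every request, and everything in it is readable by the origin.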
kjhurni (Knowledge Partner)

Re: NetIQ AM SSO for web application

DICGC;2427157 wrote:
> I am using the same LDAP which comes by default with the IDP and AD full installation of NAM. I don't have a different LDAP. Where do I have to provide LDAP details while configuring SSO?

You have no Active Directory or eDirectory in your environment?

--Kevin
DICGC

Re: NetIQ AM SSO for web application


kjhurni;267246 Wrote:
> You have no Active Directory or eDirectory in your environment?


The client has AD but they don't allow us to use it as the directory,
but I am using the same default eDirectory which I get while installing
AD and IDP.

thanks,
sarita


