Commander

NTLM authentication - Dashboard error

Hello,

We have set up NTLM authentication on PPM 9.50 and we can connect to PPM normally, but the dashboard portlets are not shown.

You can see the front page attached. When we go to Search > Projects, everything is OK, and then we again have a problem on a project.

Do you have any idea how this can be fixed?

We have added this to the server.conf:

com.kintana.core.server.WEB_CACHE_DIR=C:/PPM/cache
com.kintana.core.server.EXTERNAL_WEB_PORT=8009
com.kintana.core.server.SINGLE_SIGN_ON_PLUGIN=com.kintana.sc.security.auth.WebRemoteUserSingleSignOn
com.kintana.core.server.ENABLE_WEB_ACCESS_LOGGING=True

And we have added AUTHENTICATION_MODE=ITG,NTLM

We have changed the ntlm and sso conf files.

We are using Apache 2.4.

Did anybody have a similar problem?

Thank you,

Mateja

0 Likes
Accepted Solutions
Commander

Hello,

We have added the following lines in uriworkermap.properties:

/itg/*=load_balancer
/dashboard/*=load_balancer
/reports/*=load_balancer
/logs/*=load_balancer
/pdf/*=load_balancer
/utility_portlets/*=load_balancer

And in Apache httpd.conf:

JkMount /itg* "worker.list=name"
JkMount /itg/* "worker.list=name"
JkMount /dashboard/* "worker.list=name"
JkMount /reports/* "worker.list=name"
JkMount /logs/* "worker.list=name"
JkMount /pdf/* "worker.list=name"

<Location "/itg">
    #AllowOverride None
    Options +FollowSymLinks -SymLinksIfOwnerMatch
    #Order allow,deny
    #Require all granted
    #Allow from all

    AuthType SSPI
    NTLMAuth On
    NTLMAuthoritative On
    #NTLMDomain lab.zg
    NTLMPerRequestAuth On
    NTLMOfferBasic On
    NTLMBasicPreferred On

    <RequireAll>
        <RequireAny>
            Require valid-user
        </RequireAny>
        <RequireNone>
            Require user "ANONYMOUS LOGON"
            Require user "NT-AUTORITÄT\ANONYMOUS-ANMELDUNG"
        </RequireNone>
    </RequireAll>

    # use this to add the authenticated username to your header
    # so any backend system can fetch the current user
    # rewrite_module needs to be loaded then

    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1,NS]
    RequestHeader set X_ISRW_PROXY_AUTH_USER %{RU}e
    #RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER},NS]
</Location>

 

Now everything is ok.

0 Likes
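
Added example (not part of the original post, and not Micro Focus or Apache code): a Python check that lists which forwarded URI patterns from the post can match a request outside the `<Location "/itg">` block, where Apache applies neither the SSPI `Require` rules nor the `RequestHeader set` line. The function names are hypothetical, and it assumes the posted lines are the only authentication configuration in httpd.conf.

```python
import re

# Constructed input: mappings and directives copied from the post above.
URIWORKERMAP = """\
/itg/*=load_balancer
/dashboard/*=load_balancer
/reports/*=load_balancer
/logs/*=load_balancer
/pdf/*=load_balancer
/utility_portlets/*=load_balancer
"""
HTTPD_CONF = """\
JkMount /itg* "worker.list=name"
JkMount /itg/* "worker.list=name"
JkMount /dashboard/* "worker.list=name"
JkMount /reports/* "worker.list=name"
JkMount /logs/* "worker.list=name"
JkMount /pdf/* "worker.list=name"
<Location "/itg">
    AuthType SSPI
    NTLMAuth On
    Require valid-user
    RequestHeader set X_ISRW_PROXY_AUTH_USER %{RU}e
</Location>
"""

def forwarded_patterns(uriworkermap, httpd_conf):
    """URI patterns handed to the backend by either file."""
    pats = {l.split("=", 1)[0].strip() for l in uriworkermap.splitlines()
            if "=" in l and not l.lstrip().startswith("#")}
    pats.update(re.findall(r"^[ \t]*JkMount[ \t]+(\S+)", httpd_conf, re.M))
    return sorted(pats)

def sspi_locations(httpd_conf):
    """Paths of <Location> blocks that contain 'AuthType SSPI'."""
    blocks = re.findall(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>',
                        httpd_conf, re.S | re.I)
    return [path.rstrip("/") for path, body in blocks
            if re.search(r"^\s*AuthType\s+SSPI\b", body, re.M | re.I)]

def covered(pattern, location):
    """True only if every URL the pattern can match is inside the Location."""
    literal, star, _ = pattern.partition("*")
    if literal.startswith(location + "/"):
        return True
    return literal == location and not star  # "/itg*" also matches "/itgX"

def uncovered(uriworkermap, httpd_conf):
    """Forwarded patterns that no SSPI-protected <Location> fully contains."""
    locs = sspi_locations(httpd_conf)
    return [p for p in forwarded_patterns(uriworkermap, httpd_conf)
            if not any(covered(p, loc) for loc in locs)]

if __name__ == "__main__":
    print(uncovered(URIWORKERMAP, HTTPD_CONF))
```

For the posted configuration this reports every mount except `/itg/*`, including `/itg*`, because that pattern also matches paths such as `/itgX` that `<Location "/itg">` does not.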
7 Replies
Micro Focus Frequent Contributor

Hello Mateja,

 

Was this working fine before with the same external web server (with no NTLM)?

 

One guess may be that you do not have "/dashboard/*=load_balancer" in the uriworkermap.properties file:

 

/itg/*=load_balancer
/dashboard/*=load_balancer
/reports/*=load_balancer
/logs/*=load_balancer
/pdf/*=load_balancer
/utility_portlets/*=load_balancer

 

Link:

https://admhelp.microfocus.com/ppm/en/9.50-9.52/Help/Content/SA/Install&Admin/107050_InstallAdmin_Advance.htm

 

The other thing is that

com.kintana.core.server.SINGLE_SIGN_ON_PLUGIN=com.kintana.sc.security.auth.WebRemoteUserSingleSignOn

with NTLM may need IIS as the external web server: https://admhelp.microfocus.com/ppm/en/9.50-9.52/Help/Content/SA/Install&Admin/109900_InstallAdmin_Auth.htm

Please double-check what you already have, the SSO configuration, what is needed, etc.

 

Best Regards,

Iliya

Commander

Hello,

We have added the things you suggested in uriworkermap.properties.

But still everything is the same.

This is what we see in Apache logs: 

[Tue May 28 12:25:55.831703 2019] [authz_user:debug] [pid 6328:tid 1876] mod_authz_user.c(77): [client ::1:54854] AH01663: access to /itg/images/common/avatar.png failed, reason: user 'MO\\tmphlino' does not meet 'require'ments for user to be allowed access, referer: http://srvms127mih.mo.hr/itg/dashboard/app/portal/PageView.jsp

Regards,

Mateja

0 Likes
Micro Focus Frequent Contributor

Hi,

 

I believe you have skipped the link: https://admhelp.microfocus.com/ppm/en/9.50-9.52/Help/Content/SA/Install&Admin/109900_InstallAdmin_Auth.htm

 

Implementing Web Remote Single Sign-On with PPM

This section provides information on how to implement Web remote single sign-on with PPM. This implementation is based on NTLM authentication and requires that the PPM Server(s) be integrated with an external Web server running Microsoft IIS.

Web remote single sign-on works with PPM as follows:

  1. A user logs in to a Windows desktop.

  2. The user accesses PPM through the external (IIS) Web server.

  3. The user is authenticated through the Windows user account to IIS and the user name is passed to the PPM Server by way of the REMOTE_USER HTTP header field.

  4. If the user is a valid PPM user, the standard interface and PPM Dashboard open.

Requirements for Implementing Web Remote Single Sign-On

To implement Web remote single sign-on, your system must meet the following requirements:

  • PPM must be set up with an external Microsoft IIS Web server. For information on how to do this, see Integrating an External Web Server with a PPM Server.

  • To ensure that you have the required access rights, make sure that the system username you use to log on to PPM is same as the account username for the active directory.

  • Clients must use Microsoft Internet Explorer to log on to PPM. Logon credentials are not automatically passed from Web browsers other than Internet Explorer (for example, Firefox) when connecting to IIS.

Setting Up Web Remote Single Sign-On with PPM

To configure Web remote single sign-on with PPM:

  1. Integrate the external IIS Web server with the PPM Server(s).

    For information about how to integrate the external Web server with a PPM Server, see Integrating an External Web Server with a PPM Server.

  2. On the PPM Server, do the following:

    1. Stop the PPM Server.

    2. Open the server.conf file in a text editor, and then add to it the following:

      com.kintana.core.server.SINGLE_SIGN_ON_PLUGIN =com.kintana.sc.security.auth.WebRemoteUserSingleSignOn

 

...

 

 

Best Regards,

Iliya

 

0 Likes
Commodore

Hi,

Should be something with apache conf files. Can you post?

Regards,

--Remember to give Kudos if you like the solution.

Murat Akbar
MIF Software & Consultancy - Istanbul
http://www.mif.com.tr
Commander
Hello,
No, we haven't. But we wanted to fix this problem without an IIS server.
0 Likes
Commander

@MIF wrote:

Hi,

Should be something with apache conf files. Can you post?

Regards,


Yes, you were right. After we changed them and restarted Apache, the dashboard is working properly.

0 Likes