How to automatically fail over from an integrated login Web Access to explicit login

Version 4

    Verified Product Versions

    Service Desk 7.7.x

    Introduction

    Many sites use integrated login for Web Access.  However, in some scenarios there may be a set of users or locations for which the integrated login will fail.  This happens because the web server cannot identify the user's network login from the browser, normally because the user is connecting from outside a trusted domain or outside the network entirely.

     

    The following explains how to set up automatic redirection to an explicit login instance of Web Access if IIS cannot identify the connecting user's network login.  However, if the login is identified but is not present in the Service Desk database, no automatic redirect takes place; instead the product handles this failure itself and displays an error page stating "Integrated login failed".  This behaviour is hard-coded and cannot be changed.

     

    Note: This is only possible if the integrated login Web Access is hosted on at least Windows Server 2008 with IIS 7.  It is not possible with IIS 6.

     

    Setting up the instances of Web Access

    Before you can configure the automatic fail over you need to have both an integrated login and explicit login Web Access set up and working.  They do not need to be hosted on the same server.  For help on setting this up see the following document: Configure Web Desk/ Web Access to use Integrated Login.

     

    For the rest of this document we will assume you have the following instances set up and working:

     

    Instance Folder Name     Login Policy
    /WebAccess               Integrated
    /WebAccess.Explicit      Explicit

     

    Configuring the automatic fail over

    Once both the integrated and explicit login Web Access instances are working the final step is to configure the integrated login instance to redirect to the explicit login instance if the server cannot identify the user's network login.  To do this perform the following steps:

     

    1. Within IIS select the integrated login WebAccess folder.
    2. From the Features View panel select Error Pages.
    3. From the Actions panel on the far right select Edit Feature Settings....
    4. Ensure that the Error Responses setting is either Custom error pages or Detailed errors for local requests and custom error pages for remote requests.  Press OK.
    5. From the Actions panel click Add... to add a new rule.
    6. Set the Status Code to 401.1.
    7. Select Respond with a 302 redirect and in the Absolute URL field enter the URL of the explicit login Web Access.

     

    If both instances are hosted on the same server: Enter /<folder-name> as the URL, e.g. /WebAccess.Explicit.

    If the explicit instance is hosted on another server: Enter the full URL, e.g. http://servername/WebAccess.Explicit.

     

    This change configures IIS to redirect any 401.1 error (Authentication attempted but failed) to the URL of your choice.  There will likely already be an error page rule for the 401 status with no substatus; this can remain as it is.
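
    The IIS Manager steps above correspond to an httpErrors entry in the web.config of the integrated login folder.  The fragment below is an added example, not taken from the product or its documentation; it assumes the /WebAccess and /WebAccess.Explicit folder names used in this document and should be merged into the folder's existing web.config rather than replacing it.

```xml
<!-- Added example: merge the httpErrors element into the existing
     <system.webServer> section of the web.config in the integrated
     login folder (/WebAccess in this document). -->
<configuration>
  <system.webServer>
    <!-- Step 4: "Detailed errors for local requests and custom error pages
         for remote requests" is errorMode="DetailedLocalOnly".
         "Custom error pages" is errorMode="Custom".
         With errorMode="Detailed" the custom rule below is never used. -->
    <httpErrors errorMode="DetailedLocalOnly">
      <!-- Steps 5 to 7: status code 401.1, "Respond with a 302 redirect".
           Any inherited rule for 401 with no substatus is left untouched
           because this entry is keyed on subStatusCode="1". -->
      <error statusCode="401"
             subStatusCode="1"
             responseMode="Redirect"
             path="/WebAccess.Explicit" />
      <!-- Explicit instance on another server: use the full URL in path,
           as in the document's http://servername/WebAccess.Explicit.
           The explicit login page collects a password, so where that
           instance has an HTTPS binding use its https:// URL instead. -->
    </httpErrors>
  </system.webServer>
</configuration>
```

    With errorMode="DetailedLocalOnly", a browser running on the web server itself still receives the detailed 401.1 page, so test the redirect from a remote client.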

     

    Displaying an error message with the login page

    If your users are not expecting to see a login page you may want to display some information on why they have been redirected.  There are two ways you can achieve this:

     

    1. Rather than redirect straight to the explicit Web Access you could instead redirect to another page on your web server you have written yourself to explain why the user has landed there.  This could then include a link to the explicit login Web Access.
    2. Use a company_logo.gif image on the explicit login Web Access.  There is a feature to allow you to add an image of your choosing above the login box.  The image must be called company_logo.gif and put into the Content/Images folder.  The following is an example of what the image could display:

     

    [Image: example company_logo.gif]