Single Sign On and LDAP Integration

Hi Dodi

We have three separate web access virtual directories, so that I can choose to logon using single sign-on (so that users go straight in without typing their username and password in), another that they do get prompted to type in the AD username and password, and a third which logs on using their LANDesk credentials.

The only site advertised is the main single sign-on one.  The second could be used (as you say), when wanting people to connect from outside your organisation.  The third we only use from a support side of things, so that we can login as other users simply for trouble-shooting purposes.

This doc (http://community.landesk.com/support/docs/DOC-11425) talks you through setting up single sign-on with integrated logon, and then you can simply create another virtual directory with explicit logon.

Hopefully that helps.

Cheers

Paul

My file structure on the app server looks like:

Hi Dodi

This directory structure is replicated in the inetpub\wwwroot folder.  In my instance, WebAccess is my automatic logon, WebAccessLDAP is manual AD logon, and WebAccessLogin is the LANDesk username.

Sorry, my previous post mentioned it was app server.  I meant to say Web Server.

Cheers

Paul

Hi

This document may be of interest:

http://community.landesk.com/support/docs/DOC-23342

Best wishes

Karen

Hi Dodi,

The SA account will always bypass the LDAP authentication and use regular explicit login.  You can enable more descriptive error messages for the LDAP authenticaion if the <ShowExceptions> setting in your LDAP auth configuration file is set to true so you can see what the actual issue is.

Hi Dodi,

Looking at your scenarios-

dodiy wrote:

 

The scenarios can be like these:

1. Employee access service desk within company network which is join domain. (this will use Single Sign On)

2. Employee access service desk at home/outside (this will use LDAP integration)

3. Normal user access service desk from outside (use LANDesk credential)

4. Normal user access service desk within company network (use LANDesk credential)

 

We had a customer with an almost identical request, they wanted integrated (single sign-on) access internally and externally they wanted LDAP authentication AND they only wanted one webaddress for WebAccess. Initially we thought this wouldn't be do-able, however their server team came up with a great solution- If you enable Basic Authentication and Windows Authentication for the WebAccess application in IIS then internally it performs integrated login but externally it will prompt them to login using their LDAP credentials. You set a default Domain in the Basic Auth configuration in IIS and it works like a charm.

If you combine this with Karen's article on setting up a failover to go to explicit if integrated fails then you should be able to meet all of your scenario requirements without needing to configure LDAP.

Note: You should use HTTPS browsing for WebAccess when running this configuration otherwise Basic Auth sends usernames and passwords unencrypted, but HTTPS will cover this.

Cheers,

Hadyn