Topic
6 replies Latest Post - ‏2013-06-21T13:04:25Z by Alessandro.Damiani
Alessandro.Damiani
Alessandro.Damiani
51 Posts
ACCEPTED ANSWER

Pinned topic [ICN 2.0.1, CM 8.4.3] - Trusted Logon & NTLM userid retrieval

‏2013-05-14T12:11:33Z |

Hi,

I am trying to set up trusted authentication logon to ICN, porting an existing set up that previously worked on WEBi.

The repository is CM 8.4.3.

I wrote a jsp landing page (attached: myssoICN.jsp) that uses NTLM's 4-way handshake to determine the user logged onto the machine. I am able to retrieve the username, and use it to logon to ICN (users logging on this way have the trusted logon privilege enabled).

However, users receive very frequent errors just like the one in the screenshot attached (PrintScreen.jpg), that do not however have any correspondence in the WAS logs, even after putting Navigator in trace mode. If the user repeats the operation that raised the error right after closing the error dialog, the operation works fine.

The error mentions required parameters being missing, and points to the application server's log files, which however do not contain any sign of the error...

Any help will be greatly appreciated, as this problem is currently blocking the solution from being put in production.

Thanks in advance,

Alessandro

 

Attachments

  • damorris
    damorris
    654 Posts
    ACCEPTED ANSWER

    Re: [ICN 2.0.1, CM 8.4.3] - Trusted Logon & NTLM userid retrieval

    ‏2013-05-15T23:06:56Z  in response to Alessandro.Damiani

    Do you see any errors in the dklog.log file?

    • Alessandro.Damiani
      Alessandro.Damiani
      51 Posts
      ACCEPTED ANSWER

      Re: [ICN 2.0.1, CM 8.4.3] - Trusted Logon & NTLM userid retrieval

      ‏2013-05-30T10:00:24Z  in response to damorris

      Hi Dana, thanks for your reply.

      Sorry for not replying sooner, but we have currently found a workaround for this problem, and thus haven't been able to reproduce the error in the old mode. The customer is now performing application tests on the environment, so it might take some time before we can experiment on it again...

      If I am able to reproduce the error, I will check the dklog.log file, as you suggest.

      • Karthik Senkodi
        Karthik Senkodi
        2 Posts
        ACCEPTED ANSWER

        Re: [ICN 2.0.1, CM 8.4.3] - Trusted Logon & NTLM userid retrieval

        ‏2013-06-20T20:25:17Z  in response to Alessandro.Damiani

        Hello Alessandro, What was the workaround?

        • Alessandro.Damiani
          Alessandro.Damiani
          51 Posts
          ACCEPTED ANSWER

          Re: [ICN 2.0.1, CM 8.4.3] - Trusted Logon & NTLM userid retrieval

          ‏2013-06-21T07:47:13Z  in response to Karthik Senkodi

          Hello Karthik,

          the workaround was a bit "ugly", to be honest, but this problem was blocking and we needed the project to move forward in a very short time.

          It also has a very limited applicability, because it only works if ICN is accessed through IE (9+), and if ActiveX execution is enabled on client machines, all conditions that were fortunately met in our situation.

          We basically only used NTLM authentication to retrieve the username, since the whole user authentication process was in charge of other software components installed on the client machine, so we looked for a different way to get the logged on username from Javascript, in order to connect to ICN with the proper account.

          We used the WScript.Network object, this way:

          var WshNetwork = new ActiveXObject("WScript.Network");
              
          var ssouserid = WshNetwork.UserName

          Definitely not the prettiest of solutions, but at least this does not produce the error. Also, it looks like the error only occurred in Internet Explorer (which is the standard browser the customer wants their users to use), but not in Firefox, so I guess this wouldn't be needed if ICN was to be accessed through a browser other than IE.

          • Karthik Senkodi
            Karthik Senkodi
            2 Posts
            ACCEPTED ANSWER

            Re: [ICN 2.0.1, CM 8.4.3] - Trusted Logon & NTLM userid retrieval

            ‏2013-06-21T11:57:18Z  in response to Alessandro.Damiani

            Thanks Alessandro. Also the trusted logon setup you have logs into ICN without providing a password?

            If so what was the setup you did on websphere/the application server that you used?

            Appreciate your help,

            Karthik

            • Alessandro.Damiani
              Alessandro.Damiani
              51 Posts
              ACCEPTED ANSWER

              Re: [ICN 2.0.1, CM 8.4.3] - Trusted Logon & NTLM userid retrieval

              ‏2013-06-21T13:04:25Z  in response to Karthik Senkodi

              Yes, the idea is that with trusted logon enabled, IBM Content Manager trusts that the user is already authenticated, and uses the userid for authorization purposes only.

              You still have to provide a password, when logging onto the CM repository in ICN, or you get an error, but that password can be whatever, since the repository doesn't in fact check it.

              As for how to set up such an environment, I haven't taken part in the installation and configuration phases of SSO, but I think it has been done by following the guidelines in the IBM documentation, which you can find here:

              http://publib.boulder.ibm.com/infocenter/cmgmt/v8r3m0/topic/com.ibm.installingcm.doc/icmpgmst454.htm