Setting up Active directory authentication

Post any questions regarding Installing or Upgrading Ebase, including problems starting up the Ebase Xi Server or Designer

Moderators: Jon, Steve, Ian, Dave

Segi
Ebase User
Posts: 649
Joined: Mon Dec 09, 2013 6:37 pm

Setting up Active directory authentication

#1

Postby Segi » Wed Feb 10, 2021 5:46 pm

I am attempting to set up automatic user authentication through Active Directory over LDAP.

I set up IIS 8 on Windows Server with Windows Authentication and LDAP.

Since Verj uses ports 80 and 443, IIS is listening on 8443. When I visit localhost:8443 IIS prompts me to log in with my Windows credentials.

In the Verj admin console under Security properties, I am able to test the LDAP connection and that connects successfully.

Under user authentication, I checked Windows Domain User but when I click on "Test Windows User" I get the error "Error: no Windows user could be found. Check that requests are routed via IIS and that IIS option 'Windows Authentication' is enabled."

I do have Windows Authentication enabled in IIS and that's the only enabled authentication method.

In server.xml, I have this connector (Not sure if this is relevant or not)
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" maxSwallowSize="50000000"/>

The active directory server that I am trying to connect to is located on another server within our network.

What am I missing ?
0 x

Steve
Moderator
Posts: 414
Joined: Fri Sep 07, 2007 3:44 pm
Location: Sandy, UK

Re: Setting up Active directory authentication

#2

Postby Steve » Thu Feb 11, 2021 3:52 pm

Hi Segi,

Have you set up an AJP connector from within IIS?

I would recommend either Boncode or Apache AJP connector.

Boncode is much easier to set up than the AJP connector as you just install it and follow the instructions.

http://www.boncode.net/boncode-connector

In the server.xml this is very important:
In server.xml, I have this connector (Not sure if this is relevant or not)
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" maxSwallowSize="50000000"/>
This is the port that IIS will talk to Verj.io on (8009 as default)

Once configured correctly, you will access Verj.io via IIS on port 80 and 443 (you can remove the port 80 and 443 connectors from the server.xml as you should be accessing IIS on this port). You should also be applying the SSL certificate to IIS and NOT tomcat, as the browser is communicating to IIS and IIS is proxying to tomcat via port 8009.

Once this is configured correctly, you should be able to call a form and log a message using JavaScript by calling:

log('Windows User: ' + client.request.getRemoteUser())
This should print out your username as:

Windows User: <domain>\<username>

for example

Windows User: MYDOMAIN\steve

Once you have this working, you should be able to check the Windows User Authentication in the server admin. Note that you will need the LDAP configuration in the server admin to point to your Active Directory also.

I hope this helps.

Steve
0 x

Segi
Ebase User
Posts: 649
Joined: Mon Dec 09, 2013 6:37 pm

Re: Setting up Active directory authentication

#3

Postby Segi » Thu Feb 18, 2021 8:05 pm

Steve,

Thanks for this information.

I installed the AJP13 connector and verified that port 8009 is listening using netstat (but 8009 is open by tomcat.exe)

I loaded the SSL certificate in IIS and applied it to the https connector.

This is my server.xml https://bpa.st/7DQA which doesn't have a connector listening on 443 but has the AJP redirect on 8009

When I visit https://mysite.example.com it shows that the SSL is set up correctly. I am prompted to enter my Windows credentials. After I do that, I am taken to the IIS landing page. If I try to access any URL with /ufs/ it returns a 404 error coming from IIS so something in IIS is not redirecting to tomcat.

Do you know what I am missing ?

Update: It seems that Boncode might not be set up correctly.

C:\inetpub\wwwroot\BIN contains:

BonCodeAJP13.dll
BonCodeIIS.dll
BonCodeAJP13.settings

BonCodeAJP13.settings contains:


<Settings>
  <Port>8009</Port>
  <Server>localhost</Server>
  <MaxConnections>200</MaxConnections>
  <LogLevel>0</LogLevel>
  <FlushThreshold>0</FlushThreshold>
  <EnableRemoteAdmin>False</EnableRemoteAdmin>
  <EnableHeaderDataSupport>True</EnableHeaderDataSupport>
</Settings>
When I try to access localhost:8009 in my browser it times out. It doesn't redirect to 8443
0 x

Steve
Moderator
Posts: 414
Joined: Fri Sep 07, 2007 3:44 pm
Location: Sandy, UK

Re: Setting up Active directory authentication

#4

Postby Steve » Tue Feb 23, 2021 9:16 am

Hi Segi,

I tried to answer this yesterday... but it appears my post failed to submit..

When you installed BonCode, did you check the setting (in the installer):

Servlet (add a wildcard reference and pass all traffic to tomcat)

This setting will forward all traffic to tomcat via the AJP port. This setting is unchecked as default, but without it, it will not work.

I am satisfied that the Boncode is working on the right port, but the important other setting will be in the IIS webapp located in the web.config file inside the directory:

C:\inetpub\wwwroot (or the webapp folder)

Notice that the BonCode handler has been added to the webServer node:

<handlers>
    <remove name="BonCode-Tomcat-WC-Handler" />
    <add name="BonCode-Tomcat-WC-Handler" path="*" verb="*" type="BonCodeIIS.BonCodeCallHandler,BonCodeIIS,Version=1.0.0.0,Culture=neutral,PublicKeyToken=ad590a40d40745cf" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode" />
</handlers>
Also note from my setting that the path and verb are set to "*"

The IIS Windows authentication should be checked and you will only be prompted to enter your credentials if you are trying to access the web server OUTSIDE the domain. If the web server is on the domain and you are logged in, you should not be required to log in again.. that's sort of the point.

Your AJP connector settings look correct if you are using Verj.io 5.6.. if you are using Verj.io 5.9.. the configuration is slightly different, but I don't think this is your problem.

Also the tomcat access log (UserData\Server\tomcat\logs) will show whether the connection is getting through to tomcat .. even if it serves a 404 response, but I am pretty sure it is not getting this far.

I hope this helps

Steve
0 x
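Steve's two replies (#2 and #4) describe three files that have to agree before getRemoteUser() returns a Windows user: the AJP connector in Tomcat's server.xml, the BonCodeAJP13.settings file, and the handler registration in the IIS web.config. The script below is an example added to this thread, not Verj.io's or BonCode's own code: it parses constructed samples of those three files, modelled on what the posts show, and reports the mismatches the thread turns on (missing handler, handler not on path="*"/verb="*", BonCode port not equal to the Tomcat AJP port, tomcatAuthentication not "false", Windows authentication not enabled). It also adds one check the thread does not mention, which is an assumption on my part rather than something Steve stated: because tomcatAuthentication="false" makes Tomcat accept whatever user name arrives over AJP, the connector should carry a loopback `address` attribute so that only the local IIS can reach port 8009. The sample file contents and the function name are constructed for the example.

```python
"""Offline consistency check for the IIS -> BonCode (AJP) -> Tomcat chain.

Added example, not Verj.io's or BonCode's code. The three documents below are
constructed samples built from the fragments posted in the thread; check_chain()
and its findings are assumptions about what a useful check looks like.
"""
import xml.etree.ElementTree as ET

# Constructed sample of the Tomcat server.xml connector quoted in the thread.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               tomcatAuthentication="false" maxSwallowSize="50000000"/>
  </Service>
</Server>"""

# Constructed sample of BonCodeAJP13.settings as posted.
BONCODE_SETTINGS = """<Settings>
  <Port>8009</Port>
  <Server>localhost</Server>
  <MaxConnections>200</MaxConnections>
  <LogLevel>0</LogLevel>
  <FlushThreshold>0</FlushThreshold>
  <EnableRemoteAdmin>False</EnableRemoteAdmin>
  <EnableHeaderDataSupport>True</EnableHeaderDataSupport>
</Settings>"""

# Constructed sample web.config with Steve's handler entry and an assumed
# authentication section (Windows auth on, anonymous off, as Segi described).
WEB_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
    <handlers>
      <remove name="BonCode-Tomcat-WC-Handler" />
      <add name="BonCode-Tomcat-WC-Handler" path="*" verb="*"
           type="BonCodeIIS.BonCodeCallHandler,BonCodeIIS,Version=1.0.0.0,Culture=neutral,PublicKeyToken=ad590a40d40745cf"
           resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode" />
    </handlers>
  </system.webServer>
</configuration>"""


def check_chain(server_xml, boncode_settings, web_config):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []

    # 1. Tomcat side: there must be an AJP connector that trusts the IIS-supplied user.
    ajp = [c for c in ET.fromstring(server_xml).iter("Connector")
           if c.get("protocol", "").upper().startswith("AJP")]
    if not ajp:
        return ["server.xml: no AJP connector, so IIS has nothing to proxy to"]
    conn = ajp[0]
    ajp_port = conn.get("port")
    if conn.get("tomcatAuthentication", "true").lower() != "false":
        findings.append('server.xml: tomcatAuthentication must be "false" so Tomcat '
                        "accepts the user that IIS authenticated")
    # Assumed hardening check: with tomcatAuthentication="false" Tomcat believes any
    # user name sent over AJP, so the port should only be reachable from localhost.
    if conn.get("address") not in ("127.0.0.1", "::1", "localhost"):
        findings.append(f"server.xml: AJP port {ajp_port} has no loopback address= "
                        "binding; anything that can reach it can assert a user name")

    # 2. BonCode side: it must dial the same port Tomcat listens on.
    bc_port = ET.fromstring(boncode_settings).findtext("Port")
    if bc_port != ajp_port:
        findings.append(f"BonCodeAJP13.settings: Port {bc_port} does not match "
                        f"the Tomcat AJP port {ajp_port}")

    # 3. IIS side: wildcard handler registered, and Windows auth actually on.
    wc = ET.fromstring(web_config)
    handler = wc.find(".//handlers/add[@name='BonCode-Tomcat-WC-Handler']")
    if handler is None:
        findings.append("web.config: BonCode handler not registered, so IIS serves "
                        "its own 404 for /ufs/ instead of forwarding")
    elif handler.get("path") != "*" or handler.get("verb") != "*":
        findings.append('web.config: handler path and verb must both be "*" '
                        "to forward every request to Tomcat")
    win = wc.find(".//windowsAuthentication")
    anon = wc.find(".//anonymousAuthentication")
    if win is None or win.get("enabled", "false").lower() != "true":
        findings.append("web.config: windowsAuthentication is not enabled, so "
                        "getRemoteUser() will be empty")
    if anon is not None and anon.get("enabled", "").lower() == "true":
        findings.append("web.config: anonymousAuthentication is enabled alongside "
                        "Windows auth, so IIS may forward requests with no user")
    return findings


if __name__ == "__main__":
    for finding in check_chain(SERVER_XML, BONCODE_SETTINGS, WEB_CONFIG) or ["all three files agree"]:
        print(finding)
```

Run against the samples as posted, the only finding is the assumed loopback check on the AJP connector; everything Steve asked for is present. Note also that pointing a browser at localhost:8009, as tried in #3, does not test anything: AJP is a binary protocol, not HTTP, so a time-out there is the expected result and says nothing about whether IIS is forwarding. The Tomcat access log Steve mentions is the reliable indicator.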

