Focal Point
[SOLVED] SingleSignOn - REMOTE_USER not populated

This topic can be found at:
https://forums.informationbuilders.com/eve/forums/a/tpc/f/7971057331/m/7391075813

February 17, 2009, 04:03 AM
Jean-Pierre
[SOLVED] SingleSignOn - REMOTE_USER not populated
Hi,

I'm trying to get the SingleSignOn for the Dashboard running, but my REMOTE_USER variable is not being populated. I read the manual and other guides several times, but something is going wrong in my configuration.

I'm using a Windows Server 2003 with WebFOCUS 7.6.4 with Tomcat and no IIS installed.


1. I configured the custom settings in the MR Administration Console like:

IBIMR_domain(pass)
MR_FULL_FEXNAME(pass)
MR_ITEM_HANDLE(pass)
MR_CHANGE_PASS(protect)
IBIMR_user (pass)
WORP_USER(pass)
REMOTE_USER(pass)

2. I configured the MR security settings for authentication like:
User Web Server REMOTE_USER variable + Include Windows domain

3. Tomcat server.xml file:
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" enableLookups="false" request.tomcatAuthentication="false" tomcatAuthentication="false" redirectPort="8443" protocol="AJP/1.3" />

When I try to open the dashboard I get an error message like the following:

Error Number 19104
Description invalid User-ID or Password.
ibi.webfoc.wfmre.mrutil.WFMRError: invalid User-ID or Password

(I searched for this Error Number, but I only found another description for that error, which does not match mine.)


But this becomes understandable when I trace the MR Realm Driver during dashboard login:

**********************************D:/ibi/WebFOCUS76/logs\00103_mrrealm_090217_094421.trace
----------------------------------------------------------------
Logging started on [2009-02-17 09:44:21 CET]
WF Gen: 168 Date: Thursday, November 15, 2007 5:15:36 AM CET
MR Realm Driver Revision: 2.3.0 (7.6)
----------------------------------------------------------------
[2009-02-17 09:44:21 CET] {INFO} [WFMRX_MRSecurityDriver] authenticateUser: Trusted Mode Authentication for user 'null'
[2009-02-17 09:44:21 CET] {INFO} [WFMRX_MRSecurityDriver] findReposUserByID: User 'null' Not Found
[2009-02-17 09:44:21 CET] {INFO} [WFMRX_MRSecurityDriver] >authenticateUser: User null failed to authenticate

The HTTP Request Info in the diagnostics tells me the following:

App Server: Apache Tomcat/5.5.25
REMOTE_USER: null
J2EE-Role: Unknown

HTTP-Header:
Header-Name Header-Wert
accept image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
accept-language de
ua-cpu x86
accept-encoding gzip, deflate
user-agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.1)
host xxxyyy
connection Keep-Alive
cookie JSESSIONID=516D23295DF31DB3A0A793D907F06DDA; IBIWF_language=de; wcSessionID=8E07671DA0E11D3F1514063BB993ECF582907E58397875A27C4F96BD7EF4E2BD; WFC_COOKIE=137e9fb318a19cd5513a1f13eef6c6413cd5f5883be2e9b5886c4e7378081d42bb9d87b835ef3f2ab66eced41e6144d78ba138814d56c0edd5093169a01a19c9381c


Is anyone able to make a suggestion for a solution?



-----
WebFOCUS 7.6.4 on Windows Server 2003 with Oracle DB / MS SQL Server
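
Added example (not part of the original post and not WebFOCUS code): a small Python triage of the MR Realm Driver trace format shown in the post above. It flags trusted-mode logins where the principal arrived as 'null', which points at the front end not authenticating the request rather than at a wrong password. The `EXAMPLE\jdoe` line and the function and variable names are constructed for illustration.

```python
import re
from collections import Counter

# Layout seen in the post: [timestamp] {LEVEL} [component] method: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\{(?P<level>\w+)\}\s+\[(?P<component>[^\]]+)\]\s+"
    r">?(?P<method>\w+):\s+(?P<msg>.*)$"
)
TRUSTED_RE = re.compile(r"Trusted Mode Authentication for user '(?P<user>[^']*)'")
FAILED_RE = re.compile(r"User (?P<user>\S+) failed to authenticate")
# Values meaning the servlet container handed over no authenticated principal.
EMPTY_PRINCIPALS = {"", "null"}

# First five lines are from the post; the last one is constructed for contrast.
SAMPLE = r"""
Logging started on [2009-02-17 09:44:21 CET]
----------------------------------------------------------------
[2009-02-17 09:44:21 CET] {INFO} [WFMRX_MRSecurityDriver] authenticateUser: Trusted Mode Authentication for user 'null'
[2009-02-17 09:44:21 CET] {INFO} [WFMRX_MRSecurityDriver] findReposUserByID: User 'null' Not Found
[2009-02-17 09:44:21 CET] {INFO} [WFMRX_MRSecurityDriver] >authenticateUser: User null failed to authenticate
[2009-02-17 09:50:02 CET] {INFO} [WFMRX_MRSecurityDriver] authenticateUser: Trusted Mode Authentication for user 'EXAMPLE\jdoe'
""".strip().splitlines()

def triage(lines):
    """Return (findings, counts) for a list of trace lines."""
    findings, counts = [], Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # banner and separator lines carry no event
        msg = m.group("msg")
        trusted = TRUSTED_RE.search(msg)
        if trusted:
            counts["trusted_attempts"] += 1
            if trusted.group("user").strip().lower() in EMPTY_PRINCIPALS:
                counts["empty_principal"] += 1
                findings.append((m.group("ts"),
                                 "trusted-mode login without REMOTE_USER: "
                                 "check front-end authentication, not the password"))
        if FAILED_RE.search(msg):
            counts["failed"] += 1
    return findings, counts

if __name__ == "__main__":
    found, totals = triage(SAMPLE)
    for ts, note in found:
        print(ts, note)
    print(dict(totals))
```
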
February 17, 2009, 07:36 AM
<JG>
First thing I would do is check your browser security settings.
It needs to be set to Automatic logon with current username and password
February 17, 2009, 08:44 AM
dhagen
If you are using Tomcat with no IIS, then changing AJP is meaningless, as you will be connecting to the HTTP connector.

How is Tomcat supposed to know who you are?


"There is no limit to what you can achieve ... if you don’t care who gets the credit." Roger Abbott
February 17, 2009, 10:23 AM
Jean-Pierre
@JG
I checked these browser settings, although the security and administration manual says that the browser should be configured to "Automatic logon only in Intranet zone".

@dhagen
What configuration do I have to set to get the REMOTE_USER populated without IIS?


-----
WebFOCUS 7.6.4 on Windows Server 2003 with Oracle DB / MS SQL Server
February 17, 2009, 11:27 AM
Sayed
Jean,

Are you planning to grab the windows logon id?

Sayed


WF 8.x and 7.7.x Win/UNIX/AS400, MRE/Portal/Self-Service, IIS/Tomcat, WebSphere, IWA, Realmdriver, Active Directory, Oracle, SQLServer, DB2, MySQL, JD Edwards, E-BIZ, SAP BW, R/3, ECC, ESSBASE
February 17, 2009, 11:42 AM
Jean-Pierre
Maybe I did not understand the single sign on authentication process correctly, but I think it is becoming a bit clearer now.

The Web Server populates the REMOTE_USER variable and Tomcat is able to read that variable and pass it to the MRE. I don't use IIS as Web Server, so Tomcat receives an empty REMOTE_USER variable. Is that correct so far?

If I don't use a Web Server that sets the REMOTE_USER variable, is it possible to get the SingleSignOn working with Tomcat? Or do I need to install a Web Server and there is no way around it?


-----
WebFOCUS 7.6.4 on Windows Server 2003 with Oracle DB / MS SQL Server
February 17, 2009, 11:43 AM
dhagen
To get the Remote_User without IIS you would have to configure Tomcat to use Active Directory as an authentication point. This would not be trusted, and therefore, your users would be then prompted for credentials.

To get true SSO with Tomcat standalone, read TM4647 (Configuring Single Sign-on to the WebFOCUS Reporting Server Using Kerberos). It can be a bit of a ride to configure, but it should allow you to do what you are looking for.


"There is no limit to what you can achieve ... if you don’t care who gets the credit." Roger Abbott
February 17, 2009, 12:53 PM
<JG>
Sorry I should have asked the obvious question first.

If it's Tomcat standalone then you need to configure and deploy a servlet like jcifs; this is open source and quite easy to do.

However, depending on your security implementations, you may need to go to a servlet such as Jespa; this is foc for a max 25 users but $400 for unlimited users (peanuts).

The browser settings you have are fine if the webserver is on the intranet; however, if you have external users they must use the Internet logon.
February 18, 2009, 04:40 AM
Jean-Pierre
As I see it, the easiest way to get the SSO working is to use the IIS. Alternatively we can implement JCIFS for NTLM authentication for Tomcat standalone or use the Kerberos protocol.

I think we will install the WebFOCUS with IIS in the future and try the solution with the JCIFS also.

Thank you for your help.


-----
WebFOCUS 7.6.4 on Windows Server 2003 with Oracle DB / MS SQL Server