Pass-through Authentication


Pass-through authentication (single sign-on) lets you log in to Network Configuration Manager automatically with the username and password of your current Windows session. You do not need to enter your Windows credentials manually to log in to the Network Configuration Manager web client.

Prerequisites:

Configuring Active Directory authentication

Active Directory authentication must already be configured in Network Configuration Manager for the domain for which you want to enable Pass-through Authentication. Click here to know how to add a domain under Active Directory authentication in Network Configuration Manager.

Creating necessary user accounts in Network Configuration Manager

  • The user accounts for which you want to enable pass-through must already exist in Network Configuration Manager. Click here to know how you can add new users.
  • Note: Pass-through authentication works only for Active Directory users that have already been added to Network Configuration Manager. If you do not want to create a user account manually for every user in your domain, enable auto-login for the domain (Admin → User Manager → Windows Domains). Once auto-login is enabled, you have to enter the username and password of your account manually only during the first login, and a user account is then created automatically in Network Configuration Manager. From then on, you can work without entering them manually.

Creating Computer Account:

Network Configuration Manager needs a computer account in the Domain Controller to access the NETLOGON service in the domain. Click here to know how you can create a new computer account.

Note: After version 124085, new computer accounts can be created from the Passthrough configuration window itself, if the Network Configuration Manager service is running under a user who has administrative privileges. Also, if the Network Configuration Manager server has been started from Command Prompt, make sure it is being run as an administrator.

Configuring Network Configuration Manager as a trusted site in your browser(s):

Network Configuration Manager webserver must be added as a trusted site in all browsers you are going to use to access the Network Configuration Manager webclient, to prevent the browsers from opening unnecessary popups for providing your credentials.

To configure trusted sites, follow these steps:

  • For Internet Explorer (applicable to Chrome as well):
  • For Firefox:
  • In the URL box, enter about:config. If a warning page is displayed, click the button "I'll be careful. I promise". In the resulting page, search for ntlm. Double-click the option network.automatic-ntlm-auth.trusted-uris. Enter the Network Configuration Manager server URL in the text box and click OK. (Multiple site entries can be entered, separated by commas.)

Configuring Passthrough Authentication in Network Configuration Manager:

After all the prerequisites have been ensured, follow the steps below to auto-configure Passthrough Authentication in Network Configuration Manager:

  • Go to Settings > User management > 'Pass-through' tab.
  • Click on the 'Enable' button, and select the required domain from the dropdown list.
  • Click on 'Fetch' to get all the necessary credentials from the domain controller such as Bind string, DNS server IPs and DNS site.
  • Note: If there are any issues in fetching the necessary details, or if you're in a version of Network Configuration Manager earlier than 124085, you will have to configure these settings manually.
  • Also, enter the Computer account and password of the Domain Controller (computer account name must be less than or equal to 15 characters). If you provide the wrong credentials, an error message will be displayed which indicates whether the account name or the password is wrong, or if the account doesn't exist.
  • After version 124085, if the Network Configuration Manager service runs under a user who has administrator privileges, an account will be created with the provided account name even if it doesn't exist already.
  • Also, if you want to update your password, just select the 'Override existing computer account password' checkbox, and the existing password for the computer account will be overridden with the value that you have provided in the 'Password' field.
  • To verify if the provided details are right, click on 'Save & Test'. If all the details are provided correctly, a success message will be displayed on your screen. If not, a message displaying the possible errors in the parameters passed will be displayed. Rectify those errors and then click 'Save'.
  • Otherwise, if you are confident in the credentials that you provided, you can click 'Save' directly.

Configuring Passthrough Authentication manually

  1. Domain Name: NETBIOS name of your domain. Example: OPMANHV (How can I find it?)
  2. Bind String: DNS Name of your domain. Example: opmanhv.com (How can I find it?)
  3. DNS Server IP: Primary IP Address of the DNS Server. (Separated by commas if there are multiple DNS server IPs) (How can I find it?)
  4. DNS Site: Site under which the Domain Controller is listed. (How can I find it?)
  5. Computer Account: Account name of the computer account created.
    Example: mytestacc$@OPMANHV.COM
    (For versions of Network Configuration Manager before 124085, it is mandatory to append $@domain_dns_name with the account name.)
    Note that the computer account name must be less than or equal to 15 characters.
  6. Password: Password of the computer account

1 & 2 - Getting Domain DNS Name and NETBIOS Name:

In the Domain Controller device, open Start → Administrative Tools → Active Directory Users and Computers.

3 - Getting DNS Server IP:

Open Command Prompt in Network Configuration Manager server. Run the command "ipconfig /all". The first IP Address mentioned in the DNS Servers field is the primary DNS Server IP Address.

4 - Getting DNS Site:

In the Domain Controller device, open Start → Administrative Tools → Active Directory Sites and Services. The site under which your Domain Controller device name is listed is your site name. You can leave the DNS Site field empty in the Pass-through configuration form in Network Configuration Manager if there is only one site present in your Domain Controller.
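
The lookups for fields 1 to 5 of the manual form can also be gathered in one pass. The PowerShell below is an added example, not part of the original page or the product: the function name Get-PassThroughFormValues and its parameter are hypothetical, and it assumes a domain-joined Windows host with the ActiveDirectory (RSAT) module installed.

```powershell
# Added example; function and parameter names are hypothetical, not part of the product.
# Assumes a domain-joined Windows host with the ActiveDirectory (RSAT) module installed.
function Get-PassThroughFormValues {
    param(
        # Computer account name only, without the trailing $ or @domain suffix.
        [Parameter(Mandatory)][string]$AccountName
    )

    # The page limits the computer account name to 15 characters.
    if ($AccountName.Length -gt 15) {
        throw "Account name '$AccountName' has $($AccountName.Length) characters; the limit is 15."
    }

    Import-Module ActiveDirectory -ErrorAction Stop
    $domain = Get-ADDomain -Current LocalComputer

    # Site of this computer, as listed in Active Directory Sites and Services.
    $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

    # IPv4 DNS servers across all adapters, de-duplicated.
    # Check the order against the DNS Servers field of "ipconfig /all".
    $dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses } |
        Where-Object { $_ } |
        Select-Object -Unique

    [pscustomobject]@{
        DomainName      = $domain.NetBIOSName      # 1. NETBIOS name of the domain
        BindString      = $domain.DNSRoot          # 2. DNS name of the domain
        DnsServerIP     = $dnsServers -join ','    # 3. comma-separated when there are several
        DnsSite         = $site                    # 4. may be left empty with a single site
        # 5. Same form as the page's example: mytestacc$@OPMANHV.COM
        ComputerAccount = '{0}$@{1}' -f $AccountName, $domain.DNSRoot.ToUpper()
    }
}

# Constructed sample call; "mytestacc" is the account name from the page's example.
Get-PassThroughFormValues -AccountName 'mytestacc' | Format-List
```

The function takes no password on purpose, so the computer account password never lands in a script file or transcript; enter it in the form directly.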

Creating a new computer account:

To create a new computer account, follow the steps below:

  • Run the script NewComputerAccount.vbs present under OpManager_Home\conf\OpManager\application\scripts to create a new computer account.
  • cscript NewComputerAccount.vbs account_name /p password /d domain_name
  • To reset the password for an existing computer account, run the script SetComputerPass.vbs present under OpManager_Home\conf\OpManager\application\scripts.
  • cscript SetComputerPass.vbs account_name /p password /d domain_name
  • Ensure that the password you give complies with the password policy for that domain. Do not use the New Computer Account option in the AD native client, which does not allow you to choose a password. If you face problems running this script from the Network Configuration Manager server, copy the script to the domain controller machine itself and try running it there.

Note: The length of the computer account name must be less than or equal to 15 characters.

Design Limitation:

  • Pass-through authentication can be enabled for only one domain, preferably the domain in which the Network Configuration Manager server resides. If pass-through has been configured for a domain other than the one in which the Network Configuration Manager server resides, ensure that the other domain provides logged-in user information to a website from a different domain.

Disable Pass-through Authentication:

In the Network Configuration Manager web client, click on Settings → Basic Settings → User Management → Pass-through. Use the radio buttons to Enable/Disable Passthrough Authentication.

Log File:

If you face any issue with Pass-through Authentication, contact support with a ZIP file of the logs present under OpManager_Home\logs folder.
