Pass-through Authentication

Pass-through authentication (single sign-on) lets you log in to OpManager automatically using the username and password of your current Windows session. You do not need to enter your Windows credentials manually to log in to the OpManager web client.

Prerequisites:

  • Configuring Active Directory authentication

    Active Directory authentication must already be configured in OpManager for the domain in which you want to enable pass-through authentication. Click here to learn how to add a domain under Active Directory authentication in OpManager.

  • Creating necessary user accounts in OpManager

    The user accounts for which you want to enable pass-through must already exist in OpManager. Click here to learn how to add new users.

    Note: Pass-through authentication works only for Active Directory users that have already been added to OpManager. If you do not want to create a user account manually for every user in your domain, enable auto-login for the domain (Admin → User Manager → Windows Domains). Once auto-login is enabled, you enter the username and password of your account manually only during the first login; an OpManager user account is then created automatically. From then on, you are logged in without entering credentials.

  • Creating Computer Account:

    A computer account must be created in the Domain Controller so that OpManager can access the NETLOGON service in the domain. Click here to learn how to create a new computer account.

    Note: From version 124085 onwards, new computer accounts can be created from the Pass-through configuration window itself, provided the OpManager service runs under a user with administrative privileges. If the OpManager server is started from the Command Prompt, make sure the prompt is running as an administrator.

  • Configuring OpManager as a trusted site in your browser(s):

    The OpManager web server must be added as a trusted site in every browser you will use to access the OpManager web client; otherwise the browser opens unnecessary popups asking for your credentials.

    To configure trusted sites, follow these steps:

    • For Internet Explorer (applicable to Chrome as well):

      Open Tools > Internet Options > Security > Local Intranet > Sites > Advanced. Enter the OpManager server URL and click Add.

    • For Firefox:

      In the URL box, enter about:config. Click the button "I'll be careful. I promise" if a warning page is displayed. On the resulting page, search for ntlm. Double-click the option network.automatic-ntlm-auth.trusted-uris, enter the OpManager server URL in the text box and click OK. (Multiple sites can be entered, separated by commas.)

Configuring Passthrough Authentication in OpManager:

After all the prerequisites have been ensured, follow the steps below to auto-configure Passthrough Authentication in OpManager:

  • Go to Settings > User management > 'Pass-through' tab.
  • Click on the 'Enable' button, and select the required domain from the dropdown list.
  • Click on 'Fetch' to get all the necessary credentials from the domain controller such as Bind string, DNS server IPs and DNS site.

    Note: If there are any issues in fetching the necessary details, or if you are using a version of OpManager earlier than 124085, you will have to configure these settings manually.

  • Also, enter the computer account and password for the Domain Controller (the computer account name must be 15 characters or fewer). If you provide wrong credentials, an error message indicates whether the account name or the password is wrong, or whether the account does not exist.
  • From version 124085 onwards, if the OpManager service runs under a user with administrator privileges, an account with the provided name will be created if it does not already exist.
  • If you want to change the password, select the 'Override existing computer account password' checkbox; the existing password of the computer account will be overridden with the value you provided in the 'Password' field.
  • To verify if the provided details are right, click on 'Save & Test'. If all the details are provided correctly, a success message will be displayed on your screen. If not, a message displaying the possible errors in the parameters passed will be displayed. Rectify those errors and then click 'Save'.
  • Alternatively, if you are confident in the credentials you provided, you can click 'Save' directly.

Configuring Passthrough Authentication manually

To manually configure Passthrough authentication, you'll need the following details:

  1. Domain Name: NETBIOS name of your domain. Example: OPMANHV (How can I find it?)
  2. Bind String: DNS Name of your domain. Example: opmanhv.com (How can I find it?)
  3. DNS Server IP: Primary IP Address of the DNS Server. (Separated by commas if there are multiple DNS server IPs) (How can I find it?)
  4. DNS Site: Site under which the Domain Controller is listed. (How can I find it?)
  5. Computer Account: Account name of the computer account created.
    Example: mytestacc$@OPMANHV.COM
    (For OpManager versions before 124085, you must append $@domain_dns_name to the account name.)
    Note that the computer account name must be less than or equal to 15 characters.
  6. Password: Password of the computer account

1 & 2 - Getting Domain DNS Name and NETBIOS Name:

On the Domain Controller, open Start → Administrative Tools → Active Directory Users and Computers.

3 - Getting DNS Server IP:

Open a Command Prompt on the OpManager server and run the command "ipconfig /all". The first IP address listed in the DNS Servers field is the primary DNS server IP address.

4 - Getting DNS Site:

On the Domain Controller, open Start → Administrative Tools → Active Directory Sites and Services. The site under which your Domain Controller is listed is your site name. You can leave the DNS Site field empty in the Pass-through configuration form in OpManager if there is only one site in your Domain Controller.
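The lookups in steps 1 to 4 can also be done from the OpManager server itself. The following PowerShell is an added example, not OpManager's own code: it assumes a domain-joined Windows host, uses only built-in tools (no RSAT module), and takes the placeholder account name mytestacc from the example above.

```powershell
# Added example (not OpManager's own code): collect the values the manual
# Pass-through form asks for, from a domain-joined Windows host.
# 'mytestacc' is a placeholder; replace it with the account you created.
$computerAccount = 'mytestacc'

# 1 & 2: Bind String (DNS name) and NETBIOS name of the domain the host is joined to.
$domain     = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$bindString = $domain.Name                         # e.g. opmanhv.com
# nltest locates a DC and prints a "Dom Name:" line holding the NETBIOS name.
$nltestOut   = nltest /dsgetdc:$bindString 2>$null
$netbiosName = ($nltestOut | Select-String 'Dom Name:\s*(\S+)' |
                Select-Object -First 1).Matches[0].Groups[1].Value

# 3: DNS server IPs; the first address is the primary one.
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object { $_.ServerAddresses } |
    Select-Object -Unique

# 4: AD site this host belongs to (may be left empty when the forest has one site).
$dnsSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

# 5: computer account checks: the 15-character limit and existence in AD.
if ($computerAccount.Length -gt 15) {
    Write-Warning "Computer account name '$computerAccount' exceeds 15 characters."
}
$searcher      = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$computerAccount`$))"
$accountExists = $null -ne $searcher.FindOne()

# Summary in the order the Pass-through form lists the fields.
[pscustomobject]@{
    DomainName      = $netbiosName
    BindString      = $bindString
    DnsServerIPs    = $dnsServers -join ','
    DnsSite         = $dnsSite
    ComputerAccount = "$computerAccount`$@$($bindString.ToUpper())"   # pre-124085 format
    AccountExists   = $accountExists
}
```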

Creating a new computer account:

To create a new computer account, follow the steps below:

  • Run the script NewComputerAccount.vbs present under OpManager_Home\conf\OpManager\application\scripts to create a new computer account.

    cscript NewComputerAccount.vbs account_name /p password /d domain_name

  • To reset the password of an existing computer account, run the script SetComputerPass.vbs present under OpManager_Home\conf\OpManager\application\scripts.

    cscript SetComputerPass.vbs account_name /p password /d domain_name

  • Ensure that the password you choose complies with the password policy of that domain. Do not use the New Computer Account option in the AD native client, which does not let you choose a password. If you face problems running this script from the OpManager server, copy the script to the domain controller itself and run it there.

Note: The length of the computer account name must be less than or equal to 15 characters.

Design Limitation:

  • Pass-through authentication can be enabled for only one domain, preferably the domain in which the OpManager server resides. If pass-through is configured for a domain other than the one in which the OpManager server resides, ensure that the other domain will provide logged-in user information to a website in a different domain.

Disable Pass-through Authentication:

In the OpManager web client, click Settings → Basic Settings → User Management → Pass-through. Use the radio buttons to enable or disable pass-through authentication.

Log File:

If you face any issue with pass-through authentication, contact support with a ZIP file of the logs present under the OpManager_Home\logs folder.