Hi Zanyterp,
No, actually, there isn't any binding for the web site, and it is working fine on our internal network but not over the sslvpn.
I have tested after adding the delegated host to the web site, but it failed; it kept prompting me to enter the ID and password.
regards,
lawpak
Hi,
the following is the user log:
thanks,
lawpak
Info AUT22886 2012-06-22 11:20:20 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - Session timed out for DOMAIN\kat.law/Domain Users (session:00000000) due to inactivity (last access at 11:04:23 2012/06/22). Idle session identified during routine system scan.
Info WEB20174 2012-06-22 11:04:39 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - WebRequest completed, GET to http://crm:5555//domainCRMProdEnv/m from 192.168.101.216 result=401 sent=31 received=0 in 0 seconds
Minor ERR24617 2012-06-22 11:04:39 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - Fetch Kerberos TGS for user kat.law, TGT user kat.law, realm HK.domain.COM, host crm failed: Fetch TGS fetch error: Server not found in Kerberos database
Minor ERR24617 2012-06-22 11:04:39 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - Fetch Kerberos TGS for user kat.law, TGT user kat.law, realm HK.domain.COM, host crm.hk.domain.com failed: Fetch TGS fetch error: Server not found in Kerberos database
Info WEB20169 2012-06-22 11:04:39 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - WebRequest ok : Host: crm, Request: GET /domainCRMProdEnv/m HTTP/1.1
Info WEB24618 2012-06-22 11:04:39 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - Web SSO: Fetched Kerberos TGT Ticket Client: [email protected], Server: krbtgt/[email protected], auth 06/22/12 11:04:39, start 06/22/12 11:04:39, end 06/22/12 21:04:39, renew 01/01/70 07:00:00, current 06/22/12 11:04:39
Info WEB20174 2012-06-22 11:04:28 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - WebRequest completed, GET to http://crm:5555//domainCRMProdEnv/m from 192.168.101.216 result=401 sent=31 received=0 in 0 seconds
Info WEB20169 2012-06-22 11:04:28 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - WebRequest ok : Host: crm, Request: GET /domainCRMProdEnv/m HTTP/1.1
Info AUT22670 2012-06-22 11:04:23 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - Login succeeded for DOMAIN\kat.law/Domain Users (session:00000000) from 10.0.0.1.
Info AUT24326 2012-06-22 11:04:22 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[] - Primary authentication successful for DOMAIN\kat.law/Domain AD from 10.0.0.1
Info AUT22673 2012-06-22 11:04:10 - XXXXX-SA-01 - [10.0.0.1] DOMAIN\kat.law(Domain Users)[IT Support, Domain Users, Open Asset, GlobalPilot, Project Images, CRM] - Logout from 10.0.0.1 (session:00000000)
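Added example, not part of any post in this thread: a small triage script for a user access log in the layout pasted above. It lists each backend name for which the gateway's TGS fetch failed with "Server not found in Kerberos database" (the KDC has no service principal registered under that name) and counts the 401 responses from the same host. The sample log, host names, user and realm are constructed; only the message IDs ERR24617 and WEB20174 and the message wording are taken from the log above.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the pasted log, run together on one
# line the way it was posted (hosts, user and realm are placeholders).
P = " - SA-01 - [10.0.0.1] EXAMPLE\\user1(Users)[CRM] - "
TGS = "Fetch Kerberos TGS for user user1, TGT user user1, realm EXAMPLE.COM, host "
ERR = " failed: Fetch TGS fetch error: Server not found in Kerberos database"
SAMPLE_LOG = " ".join(head + P + msg for head, msg in [
    ("Info WEB20169 2012-06-22 11:04:39", "WebRequest ok : Host: app, Request: GET /portal HTTP/1.1"),
    ("Minor ERR24617 2012-06-22 11:04:39", TGS + "app" + ERR),
    ("Minor ERR24617 2012-06-22 11:04:39", TGS + "app.example.com" + ERR),
    ("Info WEB20174 2012-06-22 11:04:39", "WebRequest completed, GET to http://app:5555/portal "
     "from 192.0.2.10 result=401 sent=31 received=0 in 0 seconds"),
    ("Info WEB20174 2012-06-22 11:04:40", "WebRequest completed, GET to http://files.example.com/ "
     "from 192.0.2.10 result=200 sent=10 received=512 in 0 seconds"),
])

# Every entry starts with: severity, message ID, timestamp, " - ".
HEADER = re.compile(r"\b([A-Z][a-z]+) ([A-Z]{3}\d{5}) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - ")
TGS_FAIL = re.compile(r"Fetch Kerberos TGS for user \S+, .*?host (\S+) failed: "
                      r".*Server not found in Kerberos database")
WEB_DONE = re.compile(r"WebRequest completed, \w+ to https?://([^/:\s]+)\S* from \S+ result=(\d{3})")

def split_entries(text):
    """Split a pasted log (one entry per line, or all run together) into records."""
    marks = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        entries.append({"severity": m.group(1), "id": m.group(2),
                        "ts": m.group(3), "body": text[m.end():end].strip()})
    return entries

def triage(text):
    """Group unknown-principal TGS failures by short host name; count 401s to that host."""
    report = defaultdict(lambda: {"names_tried": set(), "http_401": 0})
    entries = split_entries(text)
    for e in entries:
        m = TGS_FAIL.search(e["body"])
        if m:  # the gateway tried this name and the KDC did not know it
            host = m.group(1).lower()
            report[host.split(".")[0]]["names_tried"].add(host)
    for e in entries:
        m = WEB_DONE.search(e["body"])
        if m and m.group(2) == "401" and m.group(1).lower().split(".")[0] in report:
            report[m.group(1).lower().split(".")[0]]["http_401"] += 1
    return dict(report)

if __name__ == "__main__":
    for host, info in triage(SAMPLE_LOG).items():
        print(host, "names tried:", sorted(info["names_tried"]), "401s:", info["http_401"])
```
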
Hi Kat,
Can you please take a session recording and a policy trace recording web policies when SSO is disabled for the CRM resource, and attach them here. This will determine the authentication used by the backend resource, and we can configure SSO policies based on that.
Note: you can try the below setting and see if it helps.
Under SSO policies, BasicAuth, NTLM and Kerberos policies, please make sure that you exclude the role we are using from the initial basic auth or no SSO policy.
Try configuring NTLM and basic SSO policies for the resource, move them to the top and apply them to the role. We do not know at this point in time what authentication methods the backend is using, so we can try both NTLM and basic and test; the session recording will show the auth methods supported.
Thanks,
Jai
Hi Jai,
Attached the log we tested.
Thanks
Does it work from a computer, or is it the same result as the iPhone log you attached?
From the user access log you attached, you are continuing to try and configure auth for a server that doesn't exist.
Both desktop and iPhone didn't work until I changed the Resource address to IP instead of alias under AutopolicySO
Is there any way I can use the alias and not the IP address? Attached is the screenshot for your reference.
Thanks
Hi Kat,
Thanks,
The authentication supported on the backend is both Kerberos and NTLM.
2 suggestions:
1. Please use the FQDN for the resource bookmark and do not use the short name CRM, as the SSO policy might not get applied correctly.
2. Define an NTLM SSO policy for the resource which is defined as FQDN.
To define one, go to Web-->resource policies SSO General, go to NTLM and enable it, enter your domain, variable username <USERNAME> and variable password <PASSWORD>, and create an NTLM SSO policy for the resource with the credential selected as the one we created.
Regards,
Jay
Thanks Jay, it looks like it is working fine.
Please could you provide all the settings for CRM 2011 on your SA?
I have some problems: when I click on the link of my bookmark, the CRM is not loaded correctly. Advanced search does not work correctly.
Thanks,