03-18-2013 10:10 PM
We are using SM9.30 SSO using IIS7.5 and Apache Tomcat 7 via HTTPS. Everything is working. Let's call this URL:
We have also created a URL that will be used for users that are not part of our domain. This URL will bring you to the HP SM login page:
As you know, when you set up IIS for SSO you only need to enable Windows Authentication. If you enable Anonymous Authentication as well, SSO will not work.
And that's where my problem lies. Whenever we try to use https://sm.mycompany.com.au/sm/index.do, it's asking for a domain account and password (because of the IIS). If I enable Anonymous Authentication in the IIS, it will work but if you use the URL for SSO, it will now display the HP SM login page. It's either one or the other. I can't have both.
Has anyone ever done a setup where it will use Windows Authentication for anything that uses /smsso/? For those using /sm/, it should allow Anonymous Authentication.
Would appreciate any help/ideas/anything on this one.
Thanks and regards,
03-20-2013 11:01 AM
Unfortunately, for Windows Authentication to work with TSO via the Webtier client, you must pass a domain user. There are other products besides Windows Authentication that could be used that might get you around your issue; SiteMinder or WebSEAL maybe. It will not work with anonymous as the user passed from IIS.
If you are willing to NOT use TSO for your non-domain users, you can use the following setup for them:
You will need to set up a separate deployment of the .war/.ear file and a separate ISAPI connection to make this work.
For URLs that have domain users:
Keep the setup how you have it.
For URLs that have non-domain users:
- Rename the SM webtier war file to a new name of your choosing.
- In Tomcat 7, deploy the renamed .war file. As you know, this is your context path once deployed.
- Configure the web.xml for SSL.
- Make sure that the web.xml parameter isCustomAuthenticationUsed is set to true. When TSO is not used, this must be set to true.
- Do not change anything in the application-context.xml file.
- Set the web.xml serverhost and port to be the one to the LoadBalancer on the SM server.
- In IIS, set up a separate virtual host website for the new context path.
- Configure another context path in the workers.properties.minimal and the uriworkermap.properties files to point to the new deployment.
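
Added example, not part of the original thread: once the two IIS sites exist, a small check like the one below can confirm that the SSO site allows only Windows Authentication and the non-domain site allows Anonymous Authentication. The site names "SM-SSO" and "SM-External" and the embedded config excerpt are constructed for illustration; the excerpt follows the `<location>` layout of IIS's applicationHost.config.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt; site names are hypothetical. The SSO site is left with
# Anonymous Authentication on, the state the thread says breaks SSO.
SAMPLE_CONFIG = """
<configuration>
  <location path="SM-SSO">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" />
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="SM-External">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" />
      <windowsAuthentication enabled="false" />
    </authentication></security></system.webServer>
  </location>
</configuration>
"""

# Intended policy per site (assumption drawn from the thread): the SSO site
# uses Windows Authentication only; the non-domain site allows anonymous.
EXPECTED = {
    "SM-SSO": {"anonymousAuthentication": False, "windowsAuthentication": True},
    "SM-External": {"anonymousAuthentication": True},
}

def read_auth(config_xml):
    """Return {site: {auth_element: enabled}} from <location> blocks."""
    sites = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        auth = next(loc.iter("authentication"), None)
        if auth is not None:
            sites[loc.get("path")] = {
                el.tag: el.get("enabled", "").lower() == "true" for el in auth
            }
    return sites

def audit(config_xml, expected=EXPECTED):
    """Return (site, setting, actual, wanted) for each setting off policy."""
    actual = read_auth(config_xml)
    findings = []
    for site, wanted in expected.items():
        for setting, value in wanted.items():
            got = actual.get(site, {}).get(setting)  # None: not set at site level
            if got is not value:
                findings.append((site, setting, got, value))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports the SSO site's anonymous setting as off policy; a site missing from the file is reported with an actual value of `None`.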