Project and Portfolio Management Practitioners Forum

Invalid Username/Password Connecting to PPM from MS Project

MaxH
Member

Invalid Username/Password Connecting to PPM from MS Project

In a previous post, Etienne said:

 

"Re: MS Project-Sending WP to PPM Center problem
 

Hi TM,

 

- Are you using some SSO or LDAP authentication in your production environment?

 

- Do you see the prompt for login and password or do you immediately have the "invalid username or password" message popping up?

 

- What are the differences between test and prod environment exactly?

 

- What is the URL of your PPM Production instance, is it of the form http(s)://server[:port]/itg or is there something else between "itg" and the server name:port ?

 

Thanks,

Etienne."

 

----------

I have this same issue.  I implemented a Common Access Card (CAC) Single Sign-On (SSO) login methodology  with PPM and now users are unable to get work plans to/from PPM via the connector.  The error is the same, "Invalid Username or Password". 

 

1.  We are using SSO authentication

2.  We do get an immediate "invalid username or password" message popping up

3.  TEST and PROD are exactly the same, the issue occurs in both instances

4.  The URL is as follows: http://server.domain:8080 (We also tried https://server.domain:443, doesn't work either)

 

The username field in PPM is directly associated with the CAC header information (i.e. - JONES.TIMOTHY.FRANCIS.3456788890) and I purposefully left the existing user passwords in place.  This specific solution works with Workbench, but does not allow connections between the Microsoft Project Connector and PPM.

 

Has anyone else run across this issue or Etienne, did you ever figure out a solution for it?  Thanks.

 

Max

 

 

 

 

6 REPLIES
Etienne_Canaud
HPE Expert

Re: Invalid Username/Password Connecting to PPM from MS Project

Hi Max,

 

It's very interesting to know that you successfully implemented PPM authentication using CAC, as it is not natively supported by PPM (we do get some ER for it).

 

Could you describe what setup you are using exactly to achieve this integration, and what do your users have to do to login?

When you mention that you are using SSO, do you mean the generic Web SSO approach, with authentication done at the web server level?

 

If your users can log in to PPM through the web server but cannot through the MSP Plugin, then I suppose it should be considered a defect. What is strange is that the plugin displays an error message stating that username and password are refused; when using Web SSO, it should display a Web Browser window for the user to authenticate.

 

If you could attach all the MSP Plugin logs when trying to unsuccessfully connect to PPM, that would be helpful. However, please make sure to anonymize the logs and remove any password that may appear in clear, as MSP logger tends to log everything that passes on the network in http_trace.log without obfuscating passwords (this file contains a full dump of the whole network traffic between the plugin and the PPM Server).

 

Thanks,

Etienne.
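
One way to do the scrubbing Etienne asks for before attaching a trace, as an added example that is not part of the original post and not HP's tooling. It assumes the trace is a plain-text HTTP dump; the sample lines, the host name and the `X-SSO-USER` header name are constructed, not taken from a real http_trace.log.

```python
import re

# Headers whose values are credentials or session tokens.
SECRET_HEADERS = ["Authorization", "Proxy-Authorization", "Cookie", "Set-Cookie"]
# Password fields in query strings and form bodies.
PARAM_RE = re.compile(r"(?i)\b((?:password|passwd|pwd)=)[^&\s\"']+")

def scrub_trace(text, extra_headers=()):
    """Return (scrubbed_text, redaction_count) for a plain-text HTTP dump.

    extra_headers names site-specific headers to blank as well, for
    example the SSO identity header that carries the user name.
    """
    names = "|".join(re.escape(h) for h in [*SECRET_HEADERS, *extra_headers])
    # Match the header name at line start, keep it, drop the value.
    # [^\r\n]* stops before the line ending so CRLF is preserved.
    header_re = re.compile(rf"(?im)^([ \t]*(?:{names})[ \t]*:[ \t]*)[^\r\n]*")
    text, n_headers = header_re.subn(r"\g<1>[REDACTED]", text)
    text, n_params = PARAM_RE.subn(r"\g<1>[REDACTED]", text)
    return text, n_headers + n_params

# Constructed sample; not real plugin output.
SAMPLE = (
    "POST /itg/ HTTP/1.1\r\n"
    "Host: ppm.example.test\r\n"
    "Authorization: Basic dXNlcjpzZWNyZXQ=\r\n"
    "X-SSO-USER: DOE.JANE.Q.0000000000\r\n"
    "Cookie: JSESSIONID=ABCDEF0123456789\r\n"
    "\r\n"
    "USERNAME=jdoe&PASSWORD=hunter2&submit=1\r\n"
)

if __name__ == "__main__":
    cleaned, count = scrub_trace(SAMPLE, extra_headers=["X-SSO-USER"])
    print(cleaned)
    print(f"{count} values redacted")
```

Review the output by eye before posting it: a pattern list like this only catches the fields it names.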

 

MaxH
Member

Re: Invalid Username/Password Connecting to PPM from MS Project

Etienne, thanks for responding.

 

The solution for SSO with CAC was actually quite simple, it just took a while to determine what we needed to do in our specific environment.  Regardless, it is done, and yes; we did send the Enhancement Request to HP along with some generic info regarding the setup.

 

The basic setup was fairly simple.

 

First, we enabled the Generic Single Sign-On plug-in.

 

Next, we set the sso.conf to the CAC header that was being passed from our front-end loader (in this case a Citrix Netscaler).

 

Lastly, we made certain that the user authentication mode was set in the Workbench to "PPM" and we populated the user name field with the info that the Netscaler was passing to the PPM server.

 

I then logged into PPM using my CAC and voila, CAC enabled, single sign-on! 

 

There are a couple more things that we did with the Netscaler, but since I am on a Government contract, I am not authorized to divulge the information.  We have made a request to the appropriate person to get permission to forward those configuration parameters to HP for other Government users but I do not know how long that might take.

 

Now users can log directly into PPM using their CAC and it brings them to whatever Dashboard they personalized for themselves.  I have attached the requested logs and am looking forward to hearing from you again.  Thanks.

 

Max

 






Etienne_Canaud
HPE Expert

Re: Invalid Username/Password Connecting to PPM from MS Project

Hi Max,

 

 

Am I correct in assuming that the URL you are using for connecting to PPM from the MSP Plugin is different from your BASE_URL defined in PPM? It's not the URL of your Netscaler (that you should use as BASE_URL), right?

 

If yes, then you have two problems:

 

1) You should always use the BASE_URL for connecting with the MSP Plugin. I suppose that BASE_URL is the URL of your Netscaler. Only like that will the MSP Plugin be able to authenticate properly. It should do so by displaying a WebBrowser window after failing to contact the PPM Server as Netscaler should not allow any non-authenticated HTTP request to reach PPM Server, and the MSP Plugin will detect that and fall back to SSO login mode (i.e. display the web browser window).

 

2) The second problem is much more serious, especially considering that you are supposedly running PPM in a highly secured environment: From the logs, I can see that any client can reach the PPM Server directly (on port 8080) and bypass the frontend Web Server (Netscaler or whatever). This is a MAJOR security flaw when PPM Generic Web SSO is enabled, because it means that any user could forge the HTTP header used by PPM to identify the user, and impersonate any PPM user as long as they know their username. It is absolutely mandatory that you prevent any direct HTTP traffic between clients and the PPM server when using Generic Web SSO. All HTTP traffic MUST go through the front end web server in charge of authentication.

Note that as far as I know, this is emphasized in PPM Administrator User Guide.

 

Please advise,


Thanks,

Etienne.

MaxH
Member

Re: Invalid Username/Password Connecting to PPM from MS Project

Etienne,

1. You are correct in your assumption. We are attempting to connect to the PPM server via the connector using (http://XXXX.XXXXX.XXXX.xxx.xxx:8080/itg) which is different than the BASE_URL in the PPM config. Please understand, however; that whenever I attempt to put the actual BASE_URL in (https://xxxx.xxxxx.xxxx.xxx.xxx:443) I get this error: "The server you entered is unavailable, please try again. You can copy and paste the PPM Server URL from your internet browser bar. Error returned is: "The request was aborted: Could not create SSL/TLS secure channel."

2. Where the second problem is concerned, since we are using CAC authentication, I have been unable to get the Workbench utility to open with SSO. We have not found a way to do this implementation, so therefore we have to keep Port 8080 open to get to the back end for the Workbench. Do you know of a work around for this?

Thanks.

Max

Etienne_Canaud
HPE Expert

Re: Invalid Username/Password Connecting to PPM from MS Project

Hi Max,

 

1) Even though this error message means that the SSL certificate of your server is invalid (and using invalid SSL certificates is not a good practice), the MSP Plugin is supposed to work even when connecting to servers with invalid certificates. This must be a special case of invalid certificate that the MSP Plugin doesn't handle... please open a case with HP Support and attach the MSP logs. Don't hesitate to tell them upfront that I sent you there so that they quickly have R&D open a defect for this. Please inform them that it's very likely that the issue with the plugin code is the same as described here: http://stackoverflow.com/questions/2859790/the-request-was-aborted-could-not-create-ssl-tls-secure-channel

 

 

2) If you open the workbench on desktop, you shouldn't have to connect directly to the PPM Server through HTTP, you only need to have the RMI port open (I may be wrong here, I hope someone with more workbench experience may provide more info). You should at least find a way to restrict the HTTP traffic from your standard users to the PPM server, or else you have a big security issue. One solution if you really need HTTP connection to open the workbench would be to have a firewall prevent all HTTP traffic except for a few machines on a subnetwork, and have trusted Workbench users remote connect to these machines to use the workbench.

 

Thanks,

Etienne.
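
The trust rule behind Etienne's two replies on direct access to the back end, modelled as an added example that is not part of the thread and not PPM code: the identity header counts only when the TCP peer is the authenticating front end, a small set of Workbench hosts may connect directly but get password login only, and everything else is refused. The header name, addresses and sample requests are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

SSO_HEADER = "x-sso-user"                       # hypothetical header name
TRUSTED_PROXIES = [ip_network("10.0.0.10/32")]  # constructed: the SSO front end
WORKBENCH_HOSTS = [ip_network("10.0.5.0/28")]   # constructed: admin jump hosts

def _in(peer, nets):
    return any(peer in net for net in nets)

def classify(peer_ip, headers):
    """Decide how a request arriving at the back-end HTTP port is treated.

    peer_ip must be the TCP peer address seen by the back end, never a
    client-supplied value such as X-Forwarded-For.
    """
    peer = ip_address(peer_ip)
    claimed = {k.lower(): v for k, v in headers.items()}.get(SSO_HEADER)
    if _in(peer, TRUSTED_PROXIES):
        # Only the front end authenticated the user, so only it may assert identity.
        return ("sso", claimed) if claimed else ("deny", None)
    if _in(peer, WORKBENCH_HOSTS):
        # Direct access is tolerated, but the header is ignored: password login only.
        return ("password-login", None)
    return ("deny", None)

def audit(records):
    """Return direct requests that carried an identity header the back end must not trust."""
    findings = []
    for peer_ip, headers in records:
        decision, _ = classify(peer_ip, headers)
        claimed = {k.lower(): v for k, v in headers.items()}.get(SSO_HEADER)
        if decision != "sso" and claimed:
            findings.append((peer_ip, claimed, decision))
    return findings

# Constructed sample of requests seen on the back-end port.
SAMPLE = [
    ("10.0.0.10", {"X-SSO-USER": "DOE.JANE.Q.0000000000"}),
    ("10.0.5.3", {"User-Agent": "workbench"}),
    ("10.0.5.4", {"X-SSO-USER": "DOE.JANE.Q.0000000000"}),
    ("192.0.2.77", {"x-sso-user": "ROE.RICHARD.A.1111111111"}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("untrusted identity header:", finding)
```

Entries returned by `audit` are requests where a user name was asserted by something other than the front end, which is the case the firewall restriction is meant to make impossible.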

MaxH
Member

Re: Invalid Username/Password Connecting to PPM from MS Project

Thanks Etienne. I have opened a ticket with Support and hopefully we can get this figured out. Appreciate your support. Max