Service Desk Practitioners Forum
Active Directory integration SD 5.0.Sp1

Rubem Andrade
Occasional Visitor

Active Directory integration SD 5.0.Sp1

Hi fellows,
Is anybody using this? If yes, I just need a helping hand to clarify some issues regarding it. Please don't tell me about the documentation like "how to integrate HP OpenView..." or the release notes... I need an example of a real config, if possible a real OVLOGIN file, just to see... I'm stuck waiting for the creation of a user on AD.
HP suggests taking a look at the Online Help... but I don't have a login... so...
Thanks and regards,
Rubem
11 REPLIES
Hasim.Baba
Frequent Visitor

Re: Active Directory integration SD 5.0.Sp1

Hi Rubem,
I have tried everything available in the online help (it's incomplete; the missing info is in the release notes). I did not, however, try the token validation option (as it's for added security). I have already specified in my ovlogin file that I do not want to validate the token... the bottom line is that it does not work. I am wondering if anybody ever got it to work.

If you get it to work, please do share the steps.

Thanks,
-HSB
mmv
Member

Re: Active Directory integration SD 5.0.Sp1

Hello.

Here are the steps for making the SD-AD integration work:
1. Alter ovlogin.cfg to contain the following:
OVConsole {
com.hp.ov.sec.login.server.module.ADssoLoginModule required
realm=""
kdc=""
debug="true";
};
2. Restart the login server.
3. Alter the SD user account: select "block Obs Authentication" and put @ in the "active directory user name" field.
4. Add the -DServer= parameter to the link to ovconsole.bat and remove any users from the client settings.
5. Everything should work and you will see the following lines in the system log:
Jul 11, 2006 2:04:34 PM;9;11;com.hp.ov.sec.login.common.LoginContextProxy;;com.hp.ov.sec.login.common.LoginContextProxy;INFO;Obtaining UUID for this login session:
Jul 11, 2006 2:04:35 PM;10;11;com.hp.ov.sec.login.common.callback.Krb5TicketCallback;useCache;com.hp.ov.sec.login.common.callback.Krb5TicketCallback;INFO;Krb5TicketCallback is configured to use Krb5LoginModule to obtain the ticket.
Jul 11, 2006 2:04:35 PM;11;11;com.hp.ov.sec.login.common.LoginContextProxy;login;com.hp.ov.sec.login.common.LoginContextProxy;INFO;Login successful for session:
Hasim.Baba
Frequent Visitor

Re: Active Directory integration SD 5.0.Sp1

Thanks... but I am still not able to log in. The error in the system log file is:

Jul 12, 2006 5:58:57 PM;28;29;com.hp.ov.sec.login.server.LoginServer;processThrowable;com.hp.ov.sec.login.server.LoginServer;SEVERE;class java.lang.SecurityException caught in the login server: D:\Program Files\HP OpenView\data\conf\sec\login\ovlogin.config (Access is denied)

My ovlogin.config file looks like this:

OVConsole {
com.hp.ov.sec.login.server.module.ADssoLoginModule required
realm="domainname"
kdc="hostnameofkdc"
debug="true";
};
OVConsole {
com.hp.ov.obs.impl.auth.ObsLoginModule required
providerURL="itp://localhost:30999"
debug="false";
};

Also, I have done the changes as you mentioned.

Do you suspect it has anything to do with multiple authentication mechanisms in the ovlogin.config file both being "required"?

Thanks again,
-HSB
mmv
Member

Re: Active Directory integration SD 5.0.Sp1

Multiple entries with the same name in ovlogin.config are not permitted. If you want to use multiple authentication methods for different clients, you should use different names for the configurations. You can set all of these configurations to "required", but only one configuration will be applied to a client, and you have to define it in the client configuration (the OVConsole configuration is the default).

I.e., in your case this would look like this:

ovlogin.config:
ADAuth {
com.hp.ov.sec.login.server.module.ADssoLoginModule required
realm="domainname"
kdc="hostnameofkdc"
debug="true";
};
OVConsole {
com.hp.ov.obs.impl.auth.ObsLoginModule required
providerURL="itp://localhost:30999"
debug="false";
};

To authenticate a client in AD you have to add -DJAASApplication=ADAuth to the ovconsole parameters; to authenticate a client in SD you don't need to add anything.

You can also use a sequence of authentication methods (if the first method fails, the next one is tried, and so on). In this case your ovlogin.config should look like this:

OVConsole {
com.hp.ov.sec.login.server.module.ADssoLoginModule sufficient
realm="domainname"
kdc="hostnameofkdc"
debug="true";

com.hp.ov.obs.impl.auth.ObsLoginModule required
providerURL="itp://localhost:30999"
debug="false";
};

Don't forget to run
ovc -stop ovjms
ovc -start ovloginsv
after altering ovlogin.config.

Hope this helps
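The two rules in this reply and in the step list above (no two application blocks with the same name; a "sufficient" module followed by a "required" one gives a fall-through chain) are exactly what a JAAS LoginContext enforces when it reads ovlogin.config. The following Python is an added example, not code from the forum or from HP's product: it parses the JAAS login-configuration syntax, flags duplicate application names, and simulates the control-flag evaluation (required / requisite / sufficient / optional) as documented for javax.security.auth.login.Configuration, so the behaviour of a chain can be checked offline before restarting the login server. The module class names and option values are those from the posts; the sample configurations and the per-module outcomes are constructed.

```python
import re
from dataclasses import dataclass, field

# Control flags defined by JAAS for javax.security.auth.login.Configuration entries.
FLAGS = ("required", "requisite", "sufficient", "optional")


@dataclass
class ModuleEntry:
    """One LoginModule line inside an application block."""
    module_class: str
    flag: str
    options: dict = field(default_factory=dict)


def parse_login_config(text):
    """Parse JAAS login-configuration syntax (the format ovlogin.config uses).

    Returns (apps, duplicates): apps maps each application name to its modules
    in declaration order; duplicates lists application names that appear more
    than once, which the standard JAAS ConfigFile implementation rejects.
    """
    # Tokens: braces, ';', '=', quoted strings, or bare words (class names, flags, keys).
    tokens = re.findall(r'\{|\}|;|=|"[^"]*"|[^\s{};="]+', text)
    apps, duplicates = {}, []
    i = 0
    try:
        while i < len(tokens):
            name = tokens[i]
            if tokens[i + 1] != "{":
                raise ValueError(f"expected '{{' after application name {name!r}")
            i += 2
            entries = []
            while tokens[i] != "}":
                module_class, flag = tokens[i], tokens[i + 1].lower()
                if flag not in FLAGS:
                    raise ValueError(f"unknown control flag {flag!r} for {module_class}")
                i += 2
                options = {}
                while tokens[i] != ";":  # key="value" pairs up to the terminating ';'
                    if tokens[i + 1] != "=":
                        raise ValueError(f"malformed option near {tokens[i]!r}")
                    options[tokens[i]] = tokens[i + 2].strip('"')
                    i += 3
                i += 1  # consume ';'
                entries.append(ModuleEntry(module_class, flag, options))
            i += 1  # consume '}'
            if i < len(tokens) and tokens[i] == ";":
                i += 1
            if name in apps:
                duplicates.append(name)
            else:
                apps[name] = entries
    except IndexError:
        raise ValueError("unexpected end of configuration") from None
    return apps, duplicates


def evaluate_chain(entries, outcomes):
    """Simulate LoginContext.login() over one application's module list.

    outcomes maps a module class to True/False (whether its login() succeeded).
    required/requisite must succeed (requisite aborts at once on failure);
    sufficient returns success immediately if it succeeds and no earlier
    required/requisite module failed; optional never decides on its own.
    Returns (overall_success, list_of_modules_actually_invoked).
    """
    invoked, required_failed, any_success = [], False, False
    has_required = any(e.flag in ("required", "requisite") for e in entries)
    for entry in entries:
        ok = outcomes.get(entry.module_class, False)
        invoked.append(entry.module_class)
        any_success = any_success or ok
        if entry.flag in ("required", "requisite"):
            if not ok:
                required_failed = True
                if entry.flag == "requisite":
                    return False, invoked
        elif entry.flag == "sufficient" and ok and not required_failed:
            return True, invoked  # later modules (here ObsLoginModule) are never called
    return (not required_failed) if has_required else any_success, invoked


AD_MODULE = "com.hp.ov.sec.login.server.module.ADssoLoginModule"
OBS_MODULE = "com.hp.ov.obs.impl.auth.ObsLoginModule"

# Constructed sample modelled on the chained configuration in the reply above.
CHAINED_CONFIG = """
OVConsole {
com.hp.ov.sec.login.server.module.ADssoLoginModule sufficient
realm="domainname"
kdc="hostnameofkdc"
debug="true";

com.hp.ov.obs.impl.auth.ObsLoginModule required
providerURL="itp://localhost:30999"
debug="false";
};
"""

# Constructed sample reproducing the mistake discussed above: OVConsole declared twice.
DUPLICATE_CONFIG = """
OVConsole {
com.hp.ov.sec.login.server.module.ADssoLoginModule required
realm="domainname"
kdc="hostnameofkdc"
debug="true";
};
OVConsole {
com.hp.ov.obs.impl.auth.ObsLoginModule required
providerURL="itp://localhost:30999"
debug="false";
};
"""


def check_fallback_chain():
    """Run three scenarios against the chained configuration; returns a dict of results."""
    apps, duplicates = parse_login_config(CHAINED_CONFIG)
    entries = apps["OVConsole"]
    return {
        "duplicates": duplicates,
        # Kerberos SSO succeeds: the SD password module is never consulted.
        "ad_ok": evaluate_chain(entries, {AD_MODULE: True, OBS_MODULE: True}),
        # No usable ticket, but SD credentials are valid: falls back to Obs.
        "ad_fails_obs_ok": evaluate_chain(entries, {AD_MODULE: False, OBS_MODULE: True}),
        # Both fail: login denied.
        "both_fail": evaluate_chain(entries, {AD_MODULE: False, OBS_MODULE: False}),
    }


if __name__ == "__main__":
    for scenario, result in check_fallback_chain().items():
        print(scenario, result)
    print("duplicate application names:", parse_login_config(DUPLICATE_CONFIG)[1])
```

Running the script shows the point of the "sufficient" flag: with a valid ticket only ADssoLoginModule is invoked, without one the chain continues to ObsLoginModule, and the duplicate-OVConsole file is reported rather than silently merged.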
Rubem Andrade
Occasional Visitor

Re: Active Directory integration SD 5.0.Sp1

Greetings.
Thanks for the effort and time to give me the answers. However, I'm not totally satisfied.
First of all, I would like to know if anybody is using this with success. So, if yes, please send me the Ovlogin file used, not the example from the Release Notes or the native file generated during the installation.
Rgds
Hasim.Baba
Frequent Visitor

Re: Active Directory integration SD 5.0.Sp1

Hi,

I had tried that a long time back, but did it again and got the same error, i.e.:

Jul 12, 2006 7:33:28 PM;12;17;com.hp.ov.sec.login.server.LoginServer;processThrowable;com.hp.ov.sec.login.server.LoginServer;SEVERE;class java.lang.SecurityException caught in the login server: D:\Program Files\HP OpenView\data\conf\sec\login\ovlogin.config (Access is denied)

My ovlogin.config looks like this:
ADAuth {
com.hp.ov.sec.login.server.module.ADssoLoginModule sufficient
realm="abc.com"
kdc="hostname.abc.com"
debug="true";
};
OVConsole {
com.hp.ov.obs.impl.auth.ObsLoginModule required
providerURL="itp://localhost:30999"
debug="false";
};

My ovconsole.bat looks like this:

@echo off

rem © Copyright 2003 Hewlett-Packard Development Company, L.P.
SETLOCAL

set OV_HOME=%~dp0

FOR /F "tokens=1*" %%A in ('ovconfget.exe NONOV.ApacheA') DO set %%A

:checkParam
if "%1"=="" goto done
if "%1"=="-DServer" set Server=%2
if "%1"=="-DWebServerPort" set WebServerPort=%2
shift
goto checkParam
:done

if "%Server%"=="" set Server=%ServerName%
if "%WebServerPort%"=="" set WebServerPort=%Port%


set XPL_CLIENT_ARGS=-DWebServerPort=%Port% -DServer=sdhostname

set CWD=%CD%
set OV_LIB=%OV_HOME%..\java
set OV_JRE=%OV_HOME%..\nonOV\jre\1.4\bin
set JVMARGS=-Xms64m -Xmx256m -Dcom.hp.ov.ui.formOpenMax=10 -DovAppName=OvConsole %XPL_CLIENT_ARGS%
if "%OV_JAVA%" == "" set OV_JAVA=%OV_JRE%\javaw.exe

if NOT EXIST "%OV_JAVA%" goto exitNoJRE
if NOT EXIST "%OV_HOME%..\java" goto exitNoJavaFolder

echo Using %OV_JAVA%

start "" "%OV_JAVA%" %JVMARGS% %* -jar "%OV_LIB%\obs-launcher.jar" "%OV_LIB%\ui-clientapp.jar"
goto finalExit

:exitNoJavaFolder
echo Error: Cannot find OV java folder. Expected at: %OV_LIB%
goto finalExit

:exitNoJRE
echo Error: Cannot find OV java runtime environment. Expected at: %OV_JRE%

:finalExit
ENDLOCAL

The account with which I am trying to log in has the account name john and the AD username john@abc.com.

I have deleted the client settings for all users on the machine from which I am trying to log in. I am already logged on to the domain on that machine with the account abc/john.

It still does not help.

I also tried running the ovconsole.bat file like this:

ovconsole.bat -DJAASApplication=ADAuth

Please find a screenshot attached of the error from client machine.

If you have this working in your SD installation, can you tell us if it's SD 5 SP1 and if you are using Windows 2000 or 2003?

Thanks for your efforts; I'm just not able to assign you points in this thread :)

Regards,
-HSB
mmv
Member

Re: Active Directory integration SD 5.0.Sp1

Rubem, yes, we use AD-SD integration (populate SD persons/accounts via the connector + AD authentication). It works OK. Our ovlogin.conf file doesn't differ much from the default one. Anyway, I attached it.

sayasif, try running ovconsole.bat -DServer= -DJAASApplication=ADAuth

The error
Jul 12, 2006 7:33:28 PM;12;17;com.hp.ov.sec.login.server.LoginServer;processThrowable;com.hp.ov.sec.login.server.LoginServer;SEVERE;class java.lang.SecurityException caught in the login server: D:\Program Files\HP OpenView\data\conf\sec\login\ovlogin.config (Access is denied)
is strange. It doesn't say there are any problems with authentication itself, but problems with accessing the file ovlogin.config. Check its permissions, try to delete it and create it again, and restart the ovloginserver.

We use HP OV SD 5.0 SP1 in 2 different environments: one on Windows 2000 AS SP4, another on Windows 2003 EE SP1.
Hasim.Baba
Frequent Visitor

Re: Active Directory integration SD 5.0.Sp1

Hi!!

I think I am getting closer!! I have changed the ovlogin.config file permissions to give full access. Now it's giving an error of incorrect username or password :), at least close I would say... can you please let me know what permissions you have on the ovlogin.config file?

Thanks,
-HSB
P.S. Rubem, if possible, please assign points to MMV; unfortunately I cannot unless I open a new thread. Thanks.
Hasim.Baba
Frequent Visitor

Re: Active Directory integration SD 5.0.Sp1

Here are lines from the log file... it says succeeded, but on the client machine it says incorrect username or password... let me know if you can spot any errors.

Jul 12, 2006 8:27:37 PM;11;16;com.hp.ov.sec.login.server.module.ADssoLoginModule.debug;FINE;[ADssoLoginModule] validateServer = false, therefore user principal will be retrieved from client ticket.
Jul 12, 2006 8:27:37 PM;12;16;com.hp.ov.sec.login.server.module.ADssoLoginModule;login;com.hp.ov.sec.login.server.module.ADssoLoginModule.debug;FINE;[ADssoLoginModule] got ticket: Ticket (hex) =
0000: 61 82 03 D1 30 82 03 CD A0 03 02 01 05 A1 12 1B a...0...........
0010: 10 45 53 45 52 56 45 47 4C 4F 42 41 4C 2E 43 4F .abc.CO
0020: 4D A2 25 30 23 A0 03 02 01 02 A1 1C 30 1A 1B 06 M.%0#.......0...
0030: 6B 72 62 74 67 74 1B 10 45 53 45 52 56 45 47 4C krbtgt..abc
0040: 4F 42 41 4C 2E 43 4F 4D A3 82 03 89 30 82 03 85 .COM....0...
0050: A0 03 02 01 17 A2 82 03 7C 04 82 03 78 6C BD 7F ............xl..
0060: FD 4F D4 64 8C 2D CA 16 B4 3C 3A 09 96 C0 CB B8 .O.d.-...<:.....
0070: 2A 11 26 7E 42 56 8C 3E F1 DE 33 FB AA B2 13 6F *.&.BV.>..3....o
0080: 0B 37 4F BD 30 CF 9E DD 4B 27 05 BB 18 73 38 8B .7O.0...K'...s8.
0090: 32 D4 C3 F5 46 20 8D E7 3B B2 71 0B 06 16 CA B6 2...F ..;.q.....
00A0: 83 D6 F0 8F 9B 61 85 A9 F8 E5 81 16 26 D2 0A 33 .....a......&..3
00B0: 41 26 35 33 54 ED F8 8F 0D 2B 71 1D 38 99 AE 7E A&53T....+q.8...
00C0: 96 82 80 22 65 F8 15 DC 89 A5 C1 35 1A FC 63 E9 ..."e......5..c.
00D0: 00 B9 E8 0D 41 25 95 9E 69 EB D6 B0 AD 31 D2 0B ....A%..i....1..
00E0: E9 8C 9C 93 06 55 77 E1 BC B9 39 F3 30 B5 B5 7C .....Uw...9.0...
00F0: A2 D8 7D 57 3C 75 39 B3 1F 50 BE 3C 65 E4 E3 04 ...W
0100: 9E 66 8B B4 CD 3E 2A 18 19 D8 5D 5E AD 3E F2 31 .f...>*...]^.>.1
0110: 1A 69 7E 27 77 54 F0 D7 CB AA 1F A7 EB 40 56 BC .i.'wT.......@V.
0120: 29 09 5E 48 D5 54 4D 44 5E A8 11 AA 71 61 95 04 ).^H.TMD^...qa..
0130: 90 C5 82 9B 6A 43 C5 B6 F2 A1 C8 C8 F3 52 97 10 ....jC.......R..
0140: 51 D0 E6 6A E8 CB BC 8C 67 94 D5 A6 75 42 44 3B Q..j....g...uBD;
0150: 2D 0E 74 DD 34 A8 19 8C BA 7F 1D C6 BA 7F F1 F2 -.t.4...........
0160: C8 06 1A 75 86 92 64 1B E5 39 20 4A 05 98 57 58 ...u..d..9 J..WX
0170: A7 A0 35 C4 B6 5C 2B C8 9D E1 BF 12 32 BC 03 68 ..5..\+.....2..h
0180: C7 F2 8E A1 50 FC 97 D2 B8 90 81 33 99 BC 97 B3 ....P......3....
0190: FE 53 1B 89 EB 6D FA B1 FE 8E 55 94 1A 86 10 87 .S...m....U.....
01A0: 7E C6 C6 4B 8A 79 32 CC 5D 5B B6 1E B7 2F C3 C7 ...K.y2.][.../..
01B0: 66 E4 AD C0 3D 48 21 9D 8A E2 5E AE DD 74 73 14 f...=H!...^..ts.
01C0: 93 CF FE 85 7F E0 F5 8B 0D 37 97 63 4D D4 E5 1C .........7.cM...
01D0: 6F AD 19 2E E6 A2 9D 29 50 D2 54 94 BB B4 F0 AC o......)P.T.....
01E0: C6 63 70 1D 23 97 94 52 72 6A 13 2C B6 91 8D B8 .cp.#..Rrj.,....
01F0: BF 0C 45 57 F0 3B 54 68 1E 4E 7A 85 A5 1A 3C 58 ..EW.;Th.Nz...
0200: 60 BF B0 66 BD DD C8 2B 8F 16 91 9C 98 0A 45 0C `..f...+......E.
0210: E5 B8 B7 3B 65 63 8D 8B 8B 44 FE 5D 29 97 C1 FE ...;ec...D.])...
0220: C3 64 DF 55 9A 8A FE D7 FA 1C E6 9B CC 6C 93 07 .d.U.........l..
0230: 40 E5 3B E3 3B A1 6C 3C A1 6E B7 85 06 FA D1 5F @.;.;.l<.n....._
0240: BA A4 FC 59 D3 A3 60 D1 1E 6C 86 74 AA DA 5A A2 ...Y..`..l.t..Z.
0250: E4 24 1D DE D4 2D E1 DE BC 0D 67 AB E5 32 0F 79 .$...-....g..2.y
0260: A7 F2 EF 20 6A 7E BE FB E0 6D 78 03 6B E8 F9 43 ... j....mx.k..C
0270: 96 DE 8A 7B 38 95 A7 63 94 C0 E4 15 53 28 DD 75 ....8..c....S(.u
0280: 27 CA 82 8B 1C 8E 07 4F A1 5F 6D DB 2F C0 14 A2 '......O._m./...
0290: 29 6A 12 E2 8D F4 81 AE AA F5 A5 BC 9C 66 25 39 )j...........f%9
02A0: 5B 7C 17 6F C8 32 15 CE CF 95 1F 62 50 0B BD CE [..o.2.....bP...
02B0: 69 DD FB 79 95 35 03 34 AD 82 33 7A 60 B7 B4 FC i..y.5.4..3z`...
02C0: 08 9C 57 EE 94 68 BE F6 F6 83 4E 47 62 CD 2C 7F ..W..h....NGb.,.
02D0: FA 97 B7 31 08 C2 6F 1F E9 2C 35 F7 CC 46 86 CA ...1..o..,5..F..
02E0: F9 3F 78 06 9E C7 2C 68 F3 11 EE BE 76 9D 67 9C .?x...,h....v.g.
02F0: B9 58 C8 F0 9C 02 75 15 AF 38 27 91 2D 03 72 B8 .X....u..8'.-.r.
0300: DC 41 B2 42 A8 F2 91 2C 14 0C 3B 39 6E 88 8D 6C .A.B...,..;9n..l
0310: 69 92 DA 71 2F F5 5A E8 DA D2 A9 5D 9F 59 88 5B i..q/.Z....].Y.[
0320: 0B 58 4D 71 40 45 F0 C0 4D 12 55 04 24 81 FE 5F .XMq@E..M.U.$.._
0330: 37 41 29 69 09 79 82 86 42 64 91 AB 3D 9F 1C 72 7A)i.y..Bd..=..r
0340: 76 C4 54 0B BC 50 23 32 73 CA 5D FB 7B 3C 7A CD v.T..P#2s.]..
0350: F2 4A 4F 3C 64 11 46 61 2E FD 09 28 38 22 13 42 .JO
0360: 6B B6 48 75 74 F9 67 86 7E 14 41 F5 6A 19 54 D6 k.Hut.g...A.j.T.
0370: C4 E8 3B 74 94 AD F0 64 D2 82 64 D5 19 87 CC 64 ..;t...d..d....d
0380: 97 44 93 FC 5F 7D 83 62 C4 D5 66 02 A4 46 21 A7 .D.._..b..f..F!.
0390: F4 72 53 B0 3E B0 1D 48 A3 DF 62 8A 6F FB 1D EF .rS.>..H..b.o...
03A0: 3B 4E 1C 0E 6D C7 F6 4E 8A AC 43 29 8C CA 50 94 ;N..m..N..C)..P.
03B0: 70 75 1B CC DA AD 99 61 C2 63 91 B9 33 B9 7D 17 pu.....a.c..3...
03C0: F3 65 96 68 22 E5 15 9A B1 E5 A0 16 1C DB FF 81 .e.h"...........
03D0: 2F AD 96 04 49
Client Principal = abc@abc.COM
Server Principal = krbtgt/abc.COM@abc.COM
Session Key = EncryptionKey: keyType=0 keyBytes (hex dump)= Empty Key
Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket true
Initial Ticket true
Auth Time = Wed Jul 12 14:34:21 GMT+05:30 2006
Start Time = Wed Jul 12 14:34:21 GMT+05:30 2006
End Time = Thu Jul 13 00:34:21 GMT+05:30 2006
Renew Till = Wed Jul 19 14:34:21 GMT+05:30 2006
Client Addresses Null
Jul 12, 2006 8:27:37 PM;13;16;com.hp.ov.sec.login.server.module.ADssoLoginModule.debug;FINE;[ADssoLoginModule] authentication succeeded
Jul 12, 2006 8:27:37 PM;14;16;com.hp.ov.sec.login.server.module.ADssoLoginModule.debug;FINE;[ADssoLoginModule] added KerberosPrincipal to Subject
bahloul
Occasional Advisor

Re: Active Directory integration SD 5.0.Sp1

Hello,

I want to thank you. I have tried the AD integration and it works fine. I want to ask you about Web Console integration with Active Directory.

Thanks.
Rubem Andrade
Occasional Visitor

Re: Active Directory integration SD 5.0.Sp1

Closed