Problem with Basic Auth

Hi All,
My goal is to authenticate agents using integrated windows authentication and use database backend to store their accounts (group membership and so on). We cannot use passwords as we use smartcards to authenticate in windows domain.
I've deployed clean OTRS 2.4.7 setup under IIS and MSSQL. All settings in Config.pm are defaults except that are needed to use MSSQL. I've created user in database (let's say qqq) which is member of admin and users groups. After that I've added these two strings into Config.pm:
$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
$Self->{'AuthModule::HTTPBasicAuth::Replace'} = 'DOMAIN\\';
Next I set IIS to use integrated windows authentication, so REMOTE_USER environment variable will be set to the user who is authenticated by IIS, for example DOMAIN\qqq. As I understand architecture of OTRS it is allowed to do this way.
But when I try to enter agent's interface I got these errors:
Message: Need UserLogin or UserID!
Traceback (3364):
Module: Kernel::System::User::UserLookup (v1.94) Line: 668
Module: Kernel::System::Auth::Auth (v1.42) Line: 261
Module: Kernel::System::Web::InterfaceAgent::Run (v1.43.2.1) Line: 192
Module: c:\inetpub\wwwroot\bin\cgi-bin\index.pl (v1.88) Line: 48
Digging into source code I've found that Auth.pm expects that $Param{User} variable should be set somewhere before the call of UserLookup at line 261. If I add Param{User}=$User at line 260 everything is working well.
So, is it a bug, or I do something wrong?
TIA
---------------------------------------------------
Leonid S. Korokh
CIO
Aladdin Software Security R.D.
Phone: +7 (495) 223-0001 (30 lines)
Phone: +7 (495) 988-4640
Fax: +7 (495) 646-0882
E-mail: l.korokh@aladdin.ru
Web: www.aladdin.ru

Hi Leonid,
You're absolutely right with your analysis. Currently, if you're using
SSO, OTRS will expect that the user is already available. If you're
not using SSO, but LDAP Authentication instead, OTRS can pull in the
user data from LDAP on request. Unfortunately, with SSO, OTRS does not
do this at the moment.
You can run otrs/scripts/tools/sync-ldap2db.pl via a cron job or so to
make sure user data is available if the user connects.
hth,
--
Michiel Beijen
R&D
Follow me on Twitter: @otrsnl [https://twitter.com/otrsnl]
OTRS AG
Norsk-Data-Str 1.
61352 Bad Homburg
Germany
T: +31 (0) 6457 42418
F: +49 (0) 9421 56818-18
I: http://www.otrs.com/
Business location: Bad Homburg, Country Court: Bad Homburg, HRB 10751,
VAT ID: DE256610065
Chairman: Burchard Steinbild, Managing Board: André Mindermann
CU@ CeBIT 2010 in Hannover (Germany) and get to know more about OTRS
at booth no. C37, in hall 2 from March 2-6, 2010! http://bit.ly/4qLvqm
On Fri, Feb 12, 2010 at 12:25 PM, Leonid Korokh
Hi All,
My goal is to authenticate agents using integrated windows authentication and use database backend to store their accounts (group membership and so on). We cannot use passwords as we use smartcards to authenticate in windows domain.
I’ve deployed clean OTRS 2.4.7 setup under IIS and MSSQL. All settings in Config.pm are defaults except that are needed to use MSSQL. I’ve created user in database (let’s say qqq) which is member of admin and users groups. After that I’ve added these two strings into Config.pm:
$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
$Self->{'AuthModule::HTTPBasicAuth::Replace'} = 'DOMAIN\\';
Next I set IIS to use integrated windows authentication, so REMOTE_USER environment variable will be set to the user who is authenticated by IIS, for example DOMAIN\qqq. As I understand architecture of OTRS it is allowed to do this way.
But when I try to enter agent’s interface I got these errors:
Message: Need UserLogin or UserID!
Traceback (3364):
Module: Kernel::System::User::UserLookup (v1.94) Line: 668
Module: Kernel::System::Auth::Auth (v1.42) Line: 261
Module: Kernel::System::Web::InterfaceAgent::Run (v1.43.2.1) Line: 192
Module: c:\inetpub\wwwroot\bin\cgi-bin\index.pl (v1.88) Line: 48
Digging into source code I’ve found that Auth.pm expects that $Param{User} variable should be set somewhere before the call of UserLookup at line 261. If I add Param{User}=$User at line 260 everything is working well.
So, is it a bug, or I do something wrong?
TIA
---------------------------------------------------
Leonid S. Korokh
CIO
Aladdin Software Security R.D.
Phone: +7 (495) 223-0001 (30 lines)
Phone: +7 (495) 988-4640
Fax: +7 (495) 646-0882
E-mail: l.korokh@aladdin.ru
Web: www.aladdin.ru
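
The pattern this thread is about, as an added sketch that is not OTRS code and not part of either message: the login is derived from REMOTE_USER, the configured prefix is stripped, and the account lookup uses that derived login and denies when no provisioned agent matches. The sub names, the %AGENTS table, the case folding and the sample REMOTE_USER values are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added illustration, not OTRS code. All names below are hypothetical.
use strict;
use warnings;

# Constructed stand-in for the agent table in the database backend.
my %AGENTS = ( qqq => { UserID => 2, Groups => [ 'admin', 'users' ] } );

# Strip the configured prefix (the value of the Replace setting) from
# REMOTE_USER. Returns undef unless a usable login remains.
# Assumption of this sketch: prefix match and login are case-insensitive.
sub login_from_remote_user {
    my ( $remote_user, $replace ) = @_;
    return if !defined $remote_user || $remote_user eq '';
    my $login = $remote_user;
    $login =~ s/^\Q$replace\E//i if defined $replace && length $replace;
    # Reject anything that still looks like DOMAIN\user or user@realm:
    # an unexpected domain must not map onto a local account name.
    return if $login eq '' || $login =~ /[\\\/\@\s]/;
    return lc $login;
}

# Resolve the account from the login the auth step returned, never from a
# request parameter (empty under SSO, as the traceback in the thread shows).
sub authenticate_sso {
    my (%param) = @_;
    my $login = login_from_remote_user( $param{RemoteUser}, $param{Replace} );
    return ( undef, 'no usable REMOTE_USER' ) if !defined $login;
    my $agent = $AGENTS{$login};
    return ( undef, "agent '$login' is not provisioned" ) if !$agent;
    return ( $login, "UserID $agent->{UserID}" );
}

# Constructed sample values of REMOTE_USER as the web server might set them.
for my $remote_user ( 'DOMAIN\\qqq', 'domain\\QQQ', 'OTHER\\qqq', 'DOMAIN\\zzz', '' ) {
    my ( $login, $detail ) = authenticate_sso(
        RemoteUser => $remote_user,
        Replace    => 'DOMAIN\\',    # same string as in Config.pm
    );
    printf "%-14s => %s (%s)\n", "'$remote_user'",
        defined $login ? "allow as $login" : 'deny', $detail;
}
```

Only the first two sample values are allowed; a login from another domain, an agent missing from the table and an empty REMOTE_USER are all denied instead of falling through to a lookup with no login.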