CA Service Desk Manager (SDM) can be configured to allow users to be authenticated via external authentication methods. If you choose to allow external authentication, users are validated by the appropriate external method configured within their environment. One of the most recognized authentication methods today is to use Integrated Windows Authentication (IWA) to automatically authenticate with Microsoft's Active Directory.
The prerequisites for this solution are:
- IIS 7.0 has been installed on the server where Service Desk is installed.
- CA Service Desk has been successfully configured to use IIS 7.0.
Step 1 - Configure IIS to perform Integrated Windows Authentication
- Open the Internet Information Services (IIS) Manager from the Administrative Tools menu. In the left hand pane, expand the <ServerName> node, where <ServerName> is the name of the Service Desk server. Expand the Sites node. Expand the Default Web Site node. Click on the CAisd node to display the CAisd Home page. See Figure 1.
- Double click on the Authentication feature to display the Authentication settings. See Figure 2.
- Change the Anonymous Authentication option to Disabled and the Windows Authentication option to Enabled (see Figure 3).
- Restart IIS to apply the changes.
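The same Step 1 settings can be applied and verified from an elevated PowerShell session instead of IIS Manager. This is an added example, not part of the original article: it assumes IIS 7.0 or later with the WebAdministration module and the Windows Authentication role service installed, and uses the "Default Web Site" and "CAisd" names from the steps above. The two Get- checks at the end are the ones to re-run when working through the IIS items in the Step 3 troubleshooting list.

```powershell
# Added example (not from the original article). Assumes an elevated shell on the
# Service Desk server, IIS 7.0+ with the WebAdministration module, and that the
# Windows Authentication role service is installed.
Import-Module WebAdministration

$site     = 'Default Web Site'   # site name from Step 1
$app      = 'CAisd'              # Service Desk application node from Step 1
$location = "$site/$app"
$apphost  = 'MACHINE/WEBROOT/APPHOST'
$authBase = '/system.webServer/security/authentication'

# Step 1: Anonymous off, Windows on. Scoped with -Location to the CAisd
# application only, so the rest of the Default Web Site is left untouched.
Set-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true

# Restart IIS to apply the changes
iisreset

# Verification: the two IIS checks listed under Step 3 (Anonymous disabled,
# Windows enabled). Get-WebConfigurationProperty returns an attribute object;
# the effective boolean is in its Value property.
$anon = Get-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter "$authBase/anonymousAuthentication" -Name enabled
$win  = Get-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter "$authBase/windowsAuthentication" -Name enabled

if (-not $anon.Value -and $win.Value) {
    Write-Output "OK: $location accepts Integrated Windows Authentication only"
} else {
    Write-Warning ("Check failed for {0}: anonymousAuthentication={1} windowsAuthentication={2}" `
        -f $location, $anon.Value, $win.Value)
}
```

If the Set- calls report that the section is locked, the same change can still be made at this location in applicationHost.config through IIS Manager as described in Step 1; the lock only blocks overrides from a web.config inside the application.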
Step 2 - Configure External Authentication in Service Desk
- Log in to Service Desk with an account that has Administrator privileges. The Service Desk home page will be displayed (Figure 4).
- Select the Administration Tab, expand the Security and Role Management node and select the Access Types node (Figure 5).
- Click on the first Access Type that you wish to allow External Authentication for. The Update Access Type form will be displayed. Select the Web Authentication tab if it is not already displayed. Click on the Edit button to edit the Access Type (Figure 6).
- Select the Allow External Authentication checkbox. Also select the appropriate Validation Type for the Access Type from the Validation Type dropdown.
NB - The Validation Type is not used for External Authentication validation. It is used only when users log in through the Service Desk login form. When External Authentication is enabled, the login page will only be displayed if Service Desk fails to find a Contact record that matches the credentials supplied by IIS (this includes the scenario where IIS does not supply any credentials), or if a user clicks on the logout link in Service Desk and the LogoutURL parameter has not been set in the web.cfg file.
Any of the Validation Types can be selected, but generally only the "No Access" and "OS - Use Operating System authentication" methods are used with External Authentication. The "No Access" option should be selected if you want to ensure that users can only use their own Windows credentials to access Service Desk, because it leaves no login-form path that bypasses IIS.
Click on the Save button to save the changes (Figure 7).
- Repeat steps 2.3 and 2.4 for each remaining Access Type that you wish to allow External Authentication for.
NB - In addition, ensure that a suitable Access Type is defined as the Default Access Type. This is used when External Authentication finds a Contact record that matches the credentials supplied by IIS but the Contact does not have an Access Type defined. Out of the box, the Administration Access Type is defined as the Default Access Type, which is unlikely to be appropriate in a Production environment, since any Contact without an explicit Access Type would then receive Administration rights. To set the Default Access Type, edit the appropriate Access Type and select the Default? checkbox.
Step 3 - Test the External Authentication
- Log in to Windows using a userid which has an associated Contact record defined in Service Desk.
- Launch a new browser window. Navigate to the Service Desk URL (http://<servername>/CAisd/pdmweb.exe). The Service Desk home page should be displayed (Figure 8).
- If a browser login prompt is displayed, work through the following troubleshooting step:
For Windows 2003 servers and above, Internet Explorer Enhanced Security Configuration disables the automatic detection of intranet sites. For credentials to be passed automatically to an intranet site, the site needs to be manually added to the Local intranet zone. Microsoft Knowledge Base Article 815141 describes how Internet Explorer Enhanced Security Configuration changes the browsing experience; its "Add sites to the Local Intranet zone" section describes how to manually add a site to the Local intranet zone:
- If the Service Desk login page is displayed, work through the following troubleshooting steps:
- Confirm that the Anonymous Authentication option has been disabled in IIS.
- Confirm that the Windows Authentication option has been enabled in IIS.
- Confirm that a Contact record exists with the System Login field set to the userid used to log in to Windows.
- Confirm that the System Login field uses the same case as the userid used to log in to Windows. NB - There is an Option Manager setting called Security - ignore_security_case which can be used to avoid issues with case sensitivity in userids.
- Confirm that the Access Type assigned to the Contact record has had External Authentication enabled.