How to Enable NTLM Authentication for CA SDM Tomcat Using WAFFLE

Document ID : KB000072484
Last Modified Date : 01/03/2018
Introduction:
Out of the box, SDM does not support NTLM authentication on Tomcat. It can be enabled with a third-party library called WAFFLE. While this is not officially supported, it is a known workaround.
Environment:
Service Desk Manager 12.x
Service Desk Manager 14.x
Service Desk Manager 17.x
Instructions:
1. Download the latest version (1.8.3 at the time of writing) of the WAFFLE zip from https://github.com/dblock/waffle/releases

2. Extract the file to a temporary directory (ex: c:\UNZIPPED_DIRECTORY) on the SDM server

3. Copy the files waffle-jna-1.8.1.jar, guava-19.0.jar, jna-4.2.2.jar, jna-platform-4.2.2.jar and slf4j-1.7.21.jar from the zip directory in step #2 above to the '%NX_ROOT%\bopcfg\www\CATALINA_BASE\webapps\CAisd\WEB-INF\lib' directory on the SDM server

NOTE: %NX_ROOT% refers to the installation directory of CA SDM. For example, the default location is 'C:\Program Files (x86)\CA\Service Desk Manager' on a Windows 64-bit OS.

NOTE: Copying commons-logging-1.1.1.jar is optional as it is already present in another Tomcat directory.

4. Back up the current '%NX_ROOT%\bopcfg\www\CATALINA_BASE\webapps\CAisd\WEB-INF\web.xml' file. Open the file with a text editor and add the following content to the bottom of the file:

NOTE: All of the following lines have to be placed BEFORE the closing </web-app> tag

<filter>
  <filter-name>SecurityFilter</filter-name>
  <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>SecurityFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

5. Stop and start the SDM Tomcat process by running the following commands:

pdm_tomcat_nxd -c stop
Wait for 10 seconds
pdm_tomcat_nxd -c start

6. Check off "External Authentication" for the contact's Access Type.

Assuming that the SDM Contact record has the External Authentication type enabled and O/S authentication enabled, the SDM Tomcat engine should now authenticate users for that access type without displaying the SDM logon screen.

The procedure above is not yet formally certified, but is a known workaround.

If there are any problems starting the SDM Tomcat process, review the '%NX_ROOT%\log\pdm_tomcat.log' file.
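
A more restrictive variant of the filter definition added to web.xml above, given here as an added example that is not part of the original procedure and has not been validated by CA. It sets three WAFFLE init-params so that only the Negotiate/NTLM provider is registered and guest logon is refused; that SDM behaves the same with these settings is an assumption to confirm in a test environment.

```xml
<filter>
  <filter-name>SecurityFilter</filter-name>
  <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
  <!-- WAFFLE default is true: when the Windows Guest account is enabled,
       a failed logon can be accepted as Guest. -->
  <init-param>
    <param-name>allowGuestLogin</param-name>
    <param-value>false</param-value>
  </init-param>
  <!-- List only the Negotiate provider. When this parameter is absent,
       WAFFLE also registers waffle.servlet.spi.BasicSecurityFilterProvider,
       which accepts passwords sent in a Basic Authorization header. -->
  <init-param>
    <param-name>securityFilterProviders</param-name>
    <param-value>waffle.servlet.spi.NegotiateSecurityFilterProvider</param-value>
  </init-param>
  <!-- Protocols offered by the Negotiate provider (these are its defaults,
       written out so the accepted schemes are explicit). -->
  <init-param>
    <param-name>waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols</param-name>
    <param-value>Negotiate NTLM</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>SecurityFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

As with the original filter, this block goes before the closing </web-app> tag and takes effect after the SDM Tomcat process is restarted.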
Additional Information:
WAFFLE Repository - https://github.com/dblock/waffle