New Member
Posts: 8
Registered: ‎06-20-2011

Re: SLX Mobile (2011) Windows Authentication

[ Edited ]

 

Hi greensweater,

 

Just to let you know that I followed this guide ... http://slxtraining.net/2011/04/

 

Therefore when I go to http://localhost:3333/sdata/$system/adapters, the login prompt will tell me “The server [yourservername] at SalesLogix Client requires a username and password.” Before that, mine did say what you were getting ... machinename.domain.local.

 

Can you please give me a sample of your setspn command? I unfortunately (maybe fortunately) don't have access to this and I must go through the process with other people. We ran the setspn command but I can't remember or verify what we ran. My server name is STEP1SLXWeb01 so can you see if I am using the command correctly?

 

setspn -A http/step1slxweb01 domain\webdll

setspn -A http/stepslxweb01.domain.com domain\webdll

setspn -L domain/webdll

This command should take me one step closer in regards to resolving SLX Mobile 2011 being able to use AD credentials right?

 

Thanks!

Bronze Super Contributor
Posts: 152
Registered: ‎02-01-2011

Re: SLX Mobile (2011) Windows Authentication

Your sample setspn command looks like mine, except for using .com. It's looking for that fully qualified machine name, so it looks like you may have a discrepancy between using .com and .local. The setspn -L will list the SPNs for the user, you don't need admin rights to list, so double check. Also make sure auth methods in IIS are right. Also, users must be set to use windows auth in SLX admin. Also, the windows user must have read rights on the directory. You could add the Domain Users group to inetpub. There are a lot of ways to break this... make sure all the steps are completed!
Andy Freeman
TrellisPoint, LLC
New Member
Posts: 8
Registered: ‎06-20-2011

Re: SLX Mobile (2011) Windows Authentication

Hmmmm ... maybe it needs to be without the .com like such

 

setspn -A http/step1slxweb01 domain\webdll

setspn -A http/stepslxweb01.domain domain\webdll

setspn -L domain/webdll

Just that on the SLX v7.5.4 Implementation Guide, Page 98 of the guide (page 106 of the document) has the .com .... but it doesn't look right ..

 

When you say auth methods in IIS, could you elaborate a bit more if possible? Just want to make sure I have covered it all!

 

"Also, users must be set to use windows auth in SLX admin" - Yeap all users are set up that way for the SLX LAN Client. The Admin user is linked to WebDLL.

 

"Also, the windows user must have read rights on the directory" - Just wondering which directory you are referring to - is this c:\inetpub ?

 

I read in the guide that the user I nominate to run the setspn command against, which is the WebDLL user, needs to have "rights to modify the active directory" (pg 105 of implementation guide for v7.5.4). I was asked why WebDLL needed to modify and I have no idea coz I'm just following the guide - would you be able to assist as I do suspect WebDLL might not have the correct permission to "modify the active directory".

 

Cheers!

Bronze Super Contributor
Posts: 152
Registered: ‎02-01-2011

Re: SLX Mobile (2011) Windows Authentication

[ Edited ]

This is what worked for us:

 

setspn -A http/machinename domain\webdll

setspn -A http/machinename.domain.local domain\webdll

 

We are only accessing the machine on the intranet. So I'm really not sure how that fits if you're accessing from outside the local network. The big clue for me was in the "Logon to machinename.domain.local" in the authentication window... this should match the SPN! You should only see the window in IE if Windows auth doesn't work... but then, only IE will automatically pass credentials. Firefox or any other browser should pop up an authentication window. When that happens, you need to specify the domain when logging in: e.g. "domain\username" and not just "username".  Blackberry has its own problems... thread

 

Authentication methods for sdata directory should be Windows authentication and Basic authentication, per instructions in Administrator help file. There are also some web.config changes you need to make. (I've attached a pdf for windows 2008 excerpted from the help, there are also instructions for 2003 in the help.) 

 

If the user is not set in the SLX Administrator to use Windows auth, then sdata falls back to Basic authentication which relies on SLX credentials. The authentication popup for SData is slightly different for basic authentication. SData will always prefer windows creds over basic, so the Mobile client will use your windows user even if you enter SLX creds. This could cause some confusion.

 

We had still more problems with 401 errors when accessing SData with Windows auth. This was solved for us by adding the Domain Users group to read/execute access on C:\inetpub\wwwroot\SData directory (or anywhere up the path... wwwroot should be a safe bet). You can check your IIS logs and the event viewer for failed access attempts. I believe that when using Windows auth, IIS sees the user as themselves, not as WebDLL or IUSR... therefore by adding Domain Users, we give all logged-in domain users rights to read. You could create a special AD group if you prefer.

 

That part in the guide about "modify the active directory" is worded strangely. I believe they mean you must be logged in as a Domain Admin to perform the setspn command to create the SPNs. WebDLL user does not need Domain Admin level access for SalesLogix to work correctly.

 

Sorry this sounds all over the place -- successfully setting this up was a real trial-and-error process for us. Hopefully this thread helps to collect the details.

Andy Freeman
TrellisPoint, LLC
Bronze Super Contributor
Posts: 152
Registered: ‎02-01-2011

Re: SLX Mobile (2011) Windows Authentication

BTW the 7.5.4 Intellisync client config includes a checkmark for "Use Windows Authentication" ... and it works!
Andy Freeman
TrellisPoint, LLC
New Member
Posts: 8
Registered: ‎06-20-2011

Re: SLX Mobile (2011) Windows Authentication

[ Edited ]

I managed to gain access to a Win Server 2008 machine and ran setspn -L domain\webdll and this is what I got:


Registered ServicePrincipalNames for CN=WebDLL,OU=SalesLogix,OU=ApplicationSecurity,DC=domain,DC=local:
        HTTP/step1SLXWeb01
        HTTP/step1SLXWeb01.domain.local
        http/Step1SLXWeb
        http/Step1SLXWeb.starnet.local

 

Step1SLXWeb without the 01 is another server we have that was not on the domain before but we put it in anyway.

 

Does this look correct to you?

 

I am opening up FireFox on the Web Server that is hosting SLX Mobile 2011 so technically, I am running SLX Mobile 2011 internally (I need to prove AD credentials & SLX Mobile 2011 works internally before I muck around with trying to make it external!) I actually read the Blackberry post and coupled with other forums, I started looking at spns in more depth. Do you go to a browser other than IE (coz it's not supported), type in http://ipaddress:3333/slxmobile and get the standard SLX Mobile 2011 login screen and then type in the AD credentials? My browsers don't pop up a prompt asking for a username and password when going to this URL.

 

Thx for the attached. We are running Windows 2003 ... Would you by any chance be able to upload the 2003 document instead? Done a search and I can't find it.

 

I checked the Event Log like you said and sure enough ... there is a log of my failed attempts - it says:

2011-08-04 12:43:56,034 [1] ERROR Sage.SalesLogix.Web.SLXWebBasicAuthenticationModule - Unable to authenticate user 'domain\username'.

 

What would be really nice is if there was some form of official document for Windows Authentication for SLX Mobile 2011 ... I'm out of my league with the domain side of things and there are just so many bits to configure.

 

Oh also ... can you direct me to the Windows Authentication setting for IntelliSync? Our IntelliSync version is v7.3.2 Build 80.

 

Cheers!
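
The SPN comparison this thread keeps returning to (the name shown in the login prompt should match a registered SPN, and a .com/.local mix-up breaks it), as an added PowerShell example that is not part of any post or of SalesLogix. It parses the `setspn -L` listing quoted in the post above; the function names are hypothetical, and comparing SPNs case-insensitively is an assumption.

```powershell
# Added example. The listing is the one quoted in the thread ('domain.local'
# is the placeholder domain used there).
$listing = @'
Registered ServicePrincipalNames for CN=WebDLL,OU=SalesLogix,OU=ApplicationSecurity,DC=domain,DC=local:
        HTTP/step1SLXWeb01
        HTTP/step1SLXWeb01.domain.local
        http/Step1SLXWeb
        http/Step1SLXWeb.starnet.local
'@

function Get-RegisteredSpn {
    param([string]$SetSpnOutput)
    # Keep only the indented "class/host" entries; the header line contains
    # spaces and is dropped by the pattern.
    $SetSpnOutput -split "`r?`n" |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[^\s/:]+/[^\s/]+$' }
}

function Test-HttpSpn {
    param(
        [string[]]$Spn,     # output of Get-RegisteredSpn
        [string]$HostName,  # short machine name
        [string]$Fqdn       # name shown in the browser's login prompt
    )
    # Both the short name and the fully qualified name need an HTTP SPN.
    # -contains, -like and -ne compare case-insensitively (assumption: SPNs
    # are matched without regard to case).
    foreach ($wanted in "HTTP/$HostName", "HTTP/$Fqdn") {
        $status = if ($Spn -contains $wanted) { 'registered' } else { 'MISSING' }
        [pscustomobject]@{ Spn = $wanted; Status = $status }
    }
    # Same host registered under a different DNS suffix than the one in use.
    $Spn | Where-Object { $_ -like "HTTP/$HostName.*" -and $_ -ne "HTTP/$Fqdn" } |
        ForEach-Object { [pscustomobject]@{ Spn = $_; Status = 'other DNS suffix' } }
}

$spns = Get-RegisteredSpn $listing
# Prompt name matches what is registered.
Test-HttpSpn -Spn $spns -HostName 'step1slxweb01' -Fqdn 'step1slxweb01.domain.local'
# Prompt name uses .com while only .local is registered.
Test-HttpSpn -Spn $spns -HostName 'step1slxweb01' -Fqdn 'step1slxweb01.domain.com'
```

On a live system, pass `(setspn -L domain\webdll | Out-String)` in place of `$listing`.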

 

 

Bronze Super Contributor
Posts: 152
Registered: ‎02-01-2011

Re: SLX Mobile (2011) Windows Authentication

[ Edited ]

Your SPNs look correct to me.

 

Do you go to a browser other than IE (coz it's not supported), type in http://ipaddress:3333/slxmobile and get the standard SLX Mobile 2011 login screen and then type in the AD credentials?

 

Yes. You have to include the domain i.e. domain\user

 

Would you by any chance be able to upload the 2003 document instead? Done a search and I can't find it.

 

I copied the info from Administrator help, but I only did the 2008 section. You should be able to find the relevant information in Administrator help, search for "Windows Authentication."

 

2011-08-04 12:43:56,034 [1] ERROR Sage.SalesLogix.Web.SLXWebBasicAuthenticationModule - Unable to authenticate user 'domain\username'.

 

Sounds like you didn't update the web.config for sdata. You must remove the SLXWebBasicAuthenticationModule and add the SLXWebWindowsAuthenticationModule. Details can be found in the help.

 

can you direct me to the Windows Authentication setting for IntelliSync?

 

Taken from the "What's new in 7.5.4" slides. You'll need to update the client on each desktop:

 


Andy Freeman
TrellisPoint, LLC
New Member
Posts: 8
Registered: ‎06-20-2011

Re: SLX Mobile (2011) Windows Authentication

All working! You were correct in updating the web.config file in the SData folder! I think I may have mucked around with the web.config file in the SLXMobile folder instead but I reverted that back to the original file before I updated the web.config file in the SData folder! Thank you so much for your assistance greensweater!

 

Next job is to tackle the IntelliSync Windows Authentication now (we don't use the Desktop Manager so I need to look at it from scratch) - that is probably for another post!

 

Cheers!

New Member
Posts: 8
Registered: ‎06-20-2011

Re: SLX Mobile (2011) Windows Authentication

Hi all,

 

I have been working to get this authorised in our production environment but I am having difficulties.

 

As we know, the SLX Mobile server needs to have access to the domain for Windows Authentication.

 

I have discussed with our other departments and there seems to be a few different options.

 

1) Federation Services - I don't know much but apparently this is a transparent service available whereby the servers in the DMZ zone can utilise allowing a secure method for windows authentication requests to be sent through the firewall. Apparently SLX Mobile authentication may not support this.

 

2) The SLX Mobile 2011 server is installed in the DMZ and holes are punched into the firewall to the domain controller. This was frowned upon as I was told it wasn't the way to go ... AD was meant to be for internal purposes rather than external purposes. At least with this option, if the server was hacked, it will not pose too much of a threat as option 3 would.

 

3) The SLX Mobile 2011 server is installed internally behind the firewall and holes are punched through the firewall so it can be accessed directly from the outside world. This was the least recommended setup with the reason being that if a hacker was to gain control of this server, they have direct access to internal servers.

 

Now I don't really have much documentation from Sage or their business providers about the setup ... just how to install a Web Server and then how to deploy the bundle using Application Architect ... much of the help has actually come from everyone else on the forums. Can either a rep from Sage advise me whether there is some documentation relating to suggested/recommended setup of this server if it has to utilise Windows Authentication? Or is there a member of the forums that could propose a solution or what they could recommend and then justify why out of the 3 options, they have decided to choose the 1?

 

Thanks once again in advance!

New Member
Posts: 6
Registered: ‎03-02-2011

Re: SLX Mobile (2011) Windows Authentication

Do you mean the intelli-sync client or the desktop integration?

 

If the first, where is the setting?


Cheers Eddie