Can't single-sign on to NetStorage through iChain

(Last modified: 24Jan2005)

This document (10071930) is provided subject to the disclaimer at the end of this document.

fact

iChain 2.1

iChain 2.2

iChain 2.3

symptom

Can't single-sign on to NetStorage through iChain

cause

NetStorage uses XTier authentication, which currently does not accept the standard single sign-on techniques (auth header, query string, etc.). For SSO, XTier authentication originally required not only a username and password but also a locally stored cookie. The first time a user hits NetStorage they are prompted to log in; a Set-Cookie then stores the local cookie, and the browser sends it on all subsequent logins. For iChain SSO to work, use NetWare 6.5 SP3 and enable "cookieless" authentication.

fix

For Single Sign On to work, use NetWare 6.5 SP3 and configure "cookieless" XTier (middle-tier) authentication as follows:

1) Using NSADMIN (http://server/oneNet/nsadmin), the first screen that comes up is the general options for the middle tier. One of the options on this page is "cookieless". The default value is 0 (off). Change this to 1 and restart the server.

2) In the iChain admin GUI, check the box to forward authentication information to the Web server on the Authentication Options button for the NetStorage accelerator, enable OLAC on the Access Control tab, and then configure OLAC on the NetStorage protected resource to send the CN rather than the DN in the basic auth header. (Add ICHAIN_UID - LDAP - CN in the OLAC configuration.)

Prior to NetWare 6.5 SP3, check the two configuration items immediately following, and then use one of the workarounds below:

1) Make sure that the XTier cookie is set to persistent in the NetStorage configuration.

2) Make sure that iChain has not been configured to strip cookies.
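To verify the two items this document keeps returning to (whether the basic auth header iChain forwards carries a bare CN or a full DN, as in fix step 2 above, and whether the XTier cookie is persistent, as in check 1 above), here is an added Python check. It is not Novell's code and is not from this document; the cookie names, user and password in it are constructed samples.

```python
import base64
import re

# Added example (not Novell's code): decode the Basic auth header that iChain
# forwards and report whether the user part is a full LDAP DN (cn=...,ou=...)
# or a bare CN; then check whether Set-Cookie headers make a cookie persistent.

DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=")  # attribute=value prefix, e.g. cn=

def classify_basic_auth(header_value):
    """Return {'user': ..., 'form': 'DN' or 'CN'} for a 'Basic <base64>' value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authentication header")
    decoded = base64.b64decode(blob).decode("utf-8")
    user, _, _password = decoded.partition(":")  # password is not inspected
    form = "DN" if DN_RE.match(user) else "CN"
    return {"user": user, "form": form}

def cookie_is_persistent(set_cookie_value):
    """A cookie survives a browser restart only if it has Expires or Max-Age."""
    attrs = [a.strip().lower() for a in set_cookie_value.split(";")[1:]]
    return any(a.startswith(("expires=", "max-age=")) for a in attrs)

def audit_cookies(header_lines):
    """Map each Set-Cookie name in a raw response header list to True if persistent."""
    result = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        cookie_name = value.split(";")[0].split("=")[0].strip()
        result[cookie_name] = cookie_is_persistent(value)
    return result

# Constructed sample input (not captured from a real server): one session
# cookie, one persistent cookie, and two forwarded credentials.
SAMPLE_RESPONSE = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: SESSIONCOOKIE=abc123; Path=/",
    "Set-Cookie: PERSISTCOOKIE=def456; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT",
]
SAMPLE_AUTH_DN = "Basic " + base64.b64encode(b"cn=jdoe,ou=users,o=acme:secret").decode()
SAMPLE_AUTH_CN = "Basic " + base64.b64encode(b"jdoe:secret").decode()

if __name__ == "__main__":
    print(classify_basic_auth(SAMPLE_AUTH_DN))  # form DN: OLAC is sending the DN
    print(classify_basic_auth(SAMPLE_AUTH_CN))  # form CN: what cookieless XTier expects
    print(audit_cookies(SAMPLE_RESPONSE))       # SESSIONCOOKIE is not persistent
```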

Workaround 1:  Use Custom Servlet  (Old Method)

Novell IS&T wrote a servlet that allows single sign-on to NetStorage. The servlet can be downloaded from the Novell Forge developer site: NetStorage.zip.

Please note that this servlet is being provided with the source code and is NOT supported by Novell Technical Support.  Additionally, as is, the servlet will only work with JVM 1.3.x and Tomcat 3.3.

IChain Configuration:

1) Launch the iChain browser-based admin utility and choose the Configure option.

2) Choose Authentication and highlight the Authentication Profile.

3) Modify the profile and, under LDAP options, check that you are using the distinguished name on the profile.

4) Modify the NetStorage Accelerator configuration.

5) Choose Authentication options and check "Forward Authentication Information to Webserver". Make sure the service profile used is the same LDAP profile configured to send the distinguished name.

NetStorage ICSLogin Configuration:

1) Make sure that the XTier cookie is set to persistent in the NetStorage configuration. Use NSAdmin and verify that the persistent cookie setting is not set to 0.

2) Make sure that iChain has not been configured to strip cookies.

3) Copy the class file into the "sys:webapps/NetStorage/Web-inf/classes" directory on the NetStorage server. It can now be accessed using the following URL: "http://mynetstorageserver/NetStorage/servlet/ICSLogin".

4) Add the following setting to the sys:webapps/NetStorage/Web-inf/classes/Settings.properties file:

     ICSBypassAddr=DNS name or IP Address of Netstorage box

     The file should already contain:

     ServerProtocol = http://
     ServerPort = 80 (or whatever port NetStorage is accessed on)
     ServerName = DNS name or address of server

 

5) Restart the Tomcat servlet engine and the Apache Web server on the NetStorage server:

     java -exit
     nvxadmdn
     (pause here and let everything unload; give it a minute)
     tomcat33
     nvxadmup

NPS Shortcut Gadget Configuration:

1) Log in to your portal as a Portal Administrator. (http://<DNSname-or-IPaddress>/nps)

2) Select 'Administer the Portal'.

3) Select 'Pages'.

4) Select the 'Create' button and create a new Page with the name "NetStorage", then select the 'Create' button to properly create the page.

5) Select the 'Edit' button, then select the 'Add' button to add a new gadget to your NetStorage page.

6) From the 'Select Gadget' option, choose the Shortcuts gadget and click the 'Add' button.

7) Under the 'Display Name' field, enter the name you want this particular gadget to be known as (e.g. NetStorage).

8) Select the 'Edit' button to start the Shortcut Gadget Wizard.

9) Select 'Add Web Link' and enter the URL to the ICSLogin class file, e.g. http://mynetstorageserver/NetStorage/servlet/ICSLogin

10) Choose 'Next' until the Website Options and Window Features display.

11) Select 'Save Changes' and then 'Finish' to save the configuration made in the gadget configuration wizard.

12) Select 'Continue' to save the gadget settings and 'Save' to save the page settings.

13) Assign the Shortcuts page to a user, group, portal group, dynamic group (if using eDir 8.61 or later) or container, then close the assignment page.


Workaround 2:  Use iChain 2.3's built-in xTier Authentication functionality. 

*Requires that the NetIdentity client be installed on the workstation accessing iChain.  See iChain 2.3 Admin Documentation for details.

Workaround 3:  Use the NetStorage Gadget that ships with NetWare 6.0 WebAccess or NetWare 6.5 Virtual Office. 

The gadget can also be placed on NPS 1.5.  See details below for NPS 1.5 configuration issues.

Issues with NetStorage Gadget on NPS 1.5


Our test platform is as follows:

Portal Server:
   NetWare 6.0 Support Pack 2 overlay CD
   Installed products:
      Apache (default from overlay)
      Tomcat (default from overlay)
      WebAccess (to ensure that the original NetStorage gadget was present)
      NetStorage (default from overlay)
      NPS 1.5
      NPS 1.5 Support Pack 1 (this must be installed from the portal server itself)

NetStorage Server:
   NetWare 6.0 Support Pack 2 overlay CD
   Installed products:
      Apache (default from overlay)
      Tomcat (default from overlay; not used for NetStorage, but was installed)
      WebAccess
      NetStorage

These servers were installed into a single-tree environment with the Portal Server holding the master of root and the NetStorage Server holding a Read-Write replica of root. (The portal server does NOT need to be the master of root, but the other replica is important; see gotcha 5 below.)


The gotchas:


  1. NPS 1.5 is currently in maintenance phase, and Novell product support for it will be discontinued at the end of the year. It may be in the customer's best interest to consider DEX 4.1 or exteNd Director Enterprise 5.0. The NetStorage gadget is available in DEX, and from what we've heard a NetStorage portlet exists for exteNd Director Enterprise 5.0. If you decide to implement anything other than NPS 1.5, I would also recommend upgrading the server OS.

  2. In order for this solution to work, both the NPS1.5 and the NetStorage server MUST exist in the same tree. The NetStorage gadget has NEVER been tested working across trees, and is NOT supported.

  3. The NetStorage gadget from NetWare WebAccess gets pulled into NPS1.5 when it is installed. This gadget however, must be upgraded to the one found in NSTORE8.EXE, which may be found at: https://support.novell.com/ICSLogin/?"http://support.novell.com/servlet/downloadfile?file=/uns/ftf/nstore8.exe/". Carefully follow the install instructions for this gadget as some of the files will be used for the NPS1.5 server, and some will be installed onto the NetStorage Server.

  4. If NetWare 6.0 is used, the NetStorage pieces will NOT work with Support Pack 4, because the applets are broken. You will either need to stay at SP3 or wait until SP5 ships.

  5. In order for contextless login to work for NetStorage (this IS a requirement for using the NetStorage Gadget), the NetStorage server MUST contain a replica of the partition holding the user objects.

  6. In order for contextless login to work for NetStorage, the context or contexts holding the user objects must be added to the NetStorage Authentication Domain through NSADMIN (note: Any changes done through NSADMIN on NW6.0 require a server reboot to become active).

  7. Due to a couple of factors that come into play, between the handling of cookies, and having part of your portal page being built from a server other than the Portal server, it may be necessary to modify the “Privacy” settings within Internet Explorer, and set them to a lower level than the defaults.



iChain Configuration:


iChain 2.3 with two accelerators:
   one for NPS 1.5
   one for the NetStorage Server


Notes: Make sure that the Alternate Host Name is the DNS name of the origin server. Make sure that you put the IP address of the origin server in the Web Server Addresses field.


Check the box to forward authentication information to Web Server on the Authentication Options button for each accelerator, and configure OLAC on the protected resource to include ICHAIN_UID  -  LDAP  -  CN.


Also, add the DNS name of the NetStorage server to the PIN list and specify it as type "bypass". Otherwise, you will not be able to see changes to the directories as you upload, download or delete files.


disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

  • Document ID: 10071930
  • Solution ID: NOVL80503
  • Creation Date: 14Jun2002
  • Modified Date: 24Jan2005