Davin,

You gave me some ideas, although I still haven't resolved the issue.

Currently, we are authenticating against AD for the username and passwords. We have multiple ways people can log into the system, and we want the User Tool to allow people to authenticate with their domain password, while the Mid Tier will automatically log in based on their domain credentials with SSO. Also, by not using the "Cross-reference blank password" option, I get ARERROR 623 and the AuthString value still gets passed. When I have it enabled, I get the 8908 message and the authstring is passed.

I might take some of the other suggestions that other people have given as far as seeing examples of other JSP pages that do authentication. I'm not sure if I'm having this much difficulty because of something in my environment or if I am too dense at the moment. It's probably a combination of the two, so thanks for your help. If you have any other ideas I'll be glad to try them out.

Thanks,

Shawn Pierson

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Davin Lindner-Green
Sent: Tuesday, April 29, 2008 1:17 PM
To: [email protected]
Subject: Re: IIS remoteuser for Single-Sign On

Jiri, is another term for the token an NTLM hash? Just curious.

Shawn, unless I have this wrong, in the context of Remedy authentication, I believe what you are getting from your SSO in the AuthString parameter would correspond to the 4th field on the OOB login screen ("Authentication"). Typically this is unused, except in cases where it might be needed to specify a domain or other information when configuring AREA LDAP login. In the AREA LDAP Configuration form, the contents of AuthString can be passed into the LDAP search base using the syntax $\AUTHSTRING$, for example. I don't know why you have data there, but you can probably ignore it.

In your case, how is authentication supposed to be handled on the server?
In the context of Midtier using IWA, normally you would not then go to the AD/LDAP server, because a valid IWA login is implicitly trusted, so instead you would simply connect the user using a server side AREA plugin.

When you ran plugin logging did you see the failed authentication attempt there? Does that shed any light?

Hope that helps,

Davin

