Symantec Management Platform (SMP) Community


Enabling Pass Through AD Authentication for Workflow 7.1 

May 25, 2011 12:13 PM

I recently had to build a new Workflow 7.1 server and realized that the past KB articles didn't address product changes and the new requirements of Windows 2008 R2. 

*Updated on Jun 10th, 2011 to reflect new findings on remote SQL*

My goal was to enable Active Directory pass through authentication for a WF 7.1 Process Manager portal running on a Windows 2008 R2 server.  The SQL server hosting the Process Manager database was off-box.

Here's a simple illustration of the lab used in this article:

 

Preparation

Prior to starting the Workflow install,  I did the following:

  1. *UPDATE* If you install the current version of SMP (7.1.6851), then SP1 for Windows 2008 R2 is now supported
  2. Make sure that both the Workflow Server and the SQL server are joined to the domain
  3. Create a standard domain user account, otherwise known as a Service Account.  I used wfservice for this article.
  4. Access the WF server console:
  5. Add the domain service account to the Local Administrators group on the WF server (may not be a necessary step)
  6. Run this using an elevated command prompt to install all required server components:
    ServerManagerCmd.exe -install Web-WebServer AS-Web-Support Web-Mgmt-Compat Web-Asp-Net NET-HTTP-Activation NET-Non-HTTP-Activ
  7. Install SQL native client (sqlncli_x64.msi)
  8. Install Microsoft SQL Server Management Objects Collection (SQLServer2005_XMO_x64.msi)
  9. Open Server Manager > Roles > Web Server (IIS) > Internet Information Services (IIS) Manager > servername > Application Pools
  10. Right-click DefaultAppPool > Advanced Settings
  11. Set Managed Pipeline Mode to Classic
  12. Set Identity > Custom account to the domain service account
    App Pool 7.5 with Service Account
     
  13. Access the SQL Server's console:
  14. SQL Studio > Connect to the SQL server
  15. Create new Login
            * Login name = domain service account
            * Server Roles = public, sysadmin
            * Note:  After installation is complete, you can safely remove the sysadmin role, and instead grant the DBO role on the ProcessManager database
     
  16. Using a domain admin account (or an account with local admin on server, and SA SQL equivalent), run the Symantec.Workflow.Setup.exe on the server.  Based upon prior installation guides, don't use the service account to install. Choose the following setup wizard options:
        a. New Install
        b. Check "Show Advanced Settings During Installation" *NEW*
        c. Check all server roles
        d. On the Database Connection page, use remote SQL connection info and Windows Integrated Security.  Rename the database to include a reference to the server (avoids collisions if you need to put multiple PM databases on the same server)
        e. Ignore the "Install Replication Database" and "Advanced Cube" step (and the subsequent analysis services warning on the config verification page). *NEW*
        f. On the System Accounts Access page, add a new entry for your service account. UNCHECK all the other accounts; they aren't applicable for off-box SQL (they are local accounts) and frequently cause timeouts or failures during the SQL configuration step. *NEW*

          
         
          For reference, in most large environments it's rare to have IIS installed on your shared/dedicated SQL server, so it's impossible for these accounts to be valid. I didn't catch this in my original article because I was using a lab VM which already had SQL/IIS/SMP installed as my remote SQL server.

       g. On the Process Manager authentication page,  use native mode.  Do NOT set to Active Directory during the install as there appears to be a bug in the installer.
       h. Keep defaults for Workflow persistence (SQL, Use PM settings)
       i. Finish the wizard and start the install. 
       j. After installation is complete, the installer will probably crash when you close it (harmless)
     
  17. After install, verify Process Manager is working by logging in as the administrator
  18. ProcessManager > Admin > Portal Master Settings > Process Manager Active Directory Settings
            a. Check Active Directory Authentication
            b. Click Save at the very bottom of the window
     
  19. Admin > AD Servers
            1. Orange Arrow > Add AD Server
            2. First line is the NetBIOS name of the domain (mydomain)
            3. Second line is the AD name of the domain (mydomain.com)
            4. Third and fourth lines are AD credentials (the documentation suggests using a domain admin, but it's probably overkill)
            5. Check auto create users on login (this avoids the need to wait for AD sync to happen for new AD accounts)
            6. Check All Users group for the default group (this puts each AD authorized user into the portal group "All Users")
            7. Sync Entire Domain or pick all containers that have relevant users and groups
            8. Click Save
            9. Orange Arrow  > Run AD Sync Process

     
  20. Testing:
        a. Logout of portal
        b. Close browser
        c. Open Process Manager again. You should auto-login, but your account is just a basic Portal user
        d. Verify your AD principal name is displayed at the top of the portal page (administrator@symepm.local)
        e. Click on the Submit Request and verify the page loads without challenging you for credentials.
     
  21. Final steps:
        a. Logout of portal
        b. Login as admin@logicbase.com
        c. Admin > Users
        d. Orange Arrow on your AD account > Manage Groups
        e. Select Group to Add > Administrators > Click Add > Close window
        f. Logout and close browser window
        g. Open a PM window.  It should login as your AD account, and you will have Admin rights to the portal
        h. Consider downgrading the service account rights on the SQL server as discussed previously

     
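The preparation and post-install steps above are all driven through the GUI and ServerManagerCmd. The following PowerShell script is an added example, not code from the original article or from Symantec, that performs the same Windows-side steps (6 and 10-12), creates the SQL login for the installer (step 15) and then applies the privilege reduction the article recommends (step 15 note and step 21h), reading back what IIS and SQL actually stored instead of trusting the dialogs. It uses the ServerManager and WebAdministration modules that ship with Windows 2008 R2 and plain System.Data.SqlClient with Integrated Security (the same authentication path the installer and portal use). The domain MYDOMAIN, SQL host SQL01 and database name ProcessManager_WF01 are assumed placeholders; wfservice is the article's own service account name.

```powershell
# Added example (not from the article or Symantec). Assumed names: MYDOMAIN,
# SQL01, ProcessManager_WF01. Run elevated on the WF server as a domain admin
# (step 16 says not to install as the service account).
$Domain     = 'MYDOMAIN'
$SvcAccount = "$Domain\wfservice"
$SqlServer  = 'SQL01'
$PmDatabase = 'ProcessManager_WF01'

# Step 6: same feature list as the ServerManagerCmd line.
function Install-WfPrereqs {
    Import-Module ServerManager
    $features = @('Web-WebServer', 'AS-Web-Support', 'Web-Mgmt-Compat', 'Web-Asp-Net',
                  'NET-HTTP-Activation', 'NET-Non-HTTP-Activ')
    Add-WindowsFeature $features | Out-Null
}

# Steps 10-12: DefaultAppPool in Classic pipeline mode, running as the service account.
function Set-WfAppPool {
    param([System.Security.SecureString]$Password)
    Import-Module WebAdministration
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        Set-ItemProperty 'IIS:\AppPools\DefaultAppPool' -Name managedPipelineMode -Value 'Classic'
        Set-ItemProperty 'IIS:\AppPools\DefaultAppPool' -Name processModel -Value @{
            identityType = 'SpecificUser'
            userName     = $SvcAccount
            password     = $plain
        }
    } finally {
        # Do not leave the clear-text password in memory longer than needed.
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        Remove-Variable plain -ErrorAction SilentlyContinue
    }
}

# Read back the stored app pool settings; throws if they differ from steps 11-12.
function Test-WfAppPool {
    Import-Module WebAdministration
    $pool = Get-Item 'IIS:\AppPools\DefaultAppPool'
    $ok = ($pool.managedPipelineMode -eq 'Classic') -and
          ($pool.processModel.identityType -eq 'SpecificUser') -and
          ($pool.processModel.userName -eq $SvcAccount)
    if (-not $ok) {
        throw "DefaultAppPool mismatch: mode=$($pool.managedPipelineMode) user=$($pool.processModel.userName)"
    }
    $ok
}

# Runs T-SQL on the remote server with the caller's Windows credentials.
function Invoke-WfSql {
    param([string]$Sql, [switch]$Scalar)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$SqlServer;Database=master;Integrated Security=SSPI")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        if ($Scalar) { $cmd.ExecuteScalar() } else { $cmd.ExecuteNonQuery() | Out-Null }
    } finally { $conn.Close() }
}

# Step 15: login with sysadmin, needed only while the installer creates the database.
function Grant-WfInstallLogin {
    Invoke-WfSql @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$SvcAccount')
    CREATE LOGIN [$SvcAccount] FROM WINDOWS;
EXEC sp_addsrvrolemember N'$SvcAccount', N'sysadmin';
"@
}

# Step 15 note / step 21h: after the install, drop sysadmin and keep only
# db_owner on the Process Manager database.
function Set-WfLeastPrivilege {
    Invoke-WfSql @"
EXEC sp_dropsrvrolemember N'$SvcAccount', N'sysadmin';
USE [$PmDatabase];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$SvcAccount')
    CREATE USER [$SvcAccount] FOR LOGIN [$SvcAccount];
EXEC sp_addrolemember N'db_owner', N'$SvcAccount';
"@
}

# $true once the service account is no longer a member of sysadmin.
function Test-WfLeastPrivilege {
    $r = Invoke-WfSql -Scalar "SELECT ISNULL(IS_SRVROLEMEMBER('sysadmin', N'$SvcAccount'), 0)"
    ([int]$r) -eq 0
}

# Before running Symantec.Workflow.Setup.exe:
Install-WfPrereqs
Set-WfAppPool -Password (Read-Host "Password for $SvcAccount" -AsSecureString)
Test-WfAppPool
Grant-WfInstallLogin
# After the install and the step 20 login test:
#   Set-WfLeastPrivilege; Test-WfLeastPrivilege
```

The login creation and the role change are split into separate functions on purpose: sysadmin is only justified for the few minutes the installer needs to create the database, and Test-WfLeastPrivilege gives a one-line check to run after step 21h to confirm the demotion actually took effect on the SQL server.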

Unnecessary Configuration Steps

I used a vanilla installation of Windows 2008 R2.  I suspect that some of the existing KB articles may include steps that are only necessary when using an altered installation of the OS or enhanced security restrictions (Kerberos) enforced by Active Directory.  With that in mind, here is a list of steps that either provided no value, or broke a functioning implementation for this article:

  • Disabling UAC
  • Disabling Windows Firewall
  • Modifying authentication modes on the root IIS virtual directory for the ProcessManager site
  • Modifying authentication modes on the WindowsAuthentication.aspx page
  • Using SetSPN.exe
  • Modifying the Classic .NET App pool in any way (Install uses the DefaultAppPool)
  • Adding the Service Account to the local IIS_WPG user group (not relevant for Windows 2008)
  • Manually setting service account in AD to be trusted for delegation (probably already being set if you follow the provided steps above)

This is the default (working) authentication setting for the root ProcessManager virtual directory:

Authentication Settings


Comments

May 16, 2012 09:53 PM

Thank you, thank you, thank you. I spent 3 days trying to figure this out. Worked like a champ. And for anyone else that's new, the default password for admin@logicbase.com is "admin".

Sep 14, 2011 08:02 AM

Hi. When setting up AD sync did you use the pre-2k domain name? Also, was AD sync successful?

Sep 07, 2011 11:17 AM

I've used this article for the general setup/installation which worked great, however, I've been attempting to get the AD auth pass-through working and it doesn't seem to work. I get the "Active Directory Authentication in Progress", then get dumped to the login page.

I can login with my test account successfully as a normal user, just unable to get automatic pass-through to take.

Steps I've taken:

1. Process Manager Active-Directory Settings > Active-Directory Authentication selected.

2. DefaultAppPool Managed Pipeline Mode set to "Classic" / Identity configured as domain service account.

3. Added AD server to ServiceDesk > Ran AD sync and imported users.

4. Configured ServiceDesk URL as a site in the Intranet Zone in IE.

 

If there is something I am missing, please let me know. I'd really like to get this working in IE and rollout a GPO to make the configuration changes as necessary to the end-user systems.

Sep 02, 2011 04:07 PM

Great article. Thanks for putting this together. I ran into almost all the same snags, and the information presented here is spot on.

The WF installer needs some TLC from Symantec, as it does not have any built in intelligence for off-box SQL installation. And, there is very little information provided in the "implementation guide".

This is the kind of stuff that should be included in an implementation guide... Actual implementation processes..

 

Thanks again!

Jun 13, 2011 05:17 PM

Updated to reflect SMP support for Windows 2008 R2 SP1

Jun 10, 2011 09:18 PM

I discovered some additional bugs in the WF installation wizard when using a remote SQL server.  I now recommend using the Advanced install option, ignoring the subsequent replication and cubing steps, and most importantly, turn off attempts by the wizard to grant permissions to local-only IIS related accounts that don't exist on a remote SQL server.

All new entries are marked with *NEW*

May 25, 2011 04:44 PM

It won't work.  Just use Scott's guide and setup the AD Server connection after the fact.

May 25, 2011 04:00 PM

There's a SD upgrade article that recommends against using AD authentication mode during the install here:  http://www.symantec.com/docs/HOWTO49691

I can tell that a prior WF 7.1 installation attempt of mine failed with a SQL related error when I tried to install with AD auth mode enabled.  I don't have any information beyond that, just an educated guess.

May 25, 2011 02:47 PM

Is #16 sub step D documented somewhere? I'm running into a DB creation issue and I'm going through the installer now without the AD setup during the installer. Will report back.

May 25, 2011 02:43 PM

I had to reinstall Workflow 7.1 several times trying to piece together the 7.0 MP2 Passthrough Article with other tips from the forums and learned the hard way some of the points above such as DON'T change admin@logicbase.com, DON'T mess with authentication, and DON'T mess with Active Directory Integration at install.  This guide is essential for anyone new to workflow 7.1's installation.  Two thumbs up sir!
