This discussion is archived
15 Replies. Latest reply: Oct 30, 2013 9:11 AM by JasonP-CAG

System Account tied to RSO

1005034 Newbie
Is it ok to change the configuration for system accounts to use an alternative user? In most cases, this would be prodikaadmin. While testing Reduced Sign-On, the prodikaadmin account cannot be used to log in to the UI (since it's not currently set up in Active Directory) and is causing other issues based on what was configured in the Setup Assistant tool. Would adding prodikaadmin to an Active Directory group resolve this? Or what is the recommended process?

Thanks!
  • 1. Re: System Account tied to RSO
    Ron M Pro
    Are you using an LDAP authentication strategy (specified in EnvironmentSettings.config)? If so, there are a couple of options, though clients may have other suggestions.
    1. You could add the prodikaadmin user to your Active Directory group.
    2. You could use the CompositeAuthenticationStrategy, which allows you to set up multiple strategies - one for LDAP users and the other for PLM4P users. This would basically try to authenticate to LDAP and failing that, would then try to authenticate to the PLM4P app.
  • 2. Re: System Account tied to RSO
    JasonP-CAG Newbie
    I had a similar question. I have set up both Prodika and LDAP and validated that this worked correctly to sign in; however, I am unable to set up new users and get the following error on the server.

    Unable to cast object of type 'Xeno.Prodika.Services.AuthenticationBridgeService.CompositeAuthenticationStrategy' to type 'Xeno.Prodika.Services.AuthenticationBridgeService.IAuthenticationStrategyAdmin'.

    I have been unable to locate any config within the environmentalvariables or environmentalsettings that talks about the composite settings.
  • 3. Re: System Account tied to RSO
    Ron M Pro
    This bug is fixed in hotfix 6.1.1.0.11. It is a new CompositeAuthenticationStrategy that handles this.
  • 4. Re: System Account tied to RSO
    JasonP-CAG Newbie
    Ron, thank you for the information. Is there a scheduled release date for the patch 6.1.1.0.11? Thanks.
  • 5. Re: System Account tied to RSO
    Matt J Journeyer
    It released a few minutes ago. If you don't see it now, give it 30 minutes.

    Thank you,

    -M
  • 6. Re: System Account tied to RSO
    JasonP-CAG Newbie
    Thank you Matt, we applied the patch and it resolved the issue with RSO.

    Thanks,
    Jason
  • 7. Re: System Account tied to RSO
    JasonP-CAG Newbie
    Matt,

    We have not been able to successfully apply the patch. The question we have is: from the files provided, LDAPAuthenticationStrategyFactory.cs and LDAPAuthenticationStrategy.cs, do we need to generate our own LDAPIntegrationLib.dll file? If this is the case, are there instructions on how to create the .dll file? Please let me know if this is incorrect.

    Thanks,
    Jason
  • 8. Re: System Account tied to RSO
    Ron M Pro
    The Extensibility Pack has a reference LDAP Authentication Strategy (and factory class) that you could take as a sample, modify what is needed, compile and then deploy it.
    See ReferenceImplementations\LDAPIntegration
  • 9. Re: System Account tied to RSO
    JasonP-CAG Newbie
    Are there instructions on how to compile the files into a .DLL file? We do not have Visual Basic on our application server. When our web development team tries to compile the file on another computer with Visual Basic, it looks for reference files that are not in the files provided. Is it possible to provide the compiled .DLL file as part of the patch, or provide additional instructions on how to compile the file not on the application server directly?
  • 10. Re: System Account tied to RSO
    Ron M Pro
    The Visual Studio project, ReferenceLDAPIntegration, in the ExtensibilityPack is a C# project, not a VB project. But either way, you should be able to compile the project using the .dll assemblies indicated in the References section/folder by re-adding them from your PLM4P/SharedLibs folder. I believe you need to have CoreAppPlatform.dll, GeneralServices.dll, and ProdikaCommon.dll, along with the other System... .NET assemblies provided by Microsoft.

    Remember that the code provided is a reference implementation, and may need to be customized to suit your specific LDAP requirements.

    Once you have it compiled, you will need to add the following (customized as needed, of course) to the EnvironmentSettings.config, as described in the Hotfix 6.1.1.0.11 readme file.
    <AuthenticationStrategy id="LDAP" factory="Your.Namespace.LDAPAuthenticationStrategyFactory,YourDLL" ldapServer="LDAP://YOUR_LDAP_SERVER:389" userDomain="??" />
    and then push your custom dll into all of the web application bin directories

    The reference ldap authentication factory class, LDAPAuthenticationStrategyFactory, reads the XML attributes, looking for the ldapServer and userDomain attributes, and then passes that data to the LDAPAuthenticationStrategy, which then uses these entries as part of the LDAP authentication process.
  • 11. Re: System Account tied to RSO
    JasonP-CAG Newbie

    I'm having a hard time getting the structure correct for CompositeAuthenticationStrategy. I am able to set up LDAP authentication similar to below and it works correctly:

    <Services>
        <AuthenticationService configChildKey="name">
            <envvar name="UseTrustBridge" value="true" configAttributeOverrideBehavior="Replace"/>
            <envvar name="AuthenticationStrategy" value="LDAP" configAttributeOverrideModifier="IsLocked"/>
            <envvar name="AuthenticationStrategies">
                <AuthenticationStrategy id="LDAP" factory="Class:Oracle.Agile.PLMforProcess.Reference.LDAPIntegration.LDAPAuthenticationStrategyFactory, ReferenceLDAPIntegration"
                    ldapServer="LDAP Server"
                    userDomain="Domain" />
            </envvar>
        </AuthenticationService>

    However, how do I set up LDAP authentication but then, if that check fails, authenticate against PLM4P?

    <envvar name="AuthenticationStrategy" value="PLM4PAndLdap" configAttributeOverrideBehavior="Replace"/>
    <envvar name="AuthenticationStrategies" configChildKey="id" handler="Class:Xeno.Prodika.Services.AuthenticationBridgeService.AuthenticationStrategiesContextItemHandlerFactory,GeneralServices">
        <AuthenticationStrategy id="Prodika"
            factory="Class:Xeno.Prodika.Services.AuthenticationBridgeService.ProdikaAuthenticationStrategyFactory,GeneralServices"
            useRawAuthentication="false" />
        <AuthenticationStrategy id="LDAP" factory="Class:Oracle.Agile.PLMforProcess.Reference.LDAPIntegration.LDAPAuthenticationStrategyFactory, ReferenceLDAPIntegration"
            ldapServer="LDAP Server"
            userDomain="Domain" />
        <AuthenticationStrategy id="PLM4PAndLdap"
            factory="Class:Xeno.Prodika.Services.AuthenticationBridgeService.CompositeAuthenticationAdminStrategyFactory,PLM4PAuthenticationUtilHotfix"
            allMustPass="false">
            <IncludedStrategy id="LDAP" />
            <IncludedStrategy id="Prodika" />
        </AuthenticationStrategy>
    </envvar>

  • 12. Re: System Account tied to RSO
    Ron M Pro

    Can you describe what issue you are seeing? Can you include the error?
    I am assuming you have the hotfix code deployed - is that right?

  • 13. Re: System Account tied to RSO
    JasonP-CAG Newbie

    Ron,

    In our Dev environment we have prodika authentication with no RSO LDAP integration. However, we have RSO LDAP integration turned on in Prod. When we create new users in Dev and then import to Prod I get the following error. It prompts the user to change their pwd and then gives the following error. It should not be prompting them to change their pwd; it should be validating against LDAP authentication.

    Exception information:
    Exception type: InvalidCastException
    Exception message: Unable to cast object of type 'Oracle.Agile.PLMforProcess.Reference.LDAPIntegration.LDAPAuthenticationStrategy' to type 'Xeno.Prodika.Services.AuthenticationBridgeService.IAuthenticationStrategyAdmin'.

    Is impersonating: False

    Stack trace: at Xeno.Prodika.Services.Authentication.AuthenticationService.GetVerificationPassword(String userID, String pwd)
    at Xeno.Web.UI.Common.Expired.get_isOldPwdValid()
    at Xeno.Web.UI.Common.Expired.Page_Load(Object sender, EventArgs e)
    at System.Web.UI.Control.OnLoad(EventArgs e)
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

    Any ideas why we are experiencing this issue?

  • 14. Re: System Account tied to RSO
    Ron M Pro

    Unfortunately, our reference LDAP authentication strategy was not updated for the 6.1.1.1 release. It is missing some code. However, we have a way that you can get around this.

    For your Prod environment, you will have to change your authentication configuration a little bit. We basically have an Authentication strategy that is composed of other authentication strategies, and it will handle the scenario where one of the authentication strategies (in this case, your LDAP one) doesn’t implement the new interface methods. Basically, it wraps your LDAP authentication safely, so that you don’t need to make any code changes in your LDAP class.

    Here is what you should try:

    You are going to change your AuthenticationStrategy to a new one, we’ll call CompositeLDAP.

    You’ll add this CompositeLDAP as a new Authentication strategy to the AuthenticationStrategies node. This composite strategy has subnodes to say which of the other authentication strategies this should wrap/use.

    So here we add a new IncludedStrategy node, and reference your RSO LDAP one. If your prod environment also used Prodika authentication for a prodikaadmin type user, then you would add another IncludedStrategy with the id of “Prodika”, but then you would have to change the allMustPass attribute value to false.

    <AuthenticationService configChildKey="name">
        <envvar name="UseTrustBridge" value="true" configAttributeOverrideBehavior="Replace"/>
        <!-- Uncomment the following and fill in the LDAP server configuration to enable LDAP authentication -->
        <envvar name="AuthenticationStrategy" value="CompositeLDAP" configAttributeOverrideModifier="IsLocked"/>
        <envvar name="AuthenticationStrategies">
            <AuthenticationStrategy id="LDAP" ldapServer="LDAP://LDAP_SERVER:PORT" userDomain="DOMAIN"/>
            <AuthenticationStrategy id="CompositeLDAP"
                factory="Class:Xeno.Prodika.Services.AuthenticationBridgeService.CompositeAuthenticationStrategyFactory,GeneralServices"
                allMustPass="true">
                <IncludedStrategy id="LDAP" />
            </AuthenticationStrategy>
        </envvar>
        <envvar name="EncryptionScheme" value="SHA256" configAttributeOverrideModifier="IsLocked"/>
    </AuthenticationService>

    Hope that isn’t too confusing.

    Give this a try, and let me know how it goes.

    Regards,

    Ron
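
Added example (not part of the thread and not Oracle's code): a small Python check for the AuthenticationService fragment discussed in the replies above, useful before pushing a composite configuration to Prod. It reports an active strategy or IncludedStrategy id that the fragment does not define, and how allMustPass combines the included strategies. The sample XML is constructed, the function name is hypothetical, the reading of allMustPass is an assumption drawn from reply 14, and strategies inherited from other config files are not visible to it.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's fragments (placeholder server and domain).
SAMPLE = """<AuthenticationService configChildKey="name">
  <envvar name="AuthenticationStrategy" value="PLM4PAndLdap"/>
  <envvar name="AuthenticationStrategies">
    <AuthenticationStrategy id="LDAP" ldapServer="LDAP://LDAP_SERVER:PORT" userDomain="DOMAIN"/>
    <AuthenticationStrategy id="PLM4PAndLdap" allMustPass="true">
      <IncludedStrategy id="LDAP"/>
      <IncludedStrategy id="Prodika"/>
    </AuthenticationStrategy>
  </envvar>
</AuthenticationService>"""


def check_auth_config(xml_text):
    """Return a list of findings for one AuthenticationService fragment."""
    root = ET.fromstring(xml_text)
    envvars = {e.get("name"): e for e in root.iter("envvar")}
    active = envvars.get("AuthenticationStrategy")
    container = envvars.get("AuthenticationStrategies")
    if active is None or container is None:
        return ["AuthenticationStrategy or AuthenticationStrategies envvar is missing"]
    strategies = {s.get("id"): s for s in container.findall("AuthenticationStrategy")}
    findings = []
    if active.get("value") not in strategies:
        findings.append(f"active strategy '{active.get('value')}' is not defined in this fragment")
    for sid, node in strategies.items():
        included = [i.get("id") for i in node.findall("IncludedStrategy")]
        if not included:
            continue  # plain (non-composite) strategy
        for ref in included:
            if ref not in strategies:
                findings.append(f"'{sid}' includes '{ref}', which this fragment does not define")
        # Assumption from reply 14: allMustPass="true" requires every included
        # strategy to accept the login; "false" lets any single one accept it.
        all_must_pass = (node.get("allMustPass") or "").strip().lower() == "true"
        if len(included) > 1 and all_must_pass:
            findings.append(f"'{sid}': allMustPass=true over {included}; a user known to only one store cannot log in")
        elif len(included) > 1:
            findings.append(f"'{sid}': any one of {included} admits a login; review which accounts exist in each")
    return findings


if __name__ == "__main__":
    for finding in check_auth_config(SAMPLE):
        print(finding)
```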
