cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Learn all about the Community Ranking System, a fun gamification element of the PTC Community. X

Windchill Basic authentication and SSO together

tchao
10-Marble

Windchill Basic authentication and SSO together

Has anyone set your WC environment to have some users using Basic Authentication and some users using SSO?

There is a PTC KB article said it is doable, but it did not provide the steps.

Has anyone done ever done with this kind of configuration?

21 REPLIES 21
jbailey
17-Peridot
(To:tchao)

It can be done... What is the use case?

Do you have a SAML IdP in your organization already (either internal or third party)?

HelesicPetr
22-Sapphire I
(To:jbailey)

Hi @jbailey 

I have one use case.

Users use SSO from client computers and administrator use basic login from Server side not from client computer. 

PetrH

Why would administrators need to use basic login?

HelesicPetr
22-Sapphire I
(To:jbailey)

@jbailey 

Because it is demilitarization zone where is not available connection to a server provided the SSO 😄 for example IBM WebSEAL

PetrH

In our case, the access with Basic authentication are also internal and we don't have DMZ in our case.

tchao
10-Marble
(To:jbailey)

Not for administrators.  All users is getting connection with LDAPS OK, but the middleware failed for unknown reasons.

jbailey
17-Peridot
(To:tchao)

So for your middleware... any LDAP certs need to be imported in the middleware keystores as well. Did you try running the openssl command from your server that the middleware is on? 

 

tchao
10-Marble
(To:jbailey)

I thought they should have because this is all internal.  But it is worth a try to ask the middleware admin.

jbailey
17-Peridot
(To:tchao)

Also what errors are showing up in the logs for the middleware?

tchao
10-Marble
(To:jbailey)

From Apache error log and Wireshark, we are getting the error messages below:

1. User Authentication Failed (from Wireshark)

2. Cannot connect to ldaps server 

What's strange is regular user login fine and Creo registering fine.  But the backend ETO app access will have the above errors.

 

jbailey
17-Peridot
(To:tchao)

Is the username / password in an enterprise AD or something like Windchill DS?

 

I also do find it odd that an end user client can connect via username/password but not your middleware client. Was this working in your ADFS configuration? 

 

tchao
10-Marble
(To:jbailey)

Yes.  We are changing our SSO from ADFS to PingOne with MFA.

Our user cases are like this:

- Regular users will be with PingID + MFA

- Services integration will use Basic authentication (such as middleware and Engineering to Order Configurator tool, etc).

In the second item above works well with LDAP connection, but we are getting authentication fail with LDAPS connection and PTC is not able to provide a solid case where were the root cause of this denial....

 

Any implementation steps high level are very much appreciated!

jbailey
17-Peridot
(To:tchao)

So with Ping they should be able to set up an auth flow that directs users to the appropriate authentication method.

What is the error you see when LDAPs fails? if there is anything with PKIX in the error then it is an issue with certificate trust (the LDAP server certificate is not in the offending keystore).

jbailey
17-Peridot
(To:jbailey)

Also, from the machine that is trying to connect to your DS via ldaps.... The windchill server will have openssl on it... in a command prompt you can run the following command and see what it returns (should come back with a server cert in pem format along with connection info)

 

openssl s_client -connect <ldap server fqdn like: myAD.mycorp.com>:636 

tchao
10-Marble
(To:jbailey)

Try the openssl command, but the command ends there after hitting enter.

It seems that it is being blocked somewhere, but our firewall and NetScaler set it to pass through.  Not sure if PTC cloud allows this....

tchao
10-Marble
(To:tchao)

After a while, the openssl got this back:


socket: Bad file descriptor
connect:errno=9

jbailey
17-Peridot
(To:tchao)

This sounds like the problem. When a user attempts to authenticate, apache (or IIS) sends the username/password to LDAP for verification... which means that your Windchill web server (and the application portion) needs to have outbound access to the Active Directory (or other LDAP v3 DS), and the server where the AD/DS resides needs to have inbound access from the Web/App server. You could potentially have two firewall issues here... inbound and outbound on both sides.

tchao
10-Marble
(To:jbailey)

They are all traffic inside the corp network. I am assuming they should not be any issue, but it is worthy to check it again to make sure.

Thanks,

jbailey
17-Peridot
(To:tchao)

Also, I would recommend at some point to consider Oauth for your integration authentications. I know some tools may not support that, however that is a much more secure method.

HelesicPetr
22-Sapphire I
(To:tchao)

Hi @tchao 

It is configurable on a HTTP Server (apache) side so I would contact Apache support for that. 

 

in another word> I know it is possible but I've never needed it:D

PetrH

It can be done with PTC provided tools as well (PingFederate). I have an entirely SAML authentication policy that allows admins to use secondary accounts for separation of duties.

Announcements


Top Tags