Community Tip - Your Friends List is a way to easily have access to the community members that you interact with the most! X
Has anyone set your WC environment to have some users using Basic Authentication and some users using SSO?
There is a PTC KB article said it is doable, but it did not provide the steps.
Has anyone done ever done with this kind of configuration?
It can be done... What is the use case?
Do you have a SAML IdP in your organization already (either internal or third party)?
Hi @jbailey
I have one use case.
Users use SSO from client computers and administrator use basic login from Server side not from client computer.
PetrH
Why would administrators need to use basic login?
Because it is demilitarization zone where is not available connection to a server provided the SSO 😄 for example IBM WebSEAL
PetrH
In our case, the access with Basic authentication are also internal and we don't have DMZ in our case.
Not for administrators. All users is getting connection with LDAPS OK, but the middleware failed for unknown reasons.
So for your middleware... any LDAP certs need to be imported in the middleware keystores as well. Did you try running the openssl command from your server that the middleware is on?
I thought they should have because this is all internal. But it is worth a try to ask the middleware admin.
Also what errors are showing up in the logs for the middleware?
From Apache error log and Wireshark, we are getting the error messages below:
1. User Authentication Failed (from Wireshark)
2. Cannot connect to ldaps server
What's strange is regular user login fine and Creo registering fine. But the backend ETO app access will have the above errors.
Is the username / password in an enterprise AD or something like Windchill DS?
I also do find it odd that an end user client can connect via username/password but not your middleware client. Was this working in your ADFS configuration?
Yes. We are changing our SSO from ADFS to PingOne with MFA.
Our user cases are like this:
- Regular users will be with PingID + MFA
- Services integration will use Basic authentication (such as middleware and Engineering to Order Configurator tool, etc).
In the second item above works well with LDAP connection, but we are getting authentication fail with LDAPS connection and PTC is not able to provide a solid case where were the root cause of this denial....
Any implementation steps high level are very much appreciated!
So with Ping they should be able to set up an auth flow that directs users to the appropriate authentication method.
What is the error you see when LDAPs fails? if there is anything with PKIX in the error then it is an issue with certificate trust (the LDAP server certificate is not in the offending keystore).
Also, from the machine that is trying to connect to your DS via ldaps.... The windchill server will have openssl on it... in a command prompt you can run the following command and see what it returns (should come back with a server cert in pem format along with connection info)
openssl s_client -connect <ldap server fqdn like: myAD.mycorp.com>:636
Try the openssl command, but the command ends there after hitting enter.
It seems that it is being blocked somewhere, but our firewall and NetScaler set it to pass through. Not sure if PTC cloud allows this....
After a while, the openssl got this back:
socket: Bad file descriptor
connect:errno=9
This sounds like the problem. When a user attempts to authenticate, apache (or IIS) sends the username/password to LDAP for verification... which means that your Windchill web server (and the application portion) needs to have outbound access to the Active Directory (or other LDAP v3 DS), and the server where the AD/DS resides needs to have inbound access from the Web/App server. You could potentially have two firewall issues here... inbound and outbound on both sides.
They are all traffic inside the corp network. I am assuming they should not be any issue, but it is worthy to check it again to make sure.
Thanks,
Also, I would recommend at some point to consider Oauth for your integration authentications. I know some tools may not support that, however that is a much more secure method.
Hi @tchao
It is configurable on a HTTP Server (apache) side so I would contact Apache support for that.
in another word> I know it is possible but I've never needed it:D
PetrH
It can be done with PTC provided tools as well (PingFederate). I have an entirely SAML authentication policy that allows admins to use secondary accounts for separation of duties.