NT single logon

[lyanch]

My apologies if this gets lengthy.

We are having a great deal of problems getting NT single logon to work correctly.

System basics:

All services run under the domain admin account.
Almost all patches have been applied (with no problems elsewhere)
The guest account is disabled
Logon.csp has been changed to "secWindowsNT" .. also this is the only csp file we have changed
NT authorizations is checked yes in CMC
IIS is set up correctly (challenge only)
The NT accounts were loaded with NT logon = domain admin and CE logon = administrator
The server is NT server (not 2000).
The server DB is SQL Server (have tried changing that)


Things that *might* be different.

CE is not installed on the C drive but to D:/programs etc
We have two domains (but the problem exists even with just the "default" domain)
CE did NOT automatically create a "Crystal NT Users" group within CE when installed.
We do not use the IUSER account in NT (NTFS Permissions doc)

Symptoms:

User can logon using their NT name and pw, but it never does so automatically, you always get the logon screen from launchpad.
Using a URL as the report access method only works if the user name and pw is sent, ie can't leave user and pw blank. If you do, you get a logon screen.

Additional symptoms that I *think* are related:

After following all the directions to get "wide paper" reports to display correctly in non HTML viewers the domain admin must still (on the server) open the report, go to printer setup and apply then save for the printer driver to be used correctly. I can open the report with a non domain admin account and the report appears to be fine, it even appears to be fine from the domain admin account, but until you do another save it won't function correctly. I think this is related because it also seems to deal with permission issues.

I, of course, have all this into support as well and will post the solution if they can ever manage to provide one. I was hoping some real world installations might pose some suggestions of things to look at.

Thanks in advance

Lisa

 

[rhinok]

I have users logon to CE 8 Pro on a NT Server via four methods:[ol][li]'Get Latest Instance' Method(SSO):

http://myserver/crystal/enterprise/mydirectory/getinstance.csp

(I skip the html screen and jump straight to the one report we access in this manner - download CE8_GETINSTANCE.ZIP from Crystal Decisions)[/li][li]Managed Reports via URL (SSO):

http://myserver/crystal/enterprise/viewrpt.cwr?id=nnn&apsauthtype=secWindowsNT

(notice, I don't include user or password information at all)[/li][li]Via ePortfolio using logonform.csp when the user connects from the non-secured intranet[/li][li]Via ePortfolio using SSO when the user connects from a secured application (why make them log in twice?). In order to do this[ul][li]I copied logonform.csp and renamed it SSOlogon.csp[/li][li]I modified SSOlogon.csp slightly and saved it in the Seagate Software\Web Content\Enterprise\eportfolio\en directory (the code is below)[/li][li]I point that particular URL to SSOlogon.csp (

http://myserver/crystal/enterprise/ePortfolio/en/SSOlogon.csp)

[/li][/ul][/ol]SSOlogon.csp:

<!-- 
	File Version Start - Do not remove this if you are modifying the file 
	Build: 8.0.2
	File Version End
-->

<%
Option Explicit

Dim L_PASSWORD_EXPIRED

'*********************************************************************
'VBSCRIPT STRING VARIABLES FOR LOCALIZING
'*********************************************************************
L_PASSWORD_EXPIRED = &quot;Password Expired&quot;
'*********************************************************************
%>

<!-- #include file=&quot;handleerror.csp&quot; -->

<%
Dim DEBUG
DEBUG = False

On Error Resume Next

'PREVENT BROWSER FROM CACHING THE PAGE
Response.ExpiresAbsolute = Now() - 1

Dim GUEST_ID
GUEST_ID = 11

'********************************************
'*** DEFAULT GUEST USER LOGON INFORMATION ***
'********************************************
Dim defaultaps
Dim defaultusr
Dim defaultpwd
Dim defaultaut

defaultaps = Request.ServerVariables(&quot;WCS_NAME_SERVER&quot;)
defaultusr = &quot;&quot;
defaultpwd = &quot;&quot;
defaultaut = &quot;secWindowsNT&quot;

'********************************************

Dim aps
Dim usr
Dim pwd
Dim aut

aps = defaultaps
usr = Request.Form(&quot;usr&quot;)
pwd = Request.Form(&quot;pwd&quot;)
aut = Request.Form(&quot;aut&quot;)

If( aut = &quot;&quot; ) Then
	aut = defaultaut
End If

If( DEBUG ) Then
	Response.Write &quot;User: &quot; & usr & &quot;<br>&quot;
	Response.Write &quot;Password: &quot; & pwd & &quot;<br>&quot;
	Response.Write &quot;APS: &quot; & aps & &quot;<br>&quot;
	Response.Write &quot;Authentication: &quot; & aut & &quot;<br>&quot;

End If

'********************************************

'IF THERE ISN'T AN EXISTING SESSION
If( TypeName(Session(&quot;IStore&quot;)) <> &quot;ISInfoStore&quot; ) Then
	Call LogonUser(usr, pwd, aps, aut)

'IF THERE IS AN EXISTING SESSION
Else
	If( DEBUG ) Then Response.Write( TypeName(Session(&quot;IStore&quot;)) & &quot;<br>&quot;) End If

	'****************************************
	'LOGOFF CURRENT USER ACCOUNT
	'****************************************
	If( Request.QueryString(&quot;action&quot;) = &quot;logoff&quot; ) Then
		Call LogoffUser()
		Call LogonUser(usr, pwd, aps, aut)

	'****************************************
	'EXIT TO LAUNCHPAD
	'****************************************
	ElseIf( Request.QueryString(&quot;action&quot;) = &quot;exit&quot; ) Then
		Session.Abandon
		Response.Redirect &quot;/crystal/enterprise/&quot;

	'****************************************
	'ASSIGN NEW PASSWORD
	'****************************************
	ElseIf( Request.QueryString(&quot;action&quot;) = &quot;newpwd&quot; ) Then
		Dim newpwd
		Dim oldpwd
		newpwd = Request.Form(&quot;newpwd&quot;)
		oldpwd = Request.Form(&quot;oldpwd&quot;)

		If( DEBUG ) Then
			Response.Write &quot;new password = &quot; & newpwd & &quot;<br>&quot;
			Response.Write &quot;old password = &quot; & oldpwd & &quot;<br>&quot;
		End If

		Session(&quot;IStore&quot;).EnterpriseSession.UserInfo.Password(oldpwd) = newpwd
		If( Err.Number = 0 ) Then
			If( Session(&quot;IStore&quot;).EnterpriseSession.UserInfo.UserID = GUEST_ID ) Then
				Response.Redirect &quot;available.csp?pageView=guest&quot;
		   	Else
				Response.Redirect GetPersonalPage(true, 0)
		   	End If
		Else
			Session(&quot;ErrMessage&quot;) = Err.Description
			Response.Write Err.Number & Err.Description
			Response.Redirect &quot;newpwdform.csp&quot;
	   	End If

	'****************************************
	'SIGN UP NEW USER
	'****************************************
	ElseIf( Request.QueryString(&quot;action&quot;) = &quot;newusr&quot; ) Then
		Dim fname
		Dim newusrparams
		fname = Request.Form(&quot;fullname&quot;)

		usr = Trim(Request.Form(&quot;username&quot;))
		pwd = Request.Form(&quot;password&quot;)
		
		Call CreateNewUser(fname, usr, pwd)
		If( Err.Number <> 0 ) Then
			Session(&quot;ErrMessage&quot;) = Err.Description
			newusrparams = Server.URLEncode(&quot;fullname=&quot; & fname & &quot;&username=&quot; & usr)
			Response.Redirect &quot;signup.csp?&quot; & newusrparams
		Else
			Call LogonUser(usr, pwd, aps, aut)
		End If

	Else
		'IF USER IS GUEST THEN REDIRECT TO GUEST VIEW
		If Session(&quot;IStore&quot;).EnterpriseSession.UserInfo.UserID = GUEST_ID Then
			If( Err.Number = 0 ) Then
				Response.Redirect &quot;available.csp?pageView=guest&quot;
			Else
				Err.Clear
				Call LogoffUser()
				Call LogonUser(usr, pwd, aps, aut)
			End If

		'OTHERWISE REDIRECT TO PERSONAL VIEW
		Else
			Response.Redirect GetPersonalPage(true, 0)

		End If

	End If

End If

'********************************************
'*** CreateNewUser Sub
'********************************************
Sub CreateNewUser( fullname, userName, password )
	Dim es
	Dim pmgr

	'SET OUR ENTERPRISE SESSION
	Set es = Session(&quot;IStore&quot;).EnterpriseSession

	'CHECK IF APSADMIN PLUGIN IS INSTALLED.  IF NOT INSTALL IT.
	Set pmgr = es.PluginManager
	Dim testplugin
	Set testplugin = pmgr.InstalledPluginInfo(&quot;CrystalEnterprise.APSAdmin&quot;)
	If Err.Number <> 0 Then
		pmgr.InstallPlugin(&quot;CrystalEnterprise.APSAdmin&quot;)
		Err.Clear
	End If

	'CREATE AN ADMIN HELPER OBJECT
	Dim WCSah
	Set WCSah = CreateObject(&quot;CrystalEnterprise.FW_WCSAdminHelper&quot;)

	'CREATE THE NEW USER
	Call WCSah.CreateNewUser ( es, username, fullname, &quot;&quot;, password )
End Sub


'********************************************
'*** GetDesktopSettings Function
'*** - get the desktop settings from UserInfo.ProfileString
'*** - set the cookies for each setting
'*** - returns the &quot;view&quot; setting
'********************************************
Function GetDesktopSettings(SessionObj)
	If( DEBUG ) Then Response.Write &quot;Getting desktop settings!<br>&quot; End If
	
	GetDesktopSettings = -1

	Dim strDesktopSettings
	strDesktopSettings =SessionObj.UserInfo.ProfileString(&quot;desktopsettings&quot;)
	If( DEBUG )	Then Response.Write &quot;strDesktopSettings: &quot; & strDesktopSettings & &quot;<br>&quot; End If

	If( strDesktopSettings = &quot;&quot; ) Then
		If( DEBUG ) Then Response.Write &quot;desktopsettings haven't been set yet!<br>&quot; End If
		'SET DEFAULT SETTINGS VALUES
		strDesktopSettings = &quot;ePortfolio_view=0&ePortfolio_csn=0&ePortfolio_vwm=0&ePortfolio_dv0=1&ePortfolio_dv1=1&ePortfolio_dv2=1&ePortfolio_dv3=1&ePortfolio_dv4=1&ePortfolio_cbr=1&ePortfolio_vwr=0&ePortfolio_rpp=6&ePortfolio_expo=0&ePortfolio_zone=0&quot;
	End If

	Dim ss
	ss = Split(strDesktopSettings, &quot;&&quot;)

	If( DEBUG ) Then
		Response.Write &quot;LBound = &quot; & LBound(ss) & &quot;; UBound = &quot; & UBound(ss) & &quot;<br>&quot; & vbCrLf
	End If

	Dim i
	Dim sss
	For i = LBound(ss) to UBound(ss)
		If( DEBUG ) Then
			Response.Write &quot;Setting desktop settings cookies!<br>&quot;
			Response.Write ss(i) & &quot;<br>&quot;
		End If
		sss = Split(ss(i), &quot;=&quot;)
		Response.Cookies(&quot;ePortfolio_prefs&quot;)(sss(0)) = sss(1)
		Response.Cookies(&quot;ePortfolio_prefs&quot;).Path = &quot;/&quot;

		If sss(0) = &quot;ePortfolio_view&quot; Then
			GetDesktopSettings = CLng(sss(1))
		End If
		
		'SET TIMEZONE VALUE.
		If sss(0) = &quot;ePortfolio_zone&quot; Then
			SessionObj.TimeZone = Int(sss(1))
		End If
	Next

End Function

'FUNCTION WHICH STORES USERNAME AND AUTHENTICATION TYPE IN A COOKIE
Sub SetCookies_LogonInfo( username, authentication )
	If( DEBUG ) Then Response.Write &quot;Setting logon info cookies!<br>&quot; End If
	
	Dim expDate
	expDate = DateAdd(&quot;yyyy&quot;, 1, Now)

	Response.Cookies(&quot;ePortfolio_lastusr&quot;) = username
	Response.Cookies(&quot;ePortfolio_lastusr&quot;).Expires = expDate
	Response.Cookies(&quot;ePortfolio_lastusr&quot;).Path = &quot;/&quot;

	Response.Cookies(&quot;ePortfolio_lastaut&quot;) = authentication
	Response.Cookies(&quot;ePortfolio_lastaut&quot;).Expires = expDate
	Response.Cookies(&quot;ePortfolio_lastaut&quot;).Path = &quot;/&quot;
End Sub

'FUNCTION WHICH LOGS OFF THE CURRENT USER
Sub LogoffUser()
	Response.Cookies(&quot;ePortfolio_logontoken&quot;) = &quot;&quot;
	Session(&quot;IStore&quot;) = Nothing
	Session(&quot;lastFiveRptName&quot;) = Nothing
	Session(&quot;ErrMessage&quot;) = Nothing
	Session(&quot;collection&quot;) = Nothing

	If( DEBUG ) Then
		Response.Write &quot;Logoff called!<br>&quot;
		Response.Write IsObject(Session(&quot;IStore&quot;)) & &quot;<br>&quot;
		Response.Write TypeName(Session(&quot;IStore&quot;)) & &quot;<br>&quot;

		If( Err.Number <> 0 ) Then
			Response.Write &quot;*** ERROR! &quot; & Err.Number & Err.Description & &quot;<br>&quot;
		End If
	End If
End Sub

'FUNCTION WHICH LOGS ON A NEW USER
Sub LogonUser( username, password, apsname, authentication )
	If( DEBUG ) Then Response.Write &quot;Logon called!<br>&quot; End If

	Dim sm
	Dim es
	Dim ltm
	Dim viewSetting

	On Error Resume Next

	'INSTANTIATE INFOSTORE OBJECT FOR SESSION
	Set sm = CreateObject(&quot;CrystalEnterprise.SessionMgr&quot;)
	If CheckErrorGeneral() Then Exit Sub End If

	'SET THE SOCKS SERVER IF ANY
	sm.SOCKSURI = Request.ServerVariables(&quot;WCS_SOCKS_URI&quot;)

	'LOGON USER
	Set es = sm.Logon(username, password, apsname, authentication)

	If( Err.Number = 0 ) Then
		
		viewSetting = GetDesktopSettings(es)

		'STORE THE INFOSTORE SESSION IN OUR SESSION VARIABLE
		Dim iStore
		Set iStore = es.Service (&quot;&quot;, &quot;InfoStore&quot;)
		Session(&quot;IStore&quot;) = iStore

		'IF NOT GUEST LOGON THEN GET USERS DESKTOPSETTINGS
		If (iStore.EnterpriseSession.UserInfo.UserID <> GUEST_ID ) Then		
			Call SetCookies_LogonInfo(username, authentication)
		End If

		'SET THE LOGON TOKEN MANAGER
		Set ltm = es.LogonTokenMgr
		If CheckErrorGeneral() Then Exit Sub End If

		'WRITE THE LOGONTOKEN TO A COOKIE
		Response.Cookies(&quot;ePortfolio_logontoken&quot;) = ltm.CreateLogonToken(&quot;&quot;, 1, 100)
		If CheckErrorGeneral() Then Exit Sub End If

		'CHECK IF PASSWORD HAS EXPIRED FOR ENTERPRISE AUTHENTICATION ONLY
		If( authentication = &quot;secEnterprise&quot; ) Then
			If( es.UserInfo.PasswordExpiry <> 0 ) Then
				If( iStore.EnterpriseSession.UserInfo.UserID = GUEST_ID ) Then		
					'REDIRECT TO GUEST VIEW
					Response.Redirect &quot;available.csp?pageView=guest&quot;
				Else
					Response.Redirect GetPersonalPage(false, viewSetting)
				End If
			Else
				Call SetCookies_LogonInfo(usr, aut)
				Session(&quot;ErrMessage&quot;) = L_PASSWORD_EXPIRED
				Response.Redirect &quot;newpwdform.csp&quot;
			End If
		Else
			Response.Redirect GetPersonalPage(false, viewSetting)
		End If

	'LOGON ERROR
	Else
		'IF ATTEMPTING TO LOG ONTO GUEST ACCOUNT FAILS WE DON'T WANT TO DISPLAY ERROR MESSAGE SO JUST SHOW LOGON FORM
		If( usr = defaultusr And pwd = defaultpwd And aut = defaultaut ) Then
			Response.Redirect &quot;logonform.csp?action=logoff&quot;
		Else
			Call SetCookies_LogonInfo(usr, aut)
			Session(&quot;ErrMessage&quot;) = Err.Description
			Response.Redirect &quot;logonform.csp?action=logonerror&quot;
		End If
	End If
End Sub

'********************************************
'*** GetPersonalPage Function
'*** - returns the URL for the appropriate initial page for the user
'*** - if bUseCookie is true then viewSetting is ignored
'********************************************
Function GetPersonalPage(bUseCookie, viewSetting)
	On Error Resume Next
	Dim view

	If bUseCookie Then
		view = CLng(Request.Cookies(&quot;ePortfolio_prefs&quot;)(&quot;ePortfolio_view&quot;))
	Else
		view = viewSetting
	End If

	If view = 0 Then
		GetPersonalPage = &quot;available.csp?pageView=personal&quot;
	ElseIf (view = -1 Or view = &quot;&quot;) Then
		GetPersonalPage = &quot;available.csp?pageView=subscription&quot;
	Else
		GetPersonalPage = &quot;available.csp?pageView=personal&currID=&quot; & view
	End If
End Function
%>

 

[rci]

You also need to enable NT Single Sign-On on the Web Component Server (use the CMC and go to Servers)

 

[RyanoUK]

There is also a configuration change to make on the Crystal Web Server.

You need to stop it. Display the properties.

On the configuration tab, ensure the Challenge and Response flag is checked.

Also with IIS, make sure on NT Authentication is set. Not other security flags should be checked.

Read the following article.

http://support.crystaldecisions.com/communityCS/TechnicalPapers/ce8_nt_authentication.pdf

Hope this helps

Chris

 

[lyanch]

I should have replied to this a long time ago. As it turn out our problem was directly related to the fact that the server was also a backup domain controller. This was verified by Crystal.. which immediately added BDC's from items it would not support for all future releases, they now want me to upgrade everytime i have a problem.. but then of course won't help me because it is a BDC. Great catch 22.. oh well my new server should be here next week (finally) and i will no longer have the problem... and can actually upgrade!

Lisa