Single Sign on with Multiple APS's. How?

Status
Not open for further replies.

rictorsan

Technical User
Sep 6, 2002
25
US
Can anyone tell me if (and how) single sign on via NT authentication mapping is possible when a site uses multiple APS's?

Does CE have any code that automatically defaults the user to the login page, to supply an APS, or would I need to build in functionality that exposes an APS selection dropdown when a user hits the CE URL?

Wondering if anyone has dealt with this issue and how they resolved it.

Thanks,

rictorsan
 
Off the top of my head I'm sure you could quite simply change the logonform page from defaulting the APS and make it a select. However... incorporating SSO into that would be quite a headache I'd imagine.

I'm curious as to why you have two APS's running on the same server....

Anyway... you could have two instances of the application. Create a virtual directory for each, so each has a different path. We have a development and a production installation this way (although on different servers), but you could just have two installations on the same server.

 
Are you using CE 8.0 or 8.5? In either case it is possible to have multiple APS's, but essentially the APS database remains only one, and therefore it is possible to have SSO in that case, as the security info of the users resides in the unique APS database.

Any questions let me know...

Rooble
 
85. So why have more than one APS if it's the same APS Db?

Anyway.... there's a simple answer. The initial URL takes the user to a form on which they select the APS. Just make sure the name of the form object matches the name of the form object on the logonform page. Submit to the standard logonform page. This then continues as per usual with its SSO; it just so happens that you have already passed in the APS name before it begins processing its scripts.

This is of course theoretical!
 
Multiple APS's are just to take care of the fail over tolerance when you cluster them.

~rooble
 
So in that case you don't really want the user to select the APS do you...

Then you will probably just have to amend the logonform to try the failover APS if connection to the primary APS fails - and then continue with authentication.

I've done a fair amount of hunting around and haven't seen anything to that effect.

In the logon.csp there's a variable
var defaultaps = Request.ServerVariables.Item("WCS_NAME_SERVER");
and then var aps = defaultaps;
This gets passed to: LogonUser(usr, pwd, aps, aut);
In this function there is an object created first up...
sm = Server.CreateObject("CrystalEnterprise.SessionMgr");
so I guess you can assume if this fails then it can't connect to the server and can try it again but pass in a different value to the variable 'aps'.
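
The retry idea in the post above, as an added example that is not part of the original thread or of Crystal Enterprise's own scripts: plain JavaScript (runnable under Node, not drop-in CSP) that tries an allowlisted set of APS names in order. The APS names, the `APS_UNREACHABLE` error code and `stubLogon` are assumptions; `logonFn` stands in for the page's `LogonUser(usr, pwd, aps, aut)`.

```javascript
// Added example. APS names are constructed placeholders kept in server-side config.
const ALLOWED_APS = ["aps-primary", "aps-secondary"];

// Ordered list of APS names to try. A name submitted from a form is honoured
// only if it is on the allowlist; anything else falls back to the default.
function apsCandidates(requested, defaultAps) {
  const norm = (s) => String(s || "").trim().toLowerCase();
  const req = norm(requested);
  const first = ALLOWED_APS.includes(req) ? req : norm(defaultAps);
  const rest = ALLOWED_APS.filter((n) => n !== first);
  return ALLOWED_APS.includes(first) ? [first, ...rest] : rest;
}

// Try each candidate in turn. Only a connection failure (hypothetical error
// code APS_UNREACHABLE) triggers failover; rejected credentials stop at once
// so a bad password is not replayed against every APS.
function logonWithFailover(usr, pwd, requested, defaultAps, aut, logonFn) {
  const tried = [];
  for (const aps of apsCandidates(requested, defaultAps)) {
    tried.push(aps);
    try {
      return { ok: true, aps, tried, session: logonFn(usr, pwd, aps, aut) };
    } catch (err) {
      if (err.code !== "APS_UNREACHABLE") {
        return { ok: false, aps, tried, reason: "auth" };
      }
    }
  }
  return { ok: false, aps: null, tried, reason: "unreachable" };
}

// Constructed stand-in for LogonUser: servers listed in `down` are unreachable,
// and the only accepted password is "good".
function stubLogon(down) {
  return (usr, pwd, aps, aut) => {
    if (down.includes(aps)) {
      throw Object.assign(new Error("no route to " + aps), { code: "APS_UNREACHABLE" });
    }
    if (pwd !== "good") {
      throw Object.assign(new Error("logon rejected"), { code: "BAD_CREDENTIALS" });
    }
    return "session@" + aps;
  };
}
```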
 
Ok. Let's start from the top.

Multiple APS are used for redundancy. This is called a cluster. Create an APS cluster in the CCM and point all of your APS machines to this cluster. If one APS dies, the other(s) will pick up the routing and name server tasks.

The users log onto the cluster regardless of the APS machine they select from the drop-down. You can also edit the logonform.csp to show only the cluster name.

The single sign-on property will be written to the system db, and ALL of the APS machines will use it.

Coding the URL to accomplish this is a security hazard since clear text can be sniffed.

Cluster the APS machines and turn on SSO in either the CCM or the CMC. Don't forget to set the IIS variables, as well.

Drop me a note if you need further help.
Rod Oatis
Venturi Technology Partners
Crystal Decisions Certified
Trainer/Consultant/Developer/Implementor
Rod_Oatis@hotmail.com
 