Hello,I am trying to get SSO to work where I am automatically logged in through Active Directory when visiting the osTicket subdirectory.  I am presently able to log in when entering in my Active Directory username and password, but would like for the system to automatically log me and everyone else (including those submitting new tickets) into the system since I only want people who are authenticated to be able to place tickets (which is everyone).  I know I will hear a *lot* of flack if I require them to login before submitting tickets since even the antiquated system we use doesn't require that (it uses automatic authentication).I am running SuSE with Apache 2.4 with both auth-ldap and auth-passthru installed/enabled.I also wanted to mention that the passthru phar file is bad on the website.  It's missing some of the config when I downloaded it.  I have recompiled it and have attached it to this ticket.Thanks for any help.Ryan

[auth-passthru.zip](https://forum.osticket.com/assets/files/migrated/FileUpload/76/fa58da8f57cc0286750fe40966835f.zip)

May be why pass thru isn't working on my Windows 2008 R2. Not as much of a code monkey I once was and would love to have that recompiled phar for pass thru...Had s similiar post here earlier today here

For some reason this system is hiding my file attachment.  In any case, here it is again recompiled:https://drive.google.com/file/d/0Bw_5YYgWk73pWHBCV1ZMT2JodW8/edit?usp=sharingHowever, I still would like to know how to fix the issue I am having where I am not being automatically authenticated into the system without having to enter in my credentials.  Anyone know how to fix this issue?

Many thanks...I'll let you know what I can find. Disregard my PM.

One note...if you already have the plugin installed, I would recommend disabling it and then deleting it using the web portal (or at least that's what I did).  Then I went in and uploaded the new .phar, clicked Add plugin...Install, and it suddenly now shows two options for enabling for client and staff.  Only problem is that it still doesn't work correctly for me...

Exactly what I found as well.

hey @[deleted],I have a similar requirement as yours. AD authentication is working for me.I installed the Passthru plugin which you have uploaded. However, I do not see any config settings.When I click on the plugin, I get following message.This plugin has no configurable settingsEvery plugin should be so easy to useAm I missing something important here? Do I need to edit Apache conf file before installing HTTP Passthru plugin? could you please advise?osTicket Versionv1.9.0-3-gae5e138 (ae5e138)Server SoftwareApache/2.2.22 (Ubuntu)

I will post a little tutorial about SSO + AD + apache, but not now (no time), maybe later or tomorrow.Only one thing: Download the plugin php files from github and build the .phar from them to make sure you have staff AND CLIENT passthru-auth working. Currently passthru-auth phar only includes staff login! So you need to build you own .phar from the github files (https://github.com/osTicket/core-plugins/tree/develop/auth-ldap)PS: SSO (with AD + apache on openSuse) is working fine here

hey @[deleted],

I have a similar requirement as yours. AD authentication is working for me.

I installed the Passthru plugin which you have uploaded. However, I do not see any config settings.

When I click on the plugin, I get following message.

This plugin has no configurable settingsEvery plugin should be so easy to use

Am I missing something important here? Do I need to edit Apache conf file before installing HTTP Passthru plugin? could you please advise?

osTicket Versionv1.9.0-3-gae5e138 (ae5e138)Server SoftwareApache/2.2.22 (Ubuntu)

Did you download the version I have uploaded?  I actually inadvertently uploaded the wrong version of the phar file initially (I had uploaded the bad one from the website).  If you click on the link from my thread above, it will download the correct version.  You can confirm by verifying the file matches the below signature(s):MD5: 4dea9c5f1dbbfd2db2a341120ba34851SHA1: ef7b8709aeb2202fcae870a197ad5b79f2004b32SHA256: de84b10038a48dc4243af14ddcfe3f4b46e776688fef349fdeac71523d912081CRC32: ca81f655Hope this helps.

Did you download the version I have uploaded?  I actually inadvertently uploaded the wrong version of the phar file initially (I had uploaded the bad one from the website).  If you click on the link from my thread above, it will download the correct version.  You can confirm by verifying the file matches the below signature(s):  MD5: 4dea9c5f1dbbfd2db2a341120ba34851 

SHA1: ef7b8709aeb2202fcae870a197ad5b79f2004b32 SHA256: de84b10038a48dc4243af14ddcfe3f4b46e776688fef349fdeac71523d912081 

CRC32: ca81f655

Hope this helps.

Hello @[deleted],It appears that, I had downloaded the problematic phar file earlier.I downloaded the new file from google drive (mentioned in your post above), post installing the plugin, I can see the plugin options.ConfigurationUnnamed:Authentication ModesAuthentication modes for clients and staff members can be enabled independently. Client discovery can be supported via a separate backend (such as LDAP)Staff Authentication: Enable authentication of staff membersClient Authentication: Enable authentication and discovery of clientsThanks so much, appreciated.

So here is a little tutorial to setup client + staff SSO using apache (we use opensuse), kerberos, samba an AD.Requirements:- osTicket is installed, configured and working- LDAP-Plugin (currently v0.5) is installed, configured and enabled- HTTP-Passthru-Plugin (currently v0.1, but to include client user auth, download + create .phar from github repo files, instructions below) is installed, configured and enabledHTTP Passthru Plugin- Download the raw files from github (https://github.com/osTicket/core-plugins) using wget to a folder with a subdirectory called "directory"- wget https://github.com/osTicket/core-plugins/raw/develop/auth-passthru/authenticate.php- wget https://github.com/osTicket/core-plugins/raw/develop/auth-passthru/config.php- wget https://github.com/osTicket/core-plugins/raw/develop/auth-passthru/plugin.php- Move all files to the subdirectory called "directory"- Build phar with this command:php -r '$phar = new Phar("auth-passthru.phar"); $phar->buildFromDirectory("./directory");'- Done. Phar is now up to date and can be installed, configured and enabledPackages:- First install ntp, kerberos and samba packages on your webserverzypper install samba samba-client samba-libs samba-winbind krb5 krb5-appl-clients krb5-client pam_krb5 apache2-mod_auth_kerb apache2-mod_auth_ntlm_winbind- Maybe not all of the packages above are needed, but I installed them all and it's working, but some are may used by other stuff running on the same webserverNTP- Configuring ntp on the webserver to make sure the webserver and the domain controller / kdc server are in syncvi /etc/ntp.conf- Add the following line (replace your.timeserver.com with the address of your timeserver)server   your.timeserver.comKerberos- Edit krb5.conf file:vi /etc/krb5.conf- My krb5.conf looks like:    default_realm = EXA.MPLE.COM    kdc_timesync = 1    ccache_type = 4    forwardable = true    proxiable = true    fcc-mit-ticketflags = true    default_keytab_name = FILE:/etc/krb5.keytab    exa.mple.com = {        kdc = kdc-server.exa.mple.com        master_kdc = kdc-server.exa.mple.com        admin_server = kdc-server.exa.mple.com        default_domain = exa.mple.com    }    .exa.mple.com = EXA.MPLE.COM    exa.mple.com = EXA.MPLE.COM    kdc = FILE:/var/log/krb5/krb5kdc.log    admin_server = FILE:/var/log/krb5/kadmind.log    default = SYSLOG- Now check if you are able to authenticate to AD using Domain Account (here: EXA.MPLE.COM\administrator) :kinit administratorPassword for administrator@EXA.MPLE.COM:- Verify that authentication was successful:klistTicket cache: FILE:/tmp/krb5cc_0Default principal: administrator@EXA.MPLE.COMValid starting     Expires            Service principal05/08/09 22  05/09/09 08  krbtgt/EXA.MPLE.COM@EXA.MPLE.COMrenew until 05/09/09 22Samba- Configure samba now:vi /etc/samba/smb.conf- Here my samba config:        netbios name = webserver-hostname        realm = EXA.MPLE.COM        security = ADS        encrypt passwords = yes        password server = kdc-server.exa.mple.com        workgroup = EXAMPLE-DOMAIN        usershare allow guests = No        wins server =        wins support = No- Join the domain:net ads join -U administratorUsing short domain name -- EXAMPLE-DOMAINJoined 'webserver-hostname' to realm 'exa.mple.com'`

- Create keytab:net ads keytab add HTTP -U administrator- Verify with ktutil:ktutilktutil:  rkt /etc/krb5.keytabktutil:  lslot KVNO Principal---- ---- ---------------------------------------------------------------------   1    2    HTTP/webserver-hostname.exa.mple.com@EXA.MPLE.COM   2    2    HTTP/webserver-hostname.exa.mple.com@EXA.MPLE.COM   3    2    HTTP/webserver-hostname.exa.mple.com@EXA.MPLE.COM   4    2    HTTP/webserver-hostname.exa.mple.com@EXA.MPLE.COM   5    2    HTTP/webserver-hostname.exa.mple.com@EXA.MPLE.COM   6    2                HTTP/webserver-hostname@EXA.MPLE.COM   7    2                HTTP/webserver-hostname@EXA.MPLE.COM   8    2                HTTP/webserver-hostname@EXA.MPLE.COM   9    2                HTTP/webserver-hostname@EXA.MPLE.COM  10    2                HTTP/webserver-hostname@EXA.MPLE.COM- Give apache the rights to access keytab:chmod 740 /etc/krb5.keytabchgrp www /etc/krb5.keytab- Enable / Load auth_kerb modulea2enmod auth_kerb- Create SSO config file for apache:vi /etc/apache2/conf.d/osticket.conf- Here is my osticket.conf:<Location /osticket/scp/>  AuthType Kerberos  AuthName "Login with your EXAMPLE-DOMAIN username and password"  KrbMethodNegotiate On  KrbMethodK5Passwd On  KrbAuthRealms EXA.MPLE.COM  Krb5KeyTab /etc/krb5.keytab  require valid-user</Location><Location /osticket/>  AuthType Kerberos  AuthName "Login with your EXAMPLE-DOMAIN username and password"  KrbMethodNegotiate On  KrbMethodK5Passwd On  KrbAuthRealms EXA.MPLE.COM  Krb5KeyTab /etc/krb5.keytab  require valid-user</Location>Done. Now test it. Should work.Will add some instructions to enabled domain-wide SSO for Firefox - IE and Chrome do not need any special configuration.Helped me a lot:http://acksyn.org/blog/2009/05/24/active-directory-and-apache-kerberos-authentication/Cheers,Michael

6 days later

Thanks for this tutorial,Working great once set up correctly. The only problem I'm running in to is that everytime after rebooting the osTicket server, I have to reissue "kinit administrator" to get SSO going again. Seems that the ticket cache in /tmp/krb5cc_0 gets removed and needs to be recreated after reboot.Best regards, J.

@[deleted],I followed your instructions but was still unable to get it to work automatically.  When I pull up the website, it prompts me for a username and password.  Once I enter the username and password, it acts as though the password was invalid.This computer was already joined to the domain previously because I am using samba to share some files.  That all is working just fine.  I also installed the Kerberos mod and attempted to follow your instructions for creating the key file and then setting the Directory parameters in the osticket.conf (modified to meet my requirements).  When I run the test, it works for the Administrator account...not sure what else to do.Thanks,Ryan

Hi rblake, I got the same problem (more or less) down the road when setting up SSO yesterday/today. Not sure if the same is going on in your environment but you might want to take a look here and check Access control settings -> Registration method is set to public in your setup. You might want to keep an eye on the user_account table for double entries.Hope that helps :-)J.

Hi @[deleted],Thank you for the message.  However, I just checked and already have it set up to Public.  Also, when I go to the page and login with my credentials manually, it works just fine (after renaming the osticket.conf to osticket.conf.bad and restarting apache to bypass the config).  However, I would really like for users to be able to click on the link and it automatically recognize/authenticate them.Anyone have any suggestions?I even tried this config to no avail:<Location /facilities/>  KrbServiceName HTTP  KrbMethodNegotiate On  KrbMethodK5Passwd On  #KrbSaveCredentials off  KrbAuthRealms DOMAIN.LOCAL  Krb5KeyTab /etc/krb5.keytab  #KrbLocalUserMapping On  #KrbAuthoritative On  AuthType Kerberos  AuthName "Login with your Windows username and password"  require valid-user</Location>

Hi @[deleted],My apache config looks like this:<Location /support/>  AuthType Kerberos  AuthName "Login with your windows user"  KrbMethodNegotiate On  KrbMethodK5Passwd On  KrbAuthRealms DOMAIN.LOCAL  Krb5KeyTab /etc/krb5.keytab  KrbLocalUserMapping Off (I don't think this matters as the passthru plugin strips the @[deleted] automatically)  KrbServiceName HTTP/hostname.domain.local  require valid-user</Location>Did you check the ost_user_account table? username should be your samaccountname, passwd = null and backend ldap.client. Other than that I'm out of suggestions.I just noticed that by going directly navigating to /tickets.php or /login.php logs me in with my windows user straight away, whereas /index.php wants me to click the login link.Hope you get it working.J.

Thank you again @[deleted] ..  I did check and I am seeing the account table showing the users correctly...that part is working...just the auto-auth isn't...This is what I get in the error_log: gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)

Write a Reply...