Troubleshooting single sign on with Microsoft Active Directory

The Single Sign On (SSO) capability allows the authentication of users through existing login credentials provided through Microsoft Active Directory integration.

In some instances, SSO may not work after the Active Directory Synchronization Module has been installed on the FileHold server. The FileHold Desktop Application (FDA) or Web Client throws an incorrect login and/or password error when users attempt to log in using SSO. The cause of this Single Sign On problem is a mismatch between the domain name in NetBIOS format and the Fully Qualified Domain Name (FQDN).

Use the following procedure to modify the NetBIOS domain name to remedy this issue. This article is intended for skilled Windows Server administrators. Applying this fix is covered by your AD Synchronization implementation and your FileCare Agreement. FileHold professional services are available for customers without a FileCare Policy.

The client and the FileHold server must both be in the same domain for SSO to work correctly.

To resolve the SSO issue

  1. Log in to your Active Directory Services Interface as a user with administrative privileges.
  2. Go to Start > Programs > Administrative Tools > Active Directory Users and Computers.
  3. Right-click the domain and choose Properties. In the General tab, take note of the domain's NetBIOS name.

[Image: Single sign on NetBIOS name]

  4. In Microsoft SQL Server Management Studio, select the ch_userrolemanager database and open the dbo.domains table.
  5. Modify the domain name column so that it matches the NetBIOS domain name noted in step 3.

[Image: Microsoft SQL domains table]

  6. Shift+right-click Command Prompt, select Run as different user, and run it using the FileHold Service Account credentials.

[Image: Command prompt to run AD Synchronization]

  7. Run the AD sync scheduled task from the command prompt to verify that there are no errors. Go to C:\Program files\FileHold Systems\Application Server\fileholdadm.
  8. Type the command:

fileholdadm /synchronize

  9. Close and re-open a supported browser and go to the FileHold log in page.
  10. Click Logon with Windows Authentication. You should be logged into FileHold automatically.
  11. In the FileHold Desktop Application, go to File > Connection Options. Select the option to Use my Windows account username and password to logon.
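The following PowerShell script is an added example, not a FileHold tool, that automates the diagnosis part of the procedure above: it reads the domain's NetBIOS name and FQDN from Active Directory and then reports whether each row of the ch_userrolemanager dbo.domains table carries the NetBIOS name or the FQDN. It assumes the RSAT ActiveDirectory module and the SqlServer module (for Invoke-Sqlcmd) are installed, and that the account running it can read the database; the SQL instance name is an assumption to adjust. The page names the table but not its columns, so the script inspects every string column rather than assuming a column name, and it only reports, leaving the actual edit to the administrator.

```powershell
# Added example (not FileHold's own tooling): compare the domain's NetBIOS name
# with the value(s) recorded in the ch_userrolemanager dbo.domains table.
# Assumptions: ActiveDirectory (RSAT) and SqlServer modules are installed,
# and the caller can read the FileHold database on $SqlInstance.
param(
    [string]$SqlInstance = 'localhost',          # assumption: FileHold DB on this host
    [string]$Database    = 'ch_userrolemanager'  # database named in the procedure
)

Import-Module ActiveDirectory
Import-Module SqlServer

# 1. The two forms of the domain name that can be confused.
$domain  = Get-ADDomain
$netbios = $domain.NetBIOSName   # NetBIOS form, e.g. CONTOSO (constructed example value)
$fqdn    = $domain.DNSRoot       # DNS form,     e.g. contoso.local

Write-Host "NetBIOS name : $netbios"
Write-Host "FQDN         : $fqdn"

# 2. What FileHold has recorded. The column name is not documented on the page,
#    so look at every string-valued column of each row instead of guessing one.
$rows = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database `
                      -Query 'SELECT * FROM dbo.domains'

$mismatch = $false
foreach ($row in $rows) {
    # DataRow.ItemArray holds the column values; keep only strings.
    $values = @($row.ItemArray | Where-Object { $_ -is [string] })

    if ($values -contains $netbios) {
        # -contains compares case-insensitively, matching how NetBIOS names are used.
        Write-Host "OK       : row already uses the NetBIOS name '$netbios'" -ForegroundColor Green
    }
    elseif ($values -contains $fqdn) {
        $mismatch = $true
        Write-Warning "MISMATCH : row stores the FQDN '$fqdn'; change the domain name column to '$netbios' in SQL Server Management Studio, then re-run fileholdadm /synchronize"
    }
    else {
        Write-Warning "UNKNOWN  : row values: $($values -join ', ')"
    }
}

if ($mismatch) { exit 1 } else { exit 0 }
```

Run it from an elevated PowerShell session on the FileHold server (for example `.\Test-FileHoldDomainName.ps1 -SqlInstance 'SQL01'`); a non-zero exit code means at least one dbo.domains row still holds the FQDN, which is the condition that produces the incorrect login/password error described above.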

Checking Integrated Windows Authentication (IWA) in the web client

  1. Go to the login page and click the Login with Windows Authentication link.

  2. If the browser does not pop up a dialog prompting you for a username and password, then Windows authentication is working. You should be immediately logged in and taken to the main library page.

You must be using HTTPS for IWA to work. If you have set your application server to use HTTP for inter-service communication, you may need to modify the reference to the WindowsLogin service in the web client web.config file to use HTTPS:

<setting name="WebClient_WindowsLoginService_WindowsLogin" serializeAs="String">
  <value>https://<server-name>/FH/FileHold/UserRoleManager/WindowsLogin.asmx</value>
</setting>
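As an added example (not FileHold's own code), the PowerShell below checks whether the WebClient_WindowsLoginService_WindowsLogin setting in a web.config points at an HTTPS URL, and can optionally rewrite an http:// reference to https:// after taking a backup. It locates the setting by its name attribute with XPath, so the surrounding element nesting does not matter. The demonstration at the end writes a constructed sample web.config to the temp folder so the script runs offline; the path of the real web client web.config is an assumption you must supply for your installation.

```powershell
# Added example: verify (and optionally fix) the WindowsLogin service reference
# in the web client's web.config, since IWA requires it to use HTTPS.
# Not FileHold's own code; the real web.config path is an assumption to supply.

function Test-WindowsLoginUsesHttps {
    param(
        [Parameter(Mandatory)][string]$WebConfigPath,
        [switch]$Fix   # rewrite http:// to https:// in place (backup is taken first)
    )

    $config = New-Object System.Xml.XmlDocument
    $config.Load($WebConfigPath)   # XmlDocument.Load handles the file's declared encoding

    # Find the setting by its name attribute wherever it sits in the document.
    $setting = $config.SelectSingleNode("//setting[@name='WebClient_WindowsLoginService_WindowsLogin']")
    if (-not $setting) {
        Write-Warning "Setting WebClient_WindowsLoginService_WindowsLogin not found in $WebConfigPath"
        return $false
    }

    $valueNode = $setting.SelectSingleNode('value')
    $url = $valueNode.InnerText.Trim()

    if ($url -match '^https://') {
        Write-Host "OK: WindowsLogin service reference uses HTTPS ($url)" -ForegroundColor Green
        return $true
    }

    Write-Warning "WindowsLogin service reference is not HTTPS: $url"
    if (-not $Fix) { return $false }

    # Mitigation: back up the file, then swap only the scheme so host and path stay as configured.
    Copy-Item -LiteralPath $WebConfigPath -Destination "$WebConfigPath.bak" -Force
    $valueNode.InnerText = $url -replace '^http://', 'https://'
    $config.Save($WebConfigPath)
    Write-Host "Rewrote reference to $($valueNode.InnerText) (backup: $WebConfigPath.bak)"
    return $true
}

# --- Demonstration on a constructed sample (not a real FileHold web.config) ---
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <applicationSettings>
    <setting name="WebClient_WindowsLoginService_WindowsLogin" serializeAs="String">
      <value>http://fh-app01.example.local/FH/FileHold/UserRoleManager/WindowsLogin.asmx</value>
    </setting>
  </applicationSettings>
</configuration>
'@
$samplePath = Join-Path $env:TEMP 'webclient-sample-web.config'
Set-Content -LiteralPath $samplePath -Value $sample -Encoding UTF8

Test-WindowsLoginUsesHttps -WebConfigPath $samplePath        # warns: reference is http://
Test-WindowsLoginUsesHttps -WebConfigPath $samplePath -Fix   # rewrites to https:// and reports OK
Test-WindowsLoginUsesHttps -WebConfigPath $samplePath        # now passes
```

Against a live server, drop the demonstration block and call `Test-WindowsLoginUsesHttps -WebConfigPath '<path to web client web.config>'` first without -Fix to see the current value; editing web.config recycles the IIS application, so schedule the -Fix run accordingly and keep the .bak file until the Login with Windows Authentication check above succeeds.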

The following links provide some information on diagnosing IWA issues: