
GeoMedia Smart Client

Contributor
Posts: 38
Registered: ‎12-03-2015

GMSC 2015 - problem with using SSO - computer not in the domain but user has a domain account

Hi,

Our GMSC customer has the following problem, which is a blocker for their activity now:

They are using SSO with GMSC and it works properly but only when the computer is a domain machine.

They have a third party users who can connect to their domain from their machines and need to work with GMSC.

 

They have two cases when they want to work with the GMSC and when the SSO mode is not working:

 

  1. The third-party users can connect to their domain from their machines (from outside of the domain) by VPN, and they have domain accounts. When they then try to run GMSC in SSO-true mode, GMSC asks them for a user name and password, but the domain account credentials don't work.
  2. The third-party users connect their laptops to our customer's network (but the laptops are not domain machines). When they then try to run GMSC in SSO-true mode, GMSC asks them for a user name and password, but the domain account credentials don't work.

So does the GMSC SSO mode work via VPN connections?

Does the GMSC SSO-true mode work on machines which are not domain machines?

Staff
Posts: 927
Registered: ‎10-18-2015

Re: GMSC 2015 - problem with using SSO - computer not in the domain but user has a domain account

Hi Piotr,

 

The problem in such a use case is that the remote computer does not have a trust relationship with the domain controller, so any possibility to check information with the domain controller (groups in general) won't work. There is a discussion here:

 

http://serverfault.com/questions/88208/mimic-the-behavior-of-a-machine-added-to-a-domain

 

I don't know if the proposed solutions can work; it is not the configuration SSO is supposed to work on. I'm afraid in such a use case the external users should switch to GMSC's internal security mechanism.

 

HTH,

Stefano

Stefano Turcato
Presale Engineer
Hexagon Geospatial
Contributor
Posts: 38
Registered: ‎12-03-2015

Re: GMSC 2015 - problem with using SSO - computer not in the domain but user has a domain account

Carmelo,

But there are other applications which can ask the domain controller properly.

At least there should be a request somewhere for the domain user name and password.

Is there any possibility? Maybe on IIS, so that when the user requests the GMSC address (http://host/GMSC), they receive a request for the domain user name and password, and then these credentials are forwarded to GMSC?

Has anyone had this kind of issue?

Regards

Piotr

Staff
Posts: 927
Registered: ‎10-18-2015

Re: GMSC 2015 - problem with using SSO - computer not in the domain but user has a domain account

Piotr,

 

I don't think it's a problem of credential retrieval; I think the problem is in getting the list of AD groups the user belongs to. So there is not much you can do.

It mostly depends on what the application needs to do. If you just need the credentials to access a shared resource, then there should not be problems, but in this case we need to ask the domain controller to get something more, and because there is no trust relationship with the AD, that could be an issue.

 

Stefano

Stefano Turcato
Presale Engineer
Hexagon Geospatial
Contributor
Posts: 38
Registered: ‎12-03-2015

Re: GMSC 2015 - problem with using SSO - computer not in the domain but user has a domain account

I know that GMSC does not work like that now, but maybe GMSC should ask for domain credentials and then use them to ask the domain controller about groups and so on.

Other applications work like that.

Is there maybe some kind of workaround through IIS configuration?

 

Staff
Posts: 927
Registered: ‎10-18-2015

Re: GMSC 2015 - problem with using SSO - computer not in the domain but user has a domain account

I don't think it's a GMSC problem. Which applications work this way? What are the resources and information they are requesting from the AD domain controller? As I said, if it's just a matter of requesting access to resources using an AD user, it's a different case...

 

Stefano

Stefano Turcato
Presale Engineer
Hexagon Geospatial
Moderator
Posts: 237
Registered: ‎02-08-2016

Re: GMSC 2015 - problem with using SSO - computer not in the domain but user has a domain account

Hi

So to answer your questions.

 

Does the GMSC SSO mode work via VPN connections? - Depends on the VPN connection; if the VPN connection provides access to the domain, then yes.

 

Does the GMSC SSO-true mode work on machines which are not domain machines? - No. Version 2013 had a security bug that was fixed in 14 and higher. SSO should be handled through the domain or other true SSO means (https://msdn.microsoft.com/en-us/library/aa745042(v=bts.10).aspx).

 

Thanks,

Marc
