07-01-2016 04:31 AM - edited 07-01-2016 04:38 AM
Our GMSC customer has the following problem, which is a blocker for his activity now:
They are using SSO with GMSC and it works properly but only when the computer is a domain machine.
They have third-party users who can connect to their domain from their machines and need to work with GMSC.
They have two cases when they want to work with the GMSC and when the SSO mode is not working:
So does the GMSC SSO mode work via VPN connections?
Does the GMSC SSO-true mode work on machines which are not domain machines?
07-01-2016 05:43 AM
The problem in such a use case is that the remote computer does not have a trust relationship with the domain controller, so any possibility to check information with the domain controller (groups in general) won't work. There is a discussion here:
I don't know if the proposed solutions can work; it is not the configuration SSO is supposed to work on. I'm afraid in such a use case the external users should switch to the GMSC internal security mechanism.
07-01-2016 06:29 AM
But there are other applications which can ask the domain controller properly.
At least there should be a request somewhere for the domain user name and password.
Is there any possibility? Maybe on IIS, so that when the user requests the GMSC address (http://host/GMSC), they receive a request for the domain user name and password, and then these credentials are forwarded to the GMSC?
Has anyone had this kind of issue?
07-01-2016 06:41 AM
I don't think it's a problem of credential retrieval, I think the problem is in getting the list of AD groups the user belongs to. So there is not much you can do.
It mostly depends on what the application needs to do. If you just need the credentials to access a shared resource, then there should not be problems, but in this case we need to ask the domain controller to get something more, and because there is no trust relationship with the AD that could be an issue.
07-01-2016 07:10 AM
I know that GMSC does not work like that now, but maybe GMSC should ask for domain credentials and then use them to ask the domain controller about groups and so on.
Other applications do it like that.
Maybe there is some kind of workaround through IIS configuration?
07-04-2016 12:39 AM
I don't think it's a GMSC problem. Which applications work this way? What are the resources and information they are requesting from the AD domain controller? As I said, if it's just a matter of requesting access to resources using an AD user, it's a different case...
10-21-2016 03:23 PM
So to answer your questions.
Does the GMSC SSO mode work via VPN connections? - Depends on the VPN connection; if the VPN connection provides access to the domain, then yes.
Does the GMSC SSO-true mode work on machines which are not domain machines? - No. Version 2013 had a security bug that was fixed in 14 and higher. SSO should be handled through the domain or other true SSO means. (https://msdn.microsoft.com/en-us/library/aa745042(v=bts.10).aspx)