This document describes setting up single sign-on with SuperOffice Customer Service and IIS web server.
We assume you already have SuperOffice Customer Service running.
If you want to use single sign-on with Customer Service, you need to have Customer Service and NetServer installed on the same server; using remote web services (NetServer) will not work. The server where Customer Service is installed needs to be in the same domain as the PCs.
If you installed Customer Service in a DMZ, the server is usually not added to the domain, and therefore single sign-on cannot work.
Preparing for Single sign-on
Navigate to system settings, make sure the check box "Use user authentication from web server" is checked, and save the settings.
All users that will be using single sign-on must be mapped to a domain user, using the SuperOffice administrator application, soAdmin.exe. To do that, start soAdmin.exe from the SuperOffice client install folder, navigate to the user, click the “task” menu button, select “change authentication type”, and select Active Directory in the authentication type dialog. Press OK to save.
You will then get a dialog that lets you navigate the Active Directory, and choose the AD user corresponding to the SuperOffice user.
Please note: there is a bug in 7.1 which requires the username in soAdmin to be identical to the Active Directory user name: http://devnet.superoffice.com/Issue-Center/Product-Issue/?bid=7748
Preparing IIS for Single sign-on
Start Internet Information Services (IIS) Manager
Navigate to the scripts (or bin) folder under your site, and double click “Authentication”.
Enable Windows authentication, and turn off anonymous login. (You could instead create another site for this, so you have one site with anonymous access and one with Windows authentication, but we don’t do that in this example.)
Now you need to make an actual copy of your SuperOffice Web services (NetServer) directory, as Customer Service doesn’t use integrated login when talking to NetServer in the general case, but we must use integrated login to NetServer at some point during the login process with single sign-on. The way this is done in this document requires a different web.config file for the two cases, and so you must have two separate NetServer directories, not just two different sites mapping to the same directory.
Create a new virtual directory or application in IIS Manager, pointing it to the NetServer copy. Call the application directory NetServerAD or similar. This application directory must be set to Windows authentication only, just like the Customer Service scripts folder.
You need to change the web.config file in the NetServer copy. The changes differ slightly depending on which version of SuperOffice you use.
For version 7.0 and 7.1
You need an extra binding configuration, and this should be used with the SoPrincipal service:
The binding configuration should look like this with the binding2 section added:
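<binding name="binding1" maxReceivedMessageSize="1000000"> <!-- existing content unchanged --> </binding>
<binding name="binding2" maxReceivedMessageSize="1000000">
  <security mode="TransportCredentialOnly">
    <transport clientCredentialType="Windows" />
  </security>
</binding>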
The service declaration for the SoPrincipal service should look like this:
<service name="SuperOffice.CRM.Services.WcfService.WcfSoPrincipalService" behaviorConfiguration="SoWcfBehavior">
  <endpoint binding="basicHttpBinding" bindingConfiguration="binding2" contract="WcfPrincipalService" />
  <endpoint address="mex" binding="basicHttpBinding" bindingConfiguration="binding2" contract="IMetadataExchange" />
</service>
For version 7.5
There is really only one change to make. There should already be a section like this in your Web.config:
<!-- Windows Authenticated services -->
<transport clientCredentialType="Windows" />
Under system.serviceModel - protocolMapping, there should be an entry with scheme="http" and an empty bindingConfiguration parameter. Set the bindingConfiguration parameter of the http protocol mapping scheme to the name WindowsAuth:
<!-- Services configuration -->
<protocolMapping>
  <!-- Make sure that http uses default binding and https uses bindingHttps binding -->
  <add scheme="http" binding="basicHttpBinding" bindingConfiguration="WindowsAuth" />
  <add scheme="https" binding="basicHttpBinding" bindingConfiguration="bindingHttps" />
</protocolMapping>
Verify the changes
Test the application in a browser by navigating to it (for example http://localhost/NetServerAD/SoPrincipal.svc). It should give you a URL to the SOAP WSDL and some code samples, not an error page.
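A static check of the edited web.config in the NetServerAD copy, added here as an example (it is not SuperOffice code): it confirms that the binding configuration SoPrincipal is reached through, named on the service endpoint in 7.0/7.1 or on the http protocol mapping in 7.5, exists and sets Windows transport credentials. The function name and the sample XML are constructed for illustration, and the security element around transport is assumed from the standard WCF basicHttpBinding schema.

```powershell
# Added example (not SuperOffice code): static check of the NetServerAD web.config.
function Test-NetServerAdConfig {
    param([Parameter(Mandatory)][xml]$Config)

    $sm = '/configuration/system.serviceModel'
    # Binding configurations SoPrincipal is reached through: 7.0/7.1 name one on
    # the service endpoint, 7.5 names one on the http protocol mapping.
    $used = @(
        $Config.SelectNodes("$sm/services/service[contains(@name,'SoPrincipal')]/endpoint[@contract='WcfPrincipalService']")
        $Config.SelectNodes("$sm/protocolMapping/add[@scheme='http']")
    ) | ForEach-Object { $_.GetAttribute('bindingConfiguration') } |
        Where-Object { $_ } | Select-Object -Unique

    if (-not $used) { return 'no bindingConfiguration is set for SoPrincipal or the http scheme' }
    foreach ($name in $used) {
        $binding = $Config.SelectSingleNode("$sm/bindings/basicHttpBinding/binding[@name='$name']")
        if ($null -eq $binding) { "binding '$name' is referenced but not defined"; continue }
        # Assumed layout: <binding><security><transport clientCredentialType="..."/>
        $cred = $binding.SelectSingleNode('security/transport/@clientCredentialType')
        if ($null -eq $cred -or $cred.Value -ne 'Windows') {
            "binding '$name' does not set clientCredentialType=Windows on its transport"
        }
    }
}

# Constructed sample in the 7.0/7.1 layout: binding2 was added, but the
# SoPrincipal endpoint was left pointing at binding1.
[xml]$sample = @'
<configuration><system.serviceModel>
  <bindings><basicHttpBinding>
    <binding name="binding1" maxReceivedMessageSize="1000000" />
    <binding name="binding2" maxReceivedMessageSize="1000000">
      <security mode="TransportCredentialOnly"><transport clientCredentialType="Windows" /></security>
    </binding>
  </basicHttpBinding></bindings>
  <services>
    <service name="SuperOffice.CRM.Services.WcfService.WcfSoPrincipalService">
      <endpoint binding="basicHttpBinding" bindingConfiguration="binding1" contract="WcfPrincipalService" />
    </service>
  </services>
</system.serviceModel></configuration>
'@
Test-NetServerAdConfig -Config $sample
```

To check the real file, pass `[xml](Get-Content <path to the NetServerAD web.config> -Raw)` as `-Config`; no output means no findings.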
In the database, make sure the registry table entry with reg_id = 245 specifies the correct NetServerGetTicket.exe application. It can be found in the scripts (or bin) folder of new Customer Service installations.
NetServerGetTicket.exe also has a config file that needs to be changed. Edit the NetServerGetTicket.exe.config file and change the endpoint address to point to the SoPrincipal service of the integrated login copy of NetServer on your IIS site.
You should now have a working integrated login / single sign-on setup. Remember to configure the Customer Service site as a local intranet site, or as a trusted site with automatic login, in the web clients accessing it.
Note: you should verify that this is working from a client and NOT from the server itself, which may give you "HTTP 401.1 - Unauthorized: Logon Failed" when you try to access the site: http://support.microsoft.com/kb/896861.