SuperOffice CRM Web supports single sign-on (SSO) using Windows Authentication. This document describes how to configure it.
Here is a checklist for CRM 8:
- Web server is enlisted in Active Directory
- The hostname used to access the site is registered in DNS (not in a hosts file)
- Remote Netserver (where Web and Netserver are on different servers) is not supported due to Kerberos double-hop issues
- Users are configured with Active Directory authentication in SuperOffice
- The IIS site where SuperOffice is located is configured to use Windows Authentication
- Customer Service & Pocket CRM must use a separate Netserver site where Windows Authentication is turned off. It can point to the same physical path as Netserver for Sales but with its own IIS Application with Windows auth turned off.
- You should now be able to test with your browser to see if SSO works for users.
- To enable SSO with Mail Link and TrayApp, you will need to change the protocolMapping to use WindowsAuth in the web.config file - see below.
If you are using IE and IE does not treat the site as local intranet, you will need to add the site to trusted sites. Other browsers need no configuration to give an SSO experience.
Testing SSO on the same server as SuperOffice usually fails. Accessing the site from the Internet prompts the user for credentials, since the KDC is unavailable.
Single sign-on with Windows authentication
The following process is carried out when a Windows user is automatically signed in to SuperOffice Web:
- Authenticate the user with IIS
- Pass the IIS Authentication on to CRM Web
- Authenticate the Windows user with CRM Web
Authenticate the user with IIS
Windows 2016 Server
- Open Server Manager
- Make sure Windows Authentication is checked.
- Open Internet Information Server (IIS) Manager.
- Select the SuperOffice CRM Web site again and double-click on the 'Authentication' Feature:
- Make sure that only Windows Authentication is enabled. We do not recommend other authentication methods such as Basic and Digest.
To enable Single sign-on for Web Tools (MailLink and Web Extensions) the bindingConfiguration must be changed to WindowsAuth (and WindowsAuths for https) in Web.config.
SuperOffice 8.4 R04 and newer includes support for Netserver communicating with Customer Service (for instance through the ticket or crmscript agent).
To support this functionality in single sign-on scenarios, an impersonation user is required for the communication between Netserver and Service.
The impersonation user must exist in Active Directory but does not need to be a SuperOffice user.
Steps to configure in the web.config file:
1. Configure the installation as SSO
2. Make sure the symmetricKey and symmetricSecret values are the same between SuperOffice Web and Customer Service config files
<section name="CustomerService" type="System.Configuration.NameValueSectionHandler, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
4. Add the section CustomerService under SuperOffice
<add key="ImpersonateCsUser" value="True" />
<add key="CsUserName" value="" />
<add key="CsPassword" value="" />
<add key="CsDomain" value="" />
5. Update the values to be correct for the installation:
- ImpersonateCsUser must be set to True
- CsUserName is the AD user to impersonate
- CsPassword is the corresponding password
- CsDomain is the Active Directory domain where the user is registered
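A check for steps 2 to 5, as an added example rather than SuperOffice's own tooling: it compares symmetricKey and symmetricSecret across the two config files without printing them, and verifies the CustomerService values. The sample XML, its element nesting, and the function names Get-ConfigValue and Test-SsoServiceConfig are assumptions made for the illustration.

```powershell
# Constructed samples with placeholder values; the nesting around the keys is made up.
# For real use, load the files instead: [xml](Get-Content -Raw <path to config>)
[xml]$webConfig = @'
<configuration><SuperOffice>
  <Keys>
    <add key="SymmetricKey" value="PLACEHOLDER-KEY" />
    <add key="SymmetricSecret" value="PLACEHOLDER-SECRET-A" />
  </Keys>
  <CustomerService>
    <add key="ImpersonateCsUser" value="True" />
    <add key="CsUserName" value="svc-example" />
    <add key="CsPassword" value="" />
    <add key="CsDomain" value="EXAMPLE" />
  </CustomerService>
</SuperOffice></configuration>
'@
[xml]$serviceConfig = @'
<configuration>
  <add key="SymmetricKey" value="PLACEHOLDER-KEY" />
  <add key="SymmetricSecret" value="PLACEHOLDER-SECRET-B" />
</configuration>
'@

function Get-ConfigValue {
    param([xml]$Config, [string]$Key, [string]$Section)
    # Find <add key="..."> anywhere, or only inside <Section>; key names compare case-insensitively.
    $xpath = if ($Section) { "//$Section/add[@key]" } else { '//add[@key]' }
    $node = $Config.SelectNodes($xpath) |
        Where-Object { $_.GetAttribute('key') -ieq $Key } | Select-Object -First 1
    if ($node) { $node.GetAttribute('value') } else { $null }
}

function Test-SsoServiceConfig {
    param([xml]$Web, [xml]$Service)
    $problems = @()
    foreach ($k in 'symmetricKey', 'symmetricSecret') {
        $a = Get-ConfigValue $Web $k
        $b = Get-ConfigValue $Service $k
        if ([string]::IsNullOrEmpty($a) -or [string]::IsNullOrEmpty($b)) { $problems += "$k is missing" }
        elseif ($a -cne $b) { $problems += "$k differs between the files" }  # value never printed
    }
    if ((Get-ConfigValue $Web 'ImpersonateCsUser' 'CustomerService') -ne 'True') {
        $problems += 'ImpersonateCsUser is not True'
    }
    foreach ($k in 'CsUserName', 'CsPassword', 'CsDomain') {
        if ([string]::IsNullOrWhiteSpace((Get-ConfigValue $Web $k 'CustomerService'))) { $problems += "$k is empty" }
    }
    $problems
}

$result = @(Test-SsoServiceConfig $webConfig $serviceConfig)
if ($result.Count) { $result | ForEach-Object { "FAIL: $_" } } else { 'OK' }
```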
Other configuration options
Single sign-on for Web Tools alone
- Open IIS Manager
- Select the Services folder in the CRM Web site
- Enable Windows Authentication in Authentication. Disable other authentication methods.
- Apply the configuration changes related to bindings and WindowsAuth.