How to enable pass through web client authentication with multiple DRA REST servers

  • 7023753
  • 28-Feb-2019
  • 08-Mar-2019

Environment

Directory Resource Administrator 9.2.x

Situation

When using the DRA Web Client UI it is possible to set the authentication method to Windows Authentication. This method allows the web browser to read the credentials of the logged-on user and pass them securely to the IIS Server. The IIS Server then passes those credentials on to the selected DRA REST and DRA HOST Services, which sit between the Web Client and the DRA Administration Service that performs the DRA operations. By default the IIS Server will not allow these credentials to be passed to services on a remote OS. If the request from the IIS Server hosting the DRA Client fails to include the user credentials, the REST and HOST Services deny the connection and report an error regarding an invalid user name and password.

Resolution

The following steps outline the process used to configure DRA Rest Services, IIS Server settings, and AD object settings. This configuration will allow the DRAClient Web application to use any DRA REST or DRA Host Service.

Create Service Principal Names (SPNs) linking each DRA REST and DRA Host Server to the DRA Service Account

1. Open an Administrator CMD prompt in the context of the DRA service account (or another Domain Admin level account).

    Note: The CMD prompt can be run from any Member Server within the AD Domain hosting the DRA Server(s)

2. Create a SPN for each DRA REST and HOST server

    a. Create a DRA REST Service SPN, using both the flat name and the FQDN of the computer name of each DRA REST server.
        i. SetSpn -U -A NetIQDRARest/<FQDN of REST server> <DomainName>\<service account name>
            Example: DRA REST server with a FQDN of HouDRA01.Houts.lab, and service account Houts\Dra.Service
            Setspn -U -A NetIQDRARest/HouDra01.houts.lab Houts\dra.service
        ii. SetSpn -U -A NetIQDRARest/<flat name of REST server> <DomainName>\<service account name>
            Example: DRA REST server flat name of HouDRA01, and service account Houts\Dra.Service
            Setspn -U -A NetIQDRARest/HouDra01 Houts\dra.service
        iii. Repeat the above step for every Windows OS name hosting the NetIQ DRA REST Service.
    b. Create a DRA HOST Service SPN, using both the flat name and the FQDN of the computer name of each DRA HOST server.
        i. SetSpn -U -A NetIQDRAHost/<FQDN of HOST server> <DomainName>\<service account name>
            Example: DRA HOST server FQDN of HouDRA01.houts.lab, and service account Houts\Dra.Service
            Setspn -U -A NetIQDRAHost/HouDra01.houts.lab Houts\dra.service
        ii. SetSpn -U -A NetIQDRAHost/<flat name of HOST server> <DomainName>\<service account name>
            Example: DRA HOST server flat name of HouDRA01, and service account Houts\Dra.Service
            Setspn -U -A NetIQDRAHost/HouDra01 Houts\dra.service
        iii. Repeat the above step for every Windows OS name hosting the NetIQ DRA HOST Service.

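
The SPN registration above, as an added PowerShell example that is not part of this article: it builds the flat-name and FQDN SPNs for both service types from a server list, queries for an existing registration before adding each one (a duplicate SPN on a second account silently breaks Kerberos for both), and lists the result. The server names, DNS suffix and service account are placeholders; setspn.exe is assumed to be on the PATH.

```powershell
# Added example (not from the NetIQ KB article): register NetIQDRARest and
# NetIQDRAHost SPNs for every DRA server in one pass, checking for duplicates first.
# Assumptions: setspn.exe is available, and the values below are placeholders
# you replace. Run as the DRA service account or another Domain Admin account.

$ServiceAccount = 'HOUTS\dra.service'          # <DomainName>\<service account name>
$DomainSuffix   = 'houts.lab'                  # DNS suffix used to form the FQDN
$RestServers    = @('HouDRA01', 'HouDRA02')    # flat names of hosts running the DRA REST Service
$HostServers    = @('HouDRA01', 'HouDRA02')    # flat names of hosts running the DRA HOST Service

function Get-DraSpnList {
    param([string]$ServiceClass, [string[]]$Servers, [string]$Suffix)
    # The article requires both the flat name and the FQDN form for each server.
    foreach ($server in $Servers) {
        "$ServiceClass/$server"
        "$ServiceClass/$server.$Suffix"
    }
}

function Register-DraSpn {
    param([string]$Spn, [string]$Account)
    # setspn -Q prints "Existing SPN found!" plus the owning object's DN when the SPN
    # is already registered anywhere in the forest. Stop rather than create a duplicate.
    $query = & setspn.exe -Q $Spn 2>&1
    if ($query -match 'Existing SPN found') {
        Write-Warning "SPN $Spn is already registered:`n$($query -join "`n")"
        return
    }
    # -U: the target is a user account; -A: add the SPN (the switches the article uses).
    & setspn.exe -U -A $Spn $Account | Out-Null
    Write-Host "Registered $Spn -> $Account"
}

$spns  = @()
$spns += Get-DraSpnList -ServiceClass 'NetIQDRARest' -Servers $RestServers -Suffix $DomainSuffix
$spns += Get-DraSpnList -ServiceClass 'NetIQDRAHost' -Servers $HostServers -Suffix $DomainSuffix

foreach ($spn in ($spns | Sort-Object -Unique)) {
    Register-DraSpn -Spn $spn -Account $ServiceAccount
}

# Verify: list every SPN now attached to the service account.
& setspn.exe -L $ServiceAccount
```

If the query step reports the SPN on an object other than the DRA service account, resolve that conflict first; adding the same SPN to a second account is what produces the intermittent "invalid user name and password" failures the article describes.
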
Enable delegation for the REST and HOST Service account

1. Use ADUC to search for the AD account running the NetIQ DRA REST or HOST Service on each service instance
a. You will need to perform these operations using an AD account with Domain Admin rights
2. From the account properties window, select the Delegation Tab

3. From the Delegation Tab, choose the options 'Trust this user for delegation to the specified services only' and 'Use any authentication protocol'.

4. Use the Add button to add a service to the delegation list.

5. From the Add Services window, search for the DRA REST and HOST Service account

6. From the Add Services window, select the Service Types of NetIQDRARest or NetIQDRAHost whose user or computer name value equals both the flat name and the FQDN of each OS hosting the DRA REST or HOST Service.

Enable delegation for the IIS server computer account

1. Use ADUC to search for the Computer account of each IIS Server used to host the DRAClient Web Application
a. You will need to perform these operations using an AD account with Domain Admin rights
2. From the account properties window, select the Delegation Tab

3. From the Delegation Tab, choose the options 'Trust this computer for delegation to the specified services only' and 'Use any authentication protocol'.

4. Add a service to the delegation tab, using the Add button

5. From the Add Services window, search for the DRA REST and HOST Service account

6. From the Add Services window, select the Service Types of NetIQDRARest or NetIQDRAHost whose user or computer name value equals both the flat name and the FQDN of each OS hosting the DRA REST or HOST Service.
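
The two Delegation Tab procedures above (service account, then each IIS computer account) as one added PowerShell example that is not part of this article. It uses the ActiveDirectory module rather than ADUC: 'Trust this user/computer for delegation to the specified services only' is the msDS-AllowedToDelegateTo attribute, and 'Use any authentication protocol' is the TRUSTED_TO_AUTH_FOR_DELEGATION bit of userAccountControl. Account and server names are placeholders; the SPNs must already be registered, since the Delegation tab (and a meaningful target list) only exists once the service account owns SPNs.

```powershell
# Added example (not from the NetIQ KB article): constrained delegation for the
# DRA service account and every IIS computer account, done with the AD module.
# Assumptions: RSAT ActiveDirectory module, run as Domain Admin, SPNs already
# registered, and placeholder names below replaced with real ones.

Import-Module ActiveDirectory

$ServiceAccountSam = 'dra.service'               # account running the DRA REST/HOST Services
$IisComputerNames  = @('HouWEB01', 'HouWEB02')   # IIS servers hosting the DRAClient web application
$DraServerNames    = @('HouDRA01', 'HouDRA02')   # OS names hosting the REST and HOST Services
$DomainSuffix      = 'houts.lab'

# Services each delegating principal may reach: both service types, flat name and FQDN
# of every DRA server (step 6 of both sections).
$TargetSpns = foreach ($server in $DraServerNames) {
    foreach ($class in 'NetIQDRARest', 'NetIQDRAHost') {
        "$class/$server"
        "$class/$server.$DomainSuffix"
    }
}

function Set-DraConstrainedDelegation {
    param(
        [Parameter(Mandatory)]$Account,          # an ADUser or ADComputer object
        [Parameter(Mandatory)][string[]]$Spns
    )
    $dn = $Account.DistinguishedName

    # Add only the missing entries: -Add fails on a value that is already present.
    $current = (Get-ADObject -Identity $dn -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
    $missing = @($Spns | Where-Object { $_ -notin @($current) })
    if ($missing.Count -gt 0) {
        # 'Trust this user/computer for delegation to the specified services only'
        Set-ADObject -Identity $dn -Add @{ 'msDS-AllowedToDelegateTo' = [string[]]$missing }
    }

    # 'Use any authentication protocol' (protocol transition, TRUSTED_TO_AUTH_FOR_DELEGATION)
    Set-ADAccountControl -Identity $dn -TrustedToAuthForDelegation $true

    # Read back so a mistyped SPN is caught now, not at the first failed logon.
    $after = Get-ADObject -Identity $dn -Properties 'msDS-AllowedToDelegateTo', 'userAccountControl'
    [pscustomobject]@{
        Account                    = $Account.SamAccountName
        TrustedToAuthForDelegation = [bool]($after.userAccountControl -band 0x1000000)
        AllowedToDelegateTo        = @($after.'msDS-AllowedToDelegateTo') -join '; '
    }
}

# Section "Enable delegation for the REST and HOST Service account"
Set-DraConstrainedDelegation -Account (Get-ADUser -Identity $ServiceAccountSam) -Spns $TargetSpns

# Section "Enable delegation for the IIS server computer account", once per IIS server
foreach ($name in $IisComputerNames) {
    Set-DraConstrainedDelegation -Account (Get-ADComputer -Identity $name) -Spns $TargetSpns
}
```

The output object per account lets you confirm, at a glance, that the delegation list contains exactly the NetIQDRARest and NetIQDRAHost entries and nothing broader; constrained delegation to just those SPNs is the least-privilege form of what the Delegation Tab offers, and the script never selects 'Trust this user for delegation to any service'.
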

Update the application configuration files used by the DRA REST server

1. Modify the NetIQRestProxy\restProxy.config file on each DRA REST Server
a. Default path: %ProgramData%\NetIQRestProxy\restProxy.config
b. Create a backup copy of the file
c. Change line 9, which starts with <consoleConfiguration to be:
i. <consoleConfiguration autoLogoutAfter="20" allowCustomJavaScript="false" taskEnumTimerMsDelay="750" restServerSpn="<SPN of a remote DRA REST Server>">
ii. The format for the SPN will look like NetIQDRARest/houdvdr890.drdom691.lab
iii. The server name should be any DRA REST Server other than the local host
d. These steps must be done on every DRA REST Server
2. Modify the DRA Rest Service Configuration file on each DRA REST Server
a. Default path: C:\Program Files (x86)\NetIQ\DRA Extensions\NetIQ.DRA.RestService.exe.config
b. Create a backup copy of the file
c. Change line 7, which starts with <customAppSettings to be:
i. <customAppSettings hostServerSpn="<SPN of a remote DRA REST Server>">
ii. The format for the SPN will look like NetIQDRARest/houdvdr890.drdom691.lab
iii. The server name should be any DRA REST Server other than the local host
d. Change line 45, which starts with <servicePrincipalName to be:
i. <servicePrincipalName value="<SPN of a remote DRA REST Server>">
ii. The format for the SPN will look like NetIQDRARest/houdvdr890.drdom691.lab
iii. The SPN name should be the same name as the value used in line 7
e. These steps must be done on every DRA REST Server
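
The two configuration-file edits above, as an added PowerShell example that is not part of this article. It edits by element and attribute name rather than by line number (line positions shift between versions), refuses to point the server at itself, and backs each file up before writing. The default paths and the element names (consoleConfiguration/restServerSpn, customAppSettings/hostServerSpn, servicePrincipalName/value) come from the article; the remote server FQDN is a placeholder, and the files are assumed to be plain XML with no default namespace.

```powershell
# Added example (not from the NetIQ KB article): apply the restProxy.config and
# NetIQ.DRA.RestService.exe.config changes on one DRA REST server.
# Assumptions: default paths from the article, XML without a default namespace,
# placeholder remote server name replaced. Run elevated on each DRA REST server.

$RemoteRestServerFqdn = 'HouDRA02.houts.lab'   # any DRA REST Server OTHER than this host
$Spn = "NetIQDRARest/$RemoteRestServerFqdn"

# The article requires a remote server; catch a copy-paste of the local name early.
$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($RemoteRestServerFqdn -ieq $localFqdn -or $RemoteRestServerFqdn -ieq $env:COMPUTERNAME) {
    throw "The SPN must name a remote DRA REST Server, not the local host ($localFqdn)."
}

function Set-XmlAttributeWithBackup {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Edits   # XPath -> @{ attributeName = value }
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Config file not found: $Path" }

    # Timestamped backup beside the original (the article asks for a backup first,
    # and notes that REST Service upgrades can overwrite these files).
    $backup = "$Path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -LiteralPath $Path -Destination $backup

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true               # keep layout so a later diff stays readable
    $xml.Load($Path)
    foreach ($xpath in $Edits.Keys) {
        $node = $xml.SelectSingleNode($xpath)
        if (-not $node) { throw "Element '$xpath' not found in $Path (file left unchanged)" }
        foreach ($attr in $Edits[$xpath].Keys) {
            $node.SetAttribute($attr, $Edits[$xpath][$attr])
        }
    }
    $xml.Save($Path)
    Write-Host "Updated $Path (backup: $backup)"
}

# 1. restProxy.config: restServerSpn on <consoleConfiguration>
Set-XmlAttributeWithBackup -Path (Join-Path $env:ProgramData 'NetIQRestProxy\restProxy.config') `
    -Edits @{ '//consoleConfiguration' = @{ restServerSpn = $Spn } }

# 2. NetIQ.DRA.RestService.exe.config: hostServerSpn and servicePrincipalName use the same SPN
Set-XmlAttributeWithBackup -Path 'C:\Program Files (x86)\NetIQ\DRA Extensions\NetIQ.DRA.RestService.exe.config' `
    -Edits @{
        '//customAppSettings'    = @{ hostServerSpn = $Spn }
        '//servicePrincipalName' = @{ value         = $Spn }
    }

# 3. Restart the NetIQ DRA Rest Service so the new SPN is read (display name assumed to
#    match the article's wording; check Get-Service if the match is empty).
Get-Service -DisplayName 'NetIQ DRA Rest Service*' | Restart-Service
```

Because both files name the same SPN, keeping it in one variable removes the most common mistake in this procedure: the line 7 and line 45 values drifting apart after a later edit.
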

Configure the DRA Client web application configuration to use Windows Authentication

1. Locate the Web.Config file for the DRA REST Web Application
a. Default path: C:\inetpub\wwwroot\DRAClient\rest\Web.Config
b. Backup the file
c. Change line 33, which starts with <authentication mode=, to:
d. <authentication mode="Windows" />
e. These steps must be done on every IIS Server

Configure each IIS server to use Windows Authentication

1. Use Windows IIS Manager to change the Authentication for the REST Web Application
a. Navigate within IIS Manager down to: Server Name – Default Web Site – DRAClient – Rest
b. Use the authentication option to enable only Windows Authentication, and disable all other Authentication types
c. Edit the Providers option of Windows Authentication to ensure Negotiate Provider is at the top of the list
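
The Web.Config change and the three IIS Manager steps above, as an added PowerShell example that is not part of this article. It uses the WebAdministration module so every IIS server ends up with identical settings, and writes the authentication settings at the server level with a location path, which is where IIS Manager writes them too (the authentication sections are normally locked against being set from a web.config). The site and application path come from the article; the module being present and the script running elevated are assumptions.

```powershell
# Added example (not from the NetIQ KB article): Windows Authentication for the
# DRAClient/rest application, done with the WebAdministration module.
# Assumptions: IIS with WebAdministration installed, default paths from the
# article, run elevated on each IIS server hosting DRAClient.

Import-Module WebAdministration

$WebConfig = 'C:\inetpub\wwwroot\DRAClient\rest\Web.Config'
$Location  = 'Default Web Site/DRAClient/rest'     # Server Name - Default Web Site - DRAClient - Rest
$AuthBase  = '/system.webServer/security/authentication'
$Providers = "$AuthBase/windowsAuthentication/providers"

# 1. Web.Config: <authentication mode="Windows" />, located by element rather than line number
Copy-Item -LiteralPath $WebConfig -Destination "$WebConfig.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($WebConfig)
$auth = $xml.SelectSingleNode('//system.web/authentication')
if (-not $auth) { throw "No <authentication> element under <system.web> in $WebConfig" }
$auth.SetAttribute('mode', 'Windows')
$xml.Save($WebConfig)

# 2. Enable only Windows Authentication for this application; disable the others
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter "$AuthBase/windowsAuthentication" -Name enabled -Value $true
foreach ($other in 'anonymousAuthentication', 'basicAuthentication', 'digestAuthentication') {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$AuthBase/$other" -Name enabled -Value $false
}

# 3. Providers: Negotiate must be first. Negotiate selects Kerberos, which is the only
#    protocol that can carry the delegated identity on to the REST and HOST Services;
#    an NTLM-first order would fail over to a credential the remote service rejects.
$existing = @((Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter $Providers -Name Collection).value)
foreach ($p in $existing) {
    Remove-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter $Providers -Name '.' -AtElement @{ value = $p }
}
foreach ($p in 'Negotiate', 'NTLM') {
    Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter $Providers -Name '.' -Value @{ value = $p }
}

# Verify what IIS will actually use for this application
foreach ($section in 'anonymousAuthentication', 'basicAuthentication', 'digestAuthentication', 'windowsAuthentication') {
    $v = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location -Filter "$AuthBase/$section" -Name enabled
    '{0,-24} enabled={1}' -f $section, $v.Value
}
'providers: ' + ((Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter $Providers -Name Collection).value -join ', ')

# Restart IIS so the change takes effect (the article's final step)
& iisreset
```

Leaving Anonymous Authentication enabled alongside Windows Authentication is the usual cause of a page that "works" but never delegates: IIS answers the first request anonymously, no Kerberos ticket is ever obtained, and the REST Service sees no user credential at all.
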

Restart the Services

1. Restart the NetIQ DRA Rest Service on every DRA REST Server

2. Restart the IIS service on every IIS server

Cause

The default behavior of IIS and the DRA REST Service is to not allow impersonation or passing of the Windows user credentials to a remote machine. Without this ability, the IIS Server, DRA REST Server and DRA HOST Server must reside on the same OS when using Windows Authentication.

Additional Information

Technical support recommends that you create a backup of all configuration files before making any changes. In addition, any DRA REST Service upgrade may revert the configuration files back to the default settings.