Pass-Through Authentication Configuration
In this document I discuss the challenges you may face when configuring Pass-Through Authentication in a practical environment.
Access Requirements:
1. Direct access to the Domain Controller.
2. Direct access to the ServiceDesk Plus server.
Procedure:
(As a best practice, I recommend you to do this activity directly from the Domain Controller)
1. Open ServiceDesk Plus in a browser and go to Admin > Discovery > Windows Domain Scan. Check the entries that are available for your domain. ServiceDesk Plus tends to fetch both the fully qualified domain name (FQDN) and the pre-Windows 2000 format name (NetBIOS name) of your domain; however, the domain controller details are updated for only one of the entries. (In this document, I have used our test domain environment 'SDPEXCHANGE' to illustrate the scenario.)
2. In order for Pass-Through Authentication to work, we have to use only the pre-Windows 2000 format of your domain name. To identify the domain entry which is tied to the user accounts, check the requester list view (Admin > Users > Requester).
To check the pre-Windows 2000 format (NetBIOS) name of your domain, go to Administrative Tools > Active Directory Users and Computers > right-click your domain > Properties.
3. In this case SDPEXCHANGE.COM (the FQDN entry) is tied to the user accounts, so we have to edit this entry in the domain list and replace the FQDN with the NetBIOS name. To achieve this, rename 'SDPEXCHANGE' to 'SDPEXCHANGE_OLD' (fig 1) and then update 'SDPEXCHANGE.COM' to 'SDPEXCHANGE' (fig 2).
4. Once the domain name is updated, the requester list will reflect the updated domain name.
5. Now go to Admin > Users > Active Directory and import the users once again from your Active Directory.
6. Enable Pass-Through Authentication and choose the domain 'SDPEXCHANGE'.
7. Computer Account: Pass-Through Authentication requires a dedicated computer account to establish a secure channel with the Domain Controller, so you have to provide a unique computer name which does not already exist in your domain as either a user or a computer account. I have used the name 'PassThru' and a password that complies with the complexity policy.
8. DNS Server IP / Bind String: Go to the ServiceDesk Plus server, open a command prompt and execute the command 'ipconfig /all'. It will show the connection details of that machine. Make a note of the Primary DNS Suffix, which has to be entered as the Bind String, and of the DNS Servers, which have to be entered in the DNS Server IP field. If you have more than one DNS server, you can enter them in the same field separated by commas (e.g., 192.168.1.2,192.168.1.253,192.168.1.252).
9. DNS Site: This is the Site under which your Domain Controller (server) is located. To find it, open Active Directory Sites and Services, expand Sites and check where the Domain Controller is placed. In my case it is 'Chennai'.
10. Enter all the information in the configuration wizard and save. In most cases, we will receive an error.
11. Download the script (Click Here), save it to the C:\ drive of your domain controller and execute the command string as stated in the error message.
12. Now, go back to the Pass-Through Configuration page and save the settings without making any changes.
13. Go to the ServiceDesk Plus server, Stop and Start the application once.
14. Pass-Through uses NTLMv2 for authentication, which requires the browser to answer the NTLM challenge automatically. For that, you have to add the ServiceDesk Plus application URL to the Local Intranet Sites list. In the browser open Internet Options > Security > Local Intranet > Sites > Advanced, add the URL, then save and close the browser window.
15. Open a fresh window and launch ServiceDesk Plus.
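The following PowerShell script is an added example and is not part of the original article or of ManageEngine's product; it automates the look-ups from steps 2, 7, 8 and 9 (NetBIOS name, uniqueness of the proposed computer account name, Primary DNS Suffix, DNS servers and the domain controller's AD site) and the Local Intranet zone entry from step 14. It assumes the ActiveDirectory PowerShell module (RSAT) is available and that it runs under a domain account; the account name 'PassThru' follows the article, while the URL 'http://servicedesk.sdpexchange.com:8080' is a constructed placeholder.

```powershell
# Added example: pre-flight checks for the Pass-Through Authentication wizard.
# Not the article's or the vendor's own code. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PassThroughPrerequisites {
    param(
        # Proposed name for the dedicated computer account (step 7)
        [Parameter(Mandatory)] [string] $ComputerAccountName
    )

    $domain = Get-ADDomain

    # Step 7: the name must not already exist as a user OR a computer account.
    # Computer accounts store sAMAccountName with a trailing '$', so check both forms.
    $filter   = '(|(sAMAccountName={0})(sAMAccountName={0}$))' -f $ComputerAccountName
    $existing = Get-ADObject -LDAPFilter $filter -Properties objectClass

    # Step 8: the "Primary Dns Suffix" printed by 'ipconfig /all' is the 'Domain'
    # value under the Tcpip parameters key; the wizard wants it as the Bind String.
    $tcpip         = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $primarySuffix = $tcpip.Domain

    # Step 8: every IPv4 DNS server configured on any adapter, comma-separated
    $dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object { $_.ServerAddresses } |
        Select-Object -Unique

    # Step 9: the AD site of the domain controller this machine locates
    $dc = Get-ADDomainController -Discover

    [pscustomobject]@{
        NetBIOSName         = $domain.NetBIOSName   # steps 2-3: use this, not the FQDN
        FQDN                = $domain.DNSRoot
        ComputerAccountName = $ComputerAccountName
        NameAlreadyExists   = [bool]$existing
        ConflictingObjects  = $existing | ForEach-Object { "$($_.objectClass): $($_.DistinguishedName)" }
        BindString          = $primarySuffix
        DnsServerIp         = ($dnsServers -join ',')
        DomainController    = $dc.HostName
        DnsSite             = $dc.Site
    }
}

function Add-LocalIntranetSite {
    param(
        # Full application URL, e.g. http://servicedesk.sdpexchange.com:8080 (placeholder)
        [Parameter(Mandatory)] [string] $Url
    )
    $uri    = [System.Uri] $Url
    $labels = $uri.Host.Split('.')
    $base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

    # Single-label host: Domains\<host>; otherwise Domains\<parent.domain>\<host label>
    if ($labels.Count -eq 1) {
        $key = Join-Path $base $labels[0]
    } else {
        $parent = ($labels | Select-Object -Skip 1) -join '.'
        $key    = Join-Path (Join-Path $base $parent) $labels[0]
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Zone 1 = Local intranet; the value name is the URL scheme (http or https)
    New-ItemProperty -Path $key -Name $uri.Scheme -PropertyType DWord -Value 1 -Force | Out-Null
    Get-ItemProperty -Path $key
}

# Usage: review the values before typing them into the wizard
Get-PassThroughPrerequisites -ComputerAccountName 'PassThru' | Format-List
# Usage: step 14, run on the client machine as the user who will log in
Add-LocalIntranetSite -Url 'http://servicedesk.sdpexchange.com:8080'
```

Run the DNS part on the ServiceDesk Plus server, since it is that machine's Primary DNS Suffix and DNS servers the wizard asks for. A NameAlreadyExists value of True means the proposed computer account name clashes with an existing object and step 7 will fail. The zone entry is written per user under HKCU; if the Local Intranet zone is managed by Group Policy (Site to Zone Assignment List), that policy takes precedence and the entry has to be made there instead.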