Deploy SSO with CAS 2.0

The Central Authentication Service (CAS) is a single sign-on (SSO) protocol that enables a user to access multiple applications using one set of credentials. This protocol works in conjunction with the CAS server, which handles all the user connections to your Microsoft Exchange and LDAP servers.

You can deploy the CAS server on Apache Tomcat or on your own Web Help Desk server.

Deploy CAS Server on Apache Tomcat

Before you deploy single sign-on with CAS 2.0 in your Web Help Desk deployment, configure the CAS module for LDAP and Active Directory communications.

  1. Download the Jasig CAS server web application file.
  2. Update the file using the text files located in Configure the CAS module for LDAP and Active Directory. When completed, set it up based on your system configuration.
  3. Download and apply the dependencies.
  4. Deploy the CAS server on your Apache Tomcat server.
  5. Complete your CAS server deployment.

Download the Jasig CAS Server web application file

  1. Download the cas-server-webapp-3.5.2.zip file from the Apereo website.
  2. Open the ZIP file and navigate to cas-server-3.5.2\modules.
  3. Extract cas-server-webapp-3.5.2.war from the modules directory.

Update the file

  1. Rename the cas-server-webapp-3.5.2.war file to cas.zip.
  2. Open the ZIP file as an archive.
  3. Open the WEB-INF directory.

  4. Open the deployerConfigContext.txt file in Notepad.
  5. Open a web browser and access the following KB article in the SolarWinds Success Center:
    Configure the CAS module for LDAP and Active Directory
  6. Download the following files attached to the article:

    • deployerconfigcontext.txt
    • casproperties.txt
  7. Open the deployerconfigcontext.txt file in Notepad.
  8. Copy the file contents to the deployerConfigContext.txt file to overwrite the existing content.
  9. In the updated deployerConfigContext.txt file, update the file variables for your deployment.
    1. Locate the following argument:

      <property name="url" value="ldap://127.0.0.1:389" /> 
      <!-- use ‘ldaps://’ for ssl connection -->
    2. Replace the value variable with the IP address of your LDAP server.
    3. Locate the following argument:

      <property name="userDn" value="ldap_admin@yourdomain.com" />
    4. Replace the value variable with the email address of your LDAP administrator.
    5. Locate the following argument:

      <property name="password" value="ldap_admin_password" />
    6. Replace the value variable with your LDAP admin password.
    7. Locate the following argument:

      p:filter="sAMAccountName=%u" p:searchBase="DC=yourdomain,DC=com"
    8. Ensure that the LDAP p:filter search filter matches your LDAP configuration settings.
    9. Replace the p:searchBase variables with your domain settings.
    10. Close the file.
  10. Open the cas.properties file in Notepad.

  11. Open the casproperties.txt file you downloaded from the KB article.
  12. Copy and paste the casproperties.txt file contents to the cas.properties file.
  13. In the updated cas.properties file, update the file variables for your deployment.
    1. Locate the following argument:

      server.name=http://localhost:8080
    2. Replace the server.name variable with a Web Help Desk server address. For example:

      http://whd.yourdomain.com
    3. Locate the following argument:

      host.name=cas01.yourdomain.com
    4. Replace the host.name variable with the provided prefix and your domain name.
    5. Close the file.
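
A pre-deployment check for the two files edited above, as an added example that is not part of the SolarWinds or CAS files: it reports template values left in place, an ldap:// URL, and a filter without the %u token. The function names and sample text are constructed for illustration, and %u is assumed to be the user name token, as in the filter shown above.

```python
import re

# Template values quoted on this page; any that survive editing are findings.
TEMPLATE = {
    "url": "ldap://127.0.0.1:389",
    "userDn": "ldap_admin@yourdomain.com",
    "password": "ldap_admin_password",
    "p:searchBase": "DC=yourdomain,DC=com",
    "server.name": "http://localhost:8080",
    "host.name": "cas01.yourdomain.com",
}

def read_settings(context_text, properties_text):
    """Collect the values this procedure edits from both files."""
    found = {}
    # <property name="..." value="..." /> entries, then the p: attributes
    for name, value in re.findall(r'<property\s+name="([^"]+)"\s+value="([^"]*)"', context_text):
        found.setdefault(name, value)
    for name, value in re.findall(r'\b(p:(?:filter|searchBase))="([^"]*)"', context_text):
        found.setdefault(name, value)
    # key=value lines of cas.properties, skipping comments
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            found[key.strip()] = value.strip()
    return found

def audit(context_text, properties_text):
    """Return a list of findings; an empty list means the checks passed."""
    settings = read_settings(context_text, properties_text)
    findings = []
    for key, template_value in TEMPLATE.items():
        if key not in settings:
            findings.append(f"{key}: not found")
        elif settings[key] == template_value:
            findings.append(f"{key}: still the template value")
    if settings.get("url", "").lower().startswith("ldap://"):
        findings.append("url: ldap:// is not an SSL connection, use ldaps://")
    if "%u" not in settings.get("p:filter", ""):
        findings.append("p:filter: no %u username token")
    return findings

# Constructed sample: the unedited template lines shown above.
SAMPLE_CONTEXT = """<property name="url" value="ldap://127.0.0.1:389" />
<property name="userDn" value="ldap_admin@yourdomain.com" />
<property name="password" value="ldap_admin_password" />
<bean p:filter="sAMAccountName=%u" p:searchBase="DC=yourdomain,DC=com" />"""
SAMPLE_PROPERTIES = "server.name=http://localhost:8080\nhost.name=cas01.yourdomain.com"
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONTEXT, SAMPLE_PROPERTIES)))
```

Run it against the text of both files before you rename cas.zip back to cas.war.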

Download and apply the dependencies

  1. Download the following dependencies in JAR format:
  2. Open the cas.zip file and navigate to the WEB-INF/lib/ directory.
  3. Copy all dependencies to the directory.
  4. Rename the cas.zip file to cas.war.

Deploy CAS server on Apache Tomcat

  1. Stop the Web Help Desk Service.
    1. Open File Explorer and navigate to the <WebHelpDesk><helpdeskmanager> directory.
    2. Right-click whd_stop.bat and select Run as administrator.

      The Web Help Desk service is stopped.

  2. Copy the cas.war file to the /bin/webapps directory on your Apache Tomcat deployment.
  3. Start the Web Help Desk Service.
    1. Open the <WebHelpDesk><helpdeskmanager> directory.
    2. Right-click whd_start.bat and select Run as administrator.

      The Web Help Desk Service is started.

      CAS 2.0 is now accessible from the following URL:

      https://webhelpdesk:port/cas

      https://helpdeskmanager:port/cas

  4. Verify that the HTTPS port is enabled on Apache Tomcat.

Complete your CAS server deployment

Configure a Group Policy Object (GPO) to push the appropriate Windows login credentials to your Internet Explorer settings. This process enables authenticated users to access the Web Help Desk server without having to log in. GPOs define the settings for your Windows server configuration, and Group Policies apply these settings.

See Configure a GPO to push Internet Explorer settings for more information.

Enable SSL on Web Help Desk

  1. On your Web Help Desk system, open File Explorer and navigate to:

    <WebHelpDesk>/conf

    <helpdeskmanager>/conf

  2. In the conf directory, open the whd.conf file using a text editor.
  3. In the file, comment out the following entry:

    HTTPS_PORT=443

  4. Save and close the file.
  5. Use Porteclé to create a new certificate.

    See Generating a New Certificate in Porteclé for more information.

  6. Insert the certificate into the following location:

    /conf/keystore.jks

  7. Restart Web Help Desk.

Deploy CAS 2.0 on the Web Help Desk server

  1. Log in to Web Help Desk as an administrator.
  2. Click Setup > General > Authentication.
  3. Click the Authentication Method drop-down menu and select CAS 2.0.
  4. In the CAS login URL field, enter:

    https://fqdn:port/cas/login

  5. In the CAS validate URL field, enter:

    https://fqdn:port/cas/serviceValidate

  6. Under Verification certificate, click Upload and select the certificate that CAS uses for signing the responses.

    Select keystore.jks to upload the Web Help Desk Tomcat certificate.

  7. In the Logout URL field, enter:

    https://fqdn:port/cas/logout

  8. Click Save.

    You can now log in using CAS 2.0.
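
The CAS 2.0 exchange behind the login and validate URLs entered above, as an added example (not Web Help Desk or CAS server code): the browser redirect, the back-channel ticket validation request, and parsing of the XML reply. The service URL, port 8443, ticket value and both responses are constructed.

```python
import urllib.parse
import xml.etree.ElementTree as ET

CAS_URI = "http://www.yale.edu/tp/cas"  # XML namespace of CAS 2.0 responses
NS = {"cas": CAS_URI}

def login_redirect(login_url, service_url):
    """Step 1: where the browser is sent when it has no application session."""
    return login_url + "?" + urllib.parse.urlencode({"service": service_url})

def validate_request(validate_url, service_url, ticket):
    """Step 2: back-channel call made with the ticket CAS returned to the service."""
    if urllib.parse.urlsplit(validate_url).scheme != "https":
        raise ValueError("validate URL must use https")
    query = urllib.parse.urlencode({"service": service_url, "ticket": ticket})
    return validate_url + "?" + query

def parse_validation(xml_text):
    """Step 3: return the user name on success, raise on anything else."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in a CAS response")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{CAS_URI}}}serviceResponse":
        raise ValueError("not a CAS serviceResponse")
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        raise PermissionError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    user = root.find("cas:authenticationSuccess/cas:user", NS)
    if user is None or not (user.text or "").strip():
        raise ValueError("response names no user")
    return user.text.strip()

# Constructed responses in the CAS 2.0 format (not captured from a real server).
SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    service = "https://whd.example.com/helpdesk"  # hypothetical application URL
    print(login_redirect("https://fqdn:8443/cas/login", service))
    print(validate_request("https://fqdn:8443/cas/serviceValidate", service, "ST-1-constructed"))
    print(parse_validation(SUCCESS))
```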

Configure a GPO to push Internet Explorer settings

Configure a Group Policy Object (GPO) to push the appropriate Windows login credentials to your Internet Explorer settings. This process allows authenticated users to access the Web Help Desk server without having to log in. GPOs define the settings for your Windows server configuration, and Group Policies apply these settings.

  1. Log in to the Web Help Desk domain using the Domain Administrator account.
  2. Click Start and select Run.
  3. In the Run field, enter the following command and then click OK:

    mmc

    The Microsoft Management Console displays.

  4. In the File menu, click Add/Remove Snap-In > Add.
  5. In Available snap-ins, double-click Group Policy Management Editor and then click OK.
  6. In Select Group Policy Object, click Browse.
  7. In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and then click OK.
  8. Click Finish, and then click OK.
  9. In the Default Domain [yourdomain.com] Policy console tree, expand the following path:

    User Configuration, Policies, Windows Settings, Internet Explorer Maintenance, Connection

  10. Double-click Automatic Browser Configuration.
  11. Clear the Automatically Detect Configuration Settings check box, and then click OK.
  12. In the Default Domain [yourdomain.com] Policy console tree, expand the following path:

    User Configuration, Policies, Windows Settings, Internet Explorer Maintenance, Security Zones and Content Ratings

  13. Click Import the current security zones and privacy settings.
  14. When prompted, click Continue and then click Modify Settings.
  15. In the Internet Properties dialog box, click the Security tab.
  16. Click Local Intranet, and then click Sites.
  17. In the Add this website to the zone field, enter:

    *.yourdomain.com

  18. Click Add.
  19. Select the Require server verification (https) for all sites in this zone check box.
  20. Click Close.
  21. Click OK.