I’d like to mention that this article was co-written with Frederic Esnouf, whom I thank for his help. He also published it on his blog: http://blogs.technet.com/b/fesnouf/archive/2010/10/01/implementing-uag-sso-with-scom.aspx.
I decided to write this article after trying to follow a small post that he’d made earlier and encountering a few problems.
We’ve seen in previous articles how to implement SSO through UAG for non-default websites. Those solutions, however, do not apply to every form-login website, and you might run into issues implementing them for some forms.
We will go through the implementation of the SSO solution for the SCOM form-login website and walk through the troubleshooting process to follow in case of problems.
1- Web publishing
Below is the SCOM forms login page that we want to avoid logging on to manually.
![clip_image002[7] clip_image002[7]](http://myitforum.com/cs2/blogs/forefrontsecurity/clip_image0027_thumb_59FC47F4.jpg)
We will start by creating a new “Other Web Application (application specific hostname)” publishing.
![clip_image004[7] clip_image004[7]](http://myitforum.com/cs2/blogs/forefrontsecurity/clip_image0047_thumb_1EC86C29.jpg)
Follow the wizard’s steps and note the “Application type” specified.

On the authentication step, activate the single sign-on checkbox, select an authentication server and choose “HTML form” as the authentication method.

Once the configuration is done and activated, the SCOM form login website will be accessible at this address: https://scom.xxx.fr/. You will still have to authenticate and log in manually, though.
The next step is to create the custom XML file that will enable SSO access to the SCOM page.
The file should be called formlogin.xml and stored in the following folder:
« C:\Program Files\Microsoft Forefront Unified Access Gateway\von\Conf\WizardDefaults\FormLogin\CustomUpdate\ »
Below is the custom formlogin.xml file that was created for the SCOM page SSO:
```xml
<WHLFILTFORMLOGIN ver="1.0">
  <APPLICATION>
    <APPLICATION_TYPE>ScomWI</APPLICATION_TYPE>
    <USAGE description="form_login">
      <PRIMARY_HOST_URL>.*login\.aspx.*</PRIMARY_HOST_URL>
      <SCRIPT_NAME source="file">Autosubmit_Scom.js</SCRIPT_NAME>
      <USER_AGENT>
        <AGENT_TYPE search="group">all_supported</AGENT_TYPE>
        <POLICY>multiplatform</POLICY>
        <SCRIPT_NAME source="data_definition">FormLoginHandler</SCRIPT_NAME>
      </USER_AGENT>
      <LOGIN_FORM>
        <NAME>form1</NAME>
        <METHOD>POST</METHOD>
        <CONTROL handling="real_value">
          <TYPE>USER_NAME</TYPE>
          <NAME>Login1$UserName</NAME>
          <DEF_VALUE>siteuser</DEF_VALUE>
        </CONTROL>
        <CONTROL handling="real_value">
          <TYPE>PASSWORD</TYPE>
          <NAME>Login1$Password</NAME>
          <DEF_VALUE>sitepass</DEF_VALUE>
        </CONTROL>
        <CONTROL handling="real_value">
          <TYPE>submit</TYPE>
          <NAME>Login1$LoginButton</NAME>
          <DEF_VALUE>Log In</DEF_VALUE>
        </CONTROL>
      </LOGIN_FORM>
    </USAGE>
  </APPLICATION>
</WHLFILTFORMLOGIN>
```
<APPLICATION_TYPE> must be the same as the application type entered during publishing.
<PRIMARY_HOST_URL> must match the web address of the form to which you would like to apply the script. In our case the address is https://scom.xxx.fr/login.aspx?ReturnUrl=%2fdefault.aspx; using regex syntax, the address can be reduced to .*login\.aspx.*
<SCRIPT_NAME source="file">Autosubmit_Scom.js</SCRIPT_NAME> is the JavaScript file that will allow us to submit the filled-out form and log in. We will look at it in more detail later on.
<NAME>form1</NAME> must be equal to the form’s name.
This parameter can be found by browsing the web page’s source code for the following element:
```html
<form name="form1" method="post" action="login.aspx?ReturnUrl=%2fdefault.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="form1">
```
<NAME>Login1$UserName</NAME> must be equal to the form’s field that the script will fill with the Username.
This parameter can be found by browsing the web page’s source code for the following element:
```html
<td align="right"><label for="Login1_UserName">Domain\User Name :</label></td><td><input name="Login1$UserName" type="text"
```
<DEF_VALUE>siteuser</DEF_VALUE>: this value is a constant and will automatically fill the above field with the correct info.
<NAME>Login1$Password</NAME> must be equal to the form’s field that the script will fill with the Password.
This parameter can be found by browsing the web page’s source code for the following element:
```html
<td align="right"><label for="Login1_Password">Password :</label></td><td><input name="Login1$Password" type="password"
```
<DEF_VALUE>sitepass</DEF_VALUE>: this value is a constant and will automatically fill the above field with the correct info.
<NAME>Login1$LoginButton</NAME> must be equal to the form’s login button name.
This parameter can be found by browsing the web page’s source code for the following element:
```html
<td align="right" colspan="2"><input type="submit" name="Login1$LoginButton" value="Log In"
```
<DEF_VALUE>Log In</DEF_VALUE> must be equal to the value that the login button has.
Once those parameters are filled in correctly, the Autosubmit_Scom.js script must be edited and copied to the correct location.
The default Autosubmit.js provided by UAG usually submits the filled out form without any problem.
It is located in the following directory:
« C:\Program Files\Microsoft Forefront Unified Access Gateway\von\Conf\WizardDefaults\FormLogin\ »
It must be copied to « C:\Program Files\Microsoft Forefront Unified Access Gateway\von\Conf\WebSites\extranet\conf » and renamed to Autosubmit_Scom.js, as specified in the formlogin.xml file.
After activating the UAG configuration and accessing the https://scom.xxx.com/ link, we fill out the UAG authentication form and submit the request.
Troubleshooting :
Implementing this solution requires a little knowledge of HTML and JavaScript. There are, however, some tools that can help troubleshoot the problems you might encounter.
Among the issues that might happen:
1- The SCOM page is not filled with any login information:
The problem in this case is most probably that the formlogin.xml file was not filled in correctly.
HTTPWatch is a browser plugin that can help you trace the script execution.
By recording the ongoing events, you can check whether the script was executed or not.
In the snapshot below, we located the POST event and, by looking at the POST data, noticed that the requested data is being sent to the SCOM form.
![clip_image010[7] clip_image010[7]](http://myitforum.com/cs2/blogs/forefrontsecurity/clip_image0107_thumb_08EE5DFF.jpg)
Additionally, when looking at the Content tab, you should see the « FormLoginOnload » function at the top and bottom of the HTML code.
```html
<SCRIPT language="JavaScript">
var gSafeOnload = new Array();
function FormLoginOnload()
{
    for (var i = 0; i < gSafeOnload.length; i++)
    {
        gSafeOnload[i]();
    } // for i
} // FormLoginOnload
if (window.onload)
{
    gSafeOnload[0] = window.onload;
    gSafeOnload[gSafeOnload.length] = FormLoginSubmit;
    window.onload = FormLoginOnload;
}
else
{
    window.onload = FormLoginSubmit;
} // if window.onload
</SCRIPT>
```
If either one is missing, then the formlogin.xml was not detected by UAG because of some incorrect information.
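The matching rules listed earlier for formlogin.xml can be checked against the login page's source before activating the configuration. This is an added example, not code from the article or from UAG: the function and variable names are hypothetical, the inputs are constructed from the snippets shown above, and it assumes PRIMARY_HOST_URL behaves like an ordinary regular-expression search.

```python
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed inputs, reduced from the page source and formlogin.xml shown in the article.
LOGIN_URL = "https://scom.xxx.fr/login.aspx?ReturnUrl=%2fdefault.aspx"
LOGIN_HTML = r"""<form name="form1" method="post" action="login.aspx?ReturnUrl=%2fdefault.aspx" id="form1">
<label for="Login1_UserName">Domain\User Name :</label><input name="Login1$UserName" type="text">
<label for="Login1_Password">Password :</label><input name="Login1$Password" type="password">
<input type="submit" name="Login1$LoginButton" value="Log In"></form>"""
FORMLOGIN_XML = r"""<WHLFILTFORMLOGIN ver="1.0"><APPLICATION>
<APPLICATION_TYPE>ScomWI</APPLICATION_TYPE><USAGE description="form_login">
<PRIMARY_HOST_URL>.*login\.aspx.*</PRIMARY_HOST_URL><LOGIN_FORM><NAME>form1</NAME>
<CONTROL><TYPE>USER_NAME</TYPE><NAME>Login1$UserName</NAME></CONTROL>
<CONTROL><TYPE>PASSWORD</TYPE><NAME>Login1$Password</NAME></CONTROL>
<CONTROL><TYPE>submit</TYPE><NAME>Login1$LoginButton</NAME><DEF_VALUE>Log In</DEF_VALUE></CONTROL>
</LOGIN_FORM></USAGE></APPLICATION></WHLFILTFORMLOGIN>"""

class FormScan(HTMLParser):
    """Collect form names and input name -> value pairs from the login page."""
    def __init__(self):
        super().__init__()
        self.forms, self.inputs = set(), {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.add(a.get("name"))
        elif tag == "input" and "name" in a:
            self.inputs[a["name"]] = a.get("value")

def check_formlogin(xml_text, html_text, url, app_type):
    """Return the mismatches between formlogin.xml and the published login page."""
    app = ET.fromstring(xml_text).find("APPLICATION")
    usage, page, problems = app.find("USAGE"), FormScan(), []
    page.feed(html_text)
    if app.findtext("APPLICATION_TYPE") != app_type:
        problems.append("APPLICATION_TYPE differs from the published application type")
    if not re.search(usage.findtext("PRIMARY_HOST_URL"), url):  # assumption: plain regex search
        problems.append("PRIMARY_HOST_URL does not match the login URL")
    form = usage.find("LOGIN_FORM")
    if form.findtext("NAME") not in page.forms:
        problems.append("LOGIN_FORM NAME %r is not a form on the page" % form.findtext("NAME"))
    for ctl in form.findall("CONTROL"):
        name = ctl.findtext("NAME")
        if name not in page.inputs:  # e.g. the id Login1_UserName instead of the name
            problems.append("CONTROL NAME %r is not an input name on the page" % name)
        elif ctl.findtext("TYPE") == "submit" and page.inputs[name] != ctl.findtext("DEF_VALUE"):
            problems.append("DEF_VALUE of %r differs from the button's value" % name)
    return problems
```

Copying a label's `for` value such as Login1_Password into <NAME> instead of the input's name attribute (Login1$Password) is reported as a CONTROL NAME mismatch.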
2- The form was successfully filled but was not submitted:
The problem in this case lies in the Autosubmit_Scom.js script.
The submit function can vary from one HTML page to another, meaning that the default submit code might not always work.
In order to trace the behavior of the SCOM login page during the script’s execution, we will use Internet Explorer’s Developer Tools, which are now integrated with IE 8.
Enable the tools, access the SCOM login page and ask the Developer Tools to monitor the login button’s behavior.
The HTML code will be displayed, and by selecting the Script tab you will be able to execute the content of the autosubmit script and see the page’s reaction live.

The following functions are only a few of the possible functions that could make the HTML page execute a submit.
In our case, Example 2, which simulates a click on the button, was the one that worked, and executing the function in the Developer Tools script window allowed us to identify that.

Default:
```javascript
function FormLoginSubmit()
{
    document.forms[1].submit();
    return false;
}
```
Example 1:
```javascript
function FormLoginSubmit()
{
    logon();
    return false;
}
```
Example 2:
```javascript
function FormLoginSubmit()
{
    document.form1.Login1$LoginButton.click();
    return false;
}
```
Published By Hicham Bardawil