18 Replies Latest reply on Jan 10, 2017 8:16 AM by Greg Nevel

    Smart IT 1.5 mobile deployment for iOS/Android

    Greg Nevel

      We followed the instructions as below, no problem.

      Smart IT is installed on a few devices, but we cannot get them to connect after entering the servername:port.

       

      Deploying Smart IT to your users - BMC Remedy with Smart IT 1.5 - BMC Documentation

       

      Can someone from BMC provide guidance on authentication?

      We're using AD for the desktop ITSM solutions.

        • 1. Re: Smart IT 1.5 mobile deployment for iOS/Android
          Herve Roux

          Hi Greg,

          Before digging too much into the issue, double check first that people are not using the App package from the App Store / Google Play. They need to install the one you have set up like in the Doc you mentioned. Which means, most of the time, allowing external apps to be installed on the phone.

          This one gave me a lot of headaches! The version in the stores is for demo purposes and a lot of people who are supposed to test / use it tend to get the app from there. The joy of BYOD!

          Once you have made sure of it, you might start digging in.

          Hope this could help.

          Regards

          Herve

          • 2. Re: Smart IT 1.5 mobile deployment for iOS/Android
            Greg Nevel

            Thanks for your reply Herve.

            We are downloading the client from our servers and it loads on the devices, but we are unable to authenticate.

            We've added an LDAP realm authentication chain and LDAP user store in Atrium SSO to no avail.

            • 3. Re: Smart IT 1.5 mobile deployment for iOS/Android
              Herve Roux

              Just off the top of my head, some questions to ask yourself:

              • Did you manage to log in using the "universal" web client on a regular browser? It should allow you to validate your ASSO integration with Smart IT.
              • Which auth scheme is ASSO using? Is the SSO certificate properly installed in the truststore of SmartIT?
              • Is MyIT working or is it only Smart IT giving you issues?
              • 4. Re: Smart IT 1.5 mobile deployment for iOS/Android
                Greg Nevel

                #1. Yes, we're working successfully using the universal web client.

                #2. Kerberos is in use for the universal client.

                     #2 a. I'm not sure what you mean in regards to the SmartIT truststore. Our ASSO server is signed internally for local workstations to trust.

                #3. We've not deployed MyIT, only Smart IT

                • 5. Re: Smart IT 1.5 mobile deployment for iOS/Android
                  Herve Roux

                  Some more questions:

                  • Do you get redirected within the App to the ASSO Login page?
                  • If yes, what is the exact error message when the user tries to log in?
                  • Can you log in using a local account with the app? (you might need to configure the AR provider in your ASSO Realm if not already set up)
                  • Was the app working before enabling ASSO integration?

                   

                  If you are able to get in using a local account, this is clearly a Kerberos auth issue (the ASSO Kerberos logging might give you some more insight, SPN mapping maybe... An interesting test could be logging in using the web interface from a WS outside the domain or from a Mac/Linux).

                   

                  Regarding the truststores, I was referring to the SSL certificates of the Tomcats running Smart IT & ASSO (or the load balancers). I actually recall some issues with the server certificates and the app even outside the ASSO context. A Comodo certificate was giving us issues with Android devices. After some nasty troubleshooting we found out that the intermediate certificate was not included in the Android OS (but was on Windows, iOS...) and that the app was unable to verify the certificate chain. Adding the intermediate certificate on the F5 (the smart-it one) fixed the issue.

                   

                  You might actually have a better chance of making it work with a self-signed certificate than with a broken-chain one. You have plenty of web tools to check your URLs' compliance. Internally you can use OpenSSL to check which certificates are sent by the servers. Ideally it should present the whole chain up to the CA.

                   

                  PS C:\Users\herve> openssl s_client -showcerts -connect itsmdev9.itsm4outlook.com:8443
                  Loading 'screen' into random state - done
                  CONNECTED(0000010C)
                  depth=0 /C=US/ST=Texas/L=Austin/OU=AtriumSSO Server/O=BMC Software/CN=ITSMDEV9.itsm4outlook.com
                  verify error:num=18:self signed certificate
                  verify return:1
                  depth=0 /C=US/ST=Texas/L=Austin/OU=AtriumSSO Server/O=BMC Software/CN=ITSMDEV9.itsm4outlook.com
                  verify return:1
                  ---
                  Certificate chain
                  0 s:/C=US/ST=Texas/L=Austin/OU=AtriumSSO Server/O=BMC Software/CN=ITSMDEV9.itsm4outlook.com
                    i:/C=US/ST=Texas/L=Austin/OU=AtriumSSO Server/O=BMC Software/CN=ITSMDEV9.itsm4outlook.com
                  -----BEGIN CERTIFICATE-----
                  ...
                  -----END CERTIFICATE-----
                  ---
                  Server certificate
                  subject=/C=US/ST=Texas/L=Austin/OU=AtriumSSO Server/O=BMC Software/CN=ITSMDEV9.itsm4outlook.com
                  issuer=/C=US/ST=Texas/L=Austin/OU=AtriumSSO Server/O=BMC Software/CN=ITSMDEV9.itsm4outlook.com
                  ---
                  No client certificate CA names sent
                  ---
                  SSL handshake has read 1641 bytes and written 282 bytes
                  ---
                  New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
                  Server public key is 2048 bit
                  Compression: NONE
                  Expansion: NONE
                  SSL-Session:
                      Protocol  : TLSv1
                      Cipher    : EDH-RSA-DES-CBC3-SHA
                      Session-ID: 582A40BFEE5803922930BAE315B9B0DC7A934EF8EB0A8BF01DF2D9DFC2922A81
                      Session-ID-ctx:
                      Master-Key: 7E9319DE83D6F4BB3EA7357840A29A172DABDB706B2053DDBAFBAE14E2AC262E73C25C9E537921C2BBD82D99F1D02BD6
                      Key-Arg  : None
                      Start Time: 1479164095
                      Timeout  : 300 (sec)
                      Verify return code: 18 (self signed certificate)
                  ---
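
Added example (not part of the thread or of any BMC tooling): a small parser for the "Certificate chain" section of `openssl s_client -showcerts` output that tells apart the self-signed case shown in the post above, the leaf-only case where the server does not send its intermediate, and a server that does send its issuing certificates. The three sample inputs and their host and CA names are constructed placeholders.

```python
import re

# Constructed sample inputs in the "Certificate chain" format printed by
# `openssl s_client -showcerts`; the names are placeholders, not real hosts.
SELF_SIGNED = """Certificate chain
 0 s:/O=Example/CN=sso.example.internal
   i:/O=Example/CN=sso.example.internal
---
"""
LEAF_ONLY = """Certificate chain
 0 s:/O=Example/CN=smartit.example.com
   i:/O=Example CA/CN=Example Intermediate CA
---
"""
WITH_INTERMEDIATE = """Certificate chain
 0 s:/O=Example/CN=smartit.example.com
   i:/O=Example CA/CN=Example Intermediate CA
 1 s:/O=Example CA/CN=Example Intermediate CA
   i:/O=Example CA/CN=Example Root CA
---
"""

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in s_client_output.splitlines():
        m = re.match(r"\s*\d+\s+s:(.+)$", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"\s*i:(.+)$", line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def classify(s_client_output):
    chain = parse_chain(s_client_output)
    if not chain:
        return "no certificates parsed"
    # Each certificate must be issued by the next one the server sends.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return "broken chain: certificates out of order or unrelated"
    if len(chain) == 1 and chain[0][0] == chain[0][1]:
        return "self-signed leaf"
    if len(chain) == 1:
        return "leaf only: intermediate not sent by server"
    return "leaf plus %d issuing certificate(s) sent" % (len(chain) - 1)
```

A "leaf only" result is the situation described for the Android devices: clients whose trust store lacks the intermediate cannot build the chain, so the server or load balancer has to send it.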

                  • 6. Re: Smart IT 1.5 mobile deployment for iOS/Android
                    Herve Roux

                    Actually, I'm not entirely sure that you can perform pure Kerberos Authentication outside a domain. As far as I can recall, a no-domain Windows browser will fall back to doing NTLM, which I don't think ASSO supports. It shall fall back to regular Password Authentication if Kerberos is not happening.

                     

                    BTW, I don't know if RSSO is doing a better job than ASSO with NTLM, but it looks like it is the way BMC is going.

                    • 7. Re: Smart IT 1.5 mobile deployment for iOS/Android
                      Greg Nevel

                      We are now successfully authenticating using a LDAP AD user store on ASSO.

                      This is only working with Android.

                      Smart IT app is installed, we enter our server.domainname.com and port 9000, click connect and we're redirected to the ASSO login page.

                      We enter our domain credentials and voila!, we're in.

                       

                      iOS is a different story.

                      Smart IT app is installed, we enter our server.domainname.com and port 9000, click connect and receive an error:

                      IMG_0002 (002).PNG

                      ASSO version 9.0.00.01

                      • 8. Re: Smart IT 1.5 mobile deployment for iOS/Android
                        Herve Roux

                        I'm not much of an iOS user myself. Still, you should try to see if the Web Client is loading in Safari or any other browser. Under the hood, the app is loading a web browser frame. You shall receive the same error and with a bit of luck Safari might be a bit more verbose.

                         

                        Almost there

                        • 9. Re: Smart IT 1.5 mobile deployment for iOS/Android
                          Greg Nevel

                          Good thoughts.

                          We are able to access via Safari without issues.

                          Within Safari --> we enter http://server.domainname.com/9000/us/smart-it/#/, we get re-directed to ASSO, login with domain credentials and !Voila again.

                          • 10. Re: Smart IT 1.5 mobile deployment for iOS/Android
                            Herve Roux

                            You will probably need to do some network debugging in order to get to the root cause of the issue. I doubt you will find anything useful on the server logs but it might be worth having a look anyway.

                            I see from the screenshot that you are going through VPN. That could be causing some issue with the redirection. A neat trick to test the apps without the trouble of complex network connectivity is to set up a local iOS emulator on a local machine. Network tracing is much easier as well than with a physical handset.

                            Good luck!

                            • 11. Re: Smart IT 1.5 mobile deployment for iOS/Android
                              Greg Nevel

                              A quick update.

                              iOS requires that our ASSO server has a signed certificate from a third party CA. My company uses Entrust.

                              Imported the CA reply using Keystore explorer (which I highly recommend), restarted ASSO, re-integrated our mid-tiers and the Smart IT server. We are now fully functional with Smart IT 1.5.01 on iOS.

                              1 of 1 people found this helpful
                              • 12. Re: Smart IT 1.5 mobile deployment for iOS/Android

                                Hello,

                                 

                                I have the same problem:

                                - Atrium SSO 8.1

                                - Smart IT 1.5

                                When I try to connect with Smart IT from Android I get "HTTP Status 401"

                                Description:"This request requires HTTP: authentication()".

                                 

                                Can you help?

                                 

                                Best regards,

                                Dino

                                • 13. Re: Smart IT 1.5 mobile deployment for iOS/Android
                                  Greg Nevel

                                  Hello Dino, I'll help as best as I can.

                                  One difference is we are at Atrium SSO 9.0.00.01

                                   

                                  Does your universal client work? If so, are you using Kerberos authentication?

                                  If you are currently using Kerberos, then check your realm authentication within Atrium SSO.

                                  We added an LDAP connector in order to authenticate from the mobile device.

                                   

                                  Greg

                                  1 of 1 people found this helpful
                                  • 14. Re: Smart IT 1.5 mobile deployment for iOS/Android

                                    Hi Greg,

                                     

                                    Yes our universal client SSO is working and we have Kerberos authentication.

                                    I will check and add LDAP connector.

                                     

                                    Best regards,

                                    Dino
