Impersonate & Security Mode

spadgett · January 13, 2025, 10:32pm

Looking for documentation or help with impersonation and security settings (before going the issue/enhancement route). IntegratedSecurityMode 3 is prompting the admin (after the login request) to sign-in to the host server (additional login image below). This happens in both Slice and Arc and is preventing the admin from impersonating. IntegratedSecurityMode 2 allows for impersonation as expected, but this mode is not a resolution option in this case. Anyone know if this is expected behavior or have suggestions to corrective actions/checks to make?

plim · January 14, 2025, 3:24am

Hi @spadgett,

There are two things going on here,

Windows SSO / Integrated Security Mode 3
Impersonation with Integrated Security Mode 3

The prompt that you are seeing is usually due to a broken Windows SSO. To clarify, that prompt appears when you go to an Arc URL? If so, that has to be addressed first.

Windows SSO may differ and does not always have a straight-forward step-by-step actions.

Here are a list of what we have compiled through the years,

Test on <Server-Name> prior to testing with FQDN
- This means test using the actual Server name and not the FQDN first if it works
- Might be good to test with localhost as well
Check that the following has Delegation privileges
- Service Account
- Host / Machine
Check SPN if there is duplicate or an entry is already created
- You can check like as follows,
  - setspn -F -Q */<fqdn>
  - setspn -F -Q */webserver.contoso.com
- Check if they are part of local intranet
Check System event logs
Using klist command, check
- klist get http/<fqdn>
Check that “Enable Integrated Windows Authentication” is enabled if using IE or Edge

Here is a reference from Microsoft,

Cheers,

Paul

spadgett · January 14, 2025, 3:02pm

@plim Thanks for responding.

The issue does not occur during initial server login or in the Arc URL for initial sign in. We have previously resolved the SPN settings to allow the Windows SSO to pass the username/password for login with mode 3. That is working well. We are only seeing this issue when an Admin attempts to impersonate a user. The admin selects the user, provides the username/password and then gets the additional sign in request from the host server. We cannot authenticate the second sign in request in Slice or in Arc.

plim · January 15, 2025, 2:34am

Hi @spadgett,

Thanks for clarifying! As for the prompt, is that an Arc prompt or a browser prompt?

It may or may not be supported via the REST API, so if it an Arc prompt that you are seeing like this,

Can you help create an Arc ticket? It depends on whether TM1 supports it or not with mode 3. We can have a look though.

Thanks!

Paul

spadgett · January 15, 2025, 2:43pm

I’ll open a ticket for this.

The Arc prompt image you have above does pop up and allows for input of username/password as expected. It is after this prompt that the additional sign in appears. The blacked-out part of the image I included in the first post is the server domain request that is only occurring on Security Mode 3 servers. This prompt is not accepting a username/password and blocking our ability to impersonate. Everything works as expected when impersonating on servers that are set to Mode 2.