Below are the steps involved for Active Directory (AD) Integration:
- The user visits [yourapp].freshservice.com
- Freshservice sees that your Freshservice account is configured for remote authentication.
- Freshservice sends a redirect response to your browser, telling it to visit the authentication script. The script is hosted on an internal IIS server at your site; this works because the PC running your browser can reach both freshservice.com and your LAN.
- Your browser redirects to the authentication script.
- Since you configure IIS to use Windows Integrated Authentication (with anonymous access disabled) for this script, your browser automatically uses your Active Directory credentials to run it.
- The script uses your Active Directory username to look up your full name and email address.
- These pieces of information are packaged and a digest is created (an MD5 digest over name + shared secret + email + timestamp).
- The script redirects your browser back to [yourcompany].freshservice.com and includes your full name, email and message digest.
- Freshservice receives the information and lets you log in immediately.
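The digest and redirect steps above, together with the check the receiving side must perform, as an added Python example (not the attached ADScript.asp or FDHMACMD5.dll). It assumes the digest is HMAC-MD5 keyed with the shared secret over name + secret + email + timestamp, and it assumes the query parameter names name, email, timestamp and hash; the page spells out neither.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit


def sso_digest(shared_secret: str, name: str, email: str, timestamp: str) -> str:
    # Assumption: HMAC-MD5 keyed with the shared secret over the concatenation
    # name + secret + email + timestamp (the page lists only the ingredients).
    msg = (name + shared_secret + email + timestamp).encode("utf-8")
    return hmac.new(shared_secret.encode("utf-8"), msg, hashlib.md5).hexdigest()


def build_sso_redirect(return_url: str, shared_secret: str, name: str,
                       email: str, timestamp: Optional[str] = None) -> str:
    """What the IIS script does after the AD lookup: sign the identity fields
    and redirect to <tenant>.freshservice.com/login/sso with them attached.
    Parameter names are assumed."""
    ts = timestamp if timestamp is not None else str(int(time.time()))
    params = {"name": name, "email": email, "timestamp": ts,
              "hash": sso_digest(shared_secret, name, email, ts)}
    return return_url + "?" + urlencode(params)


def verify_sso_redirect(url: str, shared_secret: str, now: Optional[int] = None,
                        max_age: int = 300) -> bool:
    """Receiving-side check: recompute the digest, compare it in constant time,
    and reject timestamps outside the replay window so a captured login URL
    cannot be reused indefinitely."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    try:
        name, email, ts, given = (query["name"], query["email"],
                                  query["timestamp"], query["hash"])
        ts_int = int(ts)
    except (KeyError, ValueError):
        return False  # missing or malformed field
    current = int(time.time()) if now is None else now
    if abs(current - ts_int) > max_age:
        return False  # stale (or far-future) timestamp
    expected = sso_digest(shared_secret, name, email, ts)
    return hmac.compare_digest(expected, given)
```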
Attached is the VB Script for AD Integration.
Let's assume your script is stored on "dc-svr01". When the script at http://dc-svr01/rep is invoked, it should redirect the user to http://company.freshservice.com/login/sso, which signs the user in to Freshservice automatically. So when users access the helpdesk at http://company.freshservice.com/login, Freshservice redirects them to the script at http://dc-svr01/rep, which must in turn redirect back to that URL.
Note: If you signed up for the Freshworks suite of products in February 2020 or later, you can configure Active Directory SSO for your Freshservice account with JSON Web Token.
Points to Remember:
- First off, the script file (attached: ADScript.asp) must have a ".asp" extension and be saved with UTF-8 with BOM encoding.
- On the IIS server, go to C:\inetpub\wwwroot, create a new folder named Freshservice, and place the file there.
- The sReturnURL value should point to your Freshservice URL, i.e. abc.freshservice.com/login/sso.
- In your Freshservice account, go to Admin > Security > Single Sign-on, copy the Shared Secret HASH and paste it into the HASH section of the script. Once done, ensure that you enter the correct script URL in the same Admin > Security > Single Sign-on section in Freshservice.
- Where the script sets sLdapReaderUsername = "domain\username" and sLdapReaderPassword = "password", supply a read-only AD account that has permission to read all user records.
- Follow the screenshots, then try to access the script at http://dc-svr01/test.asp and check whether it executes. Ensure that IIS serves this script with Integrated Authentication and NOT Anonymous Authentication. Change the authentication to use only NTLM, not Negotiate with Kerberos.
- Run the following command to register the FDHMACMD5.dll file (the DLL must be placed in the same folder as ADScript.asp):
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe <PATH_TO_DLL> /codebase
You can find related files attached below!