SignIn Help

 

User’s WEB BROWSER configuration for transparent authentication

How does transparent authentication (auto-logon) work with respect to Active Directory?

A.: The auto-logon service uses Windows Integrated Authentication, based on the user’s Windows domain loginID/password (as a reminder, Capgemini’s global Windows domain is CORP.capgemini.com).

Technically, the mechanism is the following:

  • Beginning of the working day: the user starts his workstation.
  • The user enters his loginID/password in the specific Windows domain to which he belongs.
  • The DC (Domain Controller) of this domain authenticates the user and generates a key certificate.
  • When the user connects to a SIGNIN protected application (with Internet Explorer, for example), he is redirected to the SIGNIN service.
  • The key certificate generated earlier by the DC is used by SIGNIN to authenticate the user.
  • Once the user is authenticated, the SIGNIN application gets the user profile from the central AD (Active Directory) CORP; this information is used to generate the authentication cookie that is the basic reference for SIGNIN protected applications over the Intranet.

There are two different behaviours when the user starts the workstation and enters credentials:

  • The user is connected and authenticated in the Windows domain that also contains the SIGNIN server (domain CORP.capgemini.com): SIGNIN should authenticate the user without any issue.
  • The user is connected and authenticated in another Windows domain: a problem could occur if there is no trust relationship between the two domains (the external domain and CORP) or if, for some reason, the trust relationship is broken.

 

If the configuration descriptions below are too technical, contact the local helpdesk for assistance.

How to Enable the transparent authentication (auto-logon) on Microsoft IE6, IE7, IE8, IE9

To enable auto-logon with the Microsoft IE6, IE7, IE8 and IE9 browsers
(note that only step 3 differs between IE7 and IE6):

  1. In Internet Explorer, select Tools->Internet Options.
  2. In the Internet Options window, select the Security tab.
  3. Mandatory: the value *.capgemini.com must be validated (according to the browser version, the parameter is set up differently):
    • For IE6: click on the Trusted Sites icon and then click the Sites button.
    • For IE7, IE8, IE9: click on the Local Intranet Sites icon and then click the Sites button.
  4. Make sure *.capgemini.com is listed in the Web sites list. If it is not, add it and click the OK button. If it is already listed, click the Cancel button.
  5. In the Internet Options window, select the Advanced tab.
  6. Mandatory: scroll the settings list all the way to Security and verify that the “Enable Integrated Windows Authentication (requires restart)” parameter is selected (checked). If it is not, select it and click the OK button. Otherwise, click the Cancel button.

Reminder: for IE7, IE8 and IE9, *.capgemini.com should not, in any case, be set in the Trusted Sites part.
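An added example, not part of the original help page: a Python check that reads a registry export and reports deviations from the IE settings above. It assumes the per-user Sites list is stored under the ZoneMap\Domains registry key (value `*`, zone 1 = Local Intranet, 2 = Trusted Sites) and that the Advanced-tab checkbox corresponds to the EnableNegotiate value; zones assigned by Group Policy are stored elsewhere and are not covered. The sample export is constructed.

```python
import re

# Assumption: UI-added sites live under ZoneMap\Domains, the IWA checkbox is EnableNegotiate.
ZONES = {1: "Local Intranet", 2: "Trusted Sites", 3: "Internet"}
DOMAIN_KEY = r"\Internet Settings\ZoneMap\Domains\capgemini.com"
SETTINGS_KEY = r"\CurrentVersion\Internet Settings"
DWORD_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: int}} (DWORDs only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = DWORD_RE.match(line)
            if m:
                current[m.group(1)] = int(m.group(2), 16)
    return keys

def find_value(keys, key_suffix, name):
    """Look up a value under the first key whose path ends with key_suffix."""
    for path, values in keys.items():
        if path.lower().endswith(key_suffix.lower()):
            return values.get(name)
    return None

def audit_ie(text, ie_major):
    """Return deviations from the IE settings described in the steps above."""
    keys = parse_reg(text)
    expected = 2 if ie_major == 6 else 1  # IE6: Trusted Sites; IE7-9: Local Intranet
    findings = []
    zone = find_value(keys, DOMAIN_KEY, "*")
    if zone != expected:
        findings.append("*.capgemini.com is in %s, expected %s"
                        % (ZONES.get(zone, "no zone"), ZONES[expected]))
    if find_value(keys, SETTINGS_KEY, "EnableNegotiate") != 1:
        findings.append("EnableNegotiate is not set to 1 (Integrated Windows Authentication)")
    return findings

# Constructed sample export: the domain sits in Trusted Sites (zone 2).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"EnableNegotiate"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\capgemini.com]
"*"=dword:00000002
'''
```

For the constructed sample, `audit_ie(SAMPLE, 8)` reports the Trusted Sites placement that the reminder above warns against, while `audit_ie(SAMPLE, 6)` reports nothing.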

 

How to Enable the transparent authentication (auto-logon) on Mozilla Firefox

To enable auto-logon on Firefox:

  1. In Firefox, enter about:config in the address bar.
  2. Enter negotiate in the configuration filter bar.
    • The Preference Name network.negotiate-auth.trusted-uris should be listed.
  3. Double-click on network.negotiate-auth.trusted-uris and set the parameter value to capgemini.com
  4. Press OK to save the change.

Close all instances of Firefox and retry access.
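An added example, not part of the original help page: a Python check of a Firefox profile's prefs.js text that confirms the capgemini.com entry is present and flags any other entry in network.negotiate-auth.trusted-uris, since every entry in that list is a site the browser will perform integrated authentication with. The function names and sample profiles are constructed for illustration.

```python
import re

# Matches a string-valued line of prefs.js / user.js: user_pref("name", "value");
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"([^"]*)"\);\s*$')
PREF_NAME = "network.negotiate-auth.trusted-uris"
EXPECTED_DOMAIN = "capgemini.com"  # value set in the steps above

def read_trusted_uris(prefs_text):
    """Return the entries of the trusted-uris pref, or [] if it is unset."""
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == PREF_NAME:
            return [e.strip() for e in m.group(2).split(",") if e.strip()]
    return []

def host_of(entry):
    """Drop an optional scheme, port and path; a bare scheme yields ''."""
    host = entry.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    return host.lstrip(".").lower()

def audit(prefs_text):
    """Return (auto_logon_configured, findings) for one profile's prefs text."""
    entries = read_trusted_uris(prefs_text)
    configured, findings = False, []
    for entry in entries:
        host = host_of(entry)
        if host == EXPECTED_DOMAIN or host.endswith("." + EXPECTED_DOMAIN):
            configured = True
        else:
            # Firefox would also answer Negotiate challenges from this entry.
            findings.append("entry outside %s: %r" % (EXPECTED_DOMAIN, entry))
    if not configured:
        findings.append("no %s entry: auto-logon will not happen" % EXPECTED_DOMAIN)
    return configured, findings

# Constructed sample profiles (not taken from a real machine).
SAMPLE_OK = 'user_pref("network.negotiate-auth.trusted-uris", "capgemini.com");'
SAMPLE_BROAD = ('user_pref("browser.startup.page", 1);\n'
                'user_pref("network.negotiate-auth.trusted-uris", '
                '"capgemini.com, https://, example.org");')
```

The suffix test requires a leading dot, so a look-alike host such as notcapgemini.com is reported as outside the domain rather than accepted.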

 

FAQS, INCIDENTS, PROBLEMS related to single USER

User systematically gets a Windows popup when connecting to a SIGNIN protected application

Q.: Instead of transparently signing in, the user systematically gets a Windows popup prompting him for a Windows-like authentication: in practice, the user has to log in first before being transparently authenticated by SIGNIN.

Verify that browser settings are correctly set up, as described above.

Verify that no automatic password is set in the user profile on the user’s PC.
To do this:

  • Open Control Panel.
  • Open User Accounts and choose Advanced options.
  • Then click Manage Passwords.
  • If there is a password set for SIGNIN.capgemini.com, remove it.

If none of the above helps, open a ticket with the local helpdesk, providing the ID (loginID) of the user having problems and a screenshot of the error.

 

Undesired “security information popup” with IE

Q.: The user gets a popup that displays security information about secure and non-secure items on a web page.

A.: Set IE browser settings the following way:

  1. Back in the Internet Options -> Security window, click on the Internet icon and then click the Custom Level button.
  2. In the Settings list, scroll all the way to Miscellaneous and verify that the option Display mixed content is set to Enable. If it is not set to that value, check it and click the OK button. Otherwise, click the Cancel button.
  3. Exit the Internet Options window, close all instances of Internet Explorer, and retry access.

Error:  Authentication failed

Q.: If the user gets the following error message: “Authentication failed”

A:

    • User may have typed a wrong username or a wrong password
    • User’s account may have expired

Check the validity of the respective user’s account in the corporate directory, or reset the password.
Possible workaround (except if the account is expired) until the problem is fixed: using Safeword,

 

Error: This user is not active

Q.: If the user gets the following error message: This user is not active

A: The error shows that the user’s account has been disabled in Active Directory.
Activate the respective user’s account in the corporate directory.

Error: Google Apps (www.google.com/a/capgemini.com): Invalid Email

Q.: The user systematically gets the “Invalid Email” error message while trying to connect to the federated application Google Apps (www.google.com/a/capgemini.com):

 

A.: This error is returned when the information passed by SIGNIN cannot be matched to a Google account.
In most cases it is due to the fact that the user does not have a valid account on “Google Apps”.

Open a ticket with the local helpdesk, providing the screenshot of the error, the user’s EmailID (firstname.lastname) and his loginID (loginID).

 

Error: You are not authorized to access this application

Q.: If the user gets the following error message: You are not authorized to access this application.
Please contact the application webmaster for more information....

A: This message states that the employee is not allowed on the application.
This depends on the policy set for the application, which is based on Employee Type, group membership, or other more specific settings related to the employee profile in CORP AD.

One well-known problem is with the employee type: 
Check the user employee type in Corporate Directory. If it is set as Employee Other or Subcontractor Other, this means that the user is forbidden ALL access to any application. If it is set to something else, contact the application support team to check if this employee type is allowed on the application.

Internet Explorer 8 and 9, issue with session timeout

A problem can occur when using IE8 and IE9 because these versions of IE are “Loosely-Coupled IE”: the session is merged when you open a new IE instance. The probable cause of this problem is that a session that has expired in any IE instance will show the session timed out message until the entire session is cleared.

Two possible ways to deal with this are:

  1. Open a new session (IE > File > New session)
  2. Clear the entire cache and then try to open the application again