Windows server: External AICC Package cannot get user information

by John Cusimano -
Number of replies: 13

Hello,

I have Moodle 2.2 and when we try to launch an AICC URL or downloaded AICC, the external LMS cannot receive the user credentials. Moodle 2.2 supports external AICC/HACP and the following settings are checked off in Plugins -> Activity Modules -> SCORM, yet there is no explanation as to why this is not working:

Enable external AICC HACP

Enable external AICC URL

Any help would really be appreciated,

Thank you,

John

In reply to John Cusimano

Re: Windows server: External AICC Package cannot get user information

by Matteo Scaramuccia -

Hi John,
can you elaborate a bit more on your setup?

Using "External AICC HACP" means "let Moodle play&track AICC content hosted outside the Moodle instance" by means of publishing in Moodle a special package containing just the descriptor files where the .au file makes usage of absolute URLs pointing to each external AICC HACP-tracked content (AU = Assignable Unit): no authorization process is performed by Moodle against the host on accessing such hosted content.

HTH,
Matteo

P.S.: this thread should be moved under Using Moodle ► Moodle core ► SCORM Module.

In reply to Matteo Scaramuccia

Re: Windows server: External AICC Package cannot get user information

by John Cusimano -

Hello Matteo,

Thank you for your response! Here is some more information on our setup:

  • Moodle version: 2.2.2
  • OS: Windows Server 2008 R2
  • PHP: 5.10
  • DB: SQL Server 2008 R2
  • IIS 7.5

Here is everything we've done so far:

We load the AICC package from the vendor by selecting Activities->SCORM. We launch the package and it goes out to the vendor URL in the player frame. Immediately after it says 'activity loading...' we receive the error that the vendor site could not retrieve user information from the host LMS site with URL: https://ourmoodlesite/mod/scrorm/aicc.php.

We have also tried to load a test AICC zip from the Moodle forums; this page states the same error, that it cannot retrieve the username (first name and last name) from our Moodle. The end result of this is that the content from the vendor site never loads on our site.

We use NTLM SSO on the site and the site is also published on the internet. Our users authenticate to the portal externally with ISA. We have also tried this with a direct AICC URL and we get the same results. We have tested this on Windows and Linux with 2.2 and get the same results.

Thank you for your help. I will try to move the thread when I return to the office.

John

In reply to John Cusimano

Re: Windows server: External AICC Package cannot get user information

by Matteo Scaramuccia -

Hi John,
let me try to recap:

  1. Your Moodle is running under a WISP (Windows, IIS, SQL Server, PHP) stack
  2. The vendor gives you something to publish into Moodle
  3. Whenever a user attempts that Moodle AICC Activity, the vendor site - where the content is hosted - complains about the inability to get information from the AICC HACP tracking mechanism, regardless of your setting for "Enable external AICC HACP"
  4. Your Moodle is fully running under NTLM SSO
  5. Hosting a content, out of Moodle, by yourself gives the same results

If my recap represents the picture, I guess you have enabled the NTLM auth negotiation for all the Moodle site: you need to add an exception to allow both the NTLM handshaking (WIA) and anonymous access (file permission included!) for mod/scorm/aicc.php: Moodle will always check the user authentication on "your" behalf, if required.

Indeed in your scenario, playing with the "Enable external AICC HACP" setting will give you the possibility to let Moodle select how it will authorize the access to the AICC URL:

  • default setup: it will require a user to be logged in, in your case a valid user session built over an NTLM SSO integration
  • External AICC HACP setup: it will create an AICC-related session regardless of forcing the user to be logged in to access that page (please note that a valid Moodle user session is required, but in this case the checks are performed in a different way). The external vendor will be able to contact the AICC tracking page (aicc.php) and their content will happily talk with Moodle via HACP mechanisms.

Suggestion: for performance reasons, you should disable WIA anywhere within the Moodle site except for auth/ldap/ntlmsso_magic.php. This will allow IIS to perform the (slow) NTLM handshake only when required.

HTH,
Matteo

In reply to Matteo Scaramuccia

Re: Windows server: External AICC Package cannot get user information

by John Cusimano -

Hello Matteo,

Your recap is exactly right; I have a few questions though,

1. Where does the anonymous access need to be configured, can it be configured just for a single object /mod/scorm/aicc.php in IIS?

2. Is there a setting in Moodle that also needs to be enabled to allow anonymous in addition to NTLM, e.g. the 'No authentication' option?

3. Is there any special option I need to set to make sure it generates a user session?

4. Being that ISA is involved externally, does there need to be a rule created in ISA to bypass auth externally for the aicc.php page as well? 

 

Thank you for all your help,

John

 

In reply to John Cusimano

Re: Windows server: External AICC Package cannot get user information

by John Cusimano -

Hi Matteo,

I just wanted to add that I added anonymous login to the security on the aicc.php file and tried again- it still didn't work. I received the same error related to user information.

 

John

 

In reply to John Cusimano

Re: Windows server: External AICC Package cannot get user information

by Matteo Scaramuccia -

Hi John,
I've just realized that I missed that ISA is performing the NTLM authentication too.

Here are my replies:

  1. Yes, you need at least to allow anonymous access to mod/scorm/aicc.php. Removing it everywhere but auth/ldap/ntlmsso_magic.php as per my suggestion will improve local IIS performance, regardless of the ISA setting about NTLM
  2. Yes, you can disable (click on the "eye") all the auth plugins but ldap and manual
  3. No, a Moodle user session is generated by Moodle itself when it requires to verify the authentication and the authorization. Flagging "Enable external AICC HACP" is required to allow external calls to the AICC URL
  4. Yes, you need to allow anonymous access to the whole chain in front of the AICC URL

HTH,
Matteo

In reply to Matteo Scaramuccia

Re: Windows server: External AICC Package cannot get user information

by John Cusimano -

Hello Matteo,

Thanks again. I have enabled anonymous at the mod folder all the way down and it doesn't seem to help. Please look at the attached and let me know if it looks correct? Any other suggestions?

John

In reply to John Cusimano

Re: Windows server: External AICC Package cannot get user information

by Matteo Scaramuccia -

Hi John,
that is not the expected behaviour, at least by me ;-): are you sure that both ISA and the file system allow the anonymous user too?

To see if any kind of NTLM handshake is still working on the AICC URL you can install Fiddler locally on your PC, press F12 just before entering the course, attend the course, press F12 again and look at the captured traffic to see how the communication flows, NTLM authentication included.

Matteo

In reply to Matteo Scaramuccia

Re: Windows server: External AICC Package cannot get user information

by John Cusimano -

Hi Matteo,

We have not allowed anonymous yet on ISA. The really interesting thing is that we installed Moodle on a machine today off our Network. This machine has direct access to the internet- without a proxy, firewall or ISA- yet we still could not get this to work! The Moodle site was not even configured with NTLM- only manual accounts, and was still not able to send user info to either one of the AICC sites. I am beginning to think that either something is not enabled that needs to be somewhere else in Moodle, or Moodle 2.2.2 does not fully support AICC communication. What is your setup, do you use Moodle 2.2, do you have Windows etc- Do you have this working correctly in your environment? Can you successfully launch the following URL and have the external site get the first name and last name?

https://secure.testcraft.com/dev7/Assess.aspx?aid=MOODLE-AICC-01&apass=PASSWORD123

John 

In reply to John Cusimano

Re: Windows server: External AICC Package cannot get user information

by John Cusimano -

Hello Matteo,

I was just wondering, is it possible I am not allowing anonymous properly on the page? Does the screen above look correct to you? I went directly to IIS for the mod folder, enabled Anonymous and also put in the Anonymous Logon Windows folder property permission.

Thank you very much again, for all your help,

John

In reply to John Cusimano

Re: Windows server: External AICC Package cannot get user information

by Matteo Scaramuccia -

Hi John,
unfortunately I do not have a Moodle instance running on a Windows machine right now and do not have, right now, a test machine exposed to the Internet (running VMs in my LAN) to allow your content vendor to ping me back using the AICC URL via HTTP POST - that's the HTTP AICC CMI Protocol (HACP).

BTW:

  1. double check if the IUSR account can read Moodle files starting from Moodle wwwroot folder and modify starting from the Moodle dataroot folder i.e. a normal Moodle setup on Windows;
  2. test the AICC package I've attached here: it wraps your URL in a full AICC package. Locally tested on a Moodle 2.2.5+ (Build: 20121018) instance running on a LAMP stack based on CentOS 5/PHP 5.3.8 with your content vendor warning about "This assessment requires AICC integration. Communication to your LMS (or AICC) server has failed. You must sign into this assessment through your LMS." due, here, to the inability - I'm using a private address - to POST back to me;
  3. while testing (2), give Fiddler a try: it will show you all the traffic going back and forth from your PC and you'll be able to see if the content vendor is POSTing back to your AICC URL asking - CMI is bound to a plain text protocol, quite human readable - for the tracking data and your Moodle is replying according to that request. The communication with the content vendor will start just after Fiddler shows an HTTP GET to /path/to/your/moodle-22/mod/scorm/loadSCO.php?a=<activity_id>&scoid=<sco_id>&currentorg=MDL_P214527&attempt=1 which will load the content from the external vendor passing back some required AICC information via HTTP GET => https://secure.testcraft.com/dev7/Assess.aspx?aid=MOODLE-AICC-01&apass=PASSWORD123&aicc_sid=<external token, e.g.: 7Gk1nmbSh8RNuwrxD0jY>&aicc_url=http://hostname/path/to/your/moodle-22/mod/scorm/aicc.php

If your test machine is public (and it should be, otherwise the external content vendor will never ping you back ;-)) you can PM me the credentials of a student account and I'll test it in the week-end.

HTH,
Matteo
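
The HACP callback described in the post above, sketched as an added example that is not part of the original thread or of Moodle's code: it pulls `aicc_sid`/`aicc_url` out of a launch URL, flags a callback host the vendor cannot reach, and classifies the reply the vendor would get when it POSTs `GetParam` to aicc.php. The request and reply field names follow the AICC HACP convention; the vendor host, version value and sample responses are constructed assumptions.

```python
import ipaddress
from urllib.parse import parse_qs, urlencode, urlsplit

def hacp_callback(launch_url):
    """Return (aicc_sid, aicc_url) that the LMS appended to the vendor launch URL."""
    q = {k.lower(): v[0] for k, v in parse_qs(urlsplit(launch_url).query).items()}
    return q.get("aicc_sid"), q.get("aicc_url")

def reachability_problems(aicc_url):
    """Static reasons an internet-hosted vendor could not POST back to aicc_url."""
    host = urlsplit(aicc_url).hostname or ""
    try:
        if not ipaddress.ip_address(host).is_global:
            return ["callback host is a non-public IP address"]
    except ValueError:  # not an IP literal, so judge it as a DNS name
        if "." not in host:
            return ["callback host is an unqualified name"]
    return []

def getparam_body(aicc_sid, version="2.2"):
    """Form body of the GetParam request the content sends to aicc_url."""
    return urlencode({"command": "GetParam", "version": version, "session_id": aicc_sid})

def classify_reply(status, headers, body):
    """Classify what the vendor received; headers is a list of (name, value)."""
    if status in (401, 403):
        schemes = {v.split()[0].lower() for n, v in headers
                   if n.lower() == "www-authenticate" and v.strip()}
        return "auth-challenge" if schemes & {"ntlm", "negotiate"} else "denied"
    if status != 200:
        return "http-error"
    for line in body.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "error":
            return "ok" if value.strip() == "0" else "hacp-error"
    return "not-hacp"  # e.g. an HTML login page served with 200

# Constructed samples (not captured traffic).
LAUNCH = ("https://vendor.example/launch?aid=DEMO&aicc_sid=7Gk1nmbSh8RNuwrxD0jY"
          "&aicc_url=http://hostname/path/to/your/moodle-22/mod/scorm/aicc.php")
IIS_401 = (401, [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")], "")
HACP_OK = (200, [], "error=0\r\nerror_text=Successful\r\nversion=2.2\r\n"
                    "aicc_data=[Core]\r\nStudent_ID=jdoe\r\nStudent_Name=Doe, John\r\n")

if __name__ == "__main__":
    sid, url = hacp_callback(LAUNCH)
    print(getparam_body(sid), reachability_problems(url))
    print(classify_reply(*IIS_401), classify_reply(*HACP_OK))
```

An `auth-challenge` result points at Windows Integrated Authentication still guarding aicc.php somewhere in the chain, while a non-empty problem list means the vendor never gets that far.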

In reply to Matteo Scaramuccia

Re: Windows server: External AICC Package cannot get user information

by John Cusimano -

Hello Matteo,

We were able to resolve this issue by your suggestion in the last line of your last reply. The thing that we were missing is that the URL really needs to be directly exposed to the vendor. In our case what eventually needed to be done was to create a firewall rule that allowed NAT from the vendor to the return URL. Thank you for all of your help in this matter.

I really wonder though how other companies are using AICC with multiple vendors? These days I am sure that no one is opening the Moodle return URL to the whole internet. In which case, it means a lot of firewall rules or port forwarding exceptions etc. If someone were to test this with even a DSL machine it wouldn't work- as many DSL and other providers nowadays have firewalls built in to all the devices.

It is great to know that the version we are using fully supports this technology. It was a real learning curve for me setting it up the first time, since we have only used SCORM up to this point. I learned a lot about the whole AICC technology this week, and a lot from you, thank you!

Take care,
John

In reply to John Cusimano

Re: Windows server: External AICC Package cannot get user information

by Matteo Scaramuccia -

Hi Martin,
glad to read that we've finally found the root of your issue ;-).

You need to know that SCORM (1.2) - which is an application profile i.e. a collection of standards plus best practices - took many parts of the work done by the AICC Group especially for the tracking both data & mechanism - which gives vendors the ability to apply their tracking logics thanks to the talking with the LMS "just" using Standards and not a Vendor locked-in solution - dropping just the HACP part.

What makes the difference between the two tracking mechanisms is HACP, an HTTP (POST) based tracking protocol, while SCORM relies on a Run Time Environment (RTE) based on an ECMA Script based API implementation. Vendors who don't want to distribute their content in a self-contained learning package (almost a requirement for SCORM) need to use AICC and HACP to allow external tracking to let their package work out of the box. SCORM RTE technology simply fails when the content is hosted in a different domain - compared to the one of the LMS - due to the so called SCORM cross domain (security, from a browser POV) issue unless IT or LMS takes care of that content configuration with some extra effort in finding a "working configuration" for the tracking (proxy is the key, at system or LMS level).

That being said, it depends also on the security a Company is used to apply in deploying their applications: here, in case of more vendors in the future, you can trust Moodle to expose mod/scorm/aicc.php to the internet, even if you have "opened" it by enabling External AICC HACP.

Matteo

P.S.: if this post and/or the previous ones has/have been useful please rate it/them :-). TIA!