TopEase Single Sign On Windows AD

Version Control:

Version  Status  Date / Initials  Reason
1.0      Final   09.09.12 / gon   New template and logo

Copyright: This document is the property of Business-DNA Solutions GmbH, Switzerland. It is not allowed to copy, distribute or in any other way reproduce this document or parts thereof without written permission of Business-DNA Solutions GmbH.

Page 1 / 11
Contents

TopEase Single Sign On ... 1
1 Preamble ... 3
2 Changes from TopEase 6.2.x to 6.3.x Release ... 3
3 Basic Setup ... 3
3.1 First connection to Active Directory Server ... 3
3.2 Configure import and synchronization sources for users and groups ... 4
4 Configure WebExplorer settings ... 4
4.1 Requirements for both Modules ... 5
1.1.1 Web User ... 5
1.1.2 Internet Explorer (IE) ... 5
4.2 Requirements for the NTLM Module ... 6
1.1.3 Windows 7 ... 6
4.3 Requirements for the Kerberos Module ... 6
1.1.4 Register the SPNs for your TopEase XChange Server ... 6
1.1.5 Additional Information for the Kerberos Module ... 7
1.1.6 Use your own krb5.ini file ... 7
5 Single or Multidomain ... 8
5.1 Single Domain Mode ... 8
5.2 Multi Domain Mode ... 8
6 Additional Information ... 8
6.1 Enhanced logging ... 8
6.2 Resolve users using prewindows2000user property ... 9
6.3 Resolve memberships flat ... 9
6.4 Change the default LDAP ports ... 10
6.5 Moving users and groups ... 10
6.6 Renaming users and groups ... 11
1 Preamble

This document describes the procedure for setting up Single Sign On for TopEase XChange with a Microsoft Windows Active Directory. How to set up the access management in a model or on a share is not covered.

2 Changes from TopEase 6.2.x to 6.3.x Release

- WINS support for domain controller resolving has been removed
- Kerberos module added for SSO with web portals

3 Basic Setup

Log in to the TopEase Administration Client and select the tab Login. In the table Modules select ssoserverlogin.

3.1 First connection to Active Directory Server

Enter a domain controller, a user and a password, and click the << button to load the domain details.
Field / Remarks

Server
  Enter a server or a qualified domain name, e.g. ch.mycompany.com. You can also enter a comma separated list of servers. If the connection to the first server fails, then a connection to the next server will be tried. If you plan to use Kerberos as web login, you must enter a fully qualified name, otherwise Kerberos may not work!

Port
  The port will be set automatically. If your domain is an Active Directory tree or forest, then port 3268 will be set; this accesses the global catalog. If your domain is a single one, port 389 will be set to access the domain.

User
  You have to enter a fully qualified user name. See image above.

Password
  The user's domain password.

Domain Details
  Shows all domains found in the domain configuration of the server.

3.2 Configure import and synchronization sources for users and groups

For each domain found you can set up from which element the TopEase XChange Administrator can later import and synchronize users and groups. Select a domain in the list Domain Details and click the button on the right side of the text boxes Groups and Users. Select one or more elements which define the base nodes to search for users and groups in Windows Active Directory. Do this for every domain from which you want to import and synchronize users and groups. If you leave a domain empty, the administrator cannot import anything from this domain.

4 Configure WebExplorer settings

To enable Windows Active Directory based Single Sign On for the WebExplorer, you have to configure the settings for the WebExplorer pre-authentication. The pre-authentication is used to perform an NTLM or Kerberos login. Usually the same user entered in the Settings for LDAP Access can be used.
Field / Remarks

Domain
  Fully qualified domain name, e.g. my.domain.com

Web-User
  The user without domain extension

Web-Password
  The password for the web user

Module
  Select the login module to be used to authenticate the user. Currently 2 modules are supported: NTLM (does not support NTLMv2) and Kerberos.

4.1 Requirements for both Modules

To use Web SSO there are some requirements for your environment.

1.1.1 Web User

You need a domain user as pre-authentication user. This can be a simple user with no additional rights. Your administrator can also deny this user the right to log on to any workstation. The user should have a long and complex password that never expires.

1.1.2 Internet Explorer (IE)

IE is set up by default to perform SSO to any capable server in your intranet. Open the Options panel and select the tab Security. Select the zone Local Intranet and click on Custom level. The entry User Authentication -> Logon should be set to Automatic logon only in Intranet zone or Automatic logon with current user name and password. As mentioned before, this is a default setting.
Your web server must be recognized as an Intranet server. To check this, open a web page on your web server and check the status bar. If the zone Local Intranet is not displayed, then you have to add the server to your sites list.

4.2 Requirements for the NTLM Module

The NTLM module does not work if clients and/or domain controllers are configured to work only with NTLMv2. In this case you will get a dialog asking for username and password instead of being logged in without entering your credentials. The LmCompatibilityLevel must be set to 0-2, otherwise NTLM login will not work. See: http://technet.microsoft.com/en-us/library/cc960646.aspx If your company uses NTLMv2, you can use the Kerberos login module.

1.1.3 Windows 7

The standard value for a Windows 7 client after installation is set higher than 2 by default. If SSO with NTLM works for Windows 2000 and Vista clients but not on Windows 7, then you have to change this registry entry and restart the workstation.

4.3 Requirements for the Kerberos Module

The Kerberos module does not depend on the configured NTLM version; it also works if NTLM is disabled. If you want to work with Kerberos you have to do some extra configuration. Kerberos does not perform a login when you open the browser on the server itself. You can log in, but it is not a Kerberos login: the user which is used to run the XChange Server will be taken as the logged-in user.

1.1.4 Register the SPNs for your TopEase XChange Server

Following the Kerberos specification, every pre-authentication user for a specific service (in our case HTTP) has to be registered. This is done with the setspn.exe command. See http://technet.microsoft.com/en-us/library/cc773257(ws.10).aspx for detailed information and for how to get setspn.exe if it is not installed on your server. You have to register your service under every DNS name of your server (including aliases) for your web user (see Chapter 4 Configure WebExplorer settings). Example: Your server name is server1 and it is a member of the domain pul.test.
The configured user is called userm. For your server there is a DNS alias named topease. In this case you have to register 3 SPNs (SPN = Service Principal Name).
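The registration described above, as an added PowerShell example that is not part of the original document: it builds the HTTP SPNs for the host name server1, its DNS alias topease and the domain pul.test from the example, registers them for the web user userm with setspn.exe, and then lists the account's SPNs as the check. Which name forms clients actually use is an assumption; the script registers both the short name and the FQDN of every DNS name, so drop any form that does not exist in your DNS. It must run under an account permitted to write servicePrincipalName on the user object.

```powershell
# Added example, not from the TopEase documentation: register the HTTP SPNs
# for the pre-authentication user so the Kerberos module can be issued a
# service ticket for every name under which clients reach the server.
# Values taken from the example above: host server1, domain pul.test,
# DNS alias topease, web user userm.
$serviceClass = 'HTTP'                    # upper case, as the note below requires
$account      = 'userm'
$domain       = 'pul.test'
$dnsNames     = @('server1', 'topease')   # host name plus every DNS alias

# One SPN for the short name and one for the FQDN of each DNS name.
# Assumption: clients use both forms; remove any name that does not
# resolve in your DNS.
$spns = foreach ($name in $dnsNames) {
    "$serviceClass/$name"
    "$serviceClass/$name.$domain"
}

foreach ($spn in $spns) {
    # setspn -S adds the SPN only if no other account in the forest already
    # holds it, which enforces the one-account-per-SPN rule stated below.
    & setspn.exe -S $spn $account
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "setspn reported a problem for $spn (duplicate SPN or missing permission)"
    }
}

# Verification: list every SPN now registered for the web user.
& setspn.exe -L $account
```

setspn -S (add with duplicate check) is available from Windows Server 2008 on; the older -A switch adds the SPN without checking whether another account already holds it. As stated below, the Windows server has to be restarted after the SPNs are registered.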
The last command lists all SPNs for a specific user; you can use it to check that the SPNs are registered. After registering your SPNs you must restart the Windows server! Important: The service name HTTP must be written in upper case, do not type http! You cannot register multiple users for the same service, but a user can be the service principal for multiple services.

1.1.5 Additional Information for the Kerberos Module

Do not change any configuration described here if you are not familiar with Kerberos and the Java Kerberos implementation! Kerberos will be configured with the configured server as KDC and the domain as default realm (they will be added as system properties). Enter a fully qualified server name, like yourserver.domain.net, in the server text field of the configuration, otherwise Kerberos may not work! See http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/kerberosreq.html The krb5.conf file is located in the server installation directory, which contains all other configurations.

1.1.6 Use your own krb5.ini file

If you want to use a specific KDC or make other changes to the configuration, you can add the entries to the section # Java Additional Parameters in TopEase XChange.conf (located in the installation directory).

Entry / Remarks

wrapper.java.additional.kk=-Djava.security.krb5.conf=<YourKrb5Conf>
  Default is krb5.conf

wrapper.java.additional.kk=-Dtopease.web.sso.use.krb5.conf=true
  Default is false
Replace kk so that the entries wrapper.java.additional.kk form an uninterrupted numbered list. The first entry defines the location of your krb5 configuration file. With the second entry, the default realm and the KDC will not be set as system properties.

5 Single or Multidomain

Depending on the configuration settings of your Active Directory, the TopEase Administrator Client runs in Single or Multi Domain mode. The two modes differ in how memberships of groups are resolved.

5.1 Single Domain Mode

In Single Domain Mode the memberships of the user are fully accessible without limitation on group types, because TopEase XChange reads directly from the domain controller.

5.2 Multi Domain Mode

In Multi Domain Mode there are limitations on loading, synchronizing and resolving user memberships. In Multi Domain Mode TopEase XChange accesses the Global Catalog (GC) of Microsoft Windows Active Directory. The Global Catalog contains a reduced set of user and group information, but this information is replicated to all domain controllers which run the Global Catalog service. For TopEase XChange this currently results in the following limitations:

- User and group descriptions are not synchronized.
- Only distribution groups are accessible. Local domain and security groups will not be shared in the Global Catalog, so you have to set up the group memberships with distribution groups.
- The configured servers must run the Global Catalog service. Enter only Global Catalog servers in the Server text field of the Settings for LDAP Access section.

6 Additional Information

6.1 Enhanced logging

If you need deeper information about the login process, you can set two properties to extend the logged information. This configuration has to be done in the file <TopEase XChange InstallDir>/TopEase XChange.conf.
Add the entries to the section # Java Additional Parameters in TopEase XChange.conf:

Entry / Remarks

wrapper.java.additional.kk=-Daccess.manager.trace=true
  Produces detailed information about the user login, like memberships and more details.

wrapper.java.additional.kk=-Dnt.server.module.trace.time=true
  Logs the time used to perform a login with Windows AD.

Replace kk so that the entries wrapper.java.additional.kk form an uninterrupted numbered list.
These two entries produce a lot of information in your log file. Please do not run your TopEase XChange with these entries set by default; your log file will grow really fast. Use these entries only for troubleshooting purposes.

6.2 Resolve users using prewindows2000user property

If your login with Windows AD does not work properly, e.g. you can log in using the Designer but not using TopEase WebExplorer, or server jobs end with an error message, then check the entry of the user whose login fails on your Windows server. If in your domain the User logon name and the User logon name (pre-Windows 2000) are different, then you have to set the prewindows2000user property. If you set this property and your domain forest contains multiple users with the same user logon name, then the login for these users runs slower. This is because TopEase XChange can then not resolve the user using user@domain.com, which is unique inside a forest; the user logon name is only unique inside each single domain of a forest. So it is also not good practice to work with the built-in Windows AD user Administrator! To turn on this property, open the files pam.xml and psm.xml inside your TopEase XChange installation directory and search for this entry in each file:

<Property name="useprewindows2000user">false</Property>

Change it to

<Property name="useprewindows2000user">true</Property>

then save the changed files and restart the TopEase XChange service.

6.3 Resolve memberships flat

By default the TopEase AccessManager resolves all memberships of a user: if the user is a member of Group A and Group A is a member of Group B, the user will be a member of Group A and B. If you do not use the resolved memberships, you can prevent this by setting an entry in the psm.xml file (this file is located in the installation directory of TopEase XChange). This may speed up your login time.
Enter the property with the name resolvegroupsflat and set the value to true. If this property is not set or the value is false, then the TopEase AccessManager also resolves memberships of groups. If this property is set to true, then only direct memberships of the user will be used. Based on the example above: if the property resolvegroupsflat is set to true and the user is a member of Group A and Group A is a member of Group B, the user will only be a member of Group A.

6.4 Change the default LDAP ports

If your administrator has changed the TCP/IP ports used to access Windows Active Directory and the Global Catalog, you can set up your server to access the servers on your specific ports. This configuration has to be done in the file <TopEase XChange InstallDir>/TopEase XChange.conf. Add the entries to the section # Java Additional Parameters in TopEase XChange.conf:

Entry / Remarks

wrapper.java.additional.kk=-Dwindows.ldap.port=nnn
  Default is 389.

wrapper.java.additional.kk=-Dwindows.ldap.gc.port=nnn
  Default is 3268.

Replace kk so that the entries wrapper.java.additional.kk form an uninterrupted numbered list, and replace nnn with your configured ports. Restart TopEase XChange, log in to the TopEase Administration Client, go to the ssoserverlogin configuration and click the << button on the right side of the Domain Details table.

6.5 Moving users and groups

You can move users and groups within the Active Directory as you want. After moving, you can synchronize the users and groups and the data will be updated.
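The difference between nested and flat resolution from section 6.3, as an added PowerShell example that is not TopEase code: the membership data is constructed for the example (the real AccessManager reads it from Active Directory), and the function name Resolve-Memberships and its parameters are this example's own. It also covers an edge case the text does not mention, two groups that contain each other, which a nested walk has to stop on instead of looping.

```powershell
# Added example, not TopEase code: nested versus flat membership resolution.
# Constructed data: key = principal, value = groups it is a direct member of.
$directMemberOf = @{
    'alice'   = @('Group A')
    'Group A' = @('Group B')
    'Group B' = @('Group C', 'Group A')   # Group A and Group B contain each other
    'Group C' = @()
}

function Resolve-Memberships {
    param(
        [Parameter(Mandatory)] [string]    $Principal,
        [Parameter(Mandatory)] [hashtable] $DirectMemberOf,
        [switch] $Flat                    # behaves like resolvegroupsflat=true
    )
    # Direct memberships only; an unknown principal yields an empty list.
    $direct = @($DirectMemberOf[$Principal] | Where-Object { $_ })
    if ($Flat) { return $direct }

    # Nested resolution (the default): breadth-first walk over group-in-group
    # links. The $seen set makes each group count once and stops the walk
    # when groups contain each other.
    $seen   = [System.Collections.Generic.HashSet[string]]::new()
    $queue  = [System.Collections.Generic.Queue[string]]::new()
    $result = [System.Collections.Generic.List[string]]::new()
    foreach ($g in $direct) { $queue.Enqueue($g) }
    while ($queue.Count -gt 0) {
        $g = $queue.Dequeue()
        if (-not $seen.Add($g)) { continue }     # already visited
        $result.Add($g)
        foreach ($parent in @($DirectMemberOf[$g] | Where-Object { $_ })) {
            $queue.Enqueue($parent)
        }
    }
    return $result.ToArray()
}

# Flat: only the direct membership (Group A) is reported.
Resolve-Memberships -Principal 'alice' -DirectMemberOf $directMemberOf -Flat
# Nested: Group A, then the groups it is nested in (Group B, Group C).
Resolve-Memberships -Principal 'alice' -DirectMemberOf $directMemberOf
```

With the constructed data, the flat call returns Group A alone, while the nested call returns Group A, Group B and Group C once each and terminates despite the A/B cycle. The flat mode is faster for the reason the section gives (no walk over group-in-group links), but any permission granted through a nested group is then no longer reached, so check which of your models rely on nested groups before setting resolvegroupsflat to true.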
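Sections 1.1.6, 6.1 and 6.4 all add wrapper.java.additional entries to TopEase XChange.conf and each time require the kk indexes to form an uninterrupted list. The following added PowerShell example, which is not TopEase code, does that in one place: it finds the highest index already present in the file and appends the new entries with the next free numbers. The install directory C:\TopEase XChange, the krb5 file path C:\krb5\krb5.conf, the realm PUL.TEST and KDC dc1.pul.test (derived from the pul.test example domain) and the port values are assumptions; the function name Add-WrapperJavaAdditional is this example's own.

```powershell
# Added example, not TopEase code: append "# Java Additional Parameters"
# entries to TopEase XChange.conf with the next free index so that the
# wrapper.java.additional.N list stays uninterrupted.
function Add-WrapperJavaAdditional {
    param(
        [Parameter(Mandatory)] [string]   $ConfPath,
        [Parameter(Mandatory)] [string[]] $JavaOptions
    )
    $lines = Get-Content -LiteralPath $ConfPath
    # Highest index already in use (0 if no entry exists yet).
    $max = 0
    foreach ($line in $lines) {
        if ($line -match '^\s*wrapper\.java\.additional\.(\d+)\s*=') {
            $n = [int]$Matches[1]
            if ($n -gt $max) { $max = $n }
        }
    }
    $new = for ($i = 0; $i -lt $JavaOptions.Count; $i++) {
        'wrapper.java.additional.{0}={1}' -f ($max + 1 + $i), $JavaOptions[$i]
    }
    Add-Content -LiteralPath $ConfPath -Value $new
    return $new
}

# Assumed paths. The krb5 file is kept on a path without spaces so the value
# needs no quoting in the wrapper configuration.
$installDir = 'C:\TopEase XChange'
$confPath   = Join-Path $installDir 'TopEase XChange.conf'
$krb5Path   = 'C:\krb5\krb5.conf'

# Own krb5 configuration for section 1.1.6 (assumed realm and KDC).
$krb5 = @"
[libdefaults]
  default_realm = PUL.TEST

[realms]
  PUL.TEST = {
    kdc = dc1.pul.test
  }
"@
New-Item -ItemType Directory -Path (Split-Path $krb5Path) -Force | Out-Null
Set-Content -LiteralPath $krb5Path -Value $krb5

Add-WrapperJavaAdditional -ConfPath $confPath -JavaOptions @(
    "-Djava.security.krb5.conf=$krb5Path",       # 1.1.6: location of the krb5 file
    '-Dtopease.web.sso.use.krb5.conf=true',      # 1.1.6: realm/KDC not set as system properties
    '-Dwindows.ldap.port=389',                   # 6.4: replace with your LDAP port
    '-Dwindows.ldap.gc.port=3268'                # 6.4: replace with your Global Catalog port
)
# The 6.1 trace entries (-Daccess.manager.trace, -Dnt.server.module.trace.time)
# are deliberately not added here: the document reserves them for troubleshooting.
```

The function returns the lines it appended, so you can see the indexes it chose. The TopEase XChange service has to be restarted afterwards, as section 6.4 states, and the 6.1 trace options belong in a troubleshooting session only, because the log grows quickly while they are set.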
6.6 Renaming users and groups

You can also rename your users and groups as you like and then synchronize them with the TopEase Administrator Client. But if you rename a group or a user and the new name is already occupied by another user or group, the synchronization is not possible. In TopEase XChange a user or group name must be unique.