Configuring Windows Domain (NTCR) Authentication

SBM Configurator performs all the necessary configuration to authenticate users against your Windows domain.

However, if your IIS settings are inadvertently changed, consult with your IIS administrator and manually configure either IIS or SSO according to the steps in the following sections. Note that the steps differ slightly depending on which session management option you select.

Windows Authentication (IIS) Manual Configuration Steps

This section describes how to manually configure Windows Domain (NTCR) authentication when IIS is used to manage user authentication. You configure all of the following settings on the machine that hosts SBM Application Engine.

Perform the following steps:

  1. Open Internet Information Services (IIS).
  2. On the tmtrack application:
    • Enable Windows Authentication (IIS 7 and higher)
    • Disable Anonymous Authentication (IIS 7 and higher)
    If you intend to use the Remote Administrator or integrations, such as SourceBridge, enable Basic Authentication.
  3. On the workcenter application:
    • Enable Windows Authentication (IIS 7 and higher)
    • Disable Anonymous Authentication (IIS 7 and higher)
    Important: The workcenter application authentication settings must match the tmtrack application authentication settings.
  4. Enable only Anonymous Authentication on the following applications:
    • Default Web Site (or Web Sites)
    • gsoap application
    • sbmconnector application
    This ensures that the REST grid widget, PDF widget, and Serena Request Center work properly. The REST Widget fails in Firefox browsers if SBM uses Windows Domain (NTCR) authentication. This issue does not occur in Internet Explorer browsers.
    Important: In a distributed installation, configure the SBM Tomcat service to use a Windows domain account (or create a local user on both the Tomcat and IIS servers with the same password). This ensures that the PDF widget has access to the tmtrack application.
  5. Stop and start IIS.
  6. Launch SBM Configurator, and then open the Authentication tab.
  7. On the General tab, set the following:
    • Select Windows Domain (NTCR) in the Validate user credentials against drop-down list. The Windows Domain tab appears.
    • Select Windows Authentication (IIS) in the User sessions are managed by drop-down list.
  8. On the Windows Domain tab, enter the correct Windows domain in the Domain field. If a domain is not specified, then the domain that the IIS server machine is installed on is used for user validation.
    Note: This domain is used by SBM Application Engine to verify the user's credentials with the domain controller when Windows authentication materials do not accompany the authentication request (for example, when SBM Application Engine receives a Web service request). Basic authentication materials should accompany the call in that case; therefore the proper domain is required. Be aware that user passwords are sent in clear text unless secured through SSL in this scenario.
  9. Configure password restrictions for external users (if any) on the External Passwords tab. For details, refer to Password Restrictions.
  10. If you want users to access SBM without logging in to your network domain, type the name of an application in IIS with anonymous authentication in the Virtual Directory for external authentication field on the Other Settings tab. For more information, refer to Other Settings.
  11. Click Apply in SBM Configurator.

Windows Authentication (SSO) Manual Configuration Steps

This section describes how to manually configure Windows Domain (NTCR) authentication when SSO is used to manage user authentication. You configure all of the IIS settings on the machine that hosts SBM Application Engine, and the steps involving SBM Configurator on the server that hosts SSO.

Perform the following steps:

  1. Open Internet Information Services (IIS).
  2. On the tmtrack application:
    • Enable Anonymous Authentication (IIS 7 and higher)
    • Disable Windows Authentication (IIS 7 and higher)
    If you intend to use the Remote Administrator or integrations, such as SourceBridge, enable Basic Authentication.
  3. Enable and disable the same authentication settings (except for Basic Authentication, if you enabled it) on the following directories:
    • Default Web Site (or Web Sites)
    • gsoap
    • sbmconnector
    • workcenter
      Important: The workcenter application authentication settings must match the tmtrack application authentication settings.
    This ensures that the REST grid widget, PDF widget, and Serena Request Center work properly. The REST Widget fails in Firefox browsers if SBM uses Windows Domain (NTCR) authentication. This issue does not occur in Internet Explorer browsers.
    Important: In a distributed installation, configure the SBM Tomcat service to use a Windows domain account (or create a local user on both the Tomcat and IIS servers with the same password). This ensures that the PDF widget has access to the tmtrack application.
  4. Stop and start IIS.
  5. Launch SBM Configurator, and open the Authentication tab.
  6. On the General tab, set the following:
    • Select Windows Domain (NTCR) in the Validate user credentials against drop-down list.
    • Select Windows Authentication (SSO) in the User sessions are managed by drop-down list.
    • Select the Enable Login Form check box if you want to display a login page to users when user validation fails. Clear the check box if you do not want the page to appear.
  7. Configure password restrictions for external users (if any) on the External Passwords tab. For details, refer to Password Restrictions.
  8. If you want users to access SBM without logging in to your network domain, type the name of an application in IIS with anonymous authentication in the Virtual Directory for external authentication field on the Other Settings tab. For more information, refer to Other Settings.
  9. Click Apply in SBM Configurator.
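
The following PowerShell audit is an added example, not part of the original SBM documentation. It reads the effective IIS authentication settings and compares them with the state that the IIS-managed and SSO-managed procedures above call for. It assumes the applications are hosted under 'Default Web Site'; the function name and output columns are illustrative.

```powershell
# Added example: read-only audit of the IIS authentication settings in the steps above.
# Assumption: the SBM applications are hosted under 'Default Web Site'.
Import-Module WebAdministration

function Test-SbmIisAuthentication {
    param(
        [Parameter(Mandatory)][ValidateSet('IIS', 'SSO')][string]$SessionMode,
        [string]$Site = 'Default Web Site'
    )
    $winOnly  = @{ anonymousAuthentication = $false; windowsAuthentication = $true }
    $anonOnly = @{ anonymousAuthentication = $true;  windowsAuthentication = $false }
    # tmtrack and workcenter must match each other in both session modes.
    $appState = if ($SessionMode -eq 'IIS') { $winOnly } else { $anonOnly }

    $expected = [ordered]@{}
    $expected[$Site]                = $anonOnly
    $expected["$Site/gsoap"]        = $anonOnly
    $expected["$Site/sbmconnector"] = $anonOnly
    $expected["$Site/tmtrack"]      = $appState
    $expected["$Site/workcenter"]   = $appState

    foreach ($location in $expected.Keys) {
        foreach ($scheme in 'anonymousAuthentication', 'windowsAuthentication') {
            $actual = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
                -Filter "/system.webServer/security/authentication/$scheme" -Name enabled).Value
            [pscustomobject]@{
                Location = $location
                Scheme   = $scheme
                Expected = $expected[$location][$scheme]
                Actual   = $actual
                Ok       = ($actual -eq $expected[$location][$scheme])
            }
        }
    }
    # Basic Authentication on tmtrack is optional (Remote Administrator, integrations),
    # so it is reported without a pass/fail verdict.
    $basic = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location "$Site/tmtrack" `
        -Filter '/system.webServer/security/authentication/basicAuthentication' -Name enabled).Value
    [pscustomobject]@{ Location = "$Site/tmtrack"; Scheme = 'basicAuthentication'
                       Expected = 'optional'; Actual = $basic; Ok = $null }
}

Test-SbmIisAuthentication -SessionMode IIS | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the machine that hosts SBM Application Engine, and pass -SessionMode SSO to check the SSO procedure instead.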
