About Windows Authentication

For SQL Server installations, you can select the Windows Authentication check box to use a Windows user account of your choice to connect to SQL Server (instead of a SQL Server user account). You must ensure that this account can log in to SQL Server and that is has "dbo" permissions over all the tables in the database. This means that you must set SQL Server to allow Windows Authentication or both Windows Authentication and SQL Authentication. For details, refer to your SQL Server DBMS documentation.

CAUTION:

If you use Windows Domain (NTCR) to authenticate users, Windows authentication requires that your domain users have "dbo" privilege to the database. However, this presents a security risk to your system. Therefore, it is recommended that you clear the Windows Authentication check box in SBM Configurator and use SQL Authentication with Windows Domain (NTCR) instead.

If you select Windows Authentication in SBM Configurator, you do not need to enter database credentials in the User Name and Password columns. Instead, the SBM Application Pool Identity and the Tomcat Log On Identity are used to connect to the SBM databases. Note that you must also run SBM Configurator as a privileged Windows user account in order to connect to SQL Server.

Application Pool Identity – By default, SBM uses the DefaultAppPool in IIS. The Identity specified in the DefaultAppPool is used to connect to the Application Engine database for Windows authentication. Note the following important information:
- The default Identity for the DefaultAppPool is NetworkService. If you do not change the default Identity, then the NetworkService account is used to connect to the Application Engine database, and automatically granted the required Application Engine file system permissions once you click Apply in SBM Configurator.
- If you want to use a different Windows user account, change the Identity from NetworkService to the desired account, and then click Apply in SBM Configurator. This grants the specified user account the required file system permissions.
- If you change the default Identity in the DefaultAppPool, you must set the same identity in the gsoap application pool (gsoap_pool).
- If you decide to create a new application pool for SBM, the Identity in that application pool is used for Windows Authentication.
- If you install more than one instance of SBM Application Engine, you must ensure that the same Windows user account is specified in the application pool Identity on each server.
Tomcat Log On Identity – By default, the SBM Tomcat uses the Local System account. Similar to the DefaultAppPool identity, this account is used for Windows authentication unless you change it. Note the following important information:
- If you select Windows Authentication, the Local System account is used to connect to the Tomcat databases, and automatically granted the required Tomcat file system permissions once you click Apply in SBM Configurator.
- If you want to use a different Windows user account, change the Log On identity to the desired account, and then click Apply in SBM Configurator. This grants the specified user account the required file system permissions.
- To change the default Tomcat identity:
  1. Open the Windows Services Manager.
  2. Right-click SBM Tomcat and select Properties.
  3. Click the Log On tab.
  4. Select This account and enter the Windows user account name.
  5. Click OK.
- For distributed installations, you must ensure that the same Windows user account is specified in the Log On tab in the SBM Tomcat service properties on each server.

After you click Apply in SBM Configurator, the default DSN (SBM) that is used to connect to the Application Engine database is automatically updated to use Windows authentication. If you decide to use a DSN other than the default, you must manually update that DSN to use Windows Authentication.

About Windows Authentication

Related Topics