Configuring Windows Domain (NTCR) Authentication

SBM Configurator performs all the necessary setup tasks in IIS or SSO to authenticate users against your Windows domain. However, if your IIS settings are inadvertently changed, consult your IIS administrator and manually configure either IIS or SSO according to the steps in the following sections. Note that the steps differ slightly depending on which session management option you select.

Windows Authentication (IIS) Manual Configuration Steps

This section describes how to manually configure Windows Authentication when IIS is used to manage user authentication (non-SSO). You will configure the following settings on the machine that hosts SBM Application Engine:

  1. Open Internet Information Services (IIS).
  2. On the tmtrack application:
    • Enable Windows Authentication (IIS 7 and higher)
    • Disable Anonymous Authentication (IIS 7 and higher)
    If you intend to use integrations, such as SourceBridge, enable Basic Authentication.
  3. On the workcenter application:
    • Enable Windows Authentication (IIS 7 and higher)
    • Disable Anonymous Authentication (IIS 7 and higher)
    Important: The workcenter application authentication settings must match the tmtrack application authentication settings.
  4. Enable only Anonymous Authentication on the following applications:
    • Default Web Site (or Web Sites)
    • gsoap application
    • sbmconnector application
    This ensures that the REST grid widget, PDF widget, and Service Request Center work properly. The REST Widget fails in Firefox browsers if SBM uses Windows Domain (NTCR) authentication. This issue does not occur in Internet Explorer browsers.
    Important: In a distributed installation, configure the SBM Tomcat service to use a Windows domain account (or create a local user on both the Tomcat and IIS servers with the same password). This ensures that the PDF widget has access to the tmtrack application.
  5. Stop and start IIS.
  6. Launch SBM Configurator, and then open the Authentication tab.
  7. On the General tab, set the following:
    • Browser sessions: SBM Session Cookies
    • Browser authentication: Windows Authentication
    • Web services authentication: Internal SBM Database
  8. On the Windows Domain tab, enter the correct Windows domain in the Domain field. If a domain is not specified, then the domain that the IIS server machine is installed on is used for user validation.
    Note: This domain is used by SBM Application Engine to verify the user's credentials with the domain controller when Windows authentication materials do not accompany the authentication request (for example, when SBM Application Engine receives a Web service request). Basic authentication materials should accompany the call in that case; therefore, the proper domain is required. Be aware that in this scenario user passwords are sent in clear text unless the connection is secured through SSL.
  9. Configure password restrictions for external users (if any) on the External Passwords tab. For details, refer to Password Restrictions.
  10. If you want users to access SBM without logging in to your network domain, type the name of an application in IIS with anonymous authentication in the Virtual Directory for external authentication field on the Other Settings tab. For more information, refer to Other Settings.
  11. Click Apply in SBM Configurator.

Windows Authentication (SSO) Manual Configuration Steps

This section describes how to manually configure Windows Authentication when SSO is used to manage user authentication. You will configure all of the IIS settings on the machine that hosts SBM Application Engine and the steps involving SBM Configurator on the server that hosts SSO.

  1. Open Internet Information Services (IIS).
  2. On the tmtrack application:
    • Enable Anonymous Authentication (IIS 7 and higher)
    • Disable Windows Authentication (IIS 7 and higher)
    If you intend to use integrations, such as SourceBridge, enable Basic Authentication.
  3. Enable and disable the same authentication settings (except for Basic Authentication, if you enabled it) on the following directories:
    • Default Web Site (or Web Sites)
    • gsoap
    • sbmconnector
    • workcenter
      Important: The workcenter application authentication settings must match the tmtrack application authentication settings.
    This ensures that the REST grid widget, PDF widget, and Service Request Center work properly. The REST Widget fails in Firefox browsers if SBM uses Windows Domain (NTCR) authentication. This issue does not occur in Internet Explorer browsers.
    Important: In a distributed installation, configure the SBM Tomcat service to use a Windows domain account (or create a local user on both the Tomcat and IIS servers with the same password). This ensures that the PDF widget has access to the tmtrack application.
  4. Stop and start IIS.
  5. Launch SBM Configurator, and open the Authentication tab.
  6. On the General tab, set the following:
    • Browser sessions: Single Sign-On
    • Browser authentication: Windows Authentication
    • Web services authentication: Internal SBM Database

    Select the Enable Login Form check box if you want to display a login page to users when user validation fails. Clear the check box if you do not want the page to appear.

  7. Configure password restrictions for external users (if any) on the External Passwords tab. For details, refer to Password Restrictions.
  8. If you want users to access SBM without logging in to your network domain, type the name of an application in IIS with anonymous authentication in the Virtual Directory for external authentication field on the Other Settings tab. For more information, refer to Other Settings.
  9. Click Apply in SBM Configurator.
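
The IIS settings from both procedures above (the non-SSO steps 2 to 4 and the SSO steps 2 and 3) can be checked for drift with a read-only script. This is an added example, not code from the SBM documentation or product; it assumes the site is named Default Web Site and that tmtrack, workcenter, gsoap, and sbmconnector sit directly beneath it.

```powershell
# Added example (not vendor code): read-only audit of the IIS settings in the steps above.
param(
    [ValidateSet('IIS', 'SSO')][string]$Mode = 'IIS',   # session management option in use
    [string]$Site = 'Default Web Site'                   # assumed site name; apps assumed directly beneath it
)
Import-Module WebAdministration

# Expected state per scheme; $null = not checked (Basic is optional for integrations).
$winOnly  = @{ anonymous = $false; windows = $true;  basic = $null }   # IIS mode: tmtrack, workcenter
$anonOnly = @{ anonymous = $true;  windows = $false; basic = $false }  # IIS mode: "only Anonymous"
$ssoAnon  = @{ anonymous = $true;  windows = $false; basic = $null }   # SSO mode: all five locations

$expected = [ordered]@{}
foreach ($app in 'tmtrack', 'workcenter') {
    $expected["$Site/$app"] = if ($Mode -eq 'IIS') { $winOnly } else { $ssoAnon }
}
foreach ($loc in $Site, "$Site/gsoap", "$Site/sbmconnector") {
    $expected[$loc] = if ($Mode -eq 'IIS') { $anonOnly } else { $ssoAnon }
}

# Reads the enabled flag of each authentication scheme for one site or application.
function Get-AuthState([string]$Location) {
    $state = @{}
    foreach ($scheme in 'anonymous', 'windows', 'basic') {
        $filter = "/system.webServer/security/authentication/${scheme}Authentication"
        $state[$scheme] = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
                -Filter $filter -Name enabled).Value
    }
    $state
}

# Collect every setting that differs from the expected state for the chosen mode.
$drift = foreach ($loc in $expected.Keys) {
    $actual = Get-AuthState $loc
    foreach ($scheme in 'anonymous', 'windows', 'basic') {
        $want = $expected[$loc][$scheme]
        if ($null -ne $want -and $actual[$scheme] -ne $want) {
            [pscustomobject]@{ Location = $loc; Scheme = $scheme; Expected = $want; Actual = $actual[$scheme] }
        }
    }
    if ($actual['basic']) {
        Write-Warning "${loc}: Basic Authentication is enabled; confirm the site is reachable only over SSL."
    }
}

if ($drift) { $drift | Format-Table -AutoSize; exit 1 }
"All checked locations match the $Mode-mode settings."
```

Run it from an elevated PowerShell session on the machine that hosts SBM Application Engine, passing -Mode SSO when SSO manages sessions.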
