Summary
This article provides steps for configuring Active Directory Single Sign On (SSO).
Synopsis
Configuring Active Directory Single Sign On (SSO) allows automatic login to Spider LCM / Heat LM if a user has the rights to do so.
Discussion
Requirements:
- Active Directory has to be configured and users need to be able to log into Windows
- IIS (Spider Application) has to allow Windows Authentication and disallow Anonymous Authentication
Configure SSO:
- Log on to your Spider LCM/Heat LM installation with an administrative account and go to System (1) > Active directory (2)
- Then click New and fill out the form:
Login context | <NETBIOS name of the domain> |
Prefix | <Short form of the domain (max. 2 characters)> |
Top Level | <Top level of your domain. E.g.: LDAP://mycompany.local/dc=mycompany,dc=local> Always set it to the root domain (2) |
User | <AD user with rights to read the active directory> |
Password | <Password> |
Menu | Menu |
Active | Set to active to activate this domain configuration |
Authentication only | If ticked, only accounts from the Active Directory are allowed (2) |
Save this configuration and test it by clicking the Test button (3)
If your test is successful you will get the following message:
Otherwise, check your username/password and your top level entry
- Change to the Groups tab and click Assign groups (1)
The Search (2) button lists all Active Directory groups for a given domain user (Domain login).
Select all groups which should have access to Spider LCM/Heat LM
Then transfer the selected groups by clicking Port
- The ported groups will then appear in the Start tab under assigned groups
- As soon as the groups are listed, roles have to be assigned to them
Do so by clicking the group name
Then change to the Mandators tab, click Add mandator (Information: This also has to be done if only one mandator is available!) and select the appropriate mandator
- Afterwards change to the Roles tab and assign the required roles by selecting them and clicking the green arrow
Roles can be removed from Active Directory groups the same way (in the opposite direction)
- The configuration on the Spider LCM/Heat LM side is now complete
Users will be shown in Spider LCM/Heat LM after they have logged in to it for the first time
Configure IIS:
To get SSO working, the configuration in Spider LCM / Heat LM alone is not enough. IIS has to be configured accordingly.
- Open the IIS Manager and click Authentication (1)
- Check whether Windows Authentication is available
If yes, proceed to 4.
- To add the Windows Authentication feature, go to Server Manager > Manage > Add Roles and Features and choose the Windows Authentication feature as shown in the picture below:
Click Next and then Install
Wait until the installation has completely finished before making any further changes in the IIS Manager, and restart the IIS service after the installation
You now have a Windows Authentication entry in the Authentication list
- Enable Anonymous and Windows Authentication and disable Forms Authentication
Authentication can be set on the application level only and does not need to be set on the top level
Troubleshooting
If the AD login doesn't work after these steps, please check the following:
- Within the IIS Manager check the authentication again on IIS > Default Website > Spider|Heat LM
Sometimes it is not possible to enable Windows Authentication.
To solve this problem set the security on the folder C:\Program Files (x86)\Heat License Manager\CoreServer_00\Web\_Settings and give full rights to the IUSR user. After a successful change of the configuration, this right can be removed again
- Enable Active Directory Debug Information
Go to SYSTEM > Configuration and filter for application Spider Core (1) and AreaSearch ActiveDirectory (2)
Then set the value for DebugInformation to True
You will then get more information about the problem logging in to Active Directory
- Delete your created AD connection completely and recreate it including the groups and role settings
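The IIS authentication settings from the Configure IIS steps and the temporary IUSR permission from the first troubleshooting item can be checked from PowerShell. The following read-only script is an added example, not part of the original article or the product; the site name default and the AppName parameter are assumptions to be replaced with your own IIS site and application names.

```powershell
# Added example: read-only audit of the settings described in this article.
# Assumptions: $SiteName and $AppName are placeholders for your own IIS site
# and application; $SettingsPath is the folder named in the troubleshooting step.
param(
    [string]$SiteName = 'Default Web Site',
    [Parameter(Mandatory)][string]$AppName,
    [string]$SettingsPath = 'C:\Program Files (x86)\Heat License Manager\CoreServer_00\Web\_Settings'
)
Import-Module WebAdministration -ErrorAction Stop

function Get-AuthSetting {
    param([string]$Filter, [string]$Name)
    # Effective value at application level, including inherited settings.
    $v = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\$AppName" `
                                      -Filter $Filter -Name $Name
    if ($v -is [string] -or $v -is [bool]) { $v } else { $v.Value }
}

# Allow entries that still grant IUSR Full Control on the _Settings folder.
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
$iusrFull = @((Get-Acl -LiteralPath $SettingsPath).Access | Where-Object {
    $_.IdentityReference.Value -match '\\IUSR$' -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $full) -eq $full
})

$section = 'system.webServer/security/authentication'
$report = [pscustomobject]@{
    Application          = "$SiteName/$AppName"
    WindowsAuthEnabled   = Get-AuthSetting -Filter "$section/windowsAuthentication" -Name enabled
    AnonymousAuthEnabled = Get-AuthSetting -Filter "$section/anonymousAuthentication" -Name enabled
    AspNetAuthMode       = Get-AuthSetting -Filter 'system.web/authentication' -Name mode
    IusrFullControl      = $iusrFull.Count -gt 0
}

if (-not $report.WindowsAuthEnabled) {
    Write-Warning 'Windows Authentication is disabled for the application; the SSO setup in this article requires it.'
}
if ($report.AspNetAuthMode -eq 'Forms') {
    Write-Warning 'Forms Authentication is still active; the article says to disable it.'
}
if ($report.IusrFullControl) {
    Write-Warning "IUSR still has Full Control on $SettingsPath; remove it once the configuration change has succeeded."
}
$report
```

Run it in an elevated PowerShell session on the IIS server; it changes nothing and only reports the current state.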
Additional Information
Products
LCM6, HEAT