NTLM Authentication Plug-in
If you use TeamConnect with a Software as a Service (SaaS) license, you do not need to perform any of the tasks described in this section, except for Enabling NTLM Authentication for TeamConnect Users.
The NTLM authentication plug-in allows TeamConnect to authenticate a user through a challenge/response system in conjunction with Microsoft® Internet Information Services (IIS). When authenticated through NTLM, the user no longer has to submit separate authentication credentials, such as username and password, to access TeamConnect.
When the NTLM authentication plug-in is enabled, users who are successfully authenticated bypass the TeamConnect login page and go directly to their TeamConnect home page. Aside from the lack of a login page, there is no change to the user interface.
If the user account fails authentication through NTLM, a denial page is displayed. When troubleshooting denials, verify that the login user ID corresponds to a valid user account name within TeamConnect and that the appropriate domain is specified in the System Settings page in the Admin section of TeamConnect.
Shown below is a diagram of the general concept of NTLM authentication as it affects the application server and web server in TeamConnect:
The following requirements must be met in order to use the NTLM authentication plug-in for TeamConnect:
- Your TeamConnect environment must be a pure Microsoft solutions environment using Internet Information Services (IIS). The environment must include an application server that is compatible with IIS. For specific versions of IIS and application servers that are supported, refer to Application and Web Servers.
- Within TeamConnect, you must specify a list of one or more domains in which to authenticate all users. NTLM automatically authenticates users based on their Windows login name and domain. You can, however, change the behavior of the default plug-in.
- Each user that is authenticated through NTLM must have a corresponding user name defined in TeamConnect.
Configuring Internet Information Services
The following list describes the required configuration tasks in sequence:
- Configure the Microsoft IIS plug-in to disable anonymous access.
- Customize Message Screens.
- Upload the NTLM authentication configuration class files to the Documents area of TeamConnect.
- Enable NTLM authentication through the Admin Settings/Security page of TeamConnect.
- Configure TeamConnect user accounts for using NTLM authentication.
This section also provides two URLs that can be used for logging in and explains the difference between them.
The following sections explain each task in the order in which you should perform them.
Disabling Anonymous Access
To use NTLM authentication, you must disable anonymous access in IIS. Once anonymous access is disabled, IIS falls back to the other configured means of authentication and uses NTLM authentication.
Note: The following steps are for Windows XP Professional. If you are using another version of Windows, these steps might differ.
To disable anonymous access to IIS
- On the computer running your web server, click Start > Programs > Administrative Tools > Internet Services Manager.
- In the left pane, open Web Sites, click Default Web Site, and then be certain that the web site is stopped. Click the Stop button in the toolbar, if necessary.
- Right-click Default Web Site, and then click Properties.
- Click the Directory Security tab.
- In the Anonymous Access and Authentication Control section, click Edit.
- Clear the Anonymous Access check box. If a check box named Integrated Windows authentication is present, be sure that it is selected. Then click OK.
- Click OK.
- With Default Web Site highlighted, click the Start button in the toolbar to start the web site.
- Close the Internet Information Services console.
Important: You must also configure the proxy plug-in for IIS. For general information about doing this, see Web Proxy Settings.
Stop and restart IIS when these steps are completed.
Editing the NTLM Configuration File
The configuration file, authenticationDescriptor.properties, needs to be edited to match your particular network environment. Shown below is the default text of this file.

## This is a sample properties file for NTLM authentication. You can tailor it to your specific
## situation to work with the NTLM authentication mechanism included within TeamConnect. All
## un-commented properties in this file are required, though their values can be changed.

# Identification properties for this authentication component
tc.displayName=NTLM based Single Sign On
tc.uniqueId=SNTLM
tc.isSSO=true

# Custom page mappings (omit any that do not apply)
#page.badCredentials=tryagain.html
#page.lockedAccount=giveup.html
#page.maximumLogins=sorry.html
#page.logout=goodbye.html
#page.sessionTimeout=missedyou.html

# NTLM configuration properties
#
# The NT domain against which clients should be authenticated.
ntlm.tcDomain=TCDOMAIN
ntlm.remoteUserHeader=
The value of ntlm.tcDomain can be a single domain name or it can be a list of domain names, delimited by semicolons. The domain portion of a user's login name (such as "firstname.lastname@example.org") is matched against this property value and, if a matching domain is not found, authentication fails.
If you expect to override the default error message pages, modify the "page mappings" section to supply your own HTML file names.
Property ntlm.remoteUserHeader must exist in the configuration file, but it does not always need to have a value associated with it. You may find that for WebLogic application servers, a value of Proxy-Remote-User works best and, for WebSphere application servers, a value of $WSRU works best.
Note that even if you do not use properties page.logout and page.sessionTimeout, TeamConnect will construct a logout page on the fly to use in these situations, to avoid redisplaying the login page, which would cause an automatic re-login with NTLM.
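The following is an added example, not TeamConnect's own code: it parses the authenticationDescriptor.properties format shown above and applies the ntlm.tcDomain check the page describes (a single domain or a semicolon-delimited list, with authentication failing when the domain portion of the login name is not listed). It assumes the forwarded identity arrives as DOMAIN\user or user@domain and that domain names compare case-insensitively; the sample file contents and user list are constructed.

```python
# Added example, not TeamConnect's own code; assumptions are noted in the docstrings.
# Constructed sample: the default file with ntlm.tcDomain changed to a two-domain list.
SAMPLE_PROPERTIES = """\
# NTLM configuration properties
tc.uniqueId=SNTLM
ntlm.tcDomain=TCDOMAIN;CORP
ntlm.remoteUserHeader=
"""


def parse_properties(text):
    """Minimal .properties parser: skips blank lines and '#' comments, splits on the
    first '='. A key with an empty value (ntlm.remoteUserHeader=) is kept."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def allowed_domains(props):
    """ntlm.tcDomain is one domain or a semicolon-delimited list of domains."""
    return [d.strip() for d in props.get("ntlm.tcDomain", "").split(";") if d.strip()]


def split_login(login):
    """Assumption: IIS forwards the identity as DOMAIN\\user or user@domain."""
    if "\\" in login:
        domain, user = login.split("\\", 1)
    elif "@" in login:
        user, domain = login.rsplit("@", 1)
    else:
        return None, login  # no domain portion to match, so the login is denied
    return domain, user


def authenticate(props, login, known_users):
    """Return the TeamConnect user name on success, or None (the denial page) when the
    domain is not in ntlm.tcDomain or no TeamConnect account matches the user name.
    Assumption: domain names compare case-insensitively, as Windows domains do."""
    domain, user = split_login(login)
    if domain is None:
        return None
    if domain.lower() not in {d.lower() for d in allowed_domains(props)}:
        return None
    return user if user in known_users else None
```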
Installing the NTLM Configuration File
Installing the NTLM authentication plug-in consists of uploading one configuration file, authenticationDescriptor.properties, to a specific folder within the Documents area of TeamConnect.
You must edit the authenticationDescriptor.properties file, as described in Editing the NTLM Configuration File.
To install the NTLM Authentication configuration file
- In the TeamConnect tab bar, select Documents.
- Navigate to Top Level, then System.
- Create a folder named Authentication.
- In the Authentication folder that you just created, create a sub-folder named NTLM.
- In the NTLM folder that you just created, create two sub-folders named classes and pages.
Caution: The folder names must be entered exactly as shown.
- In the classes folder that you just created, upload this file: authenticationDescriptor.properties
- The pages folder does not require any file uploads, unless you choose to override the default error message pages, using the page.xxx properties in the configuration file. If so, you would upload your matching custom error message pages to this folder.
The NTLM Authentication plug-in is now installed.
Enabling NTLM Authentication for TeamConnect Users
Before assigning authentication methods to individual users, be sure that NTLM has been chosen as the default authentication mechanism. To do so, refer to Enabling a Default Authentication Method.
To enable other users to log in to TeamConnect using NTLM authentication, each user account except TeamConnectAdmin must be configured accordingly. However, if you followed the directions in Enabling a Default Authentication Method, NTLM is now the system default authentication mechanism, and users who are already set to use the default need no editing. You need to perform overrides only:
- For users whose accounts were previously overridden with a different authentication method and who should now use NTLM. In this case, set their method to (System Default).
- For users who are not using NTLM.
For details on performing an override, see Overriding Authentication for Individual Users.
Important: For user "TeamConnectAdmin", do not attempt to use NTLM authentication. Force this user to go through standard authentication by appending /standardLogin to the end of the URL that launches TeamConnect.
Important: When using Web Services and NTLM to connect to TeamConnect, be sure that the URL in your NTLM configuration points to the TeamConnect application server, not the Internet Information Server.
For information about which login URL to give your users based on the authentication mechanism, see Login URLs.