The OpenLM EasyAdmin administrative web interface incorporates a role-based security access scheme, facilitating different levels of access to different role players in the organization.
OpenLM also incorporates Directory service synchronization, to combine license management with Directory service (e.g. Active Directory) information, and automatically maintain Users’ and Groups’ data.
In version 3.3, OpenLM has combined these capabilities to offer a Windows Authentication scheme. This feature enables direct access to the EasyAdmin web application following the usual Windows login process, employing the username and password registered on the organizational Directory Service.
What does it look like?
When launching the EasyAdmin web application, the user is presented with the choice of entering OpenLM-specific credentials (username and password), or using the same Windows credentials they used to log in to their machine.
In order to incorporate the Windows authentication feature in your OpenLM installation, you will need:
1a. A valid OpenLM license file, incorporating the following features:
1b. One of the following supported web browsers:
- Internet Explorer 9 and later
- Mozilla Firefox – use latest version
- Google Chrome – use latest version
1c. An Active Directory domain, authenticating and authorizing users within your Windows network domain.
1d. Administrative access to the Active Directory Domain Controller.
1e. Microsoft IIS web server: OpenLM Software is delivered with LightTPD, a built-in web server. In order to employ Windows authentication, the EasyAdmin user needs to switch to Microsoft IIS instead. Please follow the explanation in this document. This procedure will, of course, require editing privileges on the IIS web server.
2. Active Directory synchronization
Perform Active Directory synchronization, in order to import user names to the OpenLM database. You can follow either one of the following (Basic and Comprehensive) guides to do so:
- LDAP (Active Directory) Synchronization: Basic Guide – AN3029a
- LDAP (Active Directory) Synchronization: Comprehensive Guide – AN3029b
3. Assign Administrative role
The next step is to activate the roles and permissions security feature in OpenLM, and assign administrative privileges to specific users or groups. Please follow the explanations in this document in order to do so:
4. Enable Windows authentication on IIS
4a. Add a service role in the Microsoft IIS web server: (Control panel → Programs and features → Turn Windows features on or off → Roles → Web server (IIS) → Add Role Services)
4b. Make sure “Windows Authentication” is marked as ‘Installed’.
4c. On the IIS Manager, select the EasyAdmin web application, and click on the ‘Authentication’ icon.
4d. On the ensuing ‘Authentication’ window:
- Enable Windows Authentication
- Enable ASP.Net Impersonation
- Disable anonymous authentication
4e. On the IIS Manager, select the ‘EasyAdmin’ web application, and click on the “Configuration Editor” icon.
4f. In the Configuration Editor, select the system.webServer/validation section, and set the value of validateIntegratedModeConfiguration to ‘False’.
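The settings from steps 4d and 4f can also be applied and read back from PowerShell, which gives a repeatable check that anonymous authentication really is off. This is an added example, not part of OpenLM's documentation or tooling; it assumes EasyAdmin is an application named "EasyAdmin" under "Default Web Site" and uses the IIS WebAdministration module.

```powershell
# Added example, not OpenLM's own tooling. Run in an elevated PowerShell on the IIS host.
Import-Module WebAdministration

# Assumption: EasyAdmin is an application named "EasyAdmin" under "Default Web Site".
$site    = 'Default Web Site'
$app     = 'EasyAdmin'
$appPath = "IIS:\Sites\$site\$app"

# Steps 4d and 4f as data. Authentication sections are locked at server level by
# default, so those are written to applicationHost.config through a <location>
# entry; the other two go to the application's own web.config.
$auth = 'system.webServer/security/authentication'
$settings = @(
    @{ Filter = "$auth/windowsAuthentication";   Name = 'enabled';     Value = $true;  ServerLevel = $true  },
    @{ Filter = "$auth/anonymousAuthentication"; Name = 'enabled';     Value = $false; ServerLevel = $true  },
    @{ Filter = 'system.web/identity';           Name = 'impersonate'; Value = $true;  ServerLevel = $false },
    @{ Filter = 'system.webServer/validation';   Name = 'validateIntegratedModeConfiguration'
       Value  = $false;                          ServerLevel = $false }
)

$failed = 0
foreach ($s in $settings) {
    $target = @{ PSPath = $appPath }
    if ($s.ServerLevel) { $target = @{ PSPath = 'IIS:\'; Location = "$site/$app" } }

    Set-WebConfigurationProperty @target -Filter $s.Filter -Name $s.Name -Value $s.Value

    # Read the value back. Depending on the attribute, the cmdlet returns either
    # the raw value or an object that carries it in a .Value property.
    $raw    = Get-WebConfigurationProperty @target -Filter $s.Filter -Name $s.Name
    $actual = $raw
    if ($null -ne $raw -and $raw.PSObject.Properties['Value']) { $actual = $raw.Value }

    $ok = ([System.Convert]::ToBoolean($actual) -eq $s.Value)
    if (-not $ok) { $failed++ }
    '{0,-8} {1} [{2}] = {3}' -f $(if ($ok) { 'OK' } else { 'MISMATCH' }), $s.Filter, $s.Name, $actual
}

# With anonymous authentication left enabled, IIS tries anonymous access first,
# so any mismatch is treated as a failed configuration.
if ($failed) { throw "$failed setting(s) do not match steps 4d/4f" }
```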
5. Browser configuration
Additional configuration is required on the web browser, in order to avoid an authentication dialog window, such as this one:
5.1 For Chrome and Internet Explorer
5.1.1 Start the Internet Explorer browser
5.1.2. Select Tools → Internet Options
5.1.3 Click the ‘Security’ Tab
5.1.4 Click on “Local Intranet Zone”
5.1.5 Click on ‘Sites’ → ‘Advanced’.
5.1.6. Fill in the local Intranet Site (e.g. https://servername.openlm.com) and click on the ‘ADD’ button
5.2. For Firefox.
5.2.1 In the Firefox address bar type “about:config”
5.2.2 Once past the agreement prompt, type ‘NTLM’ in the filter box
5.2.3 Double click on the “network.automatic-ntlm-auth.trusted-uris” entry
Note: Environments that are limited to Kerberos authentication and do not accept NTLM authentication will need to adjust network.negotiate-auth.delegation-uris as well.
5.2.4. Type in the local Intranet Site (https://servername.openlm.com) and click ‘OK’.
6. OpenLM Configuration
In order to apply Windows credentials authentication, perform the following actions:
1. In the OpenLM Server configuration tool, on the ‘Advanced’ tab, check the “require login credentials” box. Type in the required administrator’s credentials, and then click the ‘Apply’ and “Restart now” buttons.
2. In the EasyAdmin web application, click the ‘Start’ → ‘Administration’ → ‘System’ icon. The “Administration System” window opens.
3. Check the “Enable Trusted Authentication” box, and add the trusted domain name(s) you have set up during the LDAP synchronization stage (above). Click the ‘Save’ button.
That’s it!
Your EasyAdmin web application should now be able to authenticate Windows credentials. If you encounter any problem during this process, please contact our support team, and one of our representatives will be happy to assist with this configuration.