EasyAdmin Windows Authentication – KB4031b
The OpenLM EasyAdmin administrative web interface incorporates a role-based security access scheme, facilitating different levels of access to different role players in the organization.
OpenLM also incorporates Directory service synchronization, to combine license management with Directory service (e.g. Active Directory) information, and automatically maintain Users’ and Groups’ data.
Beginning with version 3.3, OpenLM has combined these capabilities to offer a Windows Authentication scheme. This feature enables direct access to the EasyAdmin web interface following the usual Windows login process, using the username and password registered in the organizational Directory Service.
How does it look?
When launching the EasyAdmin web application, the user is presented with the choice of entering OpenLM-specific credentials (username and password), or using the stored Windows credentials that were used to log into their machine:
In order to incorporate the Windows Authentication feature in your OpenLM installation, you will need:
1a. A valid OpenLM license file, incorporating the following features:
- Directory Synchronization (External_Platforms)
1b. One of the following supported web browsers:
- Google Chrome – use latest version
- Mozilla Firefox – use latest version
- Microsoft Edge – use latest version
1c. An Active Directory domain, authenticating and authorizing users within your Windows network domain.
1d. Administrative access to the Active Directory Domain Controller.
1e. Microsoft IIS web server: OpenLM Software is delivered with LightTPD, a built-in web server. In order to employ Windows authentication, EasyAdmin must be served with Microsoft IIS instead. Please follow the explanation in this document. This procedure will, of course, require editing privileges on the IIS web server.
2. Active Directory synchronization
Perform Active Directory synchronization, in order to import user names to the OpenLM database. You can follow either one of the following (Basic and Comprehensive) guides to do so:
- Directory Synchronization – Quick Start Guide HT500
- Directory Synchronization – Comprehensive Guide KB500
3. Assign Administrative role
The next step is to activate the roles and permissions security feature in OpenLM, and assign administrative privileges to specific users or groups. Please follow the explanations in this document in order to do so:
4. Enable Windows Authentication on IIS
4a. Add a service role in the Microsoft IIS web server: (Control panel → Programs and features → Turn Windows features on or off → Roles → Web server (IIS) → Add Role Services)
4b. Make sure “Windows Authentication” is marked as ‘Installed’.
4c. On the IIS Manager, select the EasyAdmin web application, and click on the ‘Authentication’ icon.
4d. On the ensuing ‘Authentication’ window:
- Enable Windows Authentication
- Enable ASP.NET Impersonation
- Disable Anonymous Authentication
4e. On the IIS Manager, select the ‘EasyAdmin’ web application (created when following the IIS guide in step 1e above), and click on the “Configuration Editor” icon.
4f. In the Configuration Editor, select the system.webServer/validation section, and set the value of validateIntegratedModeConfiguration to ‘False’.
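The settings from steps 4b, 4d and 4f can be confirmed from an elevated PowerShell prompt on the IIS server. The script below is an added example, not OpenLM code; it only reads configuration, and it assumes the application is named ‘EasyAdmin’ under a site called ‘Default Web Site’ (adjust both parameters to your installation):

```powershell
# Added example (not OpenLM code): read-only audit of the IIS settings from steps 4b, 4d and 4f.
# ASSUMPTION: the application is "EasyAdmin" under "Default Web Site"; adjust the parameters.
param(
    [string]$Site = 'Default Web Site',   # hypothetical site name
    [string]$App  = 'EasyAdmin'           # application created in step 1e
)
Import-Module WebAdministration           # installed with the IIS management tools

$path = "IIS:\Sites\$Site\$App"
if (-not (Test-Path $path)) { throw "IIS application not found: $path" }

$auth = 'system.webServer/security/authentication'
$expected = @(
    @{ Step = '4d'; Filter = "$auth/windowsAuthentication";   Name = 'enabled';     Want = $true  }
    @{ Step = '4d'; Filter = 'system.web/identity';           Name = 'impersonate'; Want = $true  }
    @{ Step = '4d'; Filter = "$auth/anonymousAuthentication"; Name = 'enabled';     Want = $false }
    @{ Step = '4f'; Filter = 'system.webServer/validation'
       Name = 'validateIntegratedModeConfiguration';          Want = $false }
)

$report = @(foreach ($e in $expected) {
    # Effective value at the application path (applicationHost.config merged with web.config).
    $actual = (Get-WebConfigurationProperty -PSPath $path -Filter $e.Filter -Name $e.Name).Value
    [pscustomobject]@{
        Step     = $e.Step
        Setting  = "$($e.Filter)/@$($e.Name)"
        Expected = $e.Want
        Actual   = $actual
        OK       = ($actual -eq $e.Want)
    }
})

# Step 4b: the Windows Authentication role service (Get-WindowsFeature is a Windows Server cmdlet).
$feature = Get-WindowsFeature -Name Web-Windows-Auth
$report += [pscustomobject]@{
    Step     = '4b'
    Setting  = 'Role service Web-Windows-Auth'
    Expected = $true
    Actual   = $feature.Installed
    OK       = [bool]$feature.Installed
}

$report | Format-Table -AutoSize
# A non-zero exit code lets a scheduled job or deployment pipeline flag configuration drift.
if ($report.OK -contains $false) { exit 1 }
```

A row with OK = False for anonymousAuthentication means the application still accepts requests that carry no Windows identity, so check that row first.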
5. Browser configuration
Additional configuration is required on the web browser in order to avoid an authentication dialog window, such as this one:
5.1 For Chrome and Internet Explorer
5.1.1 Start the Internet Explorer browser
5.1.2. Select Tools → Internet Options
5.1.3 Click the ‘Security’ Tab
5.1.4 Click on “Local Intranet Zone”
5.1.5 Click on ‘Sites’ → ‘Advanced’.
5.1.6. Fill in the local Intranet Site (e.g. https://servername.openlm.com) and click on the ‘Add’ button.
5.2. For Firefox
5.2.1 In the Firefox address bar type “about:config”
5.2.2 Once past the agreement prompt, type ‘NTLM’ in the filter box
5.2.3 Double click on the “network.automatic-ntlm-auth.trusted-uris” entry
5.2.4. Type in the local Intranet Site (https://servername.openlm.com) and click ‘OK’.
Note: Environments that are limited to Kerberos authentication and do not accept NTLM authentication will need to adjust the network.negotiate-auth.delegation-uris preference as well.
6. EasyAdmin configuration
The final step for enabling Windows credentials authentication must be configured in the EasyAdmin administrative interface:
1. Open the EasyAdmin web application.
2. Go to Start → Administration → System & Security icon. The “Administration System” window opens.
3. On the right side, select the Security → Password Settings tab.
4. Turn on the Require Login Credentials switch if it isn’t on already, and then turn on Trusted authentication.
5. Enter your organizational domain name (e.g. openlm.biz) and then click Add to add it to the list of trusted domains.
6. Click Save to store the configuration.
Your EasyAdmin web application should now be able to authenticate using the users’ Windows credentials. If you encounter any problem during this process, please contact our support team, and one of our representatives will be happy to assist you in this configuration.