Summary:
This technical document covers the requirements, installation, configuration and possible issues associated with using NTLM Authentication with CleverPath Portal. Please use the most current NTLM files. If you are using Portal 4.51, these files are available on the Portal CD in the \resources directory in the file named windows_authentication.zip. Users on 4.0, 4.01, and 4.5 should use the windows_authentication.zip located at: https://ftp.broadcom.com/user/downloads/pub/portal/4.51/4.51.001/resources/
I. Included Files
- Portal Files
- Portallogin.asp - This is the main file that is used for access to the Portal via NTLM Authentication.
- Portallogin.html - This is the alternative portal login page when NTLM Authentication fails.
- Logout.html - This is the portal logout page when using NTLM Authentication.
- Third-Party files
- Msxml3.dll - This is the Microsoft XML Parser version 3.0 w/sp1.
- Scr55en.exe - This is the Windows Scripting Engine 5.5 used by Windows NT. This file is not required for Windows 2000 or 2003 as it is part of the operating system installation.
II. Required Software
- Windows 2000/2003 Server
- Internet Explorer 5.01 or higher
http://www.microsoft.com/ie
- Microsoft XML Parser 3.0 or higher
http://www.microsoft.com/downloads
- Microsoft Internet Information Server 5.0 - This is required because NTLM is a Microsoft authentication method and IIS is the program that actually passes the NTLM data to the Win2000/NT server.
- Windows NT 4.0 Server
- Install the Windows NT Option Pack on the same machine as the Portal.
http://www.microsoft.com/NTServer/nts/downloads/recommended/NT40ptPk/default.asp
- Install Windows Scripting Engine 5.5
http://www.microsoft.com/msdownload/vbscript/scripting.asp
- Install Internet Explorer 5.01 or higher
http://www.microsoft.com/ie
- Install Microsoft XML Parser 3.0 or higher
http://www.microsoft.com/downloads
- Microsoft Internet Information Server 4.0 - This is required because NTLM is a Microsoft authentication method and IIS is the program that actually passes the NTLM data to the Win2000/NT server.
III. Installation Procedure
- Windows 2000/2003 Server
- Install the Microsoft XML Parser 3.0 or higher
- Copy the portallogin.asp, portallogin.html and logout.html files to a directory on the server.
- Open the Internet Services Manager for Internet Information Server.
- Expand the IIS Server.
- Right click on the Default Web Site.
- Choose New, then Virtual Directory.
- Enter an alias name for the virtual directory.
- Browse to the directory where the files you copied in step 2 are located.
- Click OK to finish the creation of the virtual directory.
- Choose the virtual directory you just created and right click on it. Now choose properties.
- Change Execute Permissions to "Scripts and Executables".
- Click OK.
- Now, right click on the portallogin.asp file in the virtual directory and choose properties.
- Click on the File Security tab, and then choose Edit.
- Make sure that Integrated Windows Authentication is the only authentication method checked. Uncheck all others.
- If you are installing using IIS 6.0 (included in Windows 2003 by default) then you'll need to enable ASP in the Web Service Extensions section from within the IIS properties for your web site.
- Close Internet Services Manager.
- Windows NT 4.0 Server
- Install the Microsoft XML Parser 3.0 or higher.
- Install the Microsoft Scripting Engine 5.5.
- Reboot the NT server after the installation is complete.
- Install the Windows NT 4.0 Option Pack if you have not already done so.
- Copy the portallogin.asp, portallogin.html and logout.html files to a directory on the server.
- Open the Internet Services Manager for Internet Information Server.
- Expand the IIS Server
- Right click on the Default Web Sites.
- Choose New, then Virtual Directory.
- Enter an alias name for the virtual directory.
- Browse to the directory where the files you copied in step 5 are located.
- Click OK to finish the creation of the virtual directory.
- Choose the virtual directory you just created and right click on it. Now choose properties.
- Change Execute Permissions to "Execute"
- Click OK
- Now, right click on the portallogin.asp file in the virtual directory and choose properties.
- Click on the File Security tab and then choose Edit.
- Make sure "Windows NT Challenge/Response" is the only authentication method checked. Uncheck all others.
- Close Internet Services Manager
IV. Basic Configuration
- Local.properties file
- Located in [Portal_Install_Dir]/properties/local.properties
- Modify the login.impl variable to reflect the example below:
login.impl=com.ca.portal.base.util.NTLMLogin
- Add the login.href variable:
login.href=http://[IIS Server Name]/[Virtual Directory]/portallogin.asp
- Add the logout.href variable:
logout.href=http://[IIS Server Name]/[Virtual Directory]/logout.html
- Edit the portallogin.asp file. Please view the file in a text editor for details.
- Make sure that the admin password that is defined in this file is correct. By default the admin password is admin, and this is what is used as an example in this file. If the admin password has been changed, make sure that it is reflected correctly in the portallogin.asp file.
- Under the commented-out heading "Native Login UI URL when not using NT authentication", please change the NativeLoginURL to the actual name of your IIS server.
NativeLoginURL = http://[IIS Server Name]/portal/portallogin.html
- Specify your domain for Domain = array("")
Ex. Domain = array("DOMAIN1","DOMAIN2","DOMAIN3")
- Edit the portallogin.html file
- Modify the [portalserver_name] variable to point to the running Portal server. Example:
http://[portalserver_name]:8080/servlet/portal
- Edit the logout.html file
- Modify the [portalserver_name] variable to point to the running Portal server. Example:
http://[portalserver_name]:8080/servlet/portal
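Added example (not part of the original document or of the product): a Python check of the three local.properties entries described in this section, which reports an entry that is missing, still holds the bracketed template text, or points login.href and logout.href at different places. The host name iis01.example.test and the virtual directory alias ntlm in the sample input are constructed.

```python
from urllib.parse import urlsplit
import posixpath

EXPECTED_IMPL = "com.ca.portal.base.util.NTLMLogin"
EXPECTED_PAGES = {"login.href": "portallogin.asp", "logout.href": "logout.html"}

def parse_properties(text):
    """Parse simple key=value lines; '#' and '!' start comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_ntlm_properties(text):
    """Return a list of problems; an empty list means the entries are consistent."""
    props = parse_properties(text)
    problems = []
    if props.get("login.impl") != EXPECTED_IMPL:
        problems.append("login.impl must be " + EXPECTED_IMPL)
    bases = {}
    for key, page in EXPECTED_PAGES.items():
        value = props.get(key, "")
        if not value:
            problems.append(key + " is missing")
        elif "[" in value:  # template text copied without being filled in
            problems.append(key + " still contains a [placeholder]")
        else:
            url = urlsplit(value)
            directory, name = posixpath.split(url.path)
            if not url.hostname or name.lower() != page:
                problems.append(key + " must point to " + page + " on the IIS server")
            bases[key] = (url.scheme, url.netloc.lower(), directory.lower())
    # Both pages are served from the same virtual directory on the same IIS server.
    if len(bases) == 2 and bases["login.href"] != bases["logout.href"]:
        problems.append("login.href and logout.href are not in the same virtual directory")
    return problems

# Constructed sample input: the host name and the alias "ntlm" are invented.
GOOD = ("login.impl=com.ca.portal.base.util.NTLMLogin\n"
        "login.href=http://iis01.example.test/ntlm/portallogin.asp\n"
        "logout.href=http://iis01.example.test/ntlm/logout.html\n")
UNFILLED = GOOD.replace("iis01.example.test/ntlm/p", "[IIS Server Name]/[Virtual Directory]/p")
if __name__ == "__main__":
    print(check_ntlm_properties(GOOD), check_ntlm_properties(UNFILLED))
```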
V. Advanced Configuration
- Adding Multiple Domains to Authenticate Against
- Edit the Domain variable in the portallogin.asp file. Example: Domain="abc|xyz|aaa"
- The domains you add have to either be trusted or you have to change the file permissions on the portallogin.asp file to include the "Authenticated Users" group from each domain you want to authenticate against. Again, this is not necessary if the domains trust each other.
- Using NTLM and LDAP Simultaneously
- In order to use LDAP and NTLM together, you must make the following changes to the portallogin.asp file:
- Build User = False
- RemoveDomain = True
- Password = Your LDAP Server Password (This is normally ?LDAP# - where # is the number of your LDAP server.)