Implement Web remote single sign-on with PPM
This section provides information on how to implement Web remote single sign-on with PPM. This implementation is based on NTLM authentication and requires that the PPM Server(s) be integrated with an external Web server running Microsoft IIS.
How web remote single sign-on works
Web remote single sign-on works with PPM as follows:
- A user logs in to a Windows desktop.
- The user accesses PPM through the external (IIS) Web server.
- The user is authenticated through the Windows user account to IIS and the user name is passed to the PPM Server by way of the REMOTE_USER HTTP header field.
- If the user is a valid PPM user, the standard interface and PPM Dashboard open.
Requirements
To implement Web remote single sign-on, your system must meet the following requirements:
- PPM must be set up with an external Microsoft IIS Web server. For information on how to do this, see Integrate an external web server with a PPM Server.
- To ensure that you have the required access rights, make sure that the system username you use to log on to PPM is the same as the account username in Active Directory.
- By default, logon credentials are not automatically passed from Web browsers other than Internet Explorer when connecting to IIS. If you want to use other browsers (such as Firefox and Chrome) to log on to PPM, configure the browser to automatically use Windows credentials to authenticate to PPM. For configuration details, see the browser's official documentation.
Set up web remote single sign-on
To configure Web remote single sign-on with PPM:
- Integrate the external IIS Web server with the PPM Server(s).
  For information about how to integrate the external Web server with a PPM Server, see Integrate an external web server with a PPM Server.
- On the PPM Server, do the following:
  - Stop the PPM Server.
  - Open the server.conf file in a text editor, and then add the following to it:
    com.kintana.core.server.SINGLE_SIGN_ON_PLUGIN=com.kintana.sc.security.auth.WebRemoteUserSingleSignOn
    Note: For information on how to edit the server.conf file, see PPM Configuration parameters.
  - Save and then close the server.conf file.
  - Run the kUpdateHtml.sh script.
    Note: For information about the kUpdateHtml.sh script, see kUpdateHtml.sh.
  - Disable Tomcat from authenticating the user. Otherwise, you will get the "No Access" error message when trying to access PPM.
    - Open the following file in an editor (for example, Notepad or the vi editor):
      <PPM_Home>/conf/jboss/server.xsl
    - Append tomcatAuthentication="false" to the end of the Connector protocol line. For example,
      <Connector enableLookups="false" redirectPort="8443" debug="0" protocol="AJP/1.3" tomcatAuthentication="false">
    - In PPM Workbench, create the same Windows user account and select NTLM as its authentication mode. Give proper access grants.
    - In the server.conf file, for authentication_mode, add NTLM.
    - Restart the PPM Server.
- On the IIS external Web server, do the following:
  - From IIS Microsoft Management Console, select the default Web site.
  - In the Home pane for the default Web site, scroll to the Security section, and then double-click Authentication.
  - In the Authentication pane, right-click Anonymous Authentication and select Disable from the context menu.
  - Stop, and then restart the IIS Windows service.
- Stop and restart the PPM Server.
For information on troubleshooting issues you may encounter with Web remote single sign-on, see Troubleshoot single sign-on implementation.
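The PPM Server side of the procedure above can be checked with a short script before the final restart. This is an added example, not part of the PPM documentation or product: it verifies the single sign-on plug-in line, the NTLM authentication mode, and tomcatAuthentication="false" on the AJP Connector. It assumes server.conf holds key=value lines, and that the authentication_mode key may carry a prefix or upper case with several modes separated by commas; the function names and sample inputs are constructed for illustration.

```python
import re
import sys

SSO_KEY = "com.kintana.core.server.SINGLE_SIGN_ON_PLUGIN"
SSO_VALUE = "com.kintana.sc.security.auth.WebRemoteUserSingleSignOn"

# Constructed sample inputs (not taken from a real installation).
SAMPLE_CONF = """# constructed sample
com.kintana.core.server.SINGLE_SIGN_ON_PLUGIN =com.kintana.sc.security.auth.WebRemoteUserSingleSignOn
authentication_mode=NTLM
"""
SAMPLE_XSL = ('<Connector enableLookups="false" redirectPort="8443" debug="0" '
              'protocol="AJP/1.3" tomcatAuthentication="false">')

def parse_conf(text):
    """Parse key=value lines; blank lines and '#' comments are skipped (assumed layout)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def check_sso(conf_text, xsl_text):
    """Return a list of findings; an empty list means every setting is in place."""
    findings = []
    params = parse_conf(conf_text)
    if params.get(SSO_KEY) != SSO_VALUE:
        findings.append("server.conf: SINGLE_SIGN_ON_PLUGIN is not WebRemoteUserSingleSignOn")
    # Assumption: the key may carry a prefix or upper case, and several modes are comma-separated.
    modes = next((v for k, v in params.items()
                  if k.lower().endswith("authentication_mode")), "")
    if "NTLM" not in [m.strip().upper() for m in modes.split(",")]:
        findings.append("server.conf: authentication_mode does not include NTLM")
    ajp = [c for c in re.findall(r"<Connector\b[^>]*>", xsl_text) if 'protocol="AJP/1.3"' in c]
    if not ajp:
        findings.append("server.xsl: no AJP/1.3 Connector found")
    for connector in ajp:
        if 'tomcatAuthentication="false"' not in connector:
            findings.append('server.xsl: AJP Connector lacks tomcatAuthentication="false"')
    return findings

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <server.conf> <server.xsl>
        conf, xsl = (open(p, encoding="utf-8").read() for p in sys.argv[1:3])
    else:
        conf, xsl = SAMPLE_CONF, SAMPLE_XSL
    problems = check_sso(conf, xsl)
    print("\n".join(problems) or "Web remote SSO settings present")
    sys.exit(1 if problems else 0)
```

Run it with the paths to server.conf and <PPM_Home>/conf/jboss/server.xsl as arguments; a non-zero exit status means at least one of the settings is missing.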