Implement Web remote single sign-on with PPM

This section provides information on how to implement Web remote single sign-on with PPM. This implementation is based on NTLM authentication and requires that the PPM Server(s) be integrated with an external Web server running Microsoft IIS.

Web remote single sign-on works with PPM as follows:

  1. A user logs in to a Windows desktop.

  2. The user accesses PPM through the external (IIS) Web server.

  3. The user is authenticated through the Windows user account to IIS and the user name is passed to the PPM Server by way of the REMOTE_USER HTTP header field.

  4. If the user is a valid PPM user, the standard interface and PPM Dashboard open.

Requirements for Implementing Web Remote Single Sign-On

To implement Web remote single sign-on, your system must meet the following requirements:

  • PPM must be set up with an external Microsoft IIS Web server. For information on how to do this, see Integrate an external web server with a PPM Server.

  • To ensure that you have the required access rights, make sure that the system user name you use to log on to PPM is the same as the account user name in Active Directory.

  • By default, logon credentials are not automatically passed from Web browsers other than Internet Explorer when connecting to IIS. If you want to use other browsers (such as Firefox and Chrome) to log on to PPM, configure the browser to automatically use Windows credentials to authenticate to PPM. For configuration details, see the browser's official help documentation.

Setting Up Web Remote Single Sign-On with PPM

To configure Web remote single sign-on with PPM:

  1. Integrate the external IIS Web server with the PPM Server(s).

    For information about how to integrate the external Web server with a PPM Server, see Integrate an external web server with a PPM Server.

  2. On the PPM Server, do the following:

    1. Stop the PPM Server.

    2. Open the server.conf file in a text editor, and then add to it the following:

      com.kintana.core.server.SINGLE_SIGN_ON_PLUGIN=com.kintana.sc.security.auth.WebRemoteUserSingleSignOn

      Note: For information on how to edit the server.conf file, see PPM Configuration parameters.

    3. Save and then close the server.conf file.

    4. Run the kUpdateHtml.sh script.

      Note: For information about the kUpdateHtml.sh script, see kUpdateHtml.sh.

    5. Disable Tomcat from authenticating the user. Otherwise, you will get the "No Access" error message when trying to access PPM.

      1. Open the following file in a text editor (for example, Notepad or vi):
        <PPM_Home>/conf/jboss/server.xsl

      2. Append tomcatAuthentication="false" to the end of the Connector protocol line.

        For example,

        <Connector enableLookups="false" redirectPort="8443" debug="0" protocol="AJP/1.3" tomcatAuthentication="false">

      3. In PPM Workbench, create a user account that matches the Windows user account and select NTLM as its authentication mode. Give it the proper access grants.

      4. In the server.conf file, for authentication_mode, add NTLM.

      5. Restart the PPM Server.

  3. On the IIS external Web server, do the following:

    1. From IIS Microsoft Management Console, select the default Web site.

    2. In the Home pane for the default Web site, scroll to the Security section, and then double-click Authentication.

    3. In the Authentication pane, right-click Anonymous Authentication and select Disable from the context menu.

    4. Stop, and then restart the IIS Windows service.

  4. Stop and restart the PPM Server.
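
After completing the procedure, the settings it touches in server.conf and server.xsl can be checked for consistency before users hit the "No Access" error. The following is an added example, not part of the PPM product or its documentation; it assumes server.conf holds key=value lines, that authentication_mode is a comma-separated list, and that Connector attributes are written inline as in the example line above. The sample inputs are constructed.

```python
import re

PLUGIN_KEY = "com.kintana.core.server.SINGLE_SIGN_ON_PLUGIN"
PLUGIN_VALUE = "com.kintana.sc.security.auth.WebRemoteUserSingleSignOn"

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params

def check_sso_config(server_conf, server_xsl):
    """Return a list of findings; an empty list means the settings agree."""
    findings = []
    params = parse_conf(server_conf)
    if params.get(PLUGIN_KEY) != PLUGIN_VALUE:
        findings.append("SINGLE_SIGN_ON_PLUGIN is missing or not WebRemoteUserSingleSignOn")
    # Assumption: the parameter name ends in authentication_mode (any case)
    # and its value is a comma-separated list.
    modes = [v for k, v in params.items()
             if k.rsplit(".", 1)[-1].lower() == "authentication_mode"]
    if not any("NTLM" in [m.strip().upper() for m in v.split(",")] for v in modes):
        findings.append("authentication_mode does not include NTLM")
    # Every AJP connector must carry tomcatAuthentication="false".
    ajp = [t for t in re.findall(r"<Connector\b[^>]*>", server_xsl)
           if re.search(r'protocol\s*=\s*"AJP/1\.3"', t)]
    if not ajp:
        findings.append("no AJP/1.3 Connector found in server.xsl")
    for tag in ajp:
        if not re.search(r'tomcatAuthentication\s*=\s*"false"', tag):
            findings.append("AJP Connector lacks tomcatAuthentication=\"false\": " + tag)
    return findings

# Constructed sample input (not taken from a real installation).
SAMPLE_CONF = """\
com.kintana.core.server.SINGLE_SIGN_ON_PLUGIN =com.kintana.sc.security.auth.WebRemoteUserSingleSignOn
com.kintana.core.server.authentication_mode=NTLM
"""
SAMPLE_XSL_BAD = '<Connector enableLookups="false" redirectPort="8443" debug="0" protocol="AJP/1.3">'
SAMPLE_XSL_OK = SAMPLE_XSL_BAD[:-1] + ' tomcatAuthentication="false">'

if __name__ == "__main__":
    for name, xsl in (("before", SAMPLE_XSL_BAD), ("after", SAMPLE_XSL_OK)):
        print(name, check_sso_config(SAMPLE_CONF, xsl))
```
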

For information on troubleshooting issues you may encounter with Web remote single sign-on, see Troubleshooting Your Single Sign-On Implementation.