Integrated Authentication Setup and Implementation Considerations
Integrated Authentication Options
There are no settings in AppStudio that control Integrated Authentication. It is actually all done at the server level with IIS. There is only one setting on the application server that controls integrated authentication and one setting within the client file on the device.
To install Integrated Authentication for IIS 6:
A) First find your Virtual Directory:
B) Right click and select Properties, then go to the Directory Security tab:
C) Select Edit under Authentication and Access control. Deselect Enable anonymous access and check Integrated Windows authentication:
To install Integrated Authentication for IIS 7:
For customers running newer servers, be aware that Integrated Authentication is a “feature” in Windows Server 2008 and Windows 7. It must be installed first and then enabled in IIS.
A) On your computer, select Control Panel -> Programs and Features -> Turn Windows Features on or off:
B) In the Server Manager window that opens, highlight Web Server IIS in the left pane and then select Add Role Services.
Scroll down and check Basic Authentication and Windows Authentication, then select Next to Install:
This will take approximately 10 minutes to install.
Once finished, open IIS 7 and highlight the Verivo Virtual Directory then select the Authentication icon:
You now have the option to enable Windows (Integrated) or Basic Authentication for your site. If you enable either of these, you’ll need to turn off Anonymous Authentication. Most customers’ web hosting teams will recommend the following settings for the Verivo site:
Integrated Authentication on the Device
Once you have configured your application server for integrated authentication, you will need to configure your device. This is done by changing your device's authentication type in the client file.
On an Android, iPhone, or iPad, you can do this by going into Settings, finding the application, and then switching the authentication type to either Integrated or MDS Assisted. On a BlackBerry, you can access these settings from the login screen by opening the menu, choosing “Options”, and then changing your authentication type on that screen (see below):
Active Directory authentication through our dynamic plug-in and plug-in scripting
You can authenticate directly against your Active Directory account using our dynamic plug-in and plug-in scripting. Plug-in scripting is a set of files that rely on Python scripting and can manipulate a plug-in’s requests and responses. In this case you would use Python to define your Active Directory parameters.
Instructions on how to set this up can be found in our video on how to authenticate against Active Directory using plug-in scripting: http://support.verivo.com/entries/21189727-echelon-active-directory-plugin
Should you be interested, you can submit a support ticket to obtain the necessary DLLs and a sample Python script to implement this.
Basic Auth and SSL
Your other option is to use Basic Authentication with the option of enabling SSL (which also means setting up a certificate on the application server). Basic Authentication will authenticate against your Active Directory. However, the only difference between this and Integrated Authentication is that Basic will send the password in clear text (not encrypted). That is why we also recommend that, should you choose this option, you enable SSL at the application server level as well.
To enable Basic Authentication, follow the same steps as for Integrated Authentication, but uncheck Enable Anonymous Access and check Basic Authentication.
Similarly, you will have to change the authentication type on the device to Basic, as discussed above.
Setting up SSL is outside of our software, so we do not have any documentation on it, but you will be able to find this information on Google, as many sites will walk you through obtaining a certificate and setting it up for a website/URL.
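A way to check the recommendation above on the server: the following added example (not Verivo code) reads IIS 7 `<location>` blocks in the applicationHost.config layout and flags any site where Basic Authentication is enabled without SSL being required, or where Anonymous Authentication was left on. The site paths in the sample are constructed, and as a simplification a missing element is treated as the IIS schema default rather than resolved through inheritance.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the applicationHost.config layout; the site paths are made up.
SAMPLE_CONFIG = """<configuration>
  <location path="Default Web Site/Verivo"><system.webServer><security>
    <access sslFlags="None" />
    <authentication>
      <anonymousAuthentication enabled="false" />
      <basicAuthentication enabled="true" />
    </authentication>
  </security></system.webServer></location>
  <location path="Default Web Site/VerivoSSL"><system.webServer><security>
    <access sslFlags="Ssl, Ssl128" />
    <authentication>
      <anonymousAuthentication enabled="false" />
      <basicAuthentication enabled="true" />
    </authentication>
  </security></system.webServer></location>
  <location path="Default Web Site/VerivoTest"><system.webServer><security>
    <authentication>
      <anonymousAuthentication enabled="true" />
      <windowsAuthentication enabled="true" />
    </authentication>
  </security></system.webServer></location>
</configuration>"""

# Assumption: schema defaults stand in for elements a <location> block omits.
DEFAULTS = {"anonymousAuthentication": True, "basicAuthentication": False,
            "windowsAuthentication": False}

def audit_locations(config_xml):
    """Return {location path: [findings]} for every <location> block."""
    report = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        enabled = {}
        for tag, default in DEFAULTS.items():
            node = next(loc.iter(tag), None)
            enabled[tag] = default if node is None else node.get("enabled", "").lower() == "true"
        anon, basic, windows = (enabled[tag] for tag in DEFAULTS)
        access = next(loc.iter("access"), None)
        raw_flags = access.get("sslFlags", "") if access is not None else ""
        flags = {flag.strip() for flag in raw_flags.split(",")}
        findings = []
        if basic and "Ssl" not in flags:
            findings.append("basic-without-ssl")  # password would travel unencrypted
        if anon and (basic or windows):
            findings.append("anonymous-still-enabled")
        report[loc.get("path")] = findings
    return report
```
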
When is Integrated Authentication not an Option?
Unfortunately, there is an issue right now regarding how MDS caches users’ credentials that is causing this (VS-30571) error with Integrated Auth on BlackBerry devices. We have logged this under 33046 and it has been slated for a future release. This only occurs on BES 5.0.1 and higher; if you are on BES 4.0 you will not experience any issues with MDS caching users’ credentials.
Considerations and Known Issues
1) iOS 5 has an issue with OTA download links protected with Integrated/Windows/NTLM authentication. Basic authentication works fine in iOS 5 and it seems Windows/NTLM works fine in iOS 4.x.
2) In order to make integrated authentication work via the Blackberry Simulator, you need to modify the MdsLogin.conf file in the MDS\config folder (the same place that rimpublic.property is). You need to change all of the company.com references to be your domain (example: pyxisit.com or whatever NTLM/Integrated domain you need to be running against).
3) It is important to note that there is a difference between BES 4.x (which the MDS simulator replicates) and BES 5.x.
BES 4.x will automatically do NTLM Assisted auth with your Active Directory credentials, with the user name of "myusername" and your AD password.
BES 5.x will automatically do NTLM Assisted auth with your Active Directory credentials, with the user name of "DOMAIN\myusername".
This means that you need to have the appropriate user in the tmpcfg_User table or in the user section of AppStudio (and the relevant Python scripts if needed).
4) There is an issue with using IIS 7.5 and Integrated Auth. Login will fail due to a compatibility issue. The only workaround at this time is to use Basic Authentication. The exact defect number is 27062 and is targeted for a future release.
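Item 3 above means the same account can arrive as "myusername" (BES 4.x) or "DOMAIN\myusername" (BES 5.x). The following added example (not Verivo's plug-in API) shows one way a Python script could match either form against a stored user list while refusing a login from a different domain. The function names, the `CORP` domain and the user list are constructed for illustration.

```python
# Constructed stand-in for stored user names; one row per form.
USER_TABLE = ["CORP\\jsmith", "mlee"]

def split_login(login):
    """Split 'DOMAIN\\user' or 'user' into (DOMAIN or None, user).

    Both parts are case-folded because Active Directory account names
    are not case-sensitive.
    """
    login = login.strip()
    domain, sep, user = login.partition("\\")
    if not sep:
        if not login:
            raise ValueError("empty login")
        return None, login.lower()
    if not domain or not user or "\\" in user:
        raise ValueError("malformed login: %r" % login)
    return domain.upper(), user.lower()

def find_user(login, user_table, expected_domain):
    """Return the stored row matching the login, or None.

    A bare name (BES 4.x form) is assumed to belong to expected_domain.
    A qualified name (BES 5.x form) must carry expected_domain, so
    'OTHER\\mlee' never matches the local 'mlee'.
    """
    expected = expected_domain.upper()
    domain, user = split_login(login)
    if domain is not None and domain != expected:
        return None
    for row in user_table:
        row_domain, row_user = split_login(row)
        if row_user == user and row_domain in (None, expected):
            return row
    return None
```
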