Authentication Type NTLM

With authentication type NTLM, web server functionality can be used to provide Single Sign-On. For example, in Windows networks that use Microsoft Internet Information Server (IIS) and Internet Explorer (IE), the user login is checked against Microsoft Active Directory automatically and implicitly. After logging in to the computer at the start of the working day, the user does not need to log in again to use WebOffice 10.9 R4.

 

Recommended scenarios for this authentication type are:

Single sign-on scenarios, e.g. in homogeneous Microsoft Windows networks.

 

Note: The authentication type NTLM does not use the WebOffice login dialog for authentication. Users and passwords are managed in the WebOffice UM Repository.

A general comparison of the common authentication methods in WebOffice 10.9 R4 can be found in chapter Overview of authentication methods.

 

Authentication type NTLM configuration

 

Property: Use domain?

Description: Specifies whether the authentication module takes the domain string into account (true) or not (false) when logging in. A login (username) with a domain string is e.g. VIENNA\Novak or VIENNA/Novak:

true: VIENNA\Novak or VIENNA/Novak will be used

false: Novak will be used

Note: If the domain string is used (true), the user login names in the user management database must be saved with the domain strings included!

Property: Use user roles only?

Description: Use role-based information from the authentication system. Storage and maintenance of user objects in the user management database is then not necessary.

Property: Use fallback authentication type UM-DB

Description: The authentication type user management is activated as a fallback if the NTLM login fails (true), or is not activated as a fallback (false).

Note: If NTLM is used, the authentication is done, for example, through the Tomcat Connector (Windows Authentication). Therefore requests to WebOffice will not be redirected if the authentication fails. To use the function described above, the application has to be accessed through the Tomcat application directly (e.g. port 8080, IIS ARR redirection to Tomcat). The fallback is executed if no NTLM header is delivered (unauthenticated access).

 

Note: You also need to configure the user logins in the WebOffice user management rights repository. The password specified there will not be used by the application.

Apache Tomcat Configuration for NTLM

You need to change the Tomcat configuration in order to use NTLM with IIS, Tomcat redirector (ISAPI filter) and Tomcat:

Open the file C:\Tomcat\conf\server.xml with an XML or text editor. Check the value of the tomcatAuthentication property and set it to false if necessary. Restart the Tomcat service if you had to change the file.

 

Set tomcatAuthentication="false" in the Server.xml
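
The check described above can also be scripted. The following Python script is an added example, not part of the WebOffice documentation: it lists every AJP connector in a server.xml and reports whether tomcatAuthentication is set to false. The sample XML, the function names and the script name check_ajp.py are constructed for illustration; a missing attribute is treated as Tomcat's default, true.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample server.xml (illustrative, not from the WebOffice documentation).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               tomcatAuthentication="false" />
    <Connector port="8010" protocol="org.apache.coyote.ajp.AjpNioProtocol" />
  </Service>
</Server>
"""

def audit_ajp_connectors(server_xml_text):
    """Return one finding per AJP connector found in the server.xml text."""
    root = ET.fromstring(server_xml_text)
    findings = []
    for conn in root.iter("Connector"):
        # Connectors without a protocol attribute are HTTP/1.1, not AJP.
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        # Missing attribute = Tomcat default (true): Tomcat authenticates itself
        # and does not use the principal propagated from the web server.
        value = conn.get("tomcatAuthentication", "true").strip().lower()
        findings.append({
            "port": conn.get("port"),
            "tomcat_authentication": value,
            "ready_for_ntlm": value == "false",
            # With "false" Tomcat trusts the user sent over AJP: review the address.
            "address": conn.get("address"),
        })
    return findings

def ports_needing_change(findings):
    """Ports of AJP connectors where tomcatAuthentication is not yet false."""
    return [f["port"] for f in findings if not f["ready_for_ntlm"]]

if __name__ == "__main__":
    # Usage: python check_ajp.py C:\Tomcat\conf\server.xml  (no argument: sample)
    text = SAMPLE_SERVER_XML
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            text = fh.read()
    for f in audit_ajp_connectors(text):
        status = "OK" if f["ready_for_ntlm"] else "set tomcatAuthentication to false"
        print(f"AJP port {f['port']} (address={f['address']}): {status}")
```
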

IIS Configuration for NTLM

If you use Microsoft IIS and the ISAPI redirector to serve your WebOffice 10.9 R4 web application on port 80, you have to enable Windows Authentication for the virtual directory Jakarta and disable Anonymous Authentication. With this setting, the user is authenticated to the web server by NTLM. If the IIS is inside the same domain as the client, it takes the user credentials automatically, which means that the user does not have to log on explicitly.

 

Authentication of Jakarta directory in MS IIS manager

 

Note: If all previous settings have been configured but NTLM authentication still does not work, please check whether changing the order of the Windows authentication providers solves the problem.

 

Changing the order of the windows authentication providers in IIS Manager

 

The administrator must set up a virtual directory that maps the configured WebOffice output URL to the physical path of the WebOffice output directory (C:\Tomcat\webapps\<WebOffice application>\output). It must be possible to access files in this virtual directory using anonymous HTTP. Detailed information about the configuration of the WebOffice output URL can be found in chapter WebOffice.

 

See also chapter Printing for an explanation of the interaction between the WebOffice 10.9 R4 Application Server and ArcGIS Server.

 

Add virtual directory in MS IIS manager

 

WebOffice output URL configuration
