Like Novell Access Manager, Windows Authentication provides Windows users with a single sign-on experience, enabling users to automatically authenticate to Vibe after they log in to their individual workstations. Internet Information Services (IIS) provides this capability.
Before you implement Windows Authentication, consider the following limitations:
IIS is best suited for an intranet environment. Because NTLM is a connection-based protocol, it does not work well with HTTP proxy servers.
IIS does not support Guest Access.
After you configure the Vibe server to support Windows Authentication, complete the planning process for additional Advanced installation features as needed, then perform the Advanced installation as described in Section 16.0, Performing an Advanced Vibe Installation.
Windows Authentication with IIS can be enabled for Vibe only in the following environments:
Windows 2008 Server
Windows 2008 R2 Server
IIS 7 with IIS Manager with CGI and ISAPI components
IIS 7.5 with IIS Manager with CGI and ISAPI components
One of the following authentication protocols:
NTLM
Kerberos v5
Negotiate/SPNEGO (wrapper for NTLM and Kerberos v5)
Active Directory Service
Vibe needs to be configured and synchronized with your Active Directory directory service. For more information about configuring LDAP synchronization within Vibe, see Gathering Directory Services Information and Synchronizing Users and Groups from an LDAP Directory
in the OpenText Vibe 4.0.8 Administration Guide.
If you are using Kerberos as your authentication protocol, then Key Distribution Services is also required.
For more information about installing and configuring the domain controller and other domain services to support Windows Authentication, refer to the appropriate Microsoft documentation.
One of the following clients:
Windows 7
Windows XP
One of the following browsers, configured to support Windows Authentication:
Internet Explorer
Firefox
For information on how to configure your browser to support Windows Authentication, see Configuring Your Browser to Allow Access to the Vibe Site.
Use the information in the following table as you consider your IIS installation.
Directory: The default installation directory for the IIS plug-in is C:\Program Files\Novell. This is the recommended directory. If for some reason you choose to install the IIS plug-in in a directory other than the C:\Program Files\Novell directory, you need to modify the isapi_redirect.properties files, as described in Installing the Vibe IIS Plug-In. |
External or Local Server: You can install the IIS plug-in on the same server where you are running Vibe, or you can install it on an external server. Installing IIS on an external server can have the following benefits:
If you are running IIS from an external server, you need to edit the C:\Program Files\Novell\Vibe IIS Plugin\conf\workers.properties file, as described in Installing the Vibe IIS Plug-In. |
64-bit/32-bit: You can install the IIS plug-in on a 64-bit or 32-bit operating system. However, Vibe should run on a 64-bit operating system; therefore, if you install IIS on a 32-bit operating system, you should use an external server. |
HTTP Ports: Regardless of whether IIS and Vibe are located on the same server or separate servers, the HTTP port and secure HTTP port for Vibe should always be 80 and 443. This ensures that when links are generated, they contain the correct hostname and port number. These are the ports that Vibe uses to refer to the browser. In a very basic Vibe system (single server without Windows Authentication), the HTTP ports can be the same as the listen ports. However, in a Vibe system with Windows Authentication enabled, the HTTP ports correspond with the ports that the IIS server is configured to use. |
Listen Ports: If you plan to run IIS on the same server as the Vibe server, you need to set the listen port and secure listen port for Vibe to something other than 80 and 443. By default, Vibe listens on ports 80 and 443. Because IIS also uses these ports to listen on, you must reconfigure the Vibe listen ports to ports that are not currently in use, such as 8080 for the listen port and 8443 for the secure listen port. You configure Vibe ports during the Vibe installation, as described in Section 16.0, Performing an Advanced Vibe Installation. |
ADVANCED VIBE INSTALLATION SUMMARY SHEET |
---|
Under Network Information, specify the HTTP ports and listen ports. |
Under Integration with IIS for Windows Authentication, select Enable Integration with IIS for Windows Authentication, then list the logout URL. |
To configure the Vibe server to support Windows Authentication, you must first configure IIS. You can set up IIS on the same server where Vibe is running, or on a separate server. See Planning Your IIS Installation and Configuration for more information.
Complete the instructions in the following sections to ensure that IIS is configured correctly to work with Vibe.
Locate the teaming-version-iis-plugin.zip file from the Vibe distribution, then unzip it into the C:\Program Files\Novell directory.
This creates a directory called Vibe IIS Plugin.
If in Step 1 you chose to unzip the teaming-version-iis-plugin.zip file into the C:\Program Files\Novell directory, continue with Step 3.
or
If in Step 1 you chose to unzip the teaming-version-iis-plugin.zip file into a location other than C:\Program Files\Novell, you must complete the following steps:
Locate the isapi_redirect.properties file in each of the following directories:
Vibe IIS Plugin\resources1\bin
Vibe IIS Plugin\resources2\bin
In each of the directories, open the isapi_redirect.properties file in a text editor.
Adjust the values of the log_file, worker_file and worker_mount_file properties to reflect the directory where you chose to unzip the teaming-version-iis-plugin.zip file.
Save your changes and close both of the isapi_redirect.properties files.
If IIS and the Vibe server are located on the same server, continue with Step 4.
or
If IIS and the Vibe server are located on separate servers, complete the following steps:
Locate the C:\Program Files\Novell\Vibe IIS Plugin\conf\workers.properties file.
Open the workers.properties file in a text editor.
Adjust the value of the worker.worker1.host property from localhost to the hostname or IP address of the Vibe server.
Save your changes and close the editor.
(Conditional) If you are running IIS on a 64-bit server, complete the following steps:
Locate the C:\Program Files\Novell\Vibe IIS Plugin\library\win64 directory.
Copy the appropriate version of the .dll library and paste it into each of the following directories:
C:\Program Files\Novell\Vibe IIS Plugin\resources1\bin
C:\Program Files\Novell\Vibe IIS Plugin\resources2\bin
Ensure that you copy the correct version of the .dll library. If you copy the incorrect version, you receive a 500 error when you try to access the Vibe site.
Delete the existing isapi_redirect.dll files from the C:\Program Files\Novell\Vibe IIS Plugin\resources1\bin directory, as well as from the C:\Program Files\Novell\Vibe IIS Plugin\resources2\bin directory.
Rename the .dll library files that you copied in Step 4.b to isapi_redirect.dll.
For example, if Vibe is running on an AMD64/EM64T platform, copy C:\Program Files\Novell\Vibe IIS Plugin\library\win64\amd64\isapi_redirect-version.dll into the C:\Program Files\Novell\Vibe IIS Plugin\resources1\bin and C:\Program Files\Novell\Vibe IIS Plugin\resources2\bin directories, then delete the original isapi_redirect.dll file and rename isapi_redirect-version.dll to isapi_redirect.dll.
Install the ISAPI and CGI components:
Launch the Web Platform Installer.
Search for isapi.
Add both the extensions and filters.
If the Windows Authentication Role Service is not already installed, use the Add Roles and Features Wizard to add "Windows Authentication" to IIS/Web Server/Security.
Internet Information Services (IIS) Manager is used to complete the integration.
Click Start > Administrative Tools > Internet Information Services (IIS) Manager.
In the Connections pane on the left side of the window, expand your server, then expand Sites.
Right-click Default Web Site, then click Add Virtual Directory.
The Add Virtual Directory dialog box is displayed.
In the dialog box, specify the following information:
Alias: VibeResources1
Physical path: C:\Program Files\Novell\Vibe IIS Plugin\resources1\bin
Click OK.
Repeat Step 3 through Step 5 to add another virtual directory.
This time, specify the following information in the Add Virtual Directory dialog box:
Alias: VibeResources2
Physical path: C:\Program Files\Novell\Vibe IIS Plugin\resources2\bin
In the Connections panel, select VibeResources1, then double-click Handler Mappings.
In the Actions pane, click Edit Feature Permissions.
The Edit Feature Permissions dialog box is displayed.
Select Execute, then click OK.
Repeat Step 7 through Step 9 for the VibeResources2 virtual directory.
In the Connections pane, select Default Web Site, then double-click ISAPI Filters.
In the Actions panel, click Add.
The Add ISAPI Filter dialog box is displayed.
In the dialog box, specify the following information:
Filter name: VibeResources1
You must name the filter VibeResources1 for Windows Authentication to work successfully.
Executable: C:\Program Files\Novell\Vibe IIS Plugin\resources1\bin\isapi_redirect.dll
Click OK.
Repeat Step 12 through Step 14 to add another ISAPI filter.
This time, specify the following information in the Add ISAPI Filter dialog box:
Filter name: VibeResources2
You must name the filter VibeResources2 in order for Windows Authentication to work successfully.
Executable: C:\Program Files\Novell\Vibe IIS Plugin\resources2\bin\isapi_redirect.dll
In the Connections pane, select the server, then double-click ISAPI and CGI Restrictions.
In the Actions pane, click Add.
The Add ISAPI or CGI Restriction dialog box is displayed.
In the dialog box, specify the following information:
ISAPI or CGI path: Specify C:\Program Files\Novell\Vibe IIS Plugin\resources1\bin\isapi_redirect.dll
Description: VibeResources1
Allow extension path to execute: Select this option to allow the path to execute.
In the Actions pane, click Add.
The Add ISAPI or CGI Restriction dialog box is displayed.
In the dialog box, specify the following information:
ISAPI or CGI path: Specify C:\Program Files\Novell\Vibe IIS Plugin\resources2\bin\isapi_redirect.dll
Description: VibeResources2
Allow extension path to execute: Select this option to allow the path to execute.
In the Connections pane, select VibeResources1, then double-click Authentication.
Select Anonymous Authentication, then click Disable in the Actions panel.
Select Windows Authentication, then click Enable in the Actions panel.
Exit the Internet Information Services Manager.
Perform the Advanced installation as described in Section 16.0, Performing an Advanced Vibe Installation.
See Choosing Windows Authentication for information about how to configure the Vibe installation program to support Windows Authentication, then follow the instructions for the advanced installation as described in Section 16.0, Performing an Advanced Vibe Installation.
Return here and continue with Configuring Your Browser to Allow Access to the Vibe Site.
After Windows Authentication has been enabled on the server, you need to configure the client browser to allow access to the Vibe site.
In an Internet Explorer window, click Tools > Internet Options.
The Internet Options dialog box is displayed.
Click the Security tab, select Local intranet, then click Sites.
The Local Intranet dialog box is displayed.
Click Advanced.
In the Add this website to the zone field, specify the Vibe website.
Click Add > Close.
In Firefox, specify about:config in the URL field.
Specify ntlm in the Filter window, then locate and select the network.automatic-ntlm-auth.trusted-uris entry.
The Enter String Value dialog box is displayed.
Specify the DNS name of your Vibe site, then click OK.
For example, vibe.mycompany.com.
Repeat Step 2 through Step 3 for network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris.
After Windows Authentication is working on your Vibe server, you can bypass the Windows Authentication functionality by including the Vibe listening port in the Vibe URL.
You need to do this in order to configure your LDAP directory.
In a web browser, specify your Vibe URL with the Vibe listening port.
For example, http://vibe:8080.
The Vibe login page is displayed.
Log in to the Vibe site as the Vibe administrator.
Configure LDAP, as described in Adding Vibe Users from Your LDAP Directory.
You might also need to bypass Windows Authentication to access Vibe for the following reasons:
To access a specific Vibe node in a clustered environment
To troubleshoot the Vibe system
After you have performed the configuration steps described in Configuring the Vibe Server to Support Windows Authentication through Configuring Your Browser to Allow Access to the Vibe Site, users can access the Vibe site through Windows Authentication. Users who have been configured through LDAP and are already logged in to their individual workstations do not need to log in again to access the Vibe site. Users who are not already logged in before they access Vibe see the following dialog box:
By default, when you edit a file in Vibe through WebDAV, you are prompted for your system login credentials before you can edit the file. However, when Windows Authentication is enabled on your Vibe server, you are no longer prompted for your system login credentials before you edit a file through WebDAV.
This functionality is supported only when you use Microsoft Office as your default document editor. When you use LibreOffice as your default document editor, Vibe allows you to edit files through WebDAV, but it still requires you to enter your system login credentials. The single sign-on experience is only available when you use Microsoft Office.
If you are using a version of LibreOffice that requires basic authentication (it does not support Windows Authentication), you need to configure your IIS server to support basic authentication. Supporting basic authentication enables Vibe users to edit files through WebDAV when using a document editor other than Microsoft Office.
NOTE:If you enable basic authentication on your IIS server, all users who access the Vibe site through Firefox are prompted for their login credentials. Single sign-on to the Vibe server no longer functions. However, users who access the Vibe site using Internet Explorer retain the single sign-on experience.
To enable basic authentication on your IIS server, you need to install the Basic Authentication Role Service.
On the Windows 2008 server, click Start > Administrative Tools > Server Manager.
Expand Roles, then right-click Web Server (IIS).
Click Add Role Services.
The Add Role Services window is displayed.
Scroll to the Security section, then select Basic Authentication.
Click Next, then complete the installation.
Click Start > Administrative Tools > Internet Information Services (IIS) Manager.
In the Connections pane on the left side of the window, expand your server, expand Sites, then expand Default Web Site.
Select VibeResources1, then double-click Authentication.
Select Basic Authentication, then click Enable in the Actions panel.
Close the Internet Information Services (IIS) Manager.
By default, IIS might not allow you to upload large files to the Vibe site. This is caused by timeout restrictions as well as maximum upload size restrictions.
For information about how to configure IIS to allow you to upload large files, see article 925083 in the Microsoft Support Knowledgebase.
If you have Vibe installed in a clustered environment where there are multiple Vibe nodes, you can configure IIS to balance the load of user requests from the multiple Vibe nodes, while still supporting Windows Authentication.
On the IIS server, locate the C:\Program Files\Novell\Vibe IIS Plugin\conf\workers.properties.clustered.template file, then open the file in a text editor.
Copy the contents of the file.
Locate the C:\Program Files\Novell\Vibe IIS Plugin\conf\workers.properties file, then open the file in a text editor.
Paste the contents of the C:\Program Files\Novell\Vibe IIS Plugin\conf\workers.properties.clustered.template file that you copied in Step 2 and into the C:\Program Files\Novell\Vibe IIS Plugin\conf\workers.properties file, overwriting the content that was previously there.
Replace the value of worker.worker1.host from first_hostname_or_ip with the hostname or IP address of your first Vibe node.
Repeat Step 5 for each additional Vibe node that is running in your environment. If you have more than two Vibe nodes, you should add an additional section to the workers.properties file for each additional node.
The values that you specify in the workers.properties file (for example, worker1, worker2, etc.) must exactly match the values that you specify as the JVM Route setting during the Vibe installation, as described in Installing the Vibe Software on Multiple Servers.
Locate the C:\Program Files\Novell\Vibe IIS Plugin\resources1\conf\uriworkermap.properties file, then open the file in a text editor.
Replace all instances of worker1 with balancer.
Locate the C:\Program Files\Novell\Vibe IIS Plugin\resources2\conf\uriworkermap.properties file, then open the file in a text editor.
Replace all instances of worker1 with balancer.
Restart each Vibe node.
Restart the IIS server:
Click Start > Administrative Tools > Internet Information Services (IIS) Manager.
Select your server in the Connections panel, then click Restart in the Actions panel.