Windows Authentication
Windows Authentication allows application users to log in to Campaign Manager automatically when they are already logged in with their Windows ID. Windows Authentication can only be used if HTTPS is used throughout the system; it is not suitable for HTTP implementations.
If Windows Authentication is required for use across multiple client databases, contact Support for information on how to configure the system.
Setting up Windows Authentication must be done within a secure environment.
Procedure
- In IIS, enable Windows Authentication for the auth subsite of the Alterian.Alchemy.Hosting webservice.
- In the IIS Authentication panel, open Providers and remove "Negotiate" entirely.
- Confirm that the authentication service is configured by exploring the auth subsite of the Alterian.Alchemy.Hosting website in Content View and browse the AlterianAuthentication.svc page.
You will not be challenged for a password, and the https://<website-url>/auth/AlterianAuthentication.svc page is displayed.
Note: Steps 2 and 3 are not required if the Configure NTLM Authentication check box is selected on the Assign URLs stage when installing Campaign Manager.
- Locate the following line in the Alterian.Alchemy.HostingSite web config file, and confirm the value is set to "true":
<add key="tryWindowsAuth" value="true" />
- Open the AuthenticationService.webconfig file and check if the following line exists:
<endpoint name="AuthApi_json_ntlm" address="jsonntlm" binding="webHttpBinding" bindingConfiguration="JSONP-https-ntlm" contract="SDL.AUTH.ApiLibrary.IAuthAPI" behaviorConfiguration="json-behaviour"/>
If the line does not exist, add it between the <service> and </service> element tags as follows:
<service behaviorConfiguration="ServiceCredentialBehavior" name="SDL.AUTH.ApiLibrary.AuthAPIService">
<endpoint name="AuthApi_httpscert" address="httpscert" binding="basicHttpBinding" bindingConfiguration="httpsiisBinding" contract="SDL.AUTH.ApiLibrary.IAuthAPI" behaviorConfiguration="SilverlightFaultBehavior" />
<endpoint name="AuthApi_json" address="json" binding="webHttpBinding" bindingConfiguration="JSONP-https" contract="SDL.AUTH.ApiLibrary.IAuthAPI" behaviorConfiguration="json-behaviour" />
<endpoint name="AuthApi_json_ntlm" address="jsonntlm" binding="webHttpBinding" bindingConfiguration="JSONP-https-ntlm" contract="SDL.AUTH.ApiLibrary.IAuthAPI" behaviorConfiguration="json-behaviour"/>
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
- When creating application Logons for a User Name, the Login Name must be entered as domain\windowsuserid. Select the Windows Authentication check box in the Manage logins dialogue to disable (grey out) the password box.
- If you need to switch existing Logins to Windows Authentication, you can edit them in the back end SQL tables (you cannot edit Login names with the Campaign Manager Admin UI).
Note: Take care when you edit back end SQL tables; this should only be done after consultation with the Administrator or DBA.
- Locate the entries for the logins in the [AlterianAuth].[Auth].[LoginIndex] table. Existing logins can be edited to be domain\windowsuserid, and the binary format password must be set to blank.
- To log into Campaign Manager automatically, add the Campaign Manager site to the Local Intranet list via IE Options > Security > Local Intranet.
- It is advisable to test your setup to ensure it works as expected.
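One way to check the two configuration-file settings from the procedure above before testing a login. This is an added example, not part of the product documentation: the function name Test-WindowsAuthConfig and the sample XML are constructed for illustration, and the check assumes the config files declare no default XML namespace.

```powershell
# Added example; function name and sample XML below are constructed.
function Test-WindowsAuthConfig {
    param(
        [Parameter(Mandatory)][xml]$HostingSiteConfig,  # Alterian.Alchemy.HostingSite web config
        [Parameter(Mandatory)][xml]$AuthServiceConfig   # AuthenticationService config
    )
    $findings = @()

    # <add key="tryWindowsAuth" value="true" /> must be present and set to true.
    $key = $HostingSiteConfig.SelectSingleNode("//add[@key='tryWindowsAuth']")
    if ($null -eq $key) {
        $findings += 'tryWindowsAuth key is missing'
    } elseif ($key.GetAttribute('value') -ne 'true') {
        $findings += "tryWindowsAuth is '$($key.GetAttribute('value'))', expected 'true'"
    }

    # The AuthApi_json_ntlm endpoint must sit inside the AuthAPIService <service> element.
    $svc = $AuthServiceConfig.SelectSingleNode("//service[@name='SDL.AUTH.ApiLibrary.AuthAPIService']")
    $ep = $null
    if ($null -ne $svc) { $ep = $svc.SelectSingleNode("endpoint[@name='AuthApi_json_ntlm']") }
    if ($null -eq $ep) {
        $findings += 'endpoint AuthApi_json_ntlm not found inside the AuthAPIService <service> element'
    } else {
        # Attribute values as given in the procedure.
        $expected = [ordered]@{
            address = 'jsonntlm'; binding = 'webHttpBinding'
            bindingConfiguration = 'JSONP-https-ntlm'
            contract = 'SDL.AUTH.ApiLibrary.IAuthAPI'
            behaviorConfiguration = 'json-behaviour'
        }
        foreach ($name in $expected.Keys) {
            $actual = $ep.GetAttribute($name)
            if ($actual -ne $expected[$name]) {
                $findings += "endpoint $name is '$actual', expected '$($expected[$name])'"
            }
        }
    }
    [pscustomobject]@{ Ok = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample input: key set to false, NTLM endpoint absent.
$site = '<configuration><appSettings><add key="tryWindowsAuth" value="false" /></appSettings></configuration>'
$auth = @'
<configuration><system.serviceModel><services>
  <service behaviorConfiguration="ServiceCredentialBehavior" name="SDL.AUTH.ApiLibrary.AuthAPIService">
    <endpoint name="AuthApi_json" address="json" binding="webHttpBinding" bindingConfiguration="JSONP-https" contract="SDL.AUTH.ApiLibrary.IAuthAPI" behaviorConfiguration="json-behaviour" />
  </service>
</services></system.serviceModel></configuration>
'@
(Test-WindowsAuthConfig -HostingSiteConfig $site -AuthServiceConfig $auth).Findings
```

To check real files, pass the output of `Get-Content -Raw <path-to-config>` for each parameter.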