HOW TO: Setup Windows Integrated Security - V4.0 or higher

Summary

RMTrack supports "single sign-on" access to RMTrack through the use of Windows Integrated Security.

There are several ways to configure authentication, and depending on your local network configuration some choices may be more appropriate than others. The steps outlined below are for a "typical" network, and may not be 100% appropriate for your environment. Please consult a qualified systems administrator or the RMTrack Support team to obtain a full range of available options.

Users who are not logged on to your network (domain) and attempt to access RMTrack will be presented with the standard browser login dialog box to get access to RMTrack.

Users who are logged on to your network (domain) and attempt to access RMTrack will have their Windows user matched with either the RMTrack User Id or the RMTrack Secondary User Id (see below). If RMTrack finds a matching user id, the user will be automatically logged into RMTrack as that user. If there is no match, they will be directed to a "Not Authorized" page.

USER IDS

When using Windows Integrated Security for single sign-on access, RMTrack continues to maintain an internal user table. The RMTrack UserId must match the Windows UserId. If your Windows user id is "mydomain\mywindowsid" then your RMTrack user id must be "mywindowsid".

Existing user ids may need to be renamed. Do this prior to implementing Windows Integrated Security.

Alternately, RMTrack can use a "Secondary User Id". This option can be turned on AFTER Windows Integrated Security is working (see below).
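
The matching rule above can be checked against an export of both user lists before authentication is switched, so that any renames happen first. This is an added example, not RMTrack code: the record layout, the case-insensitive comparison and the dropping of the domain prefix (as in the "mydomain\mywindowsid" example) are assumptions, and the sample accounts are constructed.

```python
# Added example, not RMTrack code. Assumptions: the domain prefix is dropped
# before matching and ids compare case-insensitively.
from collections import defaultdict


def short_id(windows_account):
    """'mydomain\\mywindowsid' -> 'mywindowsid', lower-cased for comparison."""
    return windows_account.rsplit("\\", 1)[-1].strip().lower()


def audit(rmtrack_users, windows_accounts, use_secondary=False):
    """Return (matched, not_authorized, unmatched_rmtrack, ambiguous)."""
    field = "secondary_id" if use_secondary else "user_id"
    owners_by_id = defaultdict(list)
    for user in rmtrack_users:
        key = (user.get(field) or "").strip().lower()
        if key:
            owners_by_id[key].append(user["user_id"])
    accounts_by_id = defaultdict(list)
    for account in windows_accounts:
        accounts_by_id[short_id(account)].append(account)

    matched, not_authorized, ambiguous = {}, [], {}
    for key, accounts in sorted(accounts_by_id.items()):
        owners = owners_by_id.get(key, [])
        if not owners:
            not_authorized.extend(accounts)   # would land on "Not Authorized"
        elif len(accounts) > 1 or len(owners) > 1:
            ambiguous[key] = (accounts, owners)  # one short id, several identities
        else:
            matched[accounts[0]] = owners[0]
    unmatched_rmtrack = sorted(
        owner for key, owners in owners_by_id.items()
        if key not in accounts_by_id for owner in owners)
    return matched, not_authorized, unmatched_rmtrack, ambiguous


# Constructed sample data (hypothetical users and domains).
RMTRACK = [
    {"user_id": "John Doe", "secondary_id": "5935jd"},
    {"user_id": "asmith", "secondary_id": ""},
    {"user_id": "jdoe", "secondary_id": None},
]
WINDOWS = ["MYDOMAIN\\5935jd", "MYDOMAIN\\ASmith", "MYDOMAIN\\jdoe", "OTHERDOMAIN\\jdoe"]

if __name__ == "__main__":
    labels = ("matched", "not authorized", "no Windows account", "ambiguous")
    for label, result in zip(labels, audit(RMTRACK, WINDOWS)):
        print(f"{label}: {result}")
```

The "ambiguous" bucket lists short ids shared by accounts in more than one domain; under the assumption that the domain prefix is ignored, those accounts would all resolve to the same RMTrack user and should be reviewed before the switch.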

SQL SERVER AUTHENTICATION ("FRONT TO BACK" OR "2-HOP" AUTHENTICATION)

This article does not address full front to back authentication, i.e. Windows Authentication for both the web server and the SQL Server. That type of authentication is possible but requires the assistance of qualified System Administrators and/or the RMTrack Support team.

This article assumes that the RMTrack database connection to the SQL Server uses SQL Server Authentication Mode.

STEPS TO ACTIVATE WINDOWS INTEGRATED SECURITY FOR RMTRACK

STEP 1: DATABASE SERVER CONNECTION

If you are already using SQL Server Authentication Mode for your connection to the RMTrack database you can skip these steps and proceed to STEP 2: INTERNET INFORMATION SERVICES (IIS) WEB SERVER AUTHENTICATION.

To check if you are using SQL Server authentication:

...On the web server:

  1. Locate the database connection file for RMTrack. Default location is: c:\Inetpub\wwwroot\RMT\DbConnection.udl
  2. Double-click this file to open.
  3. On the Connection tab, if the "Use a specific user name and password" option is active, you can skip to Step 2 Web Server.
  4. If the "Use Windows NT Integrated security" option is selected, continue...

...On the SQL Server:

  1. Make sure SQL Mode logins are allowed:
    1. Open SQL Server Management Studio and connect to your SQL Server
    2. Right-click on the Server and select Properties
    3. Switch to "Security" and make sure the Server Authentication setting is set to "SQL Server and Windows Authentication mode"
  2. Define a new SQL user id for RMTrack (e.g. RMTrackAppUser)
    1. Open SQL Server Management Studio and connect to your SQL Server
    2. Expand Server > Security > right-click Logins > New
    3. Provide a name (e.g. RMTrackAppUser)
    4. Set to SQL Server Authentication
    5. Enter password and confirmation
    6. Uncheck "Enforce password policy"
    7. Define Roles and Mapping
      1. If you are using the RMTrack Integrated Database Backup you must set the above user to sysadmin on the Server Roles page
      2. OR, if you do not use the RMTrack Integrated Database Backup you can instead go to the User Mapping page, select the RMTrack database, grant db_owner OR db_datareader, db_datawriter and db_ddladmin

...On the Web Server:

  1. Locate the DbConnection.udl file. Default location is: c:\Inetpub\wwwroot\RMT\DbConnection.udl
  2. Double-click it and change to the "Connection" tab
  3. Select the "Use a specific user name and password" option
  4. Specify the UserId/Password created in step 2 above
  5. Check the "Allow saving password" option
  6. Click "Test Connection" button to ensure the connection works
  7. Click OK to save the changes
  8. Verify that you can still access RMTrack.
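
The check under "To check if you are using SQL Server authentication", and the result of the web server changes above, can also be read from the DbConnection.udl file itself. This is an added example, not RMTrack code; it assumes the usual .udl layout and property values without embedded semicolons, and the server, database and password in the samples are constructed placeholders.

```python
# Added example, not RMTrack code: report how a .udl file authenticates.
# Assumes the usual layout ("[oledb]", a comment line, one OLE DB init string)
# and property values without embedded semicolons.
import codecs


def parse_udl(raw):
    """Return the init-string properties of a .udl file, keys lower-cased."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        text = raw.decode("utf-16")      # .udl files are normally saved as Unicode
    else:
        text = raw.decode("utf-8-sig")
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";[":
            continue                     # skip the "[oledb]" header and the comment
        for pair in line.split(";"):
            if "=" in pair:
                key, value = pair.split("=", 1)
                props[key.strip().lower()] = value.strip()
    return props


def auth_report(raw):
    """Classify the connection as 'windows', 'sql' or 'unknown'."""
    props = parse_udl(raw)
    integrated = props.get("integrated security", "").lower() in ("sspi", "true", "yes")
    # 'windows' = "Use Windows NT Integrated security",
    # 'sql'     = "Use a specific user name and password"
    mode = "windows" if integrated else "sql" if props.get("user id") else "unknown"
    return {"mode": mode, "user": props.get("user id"),
            "password_saved": bool(props.get("password")),
            "data_source": props.get("data source")}


# Constructed samples; server, database and password are placeholders.
HEADER = "[oledb]\r\n; Everything after this line is an OLE DB initstring\r\n"
SQL_AUTH = (HEADER + "Provider=SQLOLEDB.1;Password=example-only;"
            "Persist Security Info=True;User ID=RMTrackAppUser;"
            "Initial Catalog=RMTrack;Data Source=SQLHOST\r\n").encode("utf-16")
WIN_AUTH = (HEADER + "Provider=SQLOLEDB.1;Integrated Security=SSPI;"
            "Persist Security Info=False;Initial Catalog=RMTrack;"
            "Data Source=SQLHOST\r\n").encode("utf-16")

if __name__ == "__main__":
    for name, sample in (("SQL_AUTH", SQL_AUTH), ("WIN_AUTH", WIN_AUTH)):
        print(name, auth_report(sample))
```

A password_saved value of True means the "Allow saving password" option wrote the password into the file in clear text, so the file's NTFS permissions should be limited to the accounts that need to read it.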

STEP 2: INTERNET INFORMATION SERVICES (IIS) WEB SERVER AUTHENTICATION

In the RMTrack application, make sure that at least one of the Site Administrators has a user id that matches your (or someone's) Windows user id, preferably that of the user you are currently logged onto the web server as.

...for IIS 6 (Windows Server 2003)

  1. Locate the Web.config file. Default location is: c:\inetpub\wwwroot\rmt\web.config.
  2. Right click on the Web.config file and select "edit" to edit the file
  3. Change the line: <authentication mode="Forms"> TO <authentication mode="Windows">
  4. Save the Web.config file
  5. Start IIS Manager (Start > All Programs > Administrative Tools > Internet Information Services)
  6. Locate the RMTrack virtual directory (by default this is named RMT and located in the Default Website)
  7. Right click and select "Properties", switch to the "Directory Security" tab
  8. Click the "Edit" button in the Anonymous and Authentication control section to display the Authentication Methods dialog.
  9. Disable Anonymous Access, enable Integrated Windows Authentication (should be the only option checked)
  10. Click OK to close the Authentication Methods dialog
  11. Click OK to close the virtual directory Properties dialog
  12. Start a new browser and go to the RMTrack url
  13. If you are not logged in, or are prompted for user id and password, then "something" has gone wrong. Please note exactly what message/prompt was displayed and send it to support@rmtrack.com.

...for IIS 7 and 7.5 (Windows Server 2008 and 2008 R2)

IIS 7 does not come with the Windows Authentication "Role" active. You may need to install that role:

  1. Start Server Manager (Start > Administrative Tools > Server Manager)
  2. Expand Roles > Web Server
  3. In the left pane scroll down to Role Services > Security
  4. Windows Authentication must be "Installed", if it is not then install it (Add Role Services)
  5. Close Server Manager

After the Windows Authentication "Role" has been installed you then use the IIS Manager to enable Windows Authentication:

  1. Start IIS Manager (Start > All Programs > Administrative Tools > Internet Information Services)
  2. Expand the tree to the RMTrack web site: Server > Sites > Default Web Site > RMT
  3. In the right side pane, under IIS, right click Authentication and select Open Feature
  4. DISABLE Forms Authentication
  5. ENABLE Windows Authentication
  6. Close IIS Manager
  7. Start a new browser and go to the RMTrack url
  8. If you are not logged in, or are prompted for user id and password, then "something" has gone wrong. Please note exactly what message/prompt was displayed and send it to support@rmtrack.com.

STEP 3: SWITCH TO RMTRACK SECONDARY USER ID (OPTIONAL)

In some organizations it might be desirable to connect to RMTrack using "Secondary User Ids". These are useful when the Windows ids are meaningless, e.g. "5935jd" instead of "John Doe". To activate the Secondary User Id:

  1. Logon to RMTrack as a Site Administrator
  2. Go to: Administration > System > Site Options > Authentication Settings
  3. Check "Use Secondary User Id" and save the Site Option
  4. Go to: Administration > Users > Open your own user record
  5. Put your same user id into the Windows User Id field and save the user
  6. Logoff and close the browser
  7. Open a new browser and access RMTrack – you should be logged on as the same user. If this doesn’t happen then "something" has gone wrong. Please note exactly what message/prompt was displayed and send it to support@rmtrack.com.
  8. If you are logged on, go on to set all the Secondary User Ids to match your Windows user ids.

ASSISTANCE

We strongly recommend clients involve a qualified system administrator to make these configuration changes. We also recommend clients attempt these changes in a test environment first, to make certain everything will go smoothly. RMTrack support can be available for telephone support at the time when a client is making these changes (end of business day or a weekend is recommended so as not to impact active users).

Applies to

RMTrack Issue Tracking - v4.0 or higher

Keywords: Security, Active Directory, Windows Integrated Security