HOW TO: Setup Windows Integrated Security - v3.2 or lower
Summary
RMTrack supports "single signon" through the use of Windows Integrated Security. There are several ways to configure Integrated Security and depending on your local network configuration some choices may be more appropriate than others. The steps outlined below are for a "typical" network, and may not be 100% appropriate for your environment. Please consult a qualified systems administrator to obtain a full range of available options.
Notes
All users should be part of your local network and signed on to your Windows Domain (essentially logged on to the PC with a domain account). Users who are not logged on to the domain will be presented with a standard IE login dialog box. If you have a large number of users who access the application from the internet you may want to reconsider using this option.
The database connection settings used by RMTrack may need to be adjusted. If the SQL Security mode "Windows Integrated Security" was chosen on the database connection options panel when RMTrack was installed, then you will likely want to change how the application connects to the database.
The core of the issue is that when the web server (IIS) operates in "Integrated Security Mode" and a request for a web page arrives, IIS will impersonate that user (ie. the underlying operating system process will "take on" the identity, or Windows User Id, of the user making the request). When "Integrated Security" is also used to connect to SQL Server, SQL Server will look at the connecting process's identity (ie. that Windows user id) and use it to grant or deny access.
This can result in a "2 hop" authentication... once to the web server and once to the database server (but only if these are separate machines; if the database server and the web server are the same physical machine then this does not apply). In order to allow a "2 hop" authentication your Domain Controller must be configured to use Kerberos authentication (before Windows 2003 this was fairly challenging to get set up).
Even with "2 hop" authentication set up and working (or if the database server and web server are on the same machine) you will then need to grant the individual users login rights to SQL Server and Database Reader/Database Writer rights to the RMTrack database. Usually this is done through a Windows Group instead of individually. Also, RMTrack Site Administrators need to belong to the SQL Server sysadmin fixed server role.
All in all using Integrated Security from "front to back" requires the most planning and effort to setup. However it also represents the "best" security (but it really does require knowledgeable systems admin people to pull it off).
The simplest approach to all this is to _not_ use SQL "Integrated Security" for authorizing access to SQL Server. By doing that, the impersonation logic only affects the web server... all requests to the database server will use an SQL Server Login and not a Windows Login. Much simpler to configure and not that much less secure.
This KB article does not address "front to back" style of Windows Integrated Security. Please consult a qualified systems administrator for assistance with this option.
RMTrack continues to maintain a user table. The RMTrack UserId must match the Windows UserId. If your Windows user id is "mydomain\mywindowsid" then your RMTrack user id must be "mywindowsid" (the domain name is automatically removed). Existing user ids may need to be renamed, and support@rmtrack can provide a simple SQL script to help with this.
Steps
1. On the Database Server:
   a. Make sure SQL Server authentication (mixed mode) logins are allowed
   b. Define a new user id for RMTrack (eg. RMTrackAppUser)
   c. Add the sysadmin fixed server role to the new user
2. On the Web Server:
   a. Locate the DbConnection.udl file (c:\inetpub\wwwroot\rmt by default)
   b. Double click it, change to the "Connection" tab
   c. Select the "Use a specific user name and password" option
   d. Specify the UserId/Password created in step 1b above
   e. Check the "Allow saving password" option
   f. Click the "Test Connection" button to ensure the connection works
   g. Click OK to save the changes
   h. Verify that RMTrack is still working (if Test Connection worked then RMTrack should too... but let's make sure)
   i. Log in to RMTrack as a Site Administrator
   j. Enable the Windows Authentication Site Option, using the "Request" sub-option.
   k. Keep this browser window open... do all subsequent tests using a new browser window. If the subsequent tests fail you can use this window to switch back to using just RMTrack for authentication.
   l. Start IIS Manager (Start->All Programs->Control Panel->Administrative Tools->Internet Information Services)
   m. Locate the RMTrack virtual directory (by default this is named RMT and located in the Default Website)
   n. Right click and select "Properties", switch to the "Directory Security" tab
   o. Click the "Edit" button in the Anonymous and Authentication control section to display the Authentication Methods dialog.
   p. Disable Anonymous Access and enable Integrated Windows Authentication (it should be the only option checked)
   q. Click OK to close the Authentication Methods dialog
   r. Click OK to close the virtual directory Properties dialog
   s. Start a new browser and go to the RMTrack url (note: if you invoke the Login.asp url you will be presented with the login page; use Default.asp instead, for example: http://localhost/RMT/Default.asp)
   t. If you are not logged in, or are prompted for user id and password, then "something" has gone wrong. Please note exactly what message/prompt was displayed and send it to support@rmtrack. Switch to the IE window you left open in step 2k and change the security option back to just plain RMTrack.
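The following is an added example, not RMTrack's own code, that ties together the two points above: the DbConnection.udl edit on the Web Server (a SQL Server login with "Allow saving password", rather than Integrated Security) and the note that RMTrack drops the domain from the Windows user id. It reads a .udl file, reports which identity SQL Server will see for that connection string (and therefore whether the "2 hop" problem applies), and maps the LOGON_USER value IIS reports to the RMTrack user id. The two UDL bodies, the server name DBSERVER, the catalog name and the password are constructed sample values; treating an empty LOGON_USER as a sign that Anonymous Access is still enabled is this example's own check.

```python
"""Added example (not RMTrack's code): inspect DbConnection.udl and map a Windows logon."""
import codecs
import os
import tempfile

# A .udl file is a small text file: "[oledb]", a comment line, then the OLE DB
# connection string.  Windows writes it as UTF-16 LE with a BOM.  Both samples
# below are constructed for this example.
UDL_INTEGRATED = (
    "[oledb]\r\n"
    "; Everything after this line is an OLE DB initstring\r\n"
    "Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;"
    "Initial Catalog=RMTrack;Data Source=DBSERVER\r\n"
)
UDL_SQL_LOGIN = (
    "[oledb]\r\n"
    "; Everything after this line is an OLE DB initstring\r\n"
    "Provider=SQLOLEDB.1;Password=example-only;Persist Security Info=True;"
    "User ID=RMTrackAppUser;Initial Catalog=RMTrack;Data Source=DBSERVER\r\n"
)


def read_udl(path):
    """Return the text of a .udl file, handling the UTF-16 BOM Windows writes."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith(codecs.BOM_UTF16_LE):
        return raw.decode("utf-16")
    # Older or hand-edited files may be in the local ANSI code page.
    return raw.decode("mbcs" if os.name == "nt" else "latin-1")


def parse_udl(text):
    """Split the UDL connection string into a dict keyed by lower-cased property name."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]
    if not lines or lines[0].lower() != "[oledb]":
        raise ValueError("not a UDL file")
    props = {}
    for part in lines[1].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            props[key.strip().lower()] = value.strip()
    return props


def connection_identity(props):
    """Describe which identity SQL Server will see for this connection string.

    Integrated Security=SSPI means the *process* identity is used.  Under IIS
    impersonation that is the browsing user's Windows account, so when the
    database is on another machine the "2 hop" (Kerberos delegation) problem
    applies.  A SQL login is always the same fixed application account.
    """
    if props.get("integrated security", "").upper() == "SSPI":
        return {"mode": "windows", "login": None, "two_hop_risk": True}
    login = props.get("user id")
    if not login:
        raise ValueError("SQL login mode but no User ID in connection string")
    # The UDL editor's "Allow saving password" box writes Persist Security Info=True
    # and stores the password; without both, an unattended web app cannot reconnect.
    saved = props.get("persist security info", "").lower() == "true" and "password" in props
    return {"mode": "sql", "login": login, "two_hop_risk": False, "password_saved": saved}


def rmtrack_user_id(logon_user):
    """Map the LOGON_USER value IIS reports to the RMTrack user id.

    RMTrack keeps only the part after the domain: "mydomain\\mywindowsid" -> "mywindowsid".
    An empty LOGON_USER means the request was served anonymously, i.e. Anonymous
    Access is still enabled on the virtual directory (this example's own check).
    """
    if not logon_user:
        return None
    return logon_user.rsplit("\\", 1)[-1]


if __name__ == "__main__":
    # Write the constructed SQL-login sample as a real UTF-16 .udl file and read it back.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "DbConnection.udl")
        with open(path, "wb") as fh:
            fh.write(codecs.BOM_UTF16_LE + UDL_SQL_LOGIN.encode("utf-16-le"))
        print(connection_identity(parse_udl(read_udl(path))))
    print(connection_identity(parse_udl(UDL_INTEGRATED)))
    print(rmtrack_user_id("mydomain\\mywindowsid"), rmtrack_user_id(""))
```

Run it on the real DbConnection.udl after step 2g: a result with `"mode": "sql"` and `"password_saved": True` is what the steps above are meant to produce; `"two_hop_risk": True` means the file still uses Integrated Security and the "front to back" caveats in the Notes apply.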
We strongly recommend clients involve a qualified system administrator to make these configuration changes. We also recommend clients attempt these changes in a test environment first, to make certain everything will go smoothly. RMTrack support can be available by telephone at the time when a client is making these changes (end of business day or a weekend is recommended so as not to impact active users).
Applies to
RMTrack Issue Tracking - v2.5.0 to v3.2.0