Using LDAP with Single Sign-On – VBrick Systems ETHERNETV 4410-0118-0009 User Manual

Server Administration

ETV Portal Server Admin Guide

Using LDAP with Single Sign-On

To use single sign-on, go to Access Control and then check Enable Authentication and Authorization and Use LDAP Database. If the LDAP server is Microsoft Active Directory, you can select Use Integrated Windows Authentication to enable "MCS Single Sign-on." This means that once you log in to your local network with your assigned credentials, you can open ETV Portal Server without re-entering your login credentials. ETV Portal Server uses your assigned credentials to authenticate you and to authorize your defined permissions within the application. (If using an LDAP directory other than Microsoft's Active Directory, VBrick strongly recommends using SSL to encrypt the communication between the Portal Server and the LDAP directory. Please consult your LDAP vendor documentation for instructions on how to configure SSL.) When configuring for Integrated Windows Authentication, keep the following points in mind:

Integrated Windows Authentication is only valid when using LDAP Authentication with
Microsoft Active Directory.

You must perform an additional configuration step in IIS as explained below in
Configuring IIS for Single Sign-On.

Integrated Windows Authentication only works seamlessly with Microsoft Internet
Explorer browsers (Windows and Macintosh). When accessing ETV Portal Server, you
will get a popup login window only if you have not previously logged in to the network.

When using Integrated Windows Authentication, all single-sign-on users must have an
Active Directory account and the Portal Server must be part of the Windows domain.

When using Integrated Windows Authentication, Microsoft Internet Explorer's default behavior is that it will not prompt for an ID/password when the server is in the Local Intranet Zone. (By default, Internet Explorer assumes that a URL without a period (.) is in the Local Intranet Zone. This means http://yourserver/ is in the Local Intranet Zone while http://yourserver.yourcompany.com (or http://199.88.7.11) is in the Internet Zone.)
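
The default zone rule in the last point, applied to a list of portal addresses. This is an added example, not part of the VBrick manual: it models only the no-period rule stated above and ignores any zone assignments made by policy or by the user. The function names and the sample URLs beyond the manual's three are assumptions.

```python
from urllib.parse import urlsplit

LOCAL_INTRANET = "Local Intranet Zone"
INTERNET = "Internet Zone"

# Constructed sample: the manual's three example URLs plus constructed variants.
SAMPLE_URLS = [
    "http://yourserver/",
    "http://yourserver.yourcompany.com",
    "http://199.88.7.11",
    "HTTP://YOURSERVER:8080/portal",   # constructed: port and upper case
    "yourserver/portal",               # constructed: typed without a scheme
]


def default_zone(url):
    """Zone under the manual's default rule: no period in the host name
    means Local Intranet Zone, anything else means Internet Zone."""
    # urlsplit() only recognises a host when the URL carries "//",
    # so add a scheme to addresses typed without one.
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname   # strips port and userinfo, lower-cases
    if not host:
        raise ValueError("no host name in URL: %r" % url)
    return INTERNET if "." in host else LOCAL_INTRANET


def urls_that_may_prompt(urls):
    """URLs that fall outside the Local Intranet Zone, i.e. where the
    manual's no-prompt behaviour is not expected to apply."""
    return [u for u in urls if default_zone(u) != LOCAL_INTRANET]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print("%-40s %s" % (u, default_zone(u)))
```

Running it over the addresses users actually type or bookmark shows which ones to replace with the short server name if single sign-on is expected to be silent.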

Configuring IIS for Single Sign-On

Use the following steps to configure IIS for single sign-on. If you do not perform these steps, the
login page will likely be blank when you launch the Portal Server.

To configure IIS for single sign-on

1. Go to Start > Administrative Tools > Computer Management.

2. Expand Services and Applications and expand Internet Information Services (IIS) Manager.

3. Expand Web Sites and then right-click on Default Web Site and select Properties.

Note: The Softerra LDAP Browser 2.6 provides an Explorer-like LDAP client you can use to browse the LDAP tree. It is available for Windows only and can be downloaded free of charge from Softerra at http://www.ldapbrowser.com

Note: If single sign-on is enabled on multiple LDAP servers, when a user signs on for the first time, the system validates the login credentials against all servers configured for single sign-on. If you are validated by at least one server, you are automatically logged in. In most cases when single sign-on is enabled, the user will not be prompted for a Domain name at login.
