How to set up authentication using the NTLM protocol

Before NTLM authentication can be used, the users must be registered in the system manually or imported from LDAP, and licenses must be granted to them. Cookies must also be allowed in the browser configuration so that the data can be stored locally.

NTLM authentication is set up on the server where the application is deployed and consists of two parts:

The IIS server setting that activates authentication using the NTLM protocol.

The Web.config setting of the loader application that defines the authentication providers and the order in which the system checks whether a user exists among those registered in bpm’online.

Setting up the IIS server

1. Activate Windows Authentication in the loader application (Fig. 315).

Fig. 315 Activating Windows Authentication


2. Activate Windows Authentication on all working applications inside the loader application.

During bpm’online installation, one working application with the “0” caption is created automatically by default; it handles the configuration workflow. However, the structure of your application may contain additional configurations.

3. Activate Windows Authentication at the 0/ServiceModel level so that the services work with domain authorization.

Note

Read more about Windows Authentication in Microsoft webhelp.

Setting up the Web.config file of the loader application

1. Open the Web.config file of the loader application for editing.

2. In this file, specify the Windows Authentication providers in the [auth] element, for example:

<auth providerNames="InternalUserPassword, SSPLdapProvider, Ldap"
      autoLoginProviderNames="NtlmUser, SSPNtlmUser"
      ... >

[InternalUserPassword] – the provider that is specified in the Web.config file by default. If you want to provide NTLM authentication only for the users who are not synchronized with LDAP, do not add any further value to the [providerNames] parameter.

[Ldap] – add this value to the [providerNames] parameter so that the users of the main application who are synchronized with LDAP can perform NTLM authentication.

[SSPLdapProvider] – add this value to the [providerNames] parameter so that the users of the self-service portal who are synchronized with LDAP can perform NTLM authentication.

[NtlmUser] – add this value to the [autoLoginProviderNames] parameter so that the users of the main application can perform NTLM authentication regardless of whether they are synchronized with LDAP and regardless of the authentication type configured for these bpm’online users.

[SSPNtlmUser] – add this value to the [autoLoginProviderNames] parameter so that the users of the self-service portal can perform NTLM authentication regardless of whether they are synchronized with LDAP and regardless of the authentication type configured for these bpm’online users.

The order of the values in the [autoLoginProviderNames] parameter defines the order in which the system looks for the user: among the users of the main application (NtlmUser) or among the self-service portal users (SSPNtlmUser). For example, if you want the main application users to be checked first, place the [NtlmUser] provider at the top of the list of values of the [autoLoginProviderNames] parameter.

Attention

You can specify the [SSPNtlmUser] provider as an [autoLoginProviderNames] parameter value only if the [NtlmUser] provider is specified as well. The [NtlmUser] provider can be used on its own.

3. If you want users to be logged in to bpm’online automatically, without the login page, specify the “true” value for the [UsePathThroughAuthentication] parameter of the <appSettings> element:

<appSettings>
<add key="UsePathThroughAuthentication" value="true" />
...
</appSettings>

If you want the login page to be displayed with the available [Log in as domain user] link, specify the “false” value for the [UsePathThroughAuthentication] parameter.
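The Web.config rules above (the provider lists, the dependency of [SSPNtlmUser] on [NtlmUser], the lookup order, the IIS Windows Authentication flag and the [UsePathThroughAuthentication] value) can be checked mechanically before the application is restarted. The following Python script is an added example, not code from the original documentation or from the bpm’online product: the attribute and key names are taken from this page, but the sample Web.config is constructed for the example, the placement of the [auth] element under a [terrasoft] section is an assumption (the checker searches for the element anywhere in the file), and Windows Authentication may be enabled in the IIS applicationHost.config rather than in Web.config, in which case the script only reminds you to verify it in IIS Manager.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config for this example. The <auth> attribute names and the
# UsePathThroughAuthentication key follow the documentation; the <terrasoft> parent
# section is an assumption and the checker does not rely on it. The
# <windowsAuthentication> element is the standard IIS system.webServer setting.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="UsePathThroughAuthentication" value="true" />
  </appSettings>
  <terrasoft>
    <auth providerNames="InternalUserPassword, SSPLdapProvider, Ldap"
          autoLoginProviderNames="NtlmUser, SSPNtlmUser" />
  </terrasoft>
  <system.webServer>
    <security>
      <authentication>
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
"""


def _split_list(value):
    """Split a comma-separated attribute value into trimmed, non-empty names."""
    return [name.strip() for name in value.split(",") if name.strip()]


def check_ntlm_config(xml_text):
    """Validate the NTLM-related settings of a loader Web.config.

    Returns a dict with:
      errors - settings that contradict the rules in the documentation
      notes  - legal combinations that limit who can log in via NTLM
      lookup - order in which user stores are searched on auto-login
      mode   - "pass-through" or "login-page" (from UsePathThroughAuthentication)
    """
    root = ET.fromstring(xml_text)
    errors, notes = [], []

    auth = root.find(".//auth")
    if auth is None:
        return {"errors": ["no <auth> element found"], "notes": [], "lookup": [], "mode": None}
    providers = _split_list(auth.get("providerNames", ""))
    auto_login = _split_list(auth.get("autoLoginProviderNames", ""))

    if not auto_login:
        errors.append("autoLoginProviderNames is empty: no NTLM auto-login provider is active")
    # SSPNtlmUser is only valid alongside NtlmUser; NtlmUser may stand alone.
    if "SSPNtlmUser" in auto_login and "NtlmUser" not in auto_login:
        errors.append("SSPNtlmUser requires NtlmUser to be listed in autoLoginProviderNames")
    if len(set(auto_login)) != len(auto_login):
        errors.append("duplicate entries in autoLoginProviderNames")
    # Without Ldap / SSPLdapProvider only users not synchronized with LDAP get NTLM login.
    if "NtlmUser" in auto_login and "Ldap" not in providers:
        notes.append("Ldap not in providerNames: LDAP-synchronized main-application users "
                     "will not be able to log in via NTLM")
    if "SSPNtlmUser" in auto_login and "SSPLdapProvider" not in providers:
        notes.append("SSPLdapProvider not in providerNames: LDAP-synchronized portal users "
                     "will not be able to log in via NTLM")

    # Windows Authentication may be set here or in applicationHost.config (IIS Manager).
    win_auth = root.find(".//windowsAuthentication")
    if win_auth is None:
        notes.append("windowsAuthentication not present in Web.config: confirm it is enabled in IIS Manager")
    elif win_auth.get("enabled", "false").strip().lower() != "true":
        errors.append("windowsAuthentication is present but not enabled")

    # UsePathThroughAuthentication: true = log in automatically, false = show the login page.
    mode = "login-page"
    for add in root.iterfind("./appSettings/add"):
        if add.get("key") == "UsePathThroughAuthentication":
            value = add.get("value", "").strip().lower()
            if value not in ("true", "false"):
                errors.append(f"UsePathThroughAuthentication has invalid value {value!r}")
            elif value == "true":
                mode = "pass-through"

    return {"errors": errors, "notes": notes, "lookup": auto_login, "mode": mode}


if __name__ == "__main__":
    result = check_ntlm_config(SAMPLE_WEB_CONFIG)
    for line in result["errors"]:
        print("ERROR:", line)
    for line in result["notes"]:
        print("NOTE: ", line)
    print("auto-login lookup order:", " -> ".join(result["lookup"]))
    print("login mode:", result["mode"])
```

To run it against a real file, pass its contents instead of the sample, for example check_ntlm_config(open(r"C:\path\to\loader\Web.config").read()) with the path replaced by your own loader application directory. A non-empty errors list means the settings contradict the rules above; notes flag combinations that are allowed but exclude LDAP-synchronized users from NTLM login, which is the usual cause of a domain user unexpectedly landing on the login page.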

See also

Authentication using the NTLM protocol

How the NTLM authentication protocol works

How to log in to the system using the configured NTLM authentication protocol