How to set up authentication using the NTLM protocol
To use NTLM authentication, first add system users (manually or by importing them from LDAP) and license them. Users must allow cookies in their browsers so that the authentication data can be stored locally.
NTLM authentication setup is performed on the application server and consists of two steps:
• IIS server setup that activates authentication using the NTLM protocol.
• Web.config file setup of the loader application that defines the authentication providers and the order in which a user is looked up among those registered in bpm’online.
1. Enable Windows authentication and anonymous authentication, and disable forms authentication for the loader application (Fig. 416).
Fig. 416 Authentication settings for the loader application in IIS
2. Disable Windows authentication support and anonymous authentication; enable forms authentication for all working applications within the loader application (Fig. 417).
Fig. 417 Authentication settings for applications within the loader
3. For services at the 0/ServiceModel level, enable Windows authentication and anonymous authentication, and disable forms authentication to activate the services with domain authentication (Fig. 416).
Please note that anonymous authentication of the loader application and working applications must be conducted under application pool identity. To enable this, edit anonymous authentication credentials by clicking the [Edit] button in the [Actions] area of the IIS manager and select [Application pool identity] (Fig. 418).
Fig. 418 Entering credentials for anonymous authentication in IIS
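The same three IIS settings can be applied with the WebAdministration module instead of IIS Manager, which also makes the result easy to read back and audit. The script below is an added example, not part of the bpm’online documentation: the site name "Default Web Site" and the loader application name "bpmonline" are assumptions, "0" is the working application and "0/ServiceModel" the service level named in step 3, and mapping "forms authentication off" to the ASP.NET mode "Windows" is the author's choice rather than something the page states.

```powershell
# Added example (not from the bpm'online documentation): applies the authentication
# settings of steps 1-3 with WebAdministration and reads them back for verification.
# Assumed names: site 'Default Web Site', loader application 'bpmonline'.
Import-Module WebAdministration

$AppHost = 'MACHINE/WEBROOT/APPHOST'                 # applicationHost.config, per-location settings
$AuthSec = 'system.webServer/security/authentication'

function Set-BpmAuthentication {
    param(
        [Parameter(Mandatory)] [string] $Location,    # e.g. 'Default Web Site/bpmonline'
        [Parameter(Mandatory)] [bool]   $Windows,
        [Parameter(Mandatory)] [bool]   $Anonymous,
        [Parameter(Mandatory)] [bool]   $Forms
    )
    Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter "$AuthSec/windowsAuthentication"   -Name enabled -Value $Windows
    Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter "$AuthSec/anonymousAuthentication" -Name enabled -Value $Anonymous
    # An empty userName makes anonymous requests run under the application pool identity
    # (the [Application pool identity] choice of Fig. 418) rather than a stored IUSR account.
    Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter "$AuthSec/anonymousAuthentication" -Name userName -Value ''
    # "Forms authentication" in IIS Manager is the ASP.NET <authentication mode> value in the
    # application's own web.config; 'Windows' is an assumed choice for the "disabled" case.
    $appPath = 'IIS:\Sites\' + ($Location -replace '/', '\')
    Set-WebConfigurationProperty -PSPath $appPath -Filter 'system.web/authentication' `
        -Name mode -Value $(if ($Forms) { 'Forms' } else { 'Windows' })
}

# Get-WebConfigurationProperty returns a ConfigurationAttribute for bool attributes and a
# plain string for string attributes; normalise both to the bare value.
function Get-AttrValue($attr) {
    if ($null -ne $attr -and $attr.PSObject.Properties['Value']) { $attr.Value } else { $attr }
}

function Get-BpmAuthentication {
    param([Parameter(Mandatory)] [string] $Location)
    $appPath = 'IIS:\Sites\' + ($Location -replace '/', '\')
    [pscustomobject]@{
        Location      = $Location
        Windows       = Get-AttrValue (Get-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter "$AuthSec/windowsAuthentication"   -Name enabled)
        Anonymous     = Get-AttrValue (Get-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter "$AuthSec/anonymousAuthentication" -Name enabled)
        AnonymousUser = Get-AttrValue (Get-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter "$AuthSec/anonymousAuthentication" -Name userName)
        AspNetMode    = Get-AttrValue (Get-WebConfigurationProperty -PSPath $appPath -Filter 'system.web/authentication' -Name mode)
    }
}

$site   = 'Default Web Site'      # assumed site name
$loader = "$site/bpmonline"       # assumed loader application name

# Step 1: loader application - Windows on, anonymous on, forms off.
Set-BpmAuthentication -Location $loader                  -Windows $true  -Anonymous $true  -Forms $false
# Step 2: working application(s) inside the loader, as stated in the step - Windows off, anonymous off, forms on.
Set-BpmAuthentication -Location "$loader/0"              -Windows $false -Anonymous $false -Forms $true
# Step 3: services at the 0/ServiceModel level - Windows on, anonymous on, forms off.
Set-BpmAuthentication -Location "$loader/0/ServiceModel" -Windows $true  -Anonymous $true  -Forms $false

# Verification: an empty AnonymousUser means "application pool identity".
$loader, "$loader/0", "$loader/0/ServiceModel" |
    ForEach-Object { Get-BpmAuthentication -Location $_ } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the application server; the final table is the check to keep in change records, since it shows the effective value of every setting that steps 1 to 3 and the application pool identity note require.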
Note
Read more about Windows Authentication in Microsoft webhelp.
Setting up Web.config file of the loader application
1. Open the Web.config file of the loader application for editing.
2. In this file, specify the Windows Authentication providers in the auth element, for example:
<auth providerNames="InternalUserPassword,SSPLdapProvider,Ldap"
      autoLoginProviderNames="NtlmUser,SSPNtlmUser" ... >
[InternalUserPassword] – provider that is specified in the Web.config file by default. If you want to provide NTLM authentication only for the users who are not synchronized with LDAP, do not specify an additional value for the providerNames parameter.
[Ldap] – add this parameter to the [providerNames] parameter value for the users of the main application who are synchronized with LDAP to be able to perform NTLM authentication.
[SSPLdapProvider] – add this parameter to the [providerNames] parameter value for the users of the self-service portal who are synchronized with LDAP to be able to perform NTLM authentication.
[NtlmUser] – add this parameter to the [autoLoginProviderNames] parameter value for the users of the main application to be able to perform NTLM authentication regardless of their synchronization with LDAP and the authentication type configured for these bpm’online users.
[SSPNtlmUser] – add this parameter to the [autoLoginProviderNames] parameter value for the users of the self-service portal to be able to perform NTLM authentication regardless of their synchronization with LDAP and the authentication type configured for these bpm’online users.
The record order of the [autoLoginProviderNames] parameters defines the order of the user availability check within the system among the users of the main application (NtlmUser) or among the self-service portal users (SSPNtlmUser). For example, if you want the check to be performed among the main application users primarily, place the [NtlmUser] provider at the top of the list of the values of the [autoLoginProviderNames] parameter.
Attention
You can specify the [SSPNtlmUser] provider as an [autoLoginProviderNames] parameter value only if the [NtlmUser] provider is specified additionally. You can use the [NtlmUser] provider separately.
3. If you want domain users to be logged in to bpm’online immediately, without seeing the login page, specify the “true” value for the [UsePathThroughAuthentication] parameter of the <appSettings> element:
<appSettings>
    <add key="UsePathThroughAuthentication" value="true" />
    ...
</appSettings>
If you want the login page to be displayed with the [Log in as domain user] link available, specify the “false” value for the [UsePathThroughAuthentication] parameter.
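Because the provider lists are plain comma-separated strings, a typo or a forbidden combination (such as SSPNtlmUser without NtlmUser) is only noticed when domain users fail to log in. The following added example, which is not part of the bpm’online documentation, reads a loader Web.config, checks the rules from steps 2 and 3 and the Attention note, and reports the user lookup order that the autoLoginProviderNames order produces. The Web.config fragment inside it is a constructed sample; in a real file the auth element sits deeper in the document, which is why the script locates it with an XPath search rather than a fixed path.

```powershell
# Added example (not from the bpm'online documentation): validates the NTLM-related
# settings of a loader Web.config and reports the resulting user lookup order.

# Auto-login providers named on the documentation page and the user group each one checks.
$KnownAutoLogin = @{
    NtlmUser    = 'main application users'
    SSPNtlmUser = 'self-service portal users'
}

function Test-BpmNtlmConfig {
    param([Parameter(Mandatory)] [xml] $Config)

    $auth = $Config.SelectSingleNode('//auth')
    if (-not $auth) { throw 'Web.config contains no <auth> element' }

    # Split the comma-separated lists, dropping surrounding whitespace and empty entries.
    $providers = @(($auth.GetAttribute('providerNames') -split ',')          | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $autoLogin = @(($auth.GetAttribute('autoLoginProviderNames') -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    $problems = New-Object 'System.Collections.Generic.List[string]'

    # Attention note: SSPNtlmUser is only allowed together with NtlmUser; NtlmUser may stand alone.
    if (($autoLogin -contains 'SSPNtlmUser') -and ($autoLogin -notcontains 'NtlmUser')) {
        $problems.Add('SSPNtlmUser is listed in autoLoginProviderNames without NtlmUser')
    }
    foreach ($p in $autoLogin) {
        if (-not $KnownAutoLogin.ContainsKey($p)) { $problems.Add("Unknown auto-login provider '$p'") }
    }
    if ($autoLogin.Count -eq 0) { $problems.Add('autoLoginProviderNames is empty; NTLM auto-login is not configured') }

    # The order of autoLoginProviderNames is the order in which the user groups are searched.
    $order = for ($i = 0; $i -lt $autoLogin.Count; $i++) {
        '{0}. {1} ({2})' -f ($i + 1), $autoLogin[$i], $KnownAutoLogin[$autoLogin[$i]]
    }

    # Step 3: UsePathThroughAuthentication selects immediate login or the login page with the link.
    $node  = $Config.SelectSingleNode("//appSettings/add[@key='UsePathThroughAuthentication']")
    $value = if ($node) { $node.GetAttribute('value').Trim().ToLowerInvariant() } else { '' }
    $mode  = switch ($value) {
        'true'  { 'domain users are logged in immediately' }
        'false' { 'login page is shown with the [Log in as domain user] link' }
        default { $problems.Add("UsePathThroughAuthentication is missing or not true/false (got '$value')"); 'undefined' }
    }

    [pscustomobject]@{
        ProviderNames          = $providers
        AutoLoginProviderNames = $autoLogin
        LookupOrder            = $order
        LoginBehaviour         = $mode
        Problems               = $problems.ToArray()
        IsValid                = ($problems.Count -eq 0)
    }
}

# Constructed sample fragment with the values shown on the documentation page.
$sample = [xml]@'
<configuration>
  <appSettings>
    <add key="UsePathThroughAuthentication" value="true" />
  </appSettings>
  <auth providerNames="InternalUserPassword,SSPLdapProvider,Ldap"
        autoLoginProviderNames="NtlmUser,SSPNtlmUser" />
</configuration>
'@
Test-BpmNtlmConfig -Config $sample | Format-List

# Same check against a misconfigured fragment: SSPNtlmUser alone violates the Attention note.
$broken = [xml]'<configuration><auth providerNames="InternalUserPassword" autoLoginProviderNames="SSPNtlmUser" /></configuration>'
Test-BpmNtlmConfig -Config $broken | Format-List

# For a real installation (path is a placeholder):
# Test-BpmNtlmConfig -Config ([xml](Get-Content -Raw 'C:\path\to\loader\Web.config')) | Format-List
```

For the sample the output lists NtlmUser first and SSPNtlmUser second, so main application users are checked before portal users, and IsValid is true; the broken fragment reports the missing NtlmUser and the missing UsePathThroughAuthentication key. Running this before restarting the application pool catches list typos that would otherwise surface only as failed domain logins.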
See also
• Authentication using the NTLM protocol
• How the NTLM authentication protocol works
• How to log in to the system using the configured NTLM authentication protocol