Windows domain authentication enables users to log in to SGD if they belong to a specified Windows domain.
Windows domain authentication is disabled by default.
This section includes the following topics:
At the SGD login screen, the user types a user name and password. The user name can be any of the following:
A common name, for example Indigo Jones
A user name, for example indigo
An email address, for example email@example.com
SGD searches the local repository for a user profile with a Name attribute that matches the user name typed by the user. If there is no match, the search is repeated on the Login Name attribute, and finally on the Email Address attribute.
If a user profile is found, the Login Name attribute of the user profile is treated as the Windows domain user name. If no user profile is found, the name the user typed is used as the Windows domain user name. SGD then checks the Windows domain user name and the password typed by the user against the domain controller.
If the authentication fails, the next authentication mechanism is tried.
If the authentication succeeds and the Login attribute for the user profile is not enabled, the user is not logged in and no further authentication mechanisms are tried.
If the authentication succeeds and either the Login attribute for the user profile is enabled or no matching user profile is found, the user is logged in.
If a user profile was found in the local repository, that object is used for the user identity and user profile. In the SGD datastore, the user identity is in the Local namespace. In the Administration Console, the text “(Local)” is displayed next to the user identity. On the command line, the user identity is located in .../_ens.
If no user profile was found in the local repository, the user identity is the Windows domain user name. In the SGD datastore, the user identity is in the NT namespace. In the Administration Console, the text “(NT)” is displayed next to the user identity. On the command line, the user identity is located in .../_service/sco/tta/ntauth. The profile object System Objects/NT User Profile is used for the user profile.
Go to the Global Settings -> Secure Global Desktop Authentication tab and click the Change Secure Global Desktop Authentication button.
Windows domain authentication supports 8-bit case-sensitive passwords. The user name can contain any characters.
If you need to authenticate users from more than one domain, you must have one domain that is trusted by all the other domains. You must use the trusted domain as the Windows domain controller when you configure Windows domain authentication.
When a user from another domain logs in to SGD, they must use the format domain\username for their user name. If they do not use this format, SGD tries to authenticate the user using the authentication domain and fails.
Note - The Domain Name (--ntdomain) attribute for user profiles plays no part in the SGD login.
If an SGD server is on a different subnet to the domain controller, you must hard code the domain controller information, see How to Specify a Domain Controller on a Different Subnet.
Ensure that no users are logged in to the SGD server and that there are no running application sessions, including suspended application sessions.
Use the following commands:
# tarantella config edit \ --com.sco.tta.server.login.ntauth.NTAuthService.properties-authConfig \ authnbt=NTNAME # tarantella config edit \ --com.sco.tta.server.login.ntauth.NTAuthService.properties-authConfig-append \ authserver=my.domain.name
where NTNAME is the NetBIOS name of the domain controller and my.domain.name is the DNS name or IP address of the domain controller.