Siebel CRM Siebel Security Guide
Siebel Innovation Pack 2015
E24814-01

Process of Implementing Windows Integrated Authentication

This topic describes the tasks involved in implementing a Windows Integrated Authentication Single Sign-On authentication system.

The process outlined in this topic provides instructions for implementing and testing Web SSO authentication for a single Siebel application, using Microsoft Windows Integrated Authentication as your Web SSO solution. You can repeat the appropriate instructions in this process to provide Web SSO access to additional Siebel Business Applications. For details on the environment setup for the solution outlined in the process, see "Requirements for the Example Windows Integrated Authentication Environment".

Perform the following tasks to implement and test Windows Integrated Authentication SSO:

  1. Verify that all requirements are met. For information, see:

  2. Set up third-party Web SSO authentication.

  3. Review "About Creating a Database Login for Externally Authenticated Users".

  4. "Setting Up Active Directory to Store Siebel User Credentials for Windows Integrated Authentication".

  5. "Configuring the Microsoft IIS Web Server for Windows Integrated Authentication"

  6. "Creating Users in the Directory (Windows Integrated Authentication)".

  7. "Adding User Records in the Siebel Database".

  8. "Setting Web Single Sign-On Authentication Parameters in the SWSE Configuration File".

  9. Configure authentication parameters, using one of the following methods:

  10. "Restarting Servers".

  11. "Testing Web Single Sign-On Authentication".

Requirements for the Example Windows Integrated Authentication Environment

This topic outlines the requirements for implementing the Web SSO authentication environment described in "Process of Implementing Windows Integrated Authentication".

This task is a step in "Process of Implementing Windows Integrated Authentication".

The following requirements must be met before setting up the example Windows Integrated Authentication environment:

  • Microsoft IIS Web Server is deployed on Microsoft Windows. The Microsoft IIS Web Server functions as the authentication service.

  • The Active Directory server and the Web server are installed on different computers. The Active Directory functions as a directory of users for the following functions:

    • Authenticates Web server users.

    • Provides the Siebel user ID and the database account for authenticated Web server users.

  • The ADSI security adapter communicates between the authentication manager and the Active Directory.

  • Siebel Business Applications, including the Siebel Gateway Name Server and the Siebel Server, are installed. The Siebel Server, including affected Application Object Managers, is installed on the Web server computer.


    Note:

    These instructions are for a minimal, baseline configuration. In a production environment, it is not recommended to install the Siebel Server on the same computer as the Web server.

  • If you use a non-Siebel security adapter, it must support the Siebel Security Adapter Software Developers Kit, described in "Security Adapter SDK". You must adapt the applicable parts of the implementation to your security adapter.

  • You are experienced with administering Active Directory and can perform tasks such as creating and modifying user storage subdirectories, creating attributes, and creating and providing privileges to users.

Setting Up Active Directory to Store Siebel User Credentials for Windows Integrated Authentication

This topic describes how to set up Active Directory for Windows Integrated Authentication. In this example, the Active Directory performs two functions that might be handled by two separate entities in other Web SSO implementations:

  • Users are authenticated through the Active Directory performing its function as the Microsoft IIS Web Server directory.

  • The Active Directory functions as the directory from which an authenticated user's Siebel user ID and database account are retrieved.

This topic describes how to configure the Active Directory as the directory which provides the user IDs and the Siebel database account for authenticated users. For information about configuring the Microsoft IIS Web Server, see "Configuring the Microsoft IIS Web Server for Windows Integrated Authentication".

This task is a step in "Process of Implementing Windows Integrated Authentication".

To set up Active Directory to store Siebel user credentials  

  1. Select a subdirectory in the Active Directory to store users, for example, the Users subdirectory under the domain-level directory.

    You cannot distribute the users of a single Siebel application in more than one subdirectory. However, you can store multiple Siebel Business Applications' users in one subdirectory.

  2. Define the attributes to use for the following user data (create new attributes if you do not want to use existing attributes):

    • Siebel user ID. Suggested attribute: sAMAccountName.

    • Database account. Suggested attribute: dbaccount.

  3. Password. Assign a user password to each user using the ADSI user management tools. The user password is not stored as an attribute.


    Note:

    A user password is required for the Active Directory for its role as the Microsoft IIS Web Server directory, which is the authentication service in this configuration. A user password attribute is not required for Active Directory as the directory. In other configurations in which the authentication service is physically independent of the directory, the directory is not required to have a user password assigned to each user.

  4. For the purposes of Microsoft IIS Web Server authentication, provide attributes as needed to store the user name, first name, last name, or other user data.

Configuring the Microsoft IIS Web Server for Windows Integrated Authentication

This topic describes the configuration tasks you must perform on the IIS Web Server for Windows Integrated Authentication.

This task is a step in "Process of Implementing Windows Integrated Authentication".

Configuring the IIS Web Server to Authenticate against Active Directory

Configure the Microsoft IIS Web Server to authenticate against the Active Directory. Select the type of authentication that is most appropriate for your deployment.

For purposes of testing this Web SSO implementation, configure your Web site to require users to log in at an entry point to the Web site.

Configuring Authentication for Siebel Virtual Directories

During configuration of the Siebel Web Server Extension, Siebel virtual directories are created on the IIS Web server for the installed Siebel Business Applications. For example, the virtual directory eservice_enu is for Siebel eService using U.S. English (ENU). You must set the authentication mode for these virtual directories to Windows Authentication or Integrated Windows Authentication, depending on the version of IIS Web Server that you are using.

For information about configuring authentication modes for the Microsoft IIS Web Server, go to the Microsoft MSDN Web site at

http://msdn.microsoft.com

(Optional) Creating Protected Virtual Directories

This topic describes how to create virtual directories in a Web SSO implementation. Creating virtual directories allows users to access a Siebel application and anonymously browse specific views while requiring Web SSO authentication to access other views in the application.

Protected virtual directories are used with Siebel Business Applications that support anonymous browsing. By making parts of the application available under two Web server virtual directories, you can configure the third-party authentication client to protect one virtual directory while leaving the other unprotected, and thus accessible for anonymous browsing. When a user requests a Siebel view that requires explicit login, the request is automatically redirected to the protected virtual directory and the user must enter a Web SSO login to proceed.

Perform the steps in the following procedure to create a custom protected virtual directory, and to enable Windows Authentication for the virtual directory.

To create a protected virtual directory  

  1. Make a copy of the appropriate eapps_virdirs batch file provided in the SWSE logical profile directory.

    The eapps_virdirs batch files are used to create Siebel virtual directories. For additional information, see Siebel Installation Guide for the operating system you are using.

  2. Edit the copied eapps_virdirs file to specify the name and other details of the virtual directory you want to create for the Siebel application.

    For example, enter p_eservice as a virtual directory name for Siebel eService.

  3. Run the eapps_virdirs batch file, and a Siebel virtual directory with the name you specified is created.

    It is recommended that you save the edited eapps_virdirs file so that it can be used if you need to restore or migrate your virtual directory environments.

  4. Set the Authentication setting for the virtual directory you created to Windows Authentication as follows:

    1. In the Internet Service Manager explorer, right-click the virtual directory you created in the previous steps, then choose Properties.

      The Properties dialog box appears.

    2. Click the Directory Security tab.

    3. Click Edit in the Anonymous Access and Authentication Control section.

    4. The Authentication Methods dialog box appears.

    5. Check the Integrated Windows Authentication check box, and uncheck all others. Make sure that the Allow Anonymous Access box is unchecked.


      Note:

      On some versions of the IIS Web Server, an Integrated Authentication check box is not displayed. In this case, make sure that the Allow Anonymous Access box is unchecked and enable Windows Authentication.

    6. Click Yes on the Internet Service Manager caution dialog, and then click OK when you return to the Authentication Methods dialog box.

      The Directory Security tab in the Properties dialog box appears.

    7. Click Apply, and then click OK.

Creating Users in the Directory (Windows Integrated Authentication)

To implement Web SSO using Windows Integrated Authentication, you must create users in the Active Directory, as described in this topic.

This task is a step in "Process of Implementing Windows Integrated Authentication".

Create three users in the Active Directory, using values similar to those shown in Table 6-1. The attribute names, sAMAccountName and Password, are suggestions; your entries might vary depending on how you make attribute assignments in "Setting Up Active Directory to Store Siebel User Credentials for Windows Integrated Authentication". Complete other attribute fields for each user, as needed.

Table 6-1 Active Directory Records

Each entry gives, for one user, the sAMAccountName, the Password, and the Database Account.

  • Anonymous user

    sAMAccountName:

      • Enter the user ID of the anonymous user record for the Siebel application you are implementing.

      • You can use a seed data anonymous user record, as described in Appendix B, "Seed Data," for a Siebel customer or partner application. For example, for Siebel eService, enter GUESTCST.

      • You can create a new user record or adapt a seed anonymous user record for a Siebel employee application.

    Password: GUESTPW or a password of your choice.

    Database Account: username=LDAPUSER password=P.

  • Application user

    sAMAccountName: APPUSER or a name of your choice.

    Password: APPUSERPW or a password of your choice.

    Database Account: A database account is not used for the application user.

  • Test user

    sAMAccountName: TESTUSER or a name of your choice.

    Password: TESTPW or a password of your choice.

    Database Account: username=LDAPUSER password=P.


The database account for all users is the same, and must match the database account reserved for externally-authenticated users described in "Setting Up Active Directory to Store Siebel User Credentials for Windows Integrated Authentication". P represents the password in that database account. For information about formatting the database account attribute entry, see "Requirements for the LDAP Directory or Active Directory".


Note:

Make sure the application user has privileges to search and write to all records in the directory.

Adding User Records in the Siebel Database

This topic describes how to create a record in the Siebel database that corresponds to the test user you created in "Creating Users in the Directory (Windows Integrated Authentication)".

This task is a step in "Process of Implementing Windows Integrated Authentication".

For purposes of confirming connectivity to the database, you can use the following procedure to add the test user for any Siebel application. However, if you are configuring a Siebel employee or partner application, and you want the user to be an employee or partner user, complete with position, division, and organization, then see the instructions for adding such users in "Internal Administration of Users".

To add user records to the database  

  1. Log in as an administrator to a Siebel employee application, such as Siebel Call Center.

  2. Navigate to the Administration - User screen, then the Users view.

  3. In the Users list, create a new record.

  4. Complete the following fields for the test user, then save the record. Use the indicated guidelines. Suggested entries are for this example. You can complete other fields, but they are not required.

    Last Name: Required. Enter any name.

    First Name: Required. Enter any name.

    User ID: Required. For example, TESTUSER. This entry must match the sAMAccountName attribute value for the test user in the directory. If you used another attribute instead of sAMAccountName, then it must match that value.

    Responsibility: Required. Enter the seed data responsibility provided for registered users of the Siebel application that you implement. For example, enter Web Registered User for Siebel eService. If an appropriate seed responsibility does not exist, such as for a Siebel employee application, then assign an appropriate responsibility that you create.

    New Responsibility: Optional. Enter the seed data responsibility provided for registered users of the Siebel application that you implement. For example, enter Web Registered User for Siebel eService. This responsibility is automatically assigned to new users created by this test user.

  5. Verify that the seed data user record exists for anonymous users of the Siebel application you implement. For example, verify that the seed data user record with user ID GUESTCST exists if you are implementing Siebel eService. If the record is not present, then create it using the field values in Table B-2. You can complete other fields, but they are not required.

    This record must also match the anonymous user you create in "Creating Users in the Directory (Windows Integrated Authentication)". You can adapt a seed data anonymous user or create a new anonymous user for a Siebel employee application.

Setting Web Single Sign-On Authentication Parameters in the SWSE Configuration File

To implement Web Single Sign-On authentication, you must specify values for parameters in the SWSE configuration file, eapps.cfg, as indicated in this topic.

This task is a step in "Process of Implementing Windows Integrated Authentication".

Provide parameter values in the eapps.cfg file, as indicated by the guidelines in Table 6-2. For information about editing eapps.cfg parameters and about the purposes of the parameters, see "About Parameters in the eapps.cfg File".

Table 6-2 Parameter Values in eapps.cfg File

Each entry gives the section, the parameter, and the guideline.

Section [defaults]

  • Various parameters: The values of the parameters in this section are overridden by the parameter values you set in the sections for individual applications. For this scenario, set Web SSO and related parameters in application-specific sections.

Section particular to your application, such as [/eservice_enu] or [/callcenter_enu], where _enu is the language code for U.S. English

  • AnonUserName: Enter the user ID of the seed data user record provided for the application that you implement, or of the user record you create for the anonymous user. This entry also matches the sAMAccountName entry for the anonymous user record in the directory. For example, enter GUESTCST for Siebel eService.

  • AnonPassword: Enter the password you created in the directory for the anonymous user.

    Note: Typically, password encryption applies to the eapps.cfg file. In this case, you must specify the encrypted password. See "Encrypted Passwords in the eapps.cfg File".

  • SingleSignOn: Enter TRUE to implement Web SSO.

  • TrustToken: Enter HELLO, or a contiguous string of your choice. When a custom security adapter is used in Web SSO mode, this value is passed to the adapter as the password parameter, provided that it matches the value of the Trust Token parameter defined for the custom security adapter.

    Note: Typically, password encryption applies to the eapps.cfg file. In this case, you must specify the encrypted value. See "Encrypted Passwords in the eapps.cfg File".

  • UserSpec: Example entry: REMOTE_USER. REMOTE_USER is the default Web server variable in which the user's identity key is placed for retrieval by the authentication manager. For additional information, see "Configuring the User Specification Source".

  • UserSpecSource: Example entry: Server.

  • ProtectedVirtualDirectory: If you created a protected virtual directory, as described in "(Optional) Creating Protected Virtual Directories", enter the name of the directory. Alternatively, if anonymous browsing is not implemented, you can enter the name of the existing virtual directory created for your Siebel application.

    Note: It is recommended that this parameter is always used in a Web SSO implementation.

Section [swe]

  • IntegratedDomainAuth: Set to TRUE for Windows Integrated Authentication. This parameter is set to FALSE by default.

Setting Web Single Sign-On Authentication Parameters for the Gateway Name Server

To implement Web SSO authentication, you must specify values for the Gateway Name Server parameters listed in this topic.

This task is a step in "Process of Implementing Windows Integrated Authentication".

Set each Siebel Gateway Name Server parameter listed in Table 6-3, "Siebel Gateway Name Server Parameters" for the component that corresponds to the Object Manager for the application you are implementing, such as Call Center Object Manager or eService Object Manager. Set the parameters at the component level and follow the guidelines provided in the table. For additional information about Siebel Gateway Name Server parameters, see "Siebel Gateway Name Server Parameters".

Table 6-3 Siebel Gateway Name Server Parameters

Each entry gives the subsystem, the parameter, and the guideline.

Subsystem InfraUIFramework

  • AllowAnonUsers: Enter TRUE.

  • SecureLogin: Enter TRUE or FALSE. If TRUE, the login form completed by the user is transmitted over TLS. For information about other requirements for secure login, see "Login Security Features".

Subsystem Object Manager

  • OM - Proxy Employee: Enter PROXYE.

  • OM - Username BC Field: Leave empty.

Subsystem Security Manager

  • Security Adapter Mode: The mode for the security adapter. Values are DB, LDAP, ADSI, or CUSTOM. This parameter is set at the Enterprise, Siebel Server, or component level. For information, see Chapter 5, "Security Adapter Authentication."

  • Security Adapter Name: The name of the security adapter. The default names are DBSecAdpt, LDAPSecAdpt, and ADSISecAdpt. This parameter is set at the Enterprise, Siebel Server, or component level. For more information, see Chapter 5, "Security Adapter Authentication."

Subsystem: the enterprise profile or named subsystem for the security adapter you are using, for example LDAPSecAdpt (LDAP security adapter) or ADSISecAdpt (ADSI security adapter)

  • SingleSignOn: Enter TRUE to indicate the security adapter is used in Web SSO mode.

  • TrustToken: Enter a contiguous string of your choice, for example, HELLO. The value you enter must be the same as the value you specify for the TrustToken parameter in the eapps.cfg file (see Table 6-2, "Parameter Values in eapps.cfg File").

For more information about configuring parameters for each security adapter, see Chapter 5, "Security Adapter Authentication." See also Appendix A, "Configuration Parameters Related to Authentication."


Editing Web Single Sign-On Parameters in the Application Configuration File

If you are implementing Web SSO authentication for the Developer Web Client, then you must specify the parameter shown in Table 6-4 in the configuration file for the Siebel application you are implementing. For information about editing an application's configuration file, see "Siebel Application Configuration File Parameters".

This task is a step in "Process of Implementing Windows Integrated Authentication".

Table 6-4 Siebel Application Configuration File Parameter Values

Each entry gives the section, the parameter, and the guideline for the ADSI security adapter.

Section [InfraUIFramework]

  • AllowAnonUsers: Enter TRUE.


The AllowAnonUsers parameter in the InfraUIFramework section of the application configuration file applies to Developer Web Clients only. The corresponding Application Object Manager parameter, which applies to Web Clients, is set using Siebel Server Manager and is listed in Table 6-3.

Restarting Servers

You must stop and restart Windows services on the Web server computer to activate the changes you make to the Application Object Manager configuration parameters when implementing Web SSO.

This task is a step in "Process of Implementing Windows Integrated Authentication".

Stop and restart the following services:

  • Microsoft IIS Admin service and Worldwide Web Publishing service. Stop the Microsoft IIS Admin service, and then restart the Worldwide Web Publishing Service. The Microsoft IIS Admin service also starts because the Worldwide Web Publishing Service is a subservice of the Microsoft IIS Admin service.

  • Siebel Server system service. Stop and restart the Siebel Server. For details, see Siebel System Administration Guide.

Testing Web Single Sign-On Authentication

After performing all the tasks required to implement Web SSO authentication, you can verify your implementation using the procedure in this topic.

This task is a step in "Process of Implementing Windows Integrated Authentication".

Perform the following procedure to confirm that the Web SSO components work together to:

  • Allow a user to log into the Web site.

  • Allow a user who is authenticated at the Web site level to gain access to the Siebel application without requiring an additional login.

To test your Web SSO authentication  

  1. On a Web browser, enter the URL to your Web site, such as:

    http://www.example.com

    If the authentication system has been configured correctly, then a Web page with a login form for the Web site appears.

  2. Log in with the user ID and the password for the test user you created.

    Enter TESTUSER, or the user ID you created, and TESTPW, or the password you created.

    If the authentication system has been configured correctly, then you gain access to the Web site.

  3. On a Web browser, enter the URL to your Siebel application, for example:

    http://www.example.com/eservice

    Alternatively, if you provide a link on the Web site, click it.

    If the authentication system has been configured correctly, then you gain access to the Siebel application as a registered user without having to log in.
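The manual test above confirms the user's path through the site; the script below is an added example (not Oracle's code and not part of this guide) that checks the other half of the setup, namely that IIS enforces the intended authentication mode on each virtual directory. For an unauthenticated GET, the protected virtual directory (p_eservice in this chapter) should answer 401 with a Negotiate or NTLM challenge, while the anonymous-browsing directory (eservice_enu) should serve content without a challenge. The directory names and host are taken from this chapter; the recorded responses in SAMPLE_RESPONSES are constructed for offline use, and probe() issues the real request when run against a live server.

```python
"""Verify that Siebel virtual directories on IIS enforce the intended
authentication mode.  Added example, not Oracle's code; the sample
responses are constructed, not captured from a real server."""
import sys
import urllib.error
import urllib.request

# Challenge schemes that IIS sends for Windows (Integrated) Authentication.
WINDOWS_AUTH_SCHEMES = {"NEGOTIATE", "NTLM"}

# Constructed stand-ins for IIS replies to an unauthenticated GET:
# virtual directory -> (expect_protected, HTTP status, WWW-Authenticate value).
SAMPLE_RESPONSES = {
    "eservice_enu": (False, 200, ""),
    "p_eservice": (True, 401, "Negotiate, NTLM"),
}


def auth_schemes(www_authenticate):
    """Return the upper-cased scheme names from a WWW-Authenticate value
    (one header with comma-separated challenges or several headers joined)."""
    return {part.strip().split()[0].upper()
            for part in www_authenticate.split(",") if part.strip()}


def classify(expect_protected, status, www_authenticate=""):
    """Return 'ok' when the response matches the directory's intended mode,
    otherwise a short description of the misconfiguration."""
    schemes = auth_schemes(www_authenticate)
    if expect_protected:
        if status == 401 and schemes & WINDOWS_AUTH_SCHEMES:
            return "ok"
        if status == 401 and not schemes:
            return "returns 401 without a WWW-Authenticate challenge"
        if status == 401:
            return "challenges with %s instead of Windows Authentication" % ", ".join(sorted(schemes))
        return "anonymous access is allowed (expected a 401 challenge)"
    if status == 401:
        return "anonymous browsing is blocked (unexpected 401 challenge)"
    if status == 200:
        return "ok"
    return f"unexpected status {status}"


def check_captured(responses):
    """Classify pre-recorded responses, keyed by virtual directory name."""
    return {vdir: classify(protected, status, header)
            for vdir, (protected, status, header) in responses.items()}


def probe(url, expect_protected, timeout=10):
    """Issue one unauthenticated GET against a live server and classify it.
    Redirects are followed, so a login-page redirect on the anonymous
    directory still counts as served content."""
    request = urllib.request.Request(url, headers={"User-Agent": "web-sso-check"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return classify(expect_protected, response.status, "")
    except urllib.error.HTTPError as err:
        challenges = ", ".join(err.headers.get_all("WWW-Authenticate") or [])
        return classify(expect_protected, err.code, challenges)


def check_site(base_url, anonymous_vdir="eservice_enu", protected_vdir="p_eservice"):
    """Probe both virtual directories of one Siebel application."""
    return {
        anonymous_vdir: probe(f"{base_url}/{anonymous_vdir}/", False),
        protected_vdir: probe(f"{base_url}/{protected_vdir}/", True),
    }


if __name__ == "__main__":
    # With no argument, evaluate the constructed responses; with a base URL
    # such as http://www.example.com, probe the live virtual directories.
    results = check_site(sys.argv[1].rstrip("/")) if len(sys.argv) > 1 else check_captured(SAMPLE_RESPONSES)
    for vdir, verdict in results.items():
        print(f"{vdir}: {verdict}")
```

A 401 with a Negotiate or NTLM challenge on the protected directory, together with a 200 on the anonymous one, is the expected pair; any other combination points at the Authentication settings described in "(Optional) Creating Protected Virtual Directories" or at a missing ProtectedVirtualDirectory entry in eapps.cfg.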