How to: Configure an Active Directory Login for Heat License Manager

Version 1

    Details

    This article describes how to configure Active Directory authentication for HEAT License Manager. Configuring Active Directory Single Sign On (SSO) allows automatic login into Heat License Manager for specified users.


    Resolution

     

    Requirements:

    • Active Directory has to be configured and users need to be able to log into Windows
    • IIS has to allow Windows Authentication

    Configure SSO:

    1. Log on to your Spider LCM/Heat LM installation with an administrative account
      and go to System (1) > Active directory (2)


    2. Then click New and fill out the form:
      Login context         <NETBIOS name of the domain>
      Prefix                <Short form of the domain (max. 2 characters)>
      Top Level             <Top level of your domain, e.g. LDAP://mycompany.local/dc=mycompany,dc=local> Always set it to the root domain (2)
      User                  <AD user with rights to read the Active Directory>
      Password              <Password>
      Menu                  Menu
      Active                Set to active to activate this domain configuration
      Authentication only   If ticked, only accounts from the Active Directory are allowed (2)

      Save this configuration and test it by clicking the Test button (3)

      If your test is successful you will get the following message:

      Otherwise, check your username/password and your Top Level entry

    3. Switch to the Groups tab and click Assign groups (1)
      The Search (2) button lists all Active Directory groups for a certain domain user (Domain login).
      Select all groups that should have access to Spider LCM/Heat LM

      Then transfer the selected groups by clicking Port

    4. The ported groups will then appear in the Start tab under assigned groups


    5. As soon as the groups are listed, roles have to be assigned to them
      Do so by clicking the group name

      Then switch to the Mandators tab, click Add mandator (Information: this also has to be done if only one mandator is available!) and select the appropriate mandator


    6. Afterwards switch to the Roles tab and assign the required roles by selecting them and clicking the green arrow

      Roles can be removed from Active Directory groups the same way (though the other way around)

    7. The configuration on the Spider LCM/Heat LM side is now done

      Information

      Users are shown in Spider LCM/Heat LM after they have logged into it for the first time


    Configure IIS:
     

    In order to get SSO working the configuration in Spider LCM / Heat LM is not enough. IIS has to be configured accordingly.

    1. Open the IIS Manager and click Authentication (1)


    2. Check whether Windows Authentication is available
      If yes, proceed to step 4.


    3. To add the Windows Authentication feature, go to the Server Manager > Manage > Add Roles and Features and choose the Windows Authentication feature as shown in the picture below:

      Click Next and then Install

      Information

      Wait until the installation has completely finished before making any further changes in the IIS Manager, and restart the IIS service after the installation

      You now have a Windows Authentication entry in the Authentication list


    4. Enable Anonymous and Windows Authentication and
      disable Forms Authentication


      Information

      Authentication can be set on the application level only and does not need to be set on top level


    Troubleshooting

    If the AD login doesn't work after these steps, please check the following:

    1. Within the IIS Manager, check the authentication again on IIS > Default Website > Spider|Heat LM
      Sometimes it is not possible to enable Windows Authentication.
      To solve this problem, set the security on the folder C:\Program Files (x86)\Heat License Manager\CoreServer_00\Web\_Settings and give full rights to the IUSR user. After a successful change of the configuration, this right can be removed again

    2. Enable Active Directory Debug Information
      Go to SYSTEM > Configuration and filter for application Spider Core (1) and AreaSearch ActiveDirectory (2)
      Then set the value for DebugInformation to True


      You will then get more information on the problem logging into Active Directory


    3. Delete your created AD connection completely and recreate it including the groups and role settings
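
    The checks below are an added example, not part of the original article or vendor code: a read-only PowerShell script that verifies the authentication settings from IIS step 4 on the application and reports whether the IUSR full-rights entry from troubleshooting step 1 is still present on the _Settings folder. The site name 'Default Web Site' and the application name 'Spider' are assumptions; substitute the names shown in IIS Manager.

```powershell
# Added example, read-only. Assumed names: site 'Default Web Site' and
# application 'Spider' (hypothetical; use the names shown in IIS Manager).
Import-Module WebAdministration

$Site     = 'Default Web Site'
$AppName  = 'Spider'
$AppPath  = "IIS:\Sites\$Site\$AppName"
$Settings = 'C:\Program Files (x86)\Heat License Manager\CoreServer_00\Web\_Settings'

function Get-AttrValue {
    param([string]$Filter, [string]$Name)
    # Effective value at application level (inherited settings included).
    $v = Get-WebConfigurationProperty -PSPath $AppPath -Filter $Filter -Name $Name
    # Boolean attributes come back wrapped in an object with a Value property;
    # enum attributes such as "mode" come back as their name.
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

function Get-IusrFullControl {
    param([string]$Path)
    # Explicit or inherited Allow entries that give IUSR FullControl on the folder.
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.IdentityReference.Value -match '(^|\\)IUSR$' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full
    }
}

$sec = '/system.webServer/security/authentication'
$state = [pscustomobject]@{
    Anonymous  = Get-AttrValue "$sec/anonymousAuthentication" 'enabled'
    Windows    = Get-AttrValue "$sec/windowsAuthentication"   'enabled'
    AspNetMode = Get-AttrValue '/system.web/authentication'   'mode'
}
$state | Format-List

if (-not $state.Windows)   { Write-Warning 'Windows Authentication is not enabled (IIS step 4).' }
if (-not $state.Anonymous) { Write-Warning 'Anonymous Authentication is not enabled (IIS step 4).' }
if ("$($state.AspNetMode)" -eq 'Forms') { Write-Warning 'Forms Authentication is still enabled (IIS step 4).' }

if (Get-IusrFullControl -Path $Settings) {
    Write-Warning "IUSR still has FullControl on $Settings (troubleshooting step 1)."
}
```

    Run it in an elevated PowerShell session on the IIS server; it only reads configuration and ACLs and changes nothing.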