This article describes how to configure Active Directory authentication for HEAT License Manager. Configuring Active Directory Single Sign On (SSO) allows automatic login into Heat License Manager for specified users.
- Active Directory has to be configured and users need to be able to log into Windows
- IIS has to allow Windows Authentication
- Log on to your Spider LCM/Heat LM installation with an administrative account and go to System (1) > Active directory (2)
- Then click New and fill out the form:
Login context: <NETBIOS name of the domain>
Prefix: <Short form of the domain (max. 2 characters)>
Top Level: <Top level of your domain. E.g.: LDAP://mycompany.local/dc=mycompany,dc=local> Always set it to the root domain (2)
User: <AD user with rights to read the active directory>
Password: <Password>
Menu: Menu
Active: Set to active to activate this domain configuration
Authentication only: If ticked only accounts out of the active directory are allowed (2)
Save this configuration and test it by clicking the Test button (3)
If your test is successful you will get the following message:
Otherwise, check your username/password and your Top Level entry
- Change to the Groups tab and click Assign groups (1)
With the Search (2) button all active directory groups for a certain domain user (Domain login) are listed.
Select all groups which should have access to Spider LCM/Heat LM
Then transfer the selected groups by clicking Port
- The ported groups then will appear in the Start tab under assigned groups
- As soon as the groups are listed, roles have to be assigned to them
Do so by clicking the group name
Then change to the Mandators tab and click Add mandator (Information: This also has to be done if only one mandator is available!) and select the appropriate mandator
- Afterwards change to the Roles tab and assign the required roles by selecting them and clicking the green arrow
The same way roles can be removed from active directory groups (though the other way around)
- The configuration on the Spider LCM/Heat LM side is now done
Users will be shown in Spider LCM/Heat LM after they have logged in for the first time
In order to get SSO working the configuration in Spider LCM / Heat LM is not enough. IIS has to be configured accordingly.
- Open the IIS Manager and click Authentication (1)
- Check whether Windows Authentication is available
If yes proceed to 4.
- To add the Windows Authentication feature, go to Server Manager > Manage > Add Roles and Features and choose the Windows Authentication feature as shown in the picture below:
Click Next and then Install
Information: Wait until the installation has completely finished before making any further changes in the IIS Manager, and restart the IIS service after the installation
Authentication can be set on the application level only and does not need to be set on top level
If after these steps the AD login doesn't work please check the following:
- Within the IIS Manager check the authentication again on IIS > Default Website > Spider|Heat LM
Sometimes it is not possible to enable Windows Authentication.
To solve this problem, open the security settings of the folder C:\Program Files (x86)\Heat License Manager\CoreServer_00\Web\_Settings and give full rights to the IUSR user. After a successful change of the configuration, this right can be removed again.
- Enable Active Directory Debug Information
Go to SYSTEM > Configuration and filter for application Spider Core (1) and AreaSearch ActiveDirectory (2)
Then set the value for DebugInformation to True
You will then get more information on the problem logging into Active Directory
- Delete your created AD connection completely and recreate it including the groups and role settings
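The IIS-side state described above (Windows Authentication feature installed, Windows Authentication enabled on the application, and the temporary IUSR right on the _Settings folder removed again) can be checked from PowerShell on the web server. This is an added example, not part of the original article or the product; the IIS application path "Default Web Site/HeatLM" is an assumed placeholder and must be replaced with the name shown in your IIS Manager.

```powershell
# Added audit sketch, not vendor code. Run in an elevated PowerShell on the IIS server.
param(
    # Assumption: placeholder application path, replace with the one in IIS Manager
    [string]$SiteApp     = 'Default Web Site/HeatLM',
    # Folder path as given in the article
    [string]$SettingsDir = 'C:\Program Files (x86)\Heat License Manager\CoreServer_00\Web\_Settings'
)

Import-Module WebAdministration

# 1. Is the Windows Authentication role service installed? (Windows Server only)
$feature = Get-WindowsFeature -Name Web-Windows-Auth
"Web-Windows-Auth installed: $($feature.Installed)"

# 2. Is Windows Authentication enabled at the application level?
$filter  = 'system.webServer/security/authentication/windowsAuthentication'
$winAuth = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteApp `
                -Filter $filter -Name enabled).Value
"Windows Authentication enabled on '$SiteApp': $winAuth"

# 3. Does IUSR still hold Allow entries on the settings folder?
$iusrAces = (Get-Acl -Path $SettingsDir).Access |
    Where-Object { $_.IdentityReference -like '*\IUSR' -and
                   $_.AccessControlType -eq 'Allow' }

if ($iusrAces) {
    foreach ($ace in $iusrAces) {
        "IUSR ACE: $($ace.FileSystemRights) (inherited: $($ace.IsInherited))"
    }
    Write-Warning "IUSR still has rights on $SettingsDir. Remove them once the configuration change has been saved."
} else {
    "No Allow entries for IUSR on $SettingsDir"
}
```

IUSR is the built-in identity IIS uses for anonymous requests, so a leftover full-rights entry on the settings folder is the item to look for after troubleshooting.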