9.10 Configuring Single Sign-On with Internet Information Services for Windows

Like Novell Access Manager, Windows Authentication provides Windows users with a single sign-on experience, enabling users to automatically authenticate to Novell Vibe after they log in to their individual workstations. Internet Information Services (IIS) provides this capability.

Before you implement Windows Authentication, consider the following limitations:

After you configure the Vibe server to support Windows Authentication, complete the planning process for additional Advanced installation features as needed, then perform the Advanced installation as described in Section 10.0, Performing an Advanced Vibe Installation.

9.10.1 System Requirements

Windows Authentication with IIS can be enabled for Vibe only in the following environments:

Server

  • Windows 2008 Server

  • Windows 2008 R2 Server

IIS

  • IIS 7 with IIS Manager with CGI and ISAPI components

  • IIS 7.5 with IIS Manager with CGI and ISAPI components

Authentication Protocol

One of the following authentication protocols:

  • NTLM

  • Kerberos v5

  • Negotiate/SPNEGO (wrapper for NTLM and Kerberos v5)

Domain Controller

Client

One of the following clients:

  • Windows 7

  • Windows XP

Browser

One of the following browsers, configured to support Windows Authentication:

  • Internet Explorer

  • Firefox

For information on how to configure your browser to support Windows Authentication, see Section 9.10.5, Configuring Your Browser to Allow Access to the Vibe Site.

9.10.2 Planning Your IIS Installation and Configuration

Use the information in the following table as you consider your IIS installation.

Directory: The default installation directory for the IIS plug-in is C:\Program Files\Novell. This is the recommended directory. If for some reason you choose to install the IIS plug-in in a directory other than the C:\Program Files\Novell directory, then you need to modify the isapi_redirect.properties files, as described in Installing the Vibe IIS Plug-In.

External or Local Server: You can install the IIS plug-in on the same server where you are running Vibe, or you can install it on an external server. Installing IIS on an external server can have several benefits, such as:

  • Performance improvement

  • Ability to integrate with several Vibe servers in a clustered environment

  • Ability to run Vibe from a non-Windows server

If you are running IIS from an external server, then you need to edit the C:\Program Files\Novell\Vibe IIS Plugin\conf\workers.properties file, as described in Installing the Vibe IIS Plug-In.

64-bit/32-bit: You can install the IIS plug-in on a 64-bit or 32-bit operating system. However, Vibe should run on a 64-bit operating system, so if you install IIS on a 32-bit operating system, you should use an external server.

HTTP Ports: Regardless of whether IIS and Vibe are located on the same server or separate servers, the HTTP port and secure HTTP port for Vibe should always be 80 and 443. This ensures that when links are generated, they contain the correct hostname and port number.

These are the ports that Vibe uses to refer to the browser. In a very basic Vibe system (single server without Windows Authentication), the HTTP ports can be the same as the listen ports. However, in a Vibe system with Windows Authentication enabled, the HTTP ports correspond with the ports that the IIS server is configured to use.

Listen Ports: If you plan to run IIS on the same server as the Vibe server, you need to set the listen port and secure listen port for Vibe to something other than 80 and 443.

By default, Vibe listens on ports 80 and 443. Because IIS also uses these ports to listen on, you must reconfigure the Vibe listen ports to ports that are not currently in use, such as 8080 for the listen port and 8443 for the secure listen port.

You configure Vibe ports during the Vibe installation, as described in Section 10.0, Performing an Advanced Vibe Installation.

ADVANCED VIBE INSTALLATION SUMMARY SHEET

Under Network Information, specify the HTTP ports and listen ports.

Under Integration with IIS for Windows Authentication, select Enable Integration with IIS for Windows Authentication, then list the logout URL.

9.10.3 Configuring the Vibe Server to Support Windows Authentication

To configure the Vibe server to support Windows Authentication, you must first configure IIS. You can set up IIS on the same server where Vibe is running, or on a separate server. See Section 9.10.2, Planning Your IIS Installation and Configuration for more information.

Complete the following sections to ensure that IIS is configured correctly to work with Vibe.

Installing the Vibe IIS Plug-In

  1. Locate the teaming-version-iis-plugin.zip file from the Vibe distribution, then unzip it into the C:\Program Files\Novell directory.

    This creates a directory called Vibe IIS Plugin.

  2. If in Step 1 you chose to unzip the teaming-version-iis-plugin.zip file into the C:\Program Files\Novell directory, continue with Step 3.

    or

    If in Step 1 you chose to unzip the teaming-version-iis-plugin.zip file into a location other than C:\Program Files\Novell, you must complete the following steps:

    1. Locate the isapi_redirect.properties file in each of the following directories:

      • Vibe IIS Plugin\resources1\bin

      • Vibe IIS Plugin\resources2\bin

    2. In each of the directories, open the isapi_redirect.properties file in a text editor.

    3. Adjust the values of the log_file, worker_file, and worker_mount_file properties to reflect the directory where you chose to unzip the teaming-version-iis-plugin.zip file.

    4. Save your changes and close both of the isapi_redirect.properties files.

  3. If IIS and the Vibe server are located on the same server, continue with Step 4.

    or

    If IIS and the Vibe server are located on separate servers, complete the following steps:

    1. Locate the C:\Program Files\Novell\Vibe IIS Plugin\conf\workers.properties file.

    2. Open the workers.properties file in a text editor.

    3. Adjust the value of the worker.worker1.host property from localhost to the hostname or IP address of the Vibe server.

    4. Save your changes and close the editor.

  4. (Conditional) If you are running IIS on a 64-bit server, complete the following steps:

    1. Locate the C:\Program Files\Novell\Vibe IIS Plugin\library\win64 directory.

    2. Copy the appropriate version of the .dll library and paste it into each of the following directories:

      • C:\Program Files\Novell\Vibe IIS Plugin\resources1\bin

      • C:\Program Files\Novell\Vibe IIS Plugin\resources2\bin

      Ensure that you copy the correct version of the .dll library. If you copy the incorrect version, you receive a 500 error when you try to access the Vibe site.

    3. Delete the existing isapi_redirect.dll files from the C:\Program Files\Novell\Vibe IIS Plugin\resources1\bin directory, as well as from the C:\Program Files\Novell\Vibe IIS Plugin\resources2\bin directory.

    4. Rename the .dll library files that you copied in Step 4.b to isapi_redirect.dll.

      For example, if Vibe is running on an AMD64/EM64T platform, copy C:\Program Files\Novell\Vibe IIS Plugin\library\win64\amd64\isapi_redirect-version.dll into the C:\Program Files\Novell\Vibe IIS Plugin\resources1\bin and C:\Program Files\Novell\Vibe IIS Plugin\resources2\bin directories, then delete the original isapi_redirect.dll file and rename isapi_redirect-version.dll to isapi_redirect.dll.

Installing IIS Manager

If Internet Information Services (IIS) Manager is not already installed on your server, you need to download and install it. You also need to install the CGI and ISAPI components.

  1. Install the IIS 7 Administration Pack:

    1. Navigate to Microsoft IIS Download Site.

    2. Click the Manage tab.

    3. Under Administration Pack, click Install.

    4. (Conditional) If you have not yet installed the Microsoft Web Platform, click Get the Microsoft Web Platform to download the .exe file, install the Microsoft Web Platform, then click Finish your installation.

      The Launch Application dialog box is displayed.

    5. Select Web Platform Installer, then click OK.

      The Web Platform Installer 2.0 dialog box is displayed.

    6. Click Install to install the Administration Pack, then accept the terms of the license agreement.

  2. Install the ISAPI and CGI components:

    1. Launch the Web Platform Installer.

    2. From the Web Platform Installer, select Web Platform.

    3. Under Web Server, click Customize.

    4. In the Application Development section, select CGI, ISAPI Extensions, and ISAPI Filters.

    5. Click Install, then accept the terms of the license agreement.

    6. Click Finish after the components have been installed successfully.

Installing Windows Authentication Role Service

If the Windows Authentication Role Service is not already installed, you need to install it.

  1. On the Windows 2008 server, click Start > Administrative Tools > Server Manager.

  2. Expand Roles, then right-click Web Server (IIS).

  3. Click Add Role Services.

    The Add Role Services window is displayed.

  4. Scroll to the Security section, then select Windows Authentication.

  5. Click Next, then complete the installation.

Creating and Managing Vibe Resources with IIS Manager

  1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.

  2. In the Connections pane on the left side of the window, expand your server, then expand Sites.

  3. Right-click Default Web Site, then click Add Virtual Directory.

    The Add Virtual Directory dialog box is displayed.

  4. In the dialog box, specify the following information:

    Alias: VibeResources1.

    Physical path: C:\Program Files\Novell\Vibe IIS Plugin\resources1\bin.

  5. Click OK.

  6. Repeat Step 3 through Step 5 to add another virtual directory.

    This time, specify the following information in the Add Virtual Directory dialog box:

    Alias: VibeResources2

    Physical path: C:\Program Files\Novell\Vibe IIS Plugin\resources2\bin

  7. In the Connections panel, select VibeResources1, then double-click Handler Mappings.

  8. In the Actions pane, click Edit Feature Permissions.

    The Edit Feature Permissions dialog box is displayed.

  9. Select Execute, then click OK.

  10. Repeat Step 7 through Step 9 for the VibeResources2 virtual directory.

  11. In the Connections pane, select Default Web Site, then double-click ISAPI Filters.

  12. In the Actions panel, click Add.

    The Add ISAPI Filter dialog box is displayed.

  13. In the dialog box, specify the following information:

    Filter name: VibeResources1.

    You must name the filter VibeResources1 for Windows Authentication to work successfully.

    Executable: C:\Program Files\Novell\Vibe IIS Plugin\resources1\bin\isapi_redirect.dll.

  14. Click OK.

  15. Repeat Step 12 through Step 14 to add another ISAPI filter.

    This time, specify the following information in the Add ISAPI Filter dialog box:

    Filter name: VibeResources2.

    You must name the filter VibeResources2 for Windows Authentication to work successfully.

    Executable: C:\Program Files\Novell\Vibe IIS Plugin\resources2\bin\isapi_redirect.dll.

  16. In the Connections pane, select the server, then double-click ISAPI and CGI Restrictions.

  17. In the Actions pane, click Add.

    The Add ISAPI or CGI Restriction dialog box is displayed.

  18. In the dialog box, specify the following information:

    ISAPI or CGI path: Specify C:\Program Files\Novell\Vibe IIS Plugin\resources1\bin\isapi_redirect.dll.

    Description: VibeResources1.

    Allow extension path to execute: Select this option to allow the path to execute.

  19. In the Actions pane, click Add.

    The Add ISAPI or CGI Restriction dialog box is displayed.

  20. In the dialog box, specify the following information:

    ISAPI or CGI path: Specify C:\Program Files\Novell\Vibe IIS Plugin\resources2\bin\isapi_redirect.dll.

    Description: VibeResources2.

    Allow extension path to execute: Select this option to allow the path to execute.

  21. In the Connections pane, select VibeResources1, then double-click Authentication.

  22. Select Anonymous Authentication, then click Disable in the Actions panel.

  23. Select Windows Authentication, then click Enable in the Actions panel.

  24. Exit the Internet Information Services Manager.

  25. Perform the Advanced installation as described in Section 10.0, Performing an Advanced Vibe Installation.

9.10.4 Running the Vibe Installation Program

See Choosing Windows Authentication for information about how to configure the Vibe installation program to support Windows Authentication, then follow the instructions for the advanced installation as described in Section 10.0, Performing an Advanced Vibe Installation. Return here and continue with additional configuration steps.

9.10.5 Configuring Your Browser to Allow Access to the Vibe Site

After Windows Authentication has been enabled on the server, you need to configure the client browser to allow access to the Vibe site.

Internet Explorer

  1. In an Internet Explorer window, click Tools > Internet Options.

    The Internet Options dialog box is displayed.

  2. Click the Security tab, select Local intranet, then click Sites.

    The Local Intranet dialog box is displayed.

  3. Click Advanced.

  4. In the Add this website to the zone field, specify the Vibe Web site.

  5. Click Add > Close.

Firefox

  1. In Firefox, specify about:config in the URL field.

  2. Specify ntlm in the Filter window, then locate and select the network.automatic-ntlm-auth.trusted-uris entry.

    The Enter String Value dialog box is displayed.

  3. Specify the DNS name of your Vibe site, then click OK.

    For example, vibe.mycompany.com.

  4. Repeat Step 2 through Step 3 for network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris.

9.10.6 Bypassing Windows Authentication to Configure LDAP and Perform Other Tasks

After Windows Authentication is working on your Vibe server, you can bypass the Windows Authentication functionality by including the Vibe listening port in the Vibe URL.

You need to do this in order to configure your LDAP directory.

  1. In a Web browser, specify your Vibe URL with the Vibe listening port.

    For example, http://vibe:8080.

    The Vibe login page is displayed.

  2. Log in to the Vibe site as the Vibe administrator.

  3. Configure LDAP, as described in Section 5.3, Adding Vibe Users from Your LDAP Directory.

You might also need to bypass Windows Authentication to access Vibe for the following reasons:

  • To access a specific Vibe node in a clustered environment.

  • To troubleshoot the Vibe system.

9.10.7 Logging In to the Vibe Site through Windows Authentication

After you have performed the configuration steps described in Section 9.10.3, Configuring the Vibe Server to Support Windows Authentication through Section 9.10.5, Configuring Your Browser to Allow Access to the Vibe Site, users can access the Vibe site through Windows Authentication. Users who have been configured through LDAP and are already logged in to their individual workstations do not need to log in again to access the Vibe site. Users who are not already logged in before they access Vibe see the following dialog box:

9.10.8 Editing Files through WebDAV with Windows Authentication

Achieving Single Sign-On When Editing Files through WebDAV

By default, when you edit a file in Vibe through WebDAV, you are prompted for your system login credentials before you can edit the file. However, when Windows Authentication is enabled on your Vibe server, you are no longer prompted for your system login credentials before you edit a file through WebDAV.

This functionality is supported only when you use Microsoft Office as your default document editor. When you use OpenOffice 3.1 or later as your default document editor, Vibe allows you to edit files through WebDAV, but it still requires you to enter your system login credentials. The single sign-on experience is only available when you use Microsoft Office.

Enabling Basic Authentication for WebDAV

If you are using OpenOffice 3.0 or earlier, or any other document editor that requires basic authentication (it does not support Windows Authentication), you need to configure your IIS server to support basic authentication. Supporting basic authentication enables Vibe users to edit files through WebDAV when using a document editor other than Microsoft Office or OpenOffice 3.1 or later.

NOTE:If you enable basic authentication on your IIS server, all users who access the Vibe site through Firefox are prompted for their login credentials. Single sign-on to the Vibe server no longer functions. However, users who access the Vibe site using Internet Explorer retain the single sign-on experience.

To enable basic authentication on your IIS server, you need to install the Basic Authentication Role Service.

  1. On the Windows 2008 server, click Start > Administrative Tools > Server Manager.

  2. Expand Roles, then right-click Web Server (IIS).

  3. Click Add Role Services.

    The Add Role Services window is displayed.

  4. Scroll to the Security section, then select Basic Authentication.

  5. Click Next, then complete the installation.

  6. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.

  7. In the Connections pane on the left side of the window, expand your server, expand Sites, then expand Default Web Site.

  8. Select VibeResources1, then double-click Authentication.

  9. Select Basic Authentication, then click Enable in the Actions panel.

  10. Close the Internet Information Services (IIS) Manager.

9.10.9 Configuring IIS to Allow Uploading of Large Files to the Vibe Site

By default, IIS might not allow you to upload large files to the Vibe site. This is caused by timeout restrictions as well as maximum upload size restrictions.

For information about how to configure IIS to allow you to upload large files, see article 925083 in the Microsoft Support Knowledgebase.

9.10.10 Configuring IIS to Load Balance in a Clustered Environment

If you have Vibe installed in a clustered environment where there are multiple Vibe nodes, you can configure IIS to balance the load of user requests from the multiple Vibe nodes, while still supporting Windows Authentication.

  1. On the IIS server, locate the C:\Program Files\Novell\Vibe IIS Plugin\conf\workers.properties.clustered.template file, then open the file in a text editor.

  2. Copy the contents of the file.

  3. Locate the C:\Program Files\Novell\Vibe IIS Plugin\conf\workers.properties file, then open the file in a text editor.

  4. Paste the contents of the C:\Program Files\Novell\Vibe IIS Plugin\conf\workers.properties.clustered.template that you copied in Step 2 and into the C:\Program Files\Novell\Vibe IIS Plugin\conf\workers.properties file, overwriting the content that was previously there.

  5. Replace the value of worker.worker1.host from first_hostname_or_ip with the hostname or IP address of your first Vibe node.

  6. Repeat Step 5 for each additional Vibe node that is running in your environment. If you have more than two Vibe nodes, you should add an additional section to the workers.properties file for each additional node.

    The values that you specify in the workers.properties file (for example, worker1, worker2, etc.) must exactly match the values that you specify as the JVM Route setting during the Vibe installation, as described in Section 15.2, Installing the Vibe Software on Multiple Servers.

  7. Locate the C:\Program Files\Novell\Vibe IIS Plugin\resources1\conf\uriworkermap.properties file, then open the file in a text editor.

  8. Replace all instances of worker1 with balancer.

  9. Repeat Step 7 and Step 8 for each Vibe node.

  10. Locate the C:\Program Files\Novell\Vibe IIS Plugin\resources2\conf\uriworkermap.properties file, then open the file in a text editor.

  11. Replace all instances of worker1 with balancer.

  12. Repeat Step 10 and Step 11 for each Vibe node.

  13. Restart each Vibe node.

  14. Restart the IIS server:

    1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.

    2. Select your server in the Connections panel, then click Restart in the Actions panel.