Secure Global Desktop 4.40 Administration Guide > Users and Authentication > Windows Domain Authentication
Windows domain authentication allows users to log in to SGD if they belong to a specified Windows 2000 or Windows 2003 Server domain.
Windows domain authentication is disabled by default.
This page includes the following topics:
At the SGD login screen, the user types either a common name (for example Indigo Jones
), a user name (for example indigo
), or an email address (for example indigo@indigo-insurance.com
) and a password.
SGD searches the local repository for a user profile with a Name attribute that matches the user name typed by the user. If there is no match, the search is repeated on the Login Name attribute, and finally on the Email Address attribute.
If a user profile is found, the Login Name attribute of the user profile is treated as the Windows domain user name. If no user profile is found, the name the user typed is used as the Windows domain user name. SGD then checks the Windows domain user name and the password typed by the user against the domain controller.
If the authentication fails, the next authentication mechanism is tried.
If the authentication succeeds and the Login attribute for the user profile is not enabled, the user is not logged in and no further authentication mechanisms are tried.
If the authentication succeeds and either the Login attribute for the user profile is enabled or no matching user profile is found, the user is logged in.
If a user profile was found in the local repository, that object is used for the user identity and user profile.
In the SGD Administration Console, the user identity is displayed as user-profile (Local)
.
On the command line, the user identity is displayed as .../_ens/user-profile
.
If no user profile was found in the local repository, the user identity is the Windows domain user name. The profile object System Objects/NT User Profile
is used for the user profile. In the SGD Administration Console, the user identity is displayed as NT-username (NT)
. On the command line, the user identity is displayed as .../_service/sco/tta/ntauth/NT-username
.
Application sessions and password cache entries belong to the Windows domain user.
On the Global Settings » Secure Global Desktop Authentication tab, click the Change Secure Global Desktop Authentication button.
Use the Next and Previous buttons to move between the steps of the Wizard.
Windows domain authentication supports 8-bit case-sensitive passwords. The user name can contain any characters.
If you need to authenticate users from more than one domain, you must have one domain that is trusted by all the other domains. You must use the trusted domain as the Windows domain controller when you configure Windows doamin authentication.
When a user from another domain logs in to SGD, they must use
the format domain\username
for their username. If they do not use this format, SGD
tries to authenticate the user using the authentication domain and fails.
Note The Windows NT domain (--ntdomain
) attribute for user profiles plays no part in the SGD login.
If the Secure Global Desktop server is on a different subnet to the domain controller, you must hard code the authentication machine as follows:
Use the following commands:
$ tarantella config edit \ --com.sco.tta.server.login.ntauth.NTAuthService.properties-authConfig authnbt=NTNAME $ tarantella config edit \ --com.sco.tta.server.login.ntauth.NTAuthService.properties-authConfig-append authserver=my.domain.name
NTNAME is the NetBIOS name of the domain controller and my.domain.name is the DNS name or IP address of the domain controller.
Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.