
Windows Domain Authentication

Windows domain authentication allows users to log in to SGD if they belong to a specified Windows 2000 or Windows 2003 Server domain.

Windows domain authentication is disabled by default.

How Windows Domain Authentication Works

At the SGD login screen, the user types either a common name (for example Indigo Jones), a user name (for example indigo), or an email address (for example indigo@indigo-insurance.com) and a password.

SGD searches the local repository for a user profile with a Name attribute that matches the user name typed by the user. If there is no match, the search is repeated on the Login Name attribute, and finally on the Email Address attribute.

If a user profile is found, the Login Name attribute of the user profile is treated as the Windows domain user name. If no user profile is found, the name the user typed is used as the Windows domain user name. SGD then checks the Windows domain user name and the password typed by the user against the domain controller.

If the authentication fails, the next authentication mechanism is tried.

If the authentication succeeds and the Login attribute for the user profile is not enabled, the user is not logged in and no further authentication mechanisms are tried.

If the authentication succeeds and either the Login attribute for the user profile is enabled or no matching user profile is found, the user is logged in.

User Identity and User Profile

If a user profile was found in the local repository, that object is used for the user identity and user profile. In the SGD Administration Console, the user identity is displayed as user-profile (Local). On the command line, the user identity is displayed as .../_ens/user-profile.

If no user profile was found in the local repository, the user identity is the Windows domain user name. The profile object System Objects/NT User Profile is used for the user profile. In the SGD Administration Console, the user identity is displayed as NT-username (NT). On the command line, the user identity is displayed as .../_service/sco/tta/ntauth/NT-username.
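As an added illustration, not SGD's own code, the following Python models the profile lookup order and the login decision described in the two sections above. The repository contents, the domain-controller check and the identity tuples it returns are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class UserProfile:
    name: str            # Name attribute (common name, e.g. "Indigo Jones")
    login_name: str      # Login Name attribute; used as the Windows domain user name
    email: str           # Email Address attribute
    login_enabled: bool  # Login attribute


# Search order used by SGD: Name, then Login Name, then Email Address.
SEARCH_ORDER = ("name", "login_name", "email")


def find_profile(repo: List[UserProfile], typed: str) -> Optional[UserProfile]:
    """Return the first profile whose attributes match, in SGD's search order."""
    for attr in SEARCH_ORDER:
        for profile in repo:
            if getattr(profile, attr) == typed:
                return profile
    return None


def windows_domain_auth(repo, typed_name, password, dc_check: Callable[[str, str], bool]):
    """Return (outcome, identity); outcome is 'logged_in', 'rejected' or 'next_mechanism'."""
    profile = find_profile(repo, typed_name)
    # Login Name of a matching profile is the domain user name; otherwise the typed name.
    domain_user = profile.login_name if profile else typed_name
    if not dc_check(domain_user, password):
        return "next_mechanism", None        # SGD tries the next authentication mechanism
    if profile is not None and not profile.login_enabled:
        return "rejected", None              # authenticated, but Login attribute disabled
    if profile is not None:
        return "logged_in", ("Local", profile.login_name)   # shown as user-profile (Local)
    return "logged_in", ("NT", domain_user)  # shown as NT-username (NT), NT User Profile


# Constructed sample repository and a stand-in for the domain controller check.
REPO = [
    UserProfile("Indigo Jones", "indigo", "indigo@indigo-insurance.com", True),
    UserProfile("Violet Brown", "violet", "violet@indigo-insurance.com", False),
]
DC_ACCOUNTS = {"indigo": "s3cret", "violet": "pa55", "orange": "abc"}  # constructed


def fake_dc_check(user: str, password: str) -> bool:
    return DC_ACCOUNTS.get(user) == password  # 8-bit, case-sensitive comparison
```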

Application Sessions and Password Cache Entries

Application sessions and password cache entries belong to the Windows domain user.

Enabling Windows Domain Authentication

  1. In the SGD Administration Console, display the Secure Global Desktop Authentication Configuration Wizard.

    On the Global Settings » Secure Global Desktop Authentication tab, click the Change Secure Global Desktop Authentication button.

    Use the Next and Previous buttons to move between the steps of the Wizard.

  2. On the Third-Party/System Authentication step, ensure the System Authentication check box is selected.
  3. On the System Authentication - Repositories step, select the Windows Domain Controller check box.
  4. On the Windows Domain Authentication - Domain Controller step, type the name of a domain controller in the Windows Domain field.
  5. On the Review Selections step, check your authentication configuration and click Finish.

Windows Domain User Names and Passwords

Windows domain authentication supports 8-bit case-sensitive passwords. The user name can contain any characters.

Authenticating Users From More Than One Domain

If you need to authenticate users from more than one domain, you must have one domain that is trusted by all the other domains. You must use the trusted domain as the Windows domain controller when you configure Windows domain authentication.

When a user from another domain logs in to SGD, they must use the format domain\username for their user name. If they do not use this format, SGD tries to authenticate the user against the authentication domain and fails.

Note: The Windows NT domain (--ntdomain) attribute for user profiles plays no part in the SGD login.

Windows Domain Authentication and Subnets

If the Secure Global Desktop server is on a different subnet from the domain controller, you must hard-code the authentication machine as follows:

  1. Log in as superuser (root).
  2. Stop the SGD server.
  3. Configure the authentication machine.

    Use the following commands:

    $ tarantella config edit \
      --com.sco.tta.server.login.ntauth.NTAuthService.properties-authConfig authnbt=NTNAME

    $ tarantella config edit \
      --com.sco.tta.server.login.ntauth.NTAuthService.properties-authConfig-append authserver=my.domain.name

    NTNAME is the NetBIOS name of the domain controller and my.domain.name is the DNS name or IP address of the domain controller.

  4. Start the SGD server.