Note: Only Web client contacts can log into the MassTransit web server using their Active Directory login credentials.
Single Sign-On (SSO) is a feature that allows Active Directory users connected to an Active Directory-enabled MassTransit HP Server to authenticate to the MassTransit MTWeb interface without typing a username and password.
Due to security considerations, modern web browsers will not automatically provide authentication information to web sites unless they are part of your local intranet or explicitly defined within the browser’s configuration parameters. This ensures that authentication information is not sent to a malicious web site inadvertently, which could compromise organizational security.
These next sections will assist you in configuring various browsers to use the single sign-on feature with your SSO-enabled MassTransit HP MTWeb instance.
Before configuring your web browsers, make sure the following requirements are met:
The client machine must be bound to Active Directory in order for this feature to function properly;
The current logged-in user must have a valid Active Directory account, and this account must be associated with a contact within MassTransit;
For Mac OS X, Kerberos must be properly configured and a valid ticket granting ticket (TGT) must be active for the logged-in user;
If any of the following conditions is present on the client machine:
the client machine is not presently bound
is accessing from a remote location where authentication to the Active Directory infrastructure is not possible
if the connecting user has a valid MassTransit account that is not associated with Active Directory, then MTWeb users will be presented with a NTLM authentication dialog on Microsoft Windows and Mac OS X. Users in these circumstances can "fall back" to the legacy MTWeb login page by dismissing the dialog by clicking the Cancel button, or pressing Escape. Due to the way these NTLM authentication dialogs work, they will not accept login names for MassTransit contacts that are not associated with Active Directory. Instead you must use the "fall back" feature and login from the legacy MTWeb login page.
NTLM Dialog:
Apple Safari on Mac OS X does not directly support this ability to "fall back" and therefore, in order to use the standard MTWeb login page, the user must append index.php to the MTWeb address, which then bypasses the single sign-on component.
Firefox allows you to define "trusted" sites using hostnames, IP addresses or combinations - including wildcards - that authentication data should be automatically passed to. These steps apply for Firefox versions 3 or later on both Microsoft Windows and Mac OS X.
Defining trusted sites:
Launch Firefox.
In the Address Bar, enter about:config and then press Enter. In the warning message that appears, click the I'll be careful, I promise! button. A very long list of configuration parameters for Firefox will be displayed.
Using the Filter textbox, type network.negotate. Five (5) options will be returned.
Double click on the network.negotiate-auth.trusted-uris option:
In the resulting dialog, enter the hostname or IP address of the SSO-enabled MTWeb host. Acceptable inputs are as follows:
IP address (i.e. 10.10.20.80)
Hostname (i.e., masstransit.company.com)
Wildcards (i.e., .company.com or 10.10.20.*)
Separate multiple entries with a comma (i.e., masstransit1.company.com,10.10.20.80)
Once entered, click OK.
Restart Firefox.
Single sign-on configuration for Firefox is now complete. You may test the functionality by visiting your MTWeb installation when bound to Active Directory and authenticated as a user associated with a MassTransit contact. If working properly, Firefox will not prompt you to login. Instead, you will be automatically navigated to the MassTransit File Transfer page. Your Active Directory login, in the form of DOMAIN\USERNAME, will appear in the upper-left-hand corner of the MTWeb interface.
Configuring Internet Explorer
Internet Explorer, by default, will automatically provide authentication credentials to sites defined as being part of the Local Intranet. Internet Explorer contains logic that automatically attempts to identify sites on the intranet network. However, due to network layouts and other factors, this may not always work reliably. Therefore, we need to instruct Internet Explorer to consider your MTWeb installation as part of the Local Intranet zone.
Instructing Internet Explorer to consider your MTWeb installation as part of the Local Intranet zone
Launch Internet Explorer.
From the Tools menu, click Internet Options.
Click the Security tab. Then, click Local intranet.
Click the Sites button.
In the Local intranet dialog, click the Advanced button. In the resulting dialog, add the URLs for your SSO-enabled MTWeb installation. You should provide both the DNS hostname and the IP address for the server. Uncheck the Require server verification (https:) for all sites in this zone check box.
Click Close.
Verify that Internet Explorer's options have not deviated from the default by clicking Custom level… on the Security tab.
Scroll to the bottom of the Settings list. Under User Authentication section, ensure that the radio button for Automatic logon only in Intranet zone is selected. Optionally, you can reset IE to the zone defaults, which are Medium-low.
Click OK. Then click OK in Internet Options to apply your changes.
Restart Internet Explorer.
Single sign-on configuration for Internet Explorer is now complete. You may test the functionality by visiting your MTWeb installation when bound to Active Directory and authenticated as a user associated with a MassTransit contact. If working properly, Internet Explorer will not prompt you to login. Instead, you will be automatically navigated to the MassTransit File Transfer page. Your Active Directory login, in the form of USERNAME, will appear in the upper-left-hand corner of the MTWeb interface.
Configuring Apple Safari
Safari supports single sign-on out of the box, and requires no configuration to use this feature. Safari relies on Mac OS X's support for the MIT Kerberos standard for authentication to connect to single sign-on-enabled services. Active Directory uses Kerberos version 5 for authentication by default.
The Mac OS X machine needs to be bound to the Active Directory domain to allow for single sign-on to be used. This feature works with the built-in Active Directory plug-in and optional third party software, such as ADmit Mac from Thursby Software.
When logging in with an Active Directory user account, Mac OS X will be assigned a Kerberos ticket that dictates the services the user is allowed to use. Safari uses this ticket to connect to the SSO-enabled MTWeb server.
You may test the functionality by visiting your MTWeb installation when bound to Active Directory and authenticated as a user associated with a MassTransit contact. If working properly, Safari will not prompt you to login. Instead, you will be automatically navigated to the MassTransit File Transfer page. Your Active Directory login, in the form of DOMAIN\USERNAME, will appear in the upper-left-hand corner of the MTWeb interface.
Configuring Other Browsers
Other browsers may work, but have not been tested and may not provide the higher levels of security when using SSO. It is recommended that you use the browsers mentioned in this document when accessing your SSO-enabled MTWeb instance.
