Windows Authentication/Active DirectoryUsers can be authenticated against your existing Windows system accounts by configuring the jaas.config file to use Windows Authentication.
To configure the Management Server to use Windows Authentication, follow these steps:
- Copy the default jaas.config file to jaas.config.bak so that you have your original configuration if needed
- Copy the jaas.windowsSSPI.config to the jaas.config.
- Alter the adminFilter and userFilter to reflect a regular expression for the groups that are intended to indicate admin or user access.
- Restart the Management Server and log in to the Management Server with a FactFinder Console.
Windows Authentication Example Configuration
/* Windows SSPI Authentication with Group Privileges */
/* Note: to use this file, rename to jaas.config */
/* This variable indicates which Security Support Provider (SSP) to use */
/* http://msdn.microsoft.com/en-us/library/windows/desktop/aa380502(v=vs.85).aspx */
/* bluestripe.securityPackage="Negotiate" */
/* If the SSP is Negotiate, Kerberos, or NTLM, then targetName may be set to the */
/* Service Principal Name (SPN) or the security context of the destination server. */
/* Run the command "setspn.exe -L <target>" to list the SPNs for a target FactFinder Management Server. */
/* bluestripe.targetName="ExampleServicePrincipalName" */
/* These filters are Java Regular Expressions matched against the user's group membership list */
/* Note: the 4 '\' characters separating domain and group are to escape both the Java string and the regex */
/* Uncomment the line below to enable additional logging */
/* debug=true */
Windows Authentication JAAS optionsJAAS options available for use with Windows Authentication:
- — determines which Security Support Provider (SSP) to use. The default is "Negotiate" which will first attempt to use Kerberos, but if unsuccessful will fall back to NTLM.
- — determines which Service Principal Name (SPN) to use to uniquely identify the Management Server to which the user is connecting. This is optional for Negotiate or NTLM, but configuration is required for Kerberos.
- — specifies a regular expression value to examine the user's group list for appropriate matches and grant administrative access to FactFinder. In the examples above, the Group, DOMAIN\FFAdmin, is used.
- — specifies a regular expression value to examine the user's group list for appropriate matches and grant user access to FactFinder. In the examples above, the Group, DOMAIN\FFGuest, is used.
TIP: If you have any issues with your Windows Authentication configuration, the following option can be added to provide additional logging to the FactFinderMS.log file:
Article ID: 3134885 - Last Review: 11 Jan 2016 - Revision: 1