How to configure Windows Authentication on BlueStripe Management Server

Windows Authentication/Active Directory

Users can be authenticated against your existing Windows system accounts by configuring the jaas.config file to use Windows Authentication.

To configure the Management Server to use Windows Authentication, follow these steps:
  • Copy the default jaas.config file to jaas.config.bak so that you have your original configuration if needed.
  • Copy jaas.windowsSSPI.config to jaas.config.
  • Alter the adminFilter and userFilter values so that each is a regular expression matching the groups that should be granted admin or user access.
  • Restart the Management Server and log in to the Management Server with a FactFinder Console.
NOTE: Windows Authentication will only work with Windows-based components, so Linux-based Management Servers or Linux-based Database Loaders are not supported.

Windows Authentication Example Configuration

FactFinder {
    /* Windows SSPI Authentication with Group Privileges */
    /* Note: to use this file, rename to jaas.config */
    com.bluestripe.ms.auth.WindowsAuthLoginModule required

    /* This variable indicates which Security Support Provider (SSP) to use */
    /* http://msdn.microsoft.com/en-us/library/windows/desktop/aa380502(v=vs.85).aspx */
    /* bluestripe.securityPackage="Negotiate" */

    /* If the SSP is Negotiate, Kerberos, or NTLM, then targetName may be set to the */
    /* Service Principal Name (SPN) or the security context of the destination server. */
    /* Run the command "setspn.exe -L <target>" to list the SPNs for a target FactFinder Management Server. */
    /* bluestripe.targetName="ExampleServicePrincipalName" */

    /* These filters are Java Regular Expressions matched against the user's group membership list */
    /* Note: the 4 '\' characters separating domain and group are to escape both the Java string and the regex */
    bluestripe.adminFilter="DOMAIN\\\\FFAdmin"
    bluestripe.userFilter="DOMAIN\\\\FFUser"

    /* Uncomment the line below to enable additional logging */
    /* debug=true */
    ;
};

Windows Authentication JAAS options

JAAS options available for use with Windows Authentication:
  • bluestripe.securityPackage
    — determines which Security Support Provider (SSP) to use. The default is "Negotiate", which first attempts to use Kerberos and, if unsuccessful, falls back to NTLM.
  • bluestripe.targetName
    — determines which Service Principal Name (SPN) to use to uniquely identify the Management Server to which the user is connecting. This is optional for Negotiate or NTLM, but configuration is required for Kerberos.
  • bluestripe.adminFilter
    — specifies a regular expression that is matched against the user's group list; a match grants administrative access to FactFinder. In the example above, the group DOMAIN\FFAdmin is used.
  • bluestripe.userFilter
    — specifies a regular expression that is matched against the user's group list; a match grants user access to FactFinder. In the example above, the group DOMAIN\FFGuest is used.
NOTE: The DOMAIN\Group is specified with 4 '\' characters. This is necessary to escape both the Java string and the regular expression.
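
The following is an added example, not part of the original article or BlueStripe's code. It traces the escaping described in the note above and checks how a filter behaves against a group list. Assumptions: Python's re stands in for Java regular expressions (fullmatch and search correspond to Matcher.matches() and Matcher.find()), the article does not say which of the two the login module uses, and all group names are constructed.

```python
import re

# Constructed sample: option lines exactly as they would appear in jaas.config.
SAMPLE = r'''
    bluestripe.adminFilter="DOMAIN\\\\FFAdmin"
    bluestripe.userFilter="^DOMAIN\\\\FFUser$"
'''

def read_filters(config_text):
    """Return {option: regex source} after undoing the string-level escaping."""
    found = re.findall(r'bluestripe\.(\w+Filter)="([^"]*)"', config_text)
    # Assumption taken from the page's note: the string layer halves the
    # backslashes (4 in the file become 2, the regex for one literal '\').
    return {name: raw.replace('\\\\', '\\') for name, raw in found}

def matching_groups(regex_src, groups, whole_string):
    """Groups accepted by the filter under full-match or substring semantics."""
    try:
        pattern = re.compile(regex_src)
    except re.error as exc:
        # Too few backslashes in the file leave "\F", an invalid regex escape.
        raise ValueError(f"filter {regex_src!r} is not a valid regex: {exc}")
    test = pattern.fullmatch if whole_string else pattern.search
    return [g for g in groups if test(g)]

def ambiguous_groups(regex_src, groups):
    """Groups whose result depends on the matching mode (the ones to review)."""
    loose = matching_groups(regex_src, groups, whole_string=False)
    strict = matching_groups(regex_src, groups, whole_string=True)
    return [g for g in loose if g not in strict]

# Constructed group names standing in for a directory's group list.
GROUPS = ['DOMAIN\\FFAdmin', 'DOMAIN\\FFAdminAudit', 'SUBDOMAIN\\FFUser',
          'DOMAIN\\FFUser']

if __name__ == '__main__':
    for name, src in read_filters(SAMPLE).items():
        print(name, src, 'ambiguous:', ambiguous_groups(src, GROUPS))
```

Anchoring a filter with ^ and $, as in the userFilter line of the sample, gives the same result under either matching mode, so a group such as DOMAIN\FFAdminAudit or SUBDOMAIN\FFUser is not accepted by mistake.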

TIP: If you have any issues with your Windows Authentication configuration, the following option can be added to provide additional logging to the FactFinderMS.log file:
debug=true
Properties

Article ID: 3134885 - Last Review: 01/11/2016 02:27:00 - Revision: 1.0
