

Configure Single Sign-on Using Windows NTLM Authentication

When you use Windows NTLM (NTLM) authentication, you can perform this procedure to enable single sign-on (also named single sign-in, single signin, or SSO) for CA Service Catalog. Doing so means that once users log in to the Windows domain, they can access CA Service Catalog without logging in to it. If you do not enable single sign-on, users must log in to CA Service Catalog to access it.

Follow these steps:

  1. Verify that you are not planning to use clustering. If you are using clustering, do not perform this procedure; instead, set up NTLM authentication for each cluster.
  2. Verify that your environment meets the following requirements:
  3. Perform the following actions:
    1. Click Administration, Configuration, Single Sign On Authentication.

      The Single Sign On Authentication page appears.

    2. Locate the property named Single Sign On Type and click its Modify icon (by default, a pencil).

      The Edit Configuration dialog for this property appears.

    3. Select the option named NTLM (NT LAN Manager) and click Update Configuration.

      The dialog closes, and you return to the Sign On Authentication page.

  4. Verify that all affected users can use single sign-on to access CA Service Catalog on this computer.

You have configured NTLM Authentication.

Implement Single Sign-on for One Group of Users and Manual Login for Another Group

In this use case, you want to enable single sign-on for one group of users, for example, internal users (Group 1). You also want to force manual login for another group of users, for example, external users such as contractors, vendors, and customers (Group 2).

Follow these steps:

  1. Verify that you have two CA Service Catalog computers installed, using the same instances of the MDB and CA EEM. This procedure calls these CA Service Catalog computers Server 1 and Server 2.
  2. Verify the following requirements:
  3. On Server 2, edit the USM_HOME\webapps\usm\WEB-INF\web.xml file. Comment out the following lines:
    <!--
        <filter>
          <filter-name>NtlmAuthFilter</filter-name>
          <filter-class>com.ca.usm.httpfilter.NtlmAuthenticationFilter</filter-class>
          <init-param>
            <param-name>debug</param-name>
            <param-value>false</param-value>
          </init-param>
        </filter>
    -->
    <!--
        <filter-mapping> <filter-name>NtlmAuthFilter</filter-name> <url-pattern>*.rpc</url-pattern> </filter-mapping>
        <filter-mapping> <filter-name>NtlmAuthFilter</filter-name> <url-pattern>/wpf/*</url-pattern> </filter-mapping>
        <filter-mapping> <filter-name>NtlmAuthFilter</filter-name> <url-pattern>/uslm/*</url-pattern> </filter-mapping>
        <filter-mapping> <filter-name>NtlmAuthFilter</filter-name> <url-pattern>/assure/*</url-pattern> </filter-mapping>
        <filter-mapping> <filter-name>NtlmAuthFilter</filter-name> <url-pattern>/documents/*</url-pattern> </filter-mapping>
        <filter-mapping> <filter-name>NtlmAuthFilter</filter-name> <url-pattern>/FileStore/*</url-pattern> </filter-mapping>
    -->
    

    Commenting out these lines deactivates SSO functionality on this CA Service Catalog computer.

  4. Restart CA Service Catalog.
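
The following check is an added example, not part of the CA Service Catalog documentation or product. It reports whether any NtlmAuthFilter declaration or mapping is still live in a web.xml after the edit in step 3, so a missed filter-mapping is caught before the restart. The function names and the sample web.xml are constructed for illustration; only the filter name and class come from the lines above.

```python
import xml.etree.ElementTree as ET

FILTER_NAME = "NtlmAuthFilter"  # filter name as it appears in the web.xml lines on this page


def _local(tag):
    """Strip an XML namespace prefix such as '{http://...}filter'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(element, name):
    """Text of the first direct child with the given local name, or None."""
    for child in element:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def active_ntlm_entries(web_xml_text):
    """Return (filter_declared, [url patterns still mapped to the NTLM filter]).

    ElementTree's default parser discards XML comments, so anything that was
    commented out is invisible here and only live configuration is reported.
    """
    root = ET.fromstring(web_xml_text)
    declared, patterns = False, []
    for element in root:
        if _child_text(element, "filter-name") != FILTER_NAME:
            continue
        kind = _local(element.tag)
        if kind == "filter":
            declared = True
        elif kind == "filter-mapping":
            patterns.append(_child_text(element, "url-pattern"))
    return declared, patterns


# Constructed sample: the <filter> block and one mapping are commented out,
# but a second mapping was missed during the edit.
SAMPLE_PARTIAL = """<web-app>
  <!-- <filter><filter-name>NtlmAuthFilter</filter-name>
       <filter-class>com.ca.usm.httpfilter.NtlmAuthenticationFilter</filter-class></filter> -->
  <!-- <filter-mapping><filter-name>NtlmAuthFilter</filter-name><url-pattern>*.rpc</url-pattern></filter-mapping> -->
  <filter-mapping><filter-name>NtlmAuthFilter</filter-name><url-pattern>/wpf/*</url-pattern></filter-mapping>
</web-app>"""

if __name__ == "__main__":
    declared, patterns = active_ntlm_entries(SAMPLE_PARTIAL)
    print("filter declared:", declared, "| still mapped:", patterns)
```

Pass the function the contents of USM_HOME\webapps\usm\WEB-INF\web.xml from Server 2; a result of `(False, [])` means no NTLM filter configuration remains active in that file.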