Setting up user Authentication for a Web Interface Website
There are many different ways in which you can control access to a Web Interface website, for example, through intranet access. How you choose to control access to a Web Interface website is outside the scope of this Help. The Help assumes that you have a good working knowledge of setting up websites and the security issues regarding access.
After connecting to a Web Interface website, a user must be authenticated before they can view any models. There are two ways in which a Web Interface website can authenticate users. You can use one or both of these methods:
LDAP Authentication
When using LDAP authentication, the Web Interface website is set up to work with one or more domains. When a user is a member of a supported domain, they can log in to the Web Interface website using their Windows user name and password. Their user name must be prefixed with the domain name followed by a backslash, for example, MyDomain\MyUserName.
When using LDAP authentication, a user can view the following models through the Web Interface website: Models that are Public Read or Public Write; and Models for which the user has Modeler Owner, Write or Read access permissions.
Web Interface Website Account Authentication
When using Web Interface website account authentication, users connect to the Web Interface website and create their own account for logging in to the Web Interface website. After their account is approved, they can view models through the Web Interface website.
A Web Interface website can be set up to automatically approve new accounts. Alternatively, a Web Interface website can be set up so that new accounts must be approved by the Web Interface website administrator.
When using Web Interface website account authentication, a user can view the following models through the Web Interface website: Models that are Public Read or Public Write.
It is important that you set up the user authentication of a Web Interface website to meet the security needs of the models that can be accessed through that website. For example:
You may want only users who are members of a specified domain to have access to the models. In this case, use only LDAP authentication.
You may want users who are members of a specified domain to have access to the models, and you may also want users who are outside of that domain to have access after they have been approved. In this case, use LDAP authentication and Web Interface website account authentication, and set up the Web Interface website so that new accounts require administrator approval.
You may want any user to have access to the models without the need to be approved. In this case, use only Web Interface website account authentication, and set up the Web Interface website so that new accounts are automatically approved.
The web.config file determines how users are authenticated. When installed, the default authentication is as follows:
LDAP authentication is disabled.
Web Interface website account authentication is enabled, but newly created Web Interface website accounts must be approved by the Website Administrator.
To Set up the User Authentication for a Web Interface Website:
1. From the computer that is hosting the Web Interface website, ensure that the Web Interface website is not running:
a. Start Internet Information Services (IIS) Manager: from the Run text box, type inetmgr, and then press the Enter key.
b. In the Connections pane, select Application Pools.
c. In the Application Pools pane, select the PTC Integrity Modeler Web Interface entry.
d. If the Status of the Web Interface website is Started, in the Actions pane click the Stop link.
2. From the computer that is hosting the Web Interface website, locate the web.config file. The web.config file resides in the following location:
C:\inetpub\wwwroot\PTC Integrity Modeler Web Interface
3. Create a backup of the web.config file.
4. Using a text editor, open the web.config file.
5. By default, a Web Interface website is not set up to support LDAP authentication.
To enable LDAP authentication for the Web Interface website:
a. In the web.config file, locate the commented out <add name="PTC_ADMembershipConnection" entry.
b. Uncomment the <add name ="PTC_ADMembershipConnection" entry by deleting the leading '<!--' characters and trailing '-->' characters.
c. Replace the two placeholders named 'myDomain' and the two placeholders named 'local' with the names of the domain and domain local group that you want to use to authenticate users.
d. In the web.config file, locate the commented out <add name ="PTC_ADMembershipProvider" entry.
e. Uncomment the <add name="PTC_ADMembershipProvider" entry by deleting the leading '<!--' characters and trailing '-->' characters.
f. For the connectionUsername and connectionPassword, type the user name and password of a user that is valid within the LDAP domain. Note that companies often enforce regular changes of passwords for user accounts. If the password is changed for the user account you use, you must change the password in the web.config file accordingly.
Note that you can encrypt the user name and password in the web.config file. For more information, see the Microsoft Developer Network website.
g. If you want to also use other domains and local groups to authenticate users, create a copy of the <add name ="PTC_ADMembershipConnection" and <add name ="PTC_ADMembershipProvider" entries, and change them accordingly.
6. By default, a user can be authenticated through the REST service of the Web Interface website. If you are not using the REST service, you may want to disable it for security reasons.
To disable the REST service:
a. In the web.config file, locate the <add key="EnableModelerService" value="true" /> entry.
b. Change the value to false.
Note that if you disable the REST service, Integrity Modeler's OSLC consumer will not be able to authenticate its users.
7. By default, a user can be authenticated through the Web Interface website. If you have created a Web Interface website only for its REST service, you may want to disable website access for security reasons.
Note that the website is required to create Web Interface website accounts. In addition, when learning to use the REST service, the website provides a way of logging in to the REST service without the use of access tokens.
To disable the website:
a. In the web.config file, locate the <add key="EnableModelerServiceHTML" value="true"/> entry.
b. Change the value to false.
8. Save the changes you have made to the web.config file.
After setting up the user authentication, you can set up the contact details for the Contacts page. See Setting up the Contacts Page of a Web Interface Website.
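After saving web.config, it is worth confirming which authentication paths are actually active before restarting the application pool. The following PowerShell check is an added example, not part of the product or of the original Help; the XML layout of the sample (appSettings, connectionStrings, system.web/membership/providers) is an assumption based on standard ASP.NET conventions, and the function name Get-WebInterfaceAuthAudit is hypothetical.

```powershell
# Added example: report the state of the settings edited in steps 5 to 7.
# The XML below is CONSTRUCTED sample input with an ASSUMED layout; it is not the product's file.
$sample = @'
<configuration>
  <appSettings>
    <add key="EnableModelerService" value="true" />
    <add key="EnableModelerServiceHTML" value="true" />
  </appSettings>
  <connectionStrings>
    <add name="PTC_ADMembershipConnection" connectionString="LDAP://myDomain.local/DC=myDomain,DC=local" />
  </connectionStrings>
  <system.web>
    <membership>
      <providers>
        <add name="PTC_ADMembershipProvider" connectionStringName="PTC_ADMembershipConnection"
             connectionUsername="myDomain\svc-bind" connectionPassword="constructed-placeholder" />
      </providers>
    </membership>
  </system.web>
</configuration>
'@

function Get-WebInterfaceAuthAudit {
    param([Parameter(Mandatory)][xml]$Config)

    # Commented-out entries are comment nodes, so XPath matches only active entries.
    $rest  = $Config.SelectSingleNode("//appSettings/add[@key='EnableModelerService']")
    $html  = $Config.SelectSingleNode("//appSettings/add[@key='EnableModelerServiceHTML']")
    # Assumes copies made in step 5g keep the PTC_ADMembershipProvider name prefix.
    $ldap  = @($Config.SelectNodes("//add[starts-with(@name,'PTC_ADMembershipProvider')]"))
    $clear = @($Config.SelectNodes("//add[@connectionPassword]"))
    # Encrypted sections hide their entries; flag them so a zero count is not misread.
    $enc   = @($Config.SelectNodes("//*[@configProtectionProvider]"))

    [pscustomobject]@{
        RestServiceEnabled    = ($null -ne $rest -and $rest.GetAttribute('value') -eq 'true')
        WebsiteLoginEnabled   = ($null -ne $html -and $html.GetAttribute('value') -eq 'true')
        LdapProvidersActive   = $ldap.Count
        CleartextBindPassword = $clear.Count
        EncryptedSections     = $enc.Count
    }
}

Get-WebInterfaceAuthAudit -Config $sample | Format-List
# For the live file, pass its content instead (folder from step 2):
# Get-WebInterfaceAuthAudit -Config (Get-Content -Raw 'C:\inetpub\wwwroot\PTC Integrity Modeler Web Interface\web.config')
```

A non-zero CleartextBindPassword means the LDAP bind credentials are readable by anyone who can read web.config or its backup from step 3, which is the case the encryption note in step 5 addresses.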