BusinessObjects Enterprise Administrator's Guide
Windows NT security plug-in
The Windows NT security plug-in (secWindowsNT.dll) allows you to map user accounts and groups from your Windows NT user database to BusinessObjects Enterprise; it also enables BusinessObjects Enterprise to verify all logon requests that specify Windows NT Authentication. Users are authenticated against the Windows NT user database, and have their membership in a mapped NT group verified before the CMS grants them an active BusinessObjects Enterprise session.
This plug-in is compatible with NT 4 user databases and with Windows 2000 Active Directory user databases, but only when Windows 2000 Active Directory is configured in non-native mode. If a Windows 2000 Active Directory user database is configured in native mode and contains universal groups that span several domains, you must use the Windows AD security plug-in. For information on mapping Windows NT users and groups to BusinessObjects Enterprise, see "Managing NT accounts" on page 275. For information on the Windows AD security plug-in, see Windows AD security plug-in.
Once you have mapped your NT users and groups, all of the BusinessObjects Enterprise client tools support NT authentication, except for the Import Wizard. You can also create your own applications that support NT authentication. For more information, see the developer documentation available on your product CD.
Note: The Windows NT and Windows AD security plug-ins cannot authenticate users if the BusinessObjects Enterprise server components are running on UNIX, or if your system uses the BusinessObjects Enterprise Java SDK.
Default account
If you install BusinessObjects Enterprise on Windows as an Administrator of the local machine, then this plug-in is enabled by default. A new NT group (called Business Objects NT Users) is created on the local machine, and your NT user account is added to the group. The Business Objects NT Users group is then mapped to BusinessObjects Enterprise. The result is that you can log on to BusinessObjects Enterprise with your usual NT user credentials.
Single sign-on
The Windows NT security plug-in supports single sign-on, thereby allowing authenticated NT users to log on to BusinessObjects Enterprise without explicitly entering their credentials. The single sign-on requirements depend upon the way in which users access BusinessObjects Enterprise: either via a thick client, or over the Web. In both scenarios, the security plug-in obtains the security context for the user from the authentication provider, and grants the user an active BusinessObjects Enterprise session if the user is a member of a mapped NT group:
- To obtain NT single sign-on functionality from a thick-client application (such as the Publishing Wizard), the user must be running a Windows operating system, and the application must use the BusinessObjects Enterprise SDK.
  In this scenario, the Windows NT security plug-in queries the operating system for the current user's credentials when the client is launched.
- To obtain single sign-on functionality over the Web, the system must use Microsoft components only. Specifically, the user must be running Internet Explorer on a Windows operating system, and the web server must be running Internet Information Server (IIS).
  In this scenario, Internet Explorer and IIS engage in Windows NT Challenge/Response authentication before IIS forwards the user's credentials to BusinessObjects Enterprise.
Note: IIS performs the Challenge/Response authentication for every web page viewed. This can result in severe performance degradation.
For details on configuring IIS for single sign-on, see "Setting up NT single sign-on" on page 283.
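The Challenge/Response exchange between Internet Explorer and IIS takes three request/response pairs, which is where the per-page cost noted above comes from. The following Python code is an added example, not part of the BusinessObjects Enterprise documentation: it labels the NTLM message carried in each HTTP authentication header of one page view. The function names, the sample exchange and the tokens are constructed for illustration; the tokens hold only the NTLMSSP signature and message-type field.

```python
import base64
import binascii
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def ntlm_message_type(header_value):
    """Return the NTLM message type (1, 2 or 3) carried in an Authorization
    or WWW-Authenticate header value, or None if there is no valid token."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token.strip():
        return None  # bare "NTLM" offer, or a different scheme
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 12 or not raw.startswith(NTLM_SIGNATURE):
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian type field
    return msg_type if msg_type in MESSAGE_NAMES else None


def describe_exchange(messages):
    """Label each (direction, status, header_value) leg of one page fetch."""
    legs = []
    for direction, status, value in messages:
        value = value or ""
        bare_offer = value.strip().upper() == "NTLM"
        fallback = "OFFER" if bare_offer else "NONE"
        label = MESSAGE_NAMES.get(ntlm_message_type(value), fallback)
        legs.append((direction, status, label))
    return legs


def make_token(msg_type):
    # Constructed minimal token: signature + type only, not a full NTLM message.
    raw = NTLM_SIGNATURE + struct.pack("<I", msg_type)
    return "NTLM " + base64.b64encode(raw).decode()


# Constructed sample: one page view between the browser ("C") and IIS ("S").
SAMPLE_PAGE_VIEW = [
    ("C", None, None), ("S", 401, "NTLM"),
    ("C", None, make_token(1)), ("S", 401, make_token(2)),
    ("C", None, make_token(3)), ("S", 200, None),
]
```

Calling `describe_exchange(SAMPLE_PAGE_VIEW)` shows two 401 responses before the 200 that delivers the page.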
Note: InfoView provides its own form of "anonymous single sign-on," which uses Enterprise authentication, as opposed to Windows NT authentication. Design your own web applications accordingly (or modify InfoView) if you want to use NT single sign-on. For information on NT single sign-on, see "Setting up NT single sign-on" on page 283.