Momentus allows for the following authentication types:
- Momentus - Authenticates users against a table within the Momentus Enterprise database where the password is encrypted and stored.
- Active Directory - Allows users to log into the software with their Active Directory credentials.
- Windows - Allows Enterprise to automatically sign the user into the site if the user has access to the software. This authentication type allows the user to never see a logon screen.
- Defined Per User - Allows for concurrent use of multiple authentication types. When using the Defined Per User authentication type, users sign in to the software using the authentication configuration assigned to each individual user in Enterprise. You cannot use Defined Per User authentication with Windows Authentication due to necessary setup differences in IIS.
- Single Sign-on - Only applicable if your database is in the Momentus Cloud. Do not use if you use an on-premise Momentus Enterprise database.
Configuring Momentus Authentication
Momentus authentication authenticates the user against a table within the SQL database where users’ passwords are encrypted and stored. This authentication type only requires a SQL logon for USIADMIN and the USI76 users. See Adding a User in SQL Server for more information on creating SQL logons.
- Navigate to the Enterprise program files on the web server. The default location is c:\Inetpub\Ungerboeck.
- Right-click on the UngerboeckWebConfiguration.exe file.
- Select Run as administrator. The Momentus Web Configuration Utility screen opens.
- Select the Site Authentication tab.
- Select the Momentus radio button.
- Click OK.
Configuring Active Directory Authentication
Active Directory authentication allows users to log into the software with their Active Directory credentials.
- Navigate to the Enterprise program files on the web server. The default location is c:\Inetpub\Ungerboeck.
- Right-click on the UngerboeckWebConfiguration.exe file.
- Select Run as administrator. The Momentus Web Configuration Utility screen opens.
- Select the Site Authentication tab.
- Select the Active Directory radio button.
- Configure the following check boxes in the Sign-In section:
  - Enable Remember Me – If checked, users can select “Remember me on this computer” when logging in.
  - Enable Single Sign-On - Leave unchecked.
- Enter the following information in the Active Directory section:
  - LDAP - Click the Use Current Domain button. This fills in the LDAP Path and Domain automatically.
  - User and Password – If the domain requires an authenticated user, enter the credentials of an authenticated service account on the domain.
  - LDAP over SSL – If checked, Momentus submits requests to the Domain Controller using SSL.
  - Use Active Directory Membership Provider – Keep this option unchecked. If Active Directory Membership Provider is an option you need to use, contact your regional Client Care Team.
  - Use Comprehensive Authentication – Keep this option unchecked. If Comprehensive Authentication is an option you need to use, contact your regional Client Care Team.
  - User Group Authorization – If checked, you can configure which groups on the domain are authorized to access Enterprise. The ? User Deny group is required by Momentus and cannot be removed.
  - Enable Reset Password – Uncheck this option. Contact your regional Support Services team before leaving this check box checked.
- Click OK.
Configuring Defined Per User Authentication
When using Defined Per User authentication, additional authentication configuration is completed in the software instead of the Momentus Web Configuration Utility. There are three types of authentication configurations available: Momentus, Active Directory, and Windows.
Active Directory authentication configurations are the only type that can be added, modified, or deleted. Creating multiple Active Directory authentication configurations allows the system to authenticate users against multiple domains. The Momentus Enterprise and Windows authentication configurations are both defined by Momentus. They cannot be modified or deleted. If the site is configured using Windows, the authentication configuration field is ignored.
To configure the system for Defined Per User authentication, follow the below steps:
- Navigate to the Enterprise program files on the web server. The default location is c:\Inetpub\Ungerboeck.
- Right-click on the UngerboeckWebConfiguration.exe file.
- Select Run as administrator. The Web Configuration Utility screen opens.
- Select the Site Authentication tab.
- Select the Defined Per User radio button.
- Click OK.
Configuring Authorization Configurations
- Log in to Momentus Enterprise.
- Click the Auth Configurations link from the Main Menu. The Auth Configurations screen opens.
- Click the Add button. The Add Auth Configuration screen opens.
- Enter the following information:
  - Name – Description for the authentication configuration type.
  - Code – Code for the authentication configuration type.
  - LDAP Path – LDAP path for the Active Directory domain. If the web server is attached to a domain, click the Tools button and select Use Current Domain to default the LDAP Path field.
  - Domain – Name of the Active Directory domain. If the web server is attached to a domain, click the Tools button and select Use Current Domain to default the Domain field.
  - Connection User and Connection Password – If the domain requires an authenticated user, enter the credentials of an authenticated service account on the domain.
  - Use SSL – If checked, Enterprise submits requests to the Domain Controller using SSL.
  - Use Group/User Authorization – If checked, a specific Active Directory group or users can be allowed or denied for the sign in. Once this option is checked, an Authorization section displays so you can configure which groups and/or users can be allowed or denied.
- Click OK.
Assigning an Authentication Configuration to a User
- Click the Users link from the Main Menu. The Users screen opens.
- Select the user who needs the Authentication Configuration assigned.
- Right-click and select Edit -> Edit. The Edit User screen opens.
- Select the configuration to be assigned to the user in the Auth Configuration drop-down. If the Auth Configuration field is not available, follow the below steps:
  - Click the Edit Layout link in the lower right corner.
  - Locate the Auth Configuration field in the Available Fields section on the left.
  - Click on it and drag it to the preferred location on the right.
  - Release the mouse button.
  - Click OK.
- Click OK.
Repeat for all users who need to be assigned an Authentication Configuration.
Configuring the Default Authentication Configuration
The default authentication configuration is defined in System Parameter 113. If the system parameter does not exist or does not have a value, then the Momentus Enterprise authentication configuration is used. This parameter should be left blank if the site is configured to use Windows. To use a different authentication configuration as the default, follow the below steps.
- Click the System Parameters link from the Main Menu. The System Parameters screen opens.
- Click the Add button. The Add System Parameter screen opens.
- Enter the following information:
  - Application – (2-digit alphanumeric code)
  - Code – 113
  - Parameter Description – Default Auth Configuration Code
  - Amount – Leave blank. It is not used for this system parameter.
  - Alphanumeric – Enter the code for the default Auth Configuration being used.
  - Active – Checked
- Click OK.
- Click OK on the System Parameters screen.
- Log out and back into Momentus Enterprise to activate the parameter.
Configuring IIS Authentication
In IIS, authentication permissions are set on the application itself for all authentication types. On the left side of the Connections screen, select the website or application. On the right side of the Service screen, double-click Authentication.
Depending on the authentication type, the following settings need to be used:
| IIS setting | Momentus | Windows | Active Directory |
|---|---|---|---|
| Anonymous | Enabled | Enabled | Enabled |
| Forms | Enabled | Disabled | Enabled |
| Windows | Disabled | Enabled | Disabled |
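A read-only audit of the IIS settings listed above, added here as an example and not part of the Momentus documentation. It uses the standard WebAdministration module; the IIS path `Default Web Site\Ungerboeck` is a placeholder assumption, and `$AuthType` must be set to the type selected on the Site Authentication tab.

```powershell
# Added example: read-only audit of IIS authentication against the settings above.
# Run in an elevated PowerShell session on the web server.
Import-Module WebAdministration

# ASSUMPTION: placeholder IIS path; replace with your own site or application.
$IisPath  = 'IIS:\Sites\Default Web Site\Ungerboeck'
# Authentication type in use: 'Momentus', 'Windows' or 'Active Directory'.
$AuthType = 'Active Directory'

# Expected IIS settings per authentication type, copied from the page.
$Expected = @{
    'Momentus'         = @{ Anonymous = $true; Forms = $true;  Windows = $false }
    'Windows'          = @{ Anonymous = $true; Forms = $false; Windows = $true  }
    'Active Directory' = @{ Anonymous = $true; Forms = $true;  Windows = $false }
}

function Get-ConfigValue {
    param([string]$Filter, [string]$Name)
    $p = Get-WebConfigurationProperty -PSPath $IisPath -Filter $Filter -Name $Name
    # Some attributes come back wrapped in an object with a Value property.
    if ($null -ne $p -and $p -isnot [string] -and $p.PSObject.Properties['Value']) {
        $p.Value
    } else {
        $p
    }
}

$sec = 'system.webServer/security/authentication'
$Actual = @{
    Anonymous = [Convert]::ToBoolean((Get-ConfigValue "$sec/anonymousAuthentication" 'enabled'))
    Windows   = [Convert]::ToBoolean((Get-ConfigValue "$sec/windowsAuthentication" 'enabled'))
    # IIS Manager shows Forms as Enabled when system.web/authentication mode is 'Forms'.
    Forms     = ((Get-ConfigValue 'system.web/authentication' 'mode') -eq 'Forms')
}

$rows = foreach ($k in 'Anonymous', 'Forms', 'Windows') {
    [pscustomobject]@{
        Setting  = $k
        Expected = if ($Expected[$AuthType][$k]) { 'Enabled' } else { 'Disabled' }
        Actual   = if ($Actual[$k]) { 'Enabled' } else { 'Disabled' }
        Match    = ($Expected[$AuthType][$k] -eq $Actual[$k])
    }
}
$rows | Format-Table -AutoSize
if ($rows.Match -contains $false) {
    Write-Warning "IIS authentication does not match the settings for '$AuthType'."
}
```

The script only reads configuration; a mismatch it reports is corrected in the IIS Authentication screen described above.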