How administrators can configure single sign-on (SSO) for an Adobe Connect account to authenticate via proxy server or NTLM.
Single sign‑on is a mechanism that allows a user to authenticate once and gain access to multiple applications. Single sign‑on uses a proxy server to authenticate users so they need not log in to Adobe Connect.
Adobe Connect supports the following single sign‑on mechanisms:
HTTP header authentication
Configure an authentication proxy to intercept the HTTP request, parse the user credentials from the header, and pass the credentials to Adobe Connect.
Microsoft NT LAN Manager (NTLM) authentication
Configure Adobe Connect to attempt automatic authentication of connecting clients against a Windows domain controller using the NTLMv1 protocol. Microsoft Internet Explorer on Microsoft Windows can negotiate NTLM authentication without prompting the user for credentials.
NTLM authentication doesn't work on edge servers. Use LDAP authentication instead.
Mozilla Firefox clients may be able to negotiate NTLM authentication without prompting. For information about configuration, see this Firefox document.
You can write your own authentication filter as well. For more information, contact Adobe Support.
When HTTP header authentication is configured, Adobe Connect login requests are routed to an agent positioned between the client and Adobe Connect. The agent can be an authentication proxy or a software application that authenticates the user, adds another header to the HTTP request, and sends the request to Adobe Connect. On Adobe Connect, you must uncomment a Java filter and configure a parameter in the custom.ini file that specifies the name of the additional HTTP header.
To enable HTTP header authentication, configure a Java filter mapping and a header parameter on the computer hosting Adobe Connect.
Open the file [root_install_dir]\appserv\web\WEB-INF\web.xml and do the following:
Remove the comment tags around the filter and filter-mapping elements for HeaderAuthenticationFilter.
Add comment tags around the NtlmAuthenticationFilter filter and filter-mapping elements.
Stop Adobe Connect Central Application Server and Meeting Server.
Add the following row to the custom.ini file. Your authentication agent must add a header to the HTTP request that is sent to Adobe Connect; the name of that header must be header_field_name.
Save the custom.ini file and restart Adobe Connect Meeting Server and Adobe Connect Central Application Server.
The authentication code must authenticate the user, add a field to the HTTP header that contains the user login, and send a request to Adobe Connect.
Set the value of the header_field_name header field to an Adobe Connect user login.
The Java filter on Adobe Connect intercepts the request, looks for the header_field_name header, then looks for a user with the ID passed in the header. If the user is located, the user is authenticated and a response is sent.
You must pass the BREEZESESSION cookie in any subsequent requests to Adobe Connect during this client session.
The following procedure describes a sample HTTP header authentication implementation that uses Apache as the authentication agent.
Install Apache as a reverse proxy on a different computer than the one hosting Adobe Connect.
Choose Start > Programs > Apache HTTP Server > Configure Apache Server > Edit the Apache httpd.conf Configuration file and do the following:
Uncomment the following lines:
Add the following lines to the end of the file:
RequestHeader append custom-auth "ext-login"
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://[hostname]:[port]/
ProxyPassReverse / http://[hostname]:[port]/
ProxyPreserveHost On
Stop Adobe Connect Central Application Server and Adobe Connect Meeting Server.
Add the following to the custom.ini file. The HTTP_AUTH_HEADER parameter must match the name configured in the proxy. The parameter is the additional HTTP header.
Save the custom.ini file and restart Adobe Connect Meeting Server and Central Application Server.
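The following Python model of the header authentication flow is an added example, not Adobe's code. It shows the two halves the procedure above describes: an authentication agent (the Apache reverse proxy in the sample) that authenticates the user and adds the login header, and the Connect-side filter that reads the header name from the HTTP_AUTH_HEADER parameter, looks the login up, and issues a BREEZESESSION cookie for later requests. The key=value layout of custom.ini, the user table, the agent address and the request headers are constructed for the example. The security property it makes visible is that the filter trusts whatever arrives in the header, so only the agent may be able to set it: the model drops any client-supplied copy of the header at the agent and refuses the header from any address other than the agent. Note that Apache's RequestHeader append merges onto an existing header of the same name, whereas set replaces it, which matters if clients could reach the proxy with a header of that name already present.

```python
"""Model of Adobe Connect HTTP header authentication (added example, not
Adobe's code). The custom.ini text, user table and agent address below are
constructed; the key=value layout of custom.ini is an assumption."""
import secrets

# Constructed custom.ini fragment; HTTP_AUTH_HEADER is the parameter the page names.
CUSTOM_INI = "DB_HOST=localhost\nHTTP_AUTH_HEADER=custom-auth\n"

# Constructed Connect user table: login -> user id.
USERS = {"ext-login": 1001, "jdoe": 1002}

# Address of the authentication agent; only it may assert the login header.
TRUSTED_AGENT = "10.0.0.5"


def read_custom_ini(text):
    """Parse key=value lines, ignoring blanks and '#' comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def agent_forward(client_headers, login):
    """Agent side: after authenticating the user, add the login header.
    Any copy of the header supplied by the client is dropped first, so the
    value Connect sees is always the one the agent asserted."""
    header_name = read_custom_ini(CUSTOM_INI)["HTTP_AUTH_HEADER"]
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() != header_name.lower()}
    forwarded[header_name] = login
    return forwarded


def header_auth_filter(headers, remote_addr, sessions):
    """Connect side: look for the configured header and the matching user.
    Returns (status, cookie_or_None); a new session is stored in `sessions`."""
    header_name = read_custom_ini(CUSTOM_INI)["HTTP_AUTH_HEADER"]
    login = next((v for k, v in headers.items()
                  if k.lower() == header_name.lower()), None)
    if login is None:
        return "login-form", None      # no header: fall through to the normal login
    if remote_addr != TRUSTED_AGENT:
        return "rejected", None        # header from an untrusted source is not honoured
    user_id = USERS.get(login)
    if user_id is None:
        return "unknown-user", None
    cookie = secrets.token_hex(16)     # value of the BREEZESESSION cookie
    sessions[cookie] = user_id
    return "authenticated", cookie


def subsequent_request(cookie, sessions):
    """Later requests carry the BREEZESESSION cookie instead of the header."""
    return sessions.get(cookie)


def demo():
    sessions = {}
    # 1. Normal flow: the agent authenticates 'jdoe' and forwards to Connect,
    #    discarding a header the client tried to supply itself.
    headers = agent_forward({"Host": "connect.example.invalid",
                             "custom-auth": "someone-else"}, "jdoe")
    status, cookie = header_auth_filter(headers, TRUSTED_AGENT, sessions)
    # 2. The same header arriving directly, bypassing the agent.
    direct, _ = header_auth_filter({"custom-auth": "jdoe"}, "192.0.2.10", sessions)
    # 3. No header at all: the ordinary login form is served.
    plain, _ = header_auth_filter({"Host": "connect.example.invalid"},
                                  TRUSTED_AGENT, sessions)
    return status, direct, plain, subsequent_request(cookie, sessions)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the equivalent of the address check is network placement: Adobe Connect must be reachable only through the agent, which is why the sample installs Apache as a reverse proxy on a separate host.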
Open the file [root_install_dir]\appserv\web\WEB-INF\web.xml and uncomment the complete HeaderAuthenticationFilter filter and NtlmAuthenticationFilter filter.
NTLMv1 is an authentication protocol used with the SMB network protocol in Microsoft Windows networks. You can use NTLM to allow a user to prove their identity to a Windows domain once and thereafter be authorized to access another network resource, such as Adobe Connect. To establish the user's credentials, the user's web browser automatically performs a challenge and response authentication with the domain controller through Adobe Connect. If this mechanism fails, the user can log in to Adobe Connect directly. Only Internet Explorer on Windows supports single sign-on with NTLMv1 authentication.
Set up Adobe Connect and NTLM on Windows Server 2003, because Adobe Connect supports NTLMv1. Windows 7 and later versions do not support NTLMv1 SSO.
By default, Windows Server 2003 domain controllers require a security feature called SMB signatures. The default configuration of the NTLM authentication filter does not support SMB signatures. You can configure the filter to work within this requirement. For more information on this and other advanced configuration options, see the JCIFS NTLM HTTP authentication documentation.
Do the following for each host in an Adobe Connect cluster:
Synchronize LDAP users from your domain into Adobe Connect via the Management Console (port 8510). To integrate Adobe Connect with LDAP, see Integrate Adobe Connect with an LDAP directory.
After synchronizing LDAP in Adobe Connect, filter the LDAP data so that the NTLM domain user name is populated in the Adobe Connect database. Otherwise NTLM SSO login does not work and you see logon failures in debug.log.
Edit the Adobe Connect login policy to change the login to the domain user name. By default the login is the email address, but NTLM does not allow an email address.
Open the [root_install_dir]\custom.ini file in a text editor and add the following parameters:
The value [domain] is the name of the Windows domain that users are members of and authenticate against, for example, CORPNET. If necessary, set this value to the pre-Windows 2000 compatible version of the domain name. For more information, see TechNote 27e73404. This value is mapped to the filter property jcifs.smb.client.domain. Setting the value directly in the web.xml file overrides the value in the custom.ini file.
The value [WINS_server_IP_address] is the IP address, or a comma-separated list of IP addresses, of WINS servers. Use IP addresses; host names do not work. The WINS servers are queried in the order specified to resolve the IP address of a domain controller for the domain specified in the NTLM_DOMAIN parameter. (The domain controller authenticates users.) You can also specify the IP address of the domain controller itself, for example, 10.169.10.77, 10.169.10.66. This value is mapped to the filter property jcifs.netbios.wins. Setting the value in the web.xml file overrides the value in the custom.ini file.
Save the custom.ini file.
Open the file [root_install_dir]\appserv\web\WEB-INF\web.xml in a text editor and uncomment:
Save the web.xml file and restart Adobe Connect Server.
Adobe Connect and NTLM have different login policies for authenticating users. Reconcile these policies before users can employ a single login.
The NTLM protocol uses a login identifier that can be a user name (jdoe), an employee ID number (1234), or an encrypted name, depending on the policy or the organization. By default, Adobe Connect uses an email address (firstname.lastname@example.org) as a login identifier. Change the Adobe Connect login policy so that Adobe Connect shares a unique identifier with NTLM.
To open Adobe Connect Central, open a browser window and enter the FQDN of the Adobe Connect Host (for example, http://connect.mycompany.com). You entered the Adobe Connect Host value on the Server Settings screen of the Application Management Console.
In the Login Policy section, select No for Use email address as the login.