Administrative Setup

This section describes the options that the administrator can enable in an Aras Innovator instance.

Enabling Windows Authentication

In order to enable the Windows Authentication Plugin, you must first enable the Windows Authentication feature on the OAuth server. A server administrator needs to enable the following feature in the roles and services section:

Figure 1.

If you do not have Windows Authentication setup, the following URL takes you to the login selection page so you can select the login type:

?prompt=select_account 

If you have Windows Authentication set up, the following code forces the user to log in to the specified database:

?auth=Windows&db=InnovatorSolution

Manual Configuring of Windows Sign-In Endpoint

In the general case the Aras Innovator installer sets up this endpoint automatically and no additional steps are required.

If the Aras Innovator installer was not used for the OAuth server 11.0 SP15 or 12.0 SPX deployment, the /OAuthServer/signin-windows endpoint must be configured manually. This endpoint must have Windows Authentication enabled and should have Anonymous Authentication disabled. This can be done with the appcmd.exe tool located in the %WINDIR%\System32\inetsrv folder.

Run the following command to see if the signin-windows endpoint is protected by Windows Authentication:

appcmd list config "Default Web Site/<web_alias>/OAuthServer/signin-windows" -section:system.webServer/security/authentication/windowsAuthentication /text:enabled

> true

The command should return true.

If false is returned, run the following command to enable Windows Authentication:

appcmd set config "Default Web Site/<web_alias>/OAuthServer/signin-windows" /section:windowsAuthentication /enabled:true /commit:appHost

It is further recommended to disable Anonymous Authentication:

appcmd set config "Default Web Site/<web_alias>/OAuthServer/signin-windows" /section:anonymousAuthentication /enabled:false /commit:appHost

Configuring the Windows Authentication Plugin (Optional)

After enabling Windows Authentication, you must configure the OAuth server to use the Windows Authentication Plugin. This section describes how to configure the plugin when Microsoft Active Directory single sign-on is desired. The plugin receives the Windows Identity from the authentication module, which carries a trusted Windows user account name in the form DomainName\UserName. This method of authentication is described in the Reference Diagrams section.

Enabling the Windows Authentication Plugin

Use the following procedure to enable the OAuth Windows Authentication Plugin in the OAuth server Installation Directory.

  1. Go to the <Installation Directory>\OAuthServer\ folder.

  2. Open the OAuthServer.Plugins.json file.

  3. Enable the Aras.OAuth.Server.Plugins.WindowsAuthentication plugin:

    {
      "Name": "Aras.OAuth.Server.Plugins.WindowsAuthentication",
      "Enabled": true,
      "Options": {
        "AuthenticationType": "WindowsRemote",
        "DisplayName": "Windows"
      }
    }

Warning Do not change the AuthenticationType because it is used internally in the OAuth server. Do not use the Windows value for AuthenticationType because it is already reserved by the IIS Integration module.

Enabling the WindowsUserByNameClaimMapper Plugin

  1. Go to the <Installation Directory>\OAuthServer\ folder.

  2. Open the OAuthServer.Plugins.json file.

  3. Enable the Aras.OAuth.Server.Plugins.WindowsUserByNameClaimMapper plugin:

    {
      "Name": "Aras.OAuth.Server.Plugins.WindowsUserByNameClaimMapper",
      "Enabled": true,
      "Options": {
        "AuthenticationType": "WindowsRemote",
        "AllowedDomainNames": ".*",
        "AllowedDomainUsers": ".+",
        "DeniedDomainUsers": "^admin$|^root$|^vadmin$|^authadmin$|^esadmin$"
      }
    }

Use this plugin to specify the following parameters:

  • AuthenticationType – Describes the authentication type to be used with the current mapper.

  • AllowedDomainNames – This is a regular expression. The domain portion of the Windows user account name must match this expression in order to be used in Aras Innovator. If there is a finite list of domains to recognize, it is best to use a fixed list joined with the or (“|”) operator, for example ‘^europe$|^usa$|^fareast$’. The ‘^’ character in this context matches the start of the string and the ‘$’ character matches the end of the string. A string without these, e.g. ‘east’, would match ‘FarEast’ and also ‘EasterIsland’ and any other string containing the sequence ‘east’. Matches are case insensitive.

  • AllowedDomainUsers – This is a regular expression. Usually it is best to keep it at ‘.+’ which means to match one or more characters. This expression must match in order for the logon to Aras Innovator to be allowed. The username portion of the Windows user account name is matched against this. If it matches then it becomes the login_name used to log into Aras Innovator.

  • DeniedDomainUsers – This is matched against the username if it passes the AllowedDomainUsers test. If it matches, access to Aras Innovator is denied. This prevents domain users from logging in as Aras Innovator users that happen to have the same username. This option should be set to a list of special-purpose Aras Innovator users. The ‘Innovator Admin’ (username=admin) user, for example, is often used when batch loading data or managing AML upgrades. The ‘Super User’ (username=root) user must be used when applying database upgrade patches to the Aras Innovator database. The ‘Vault Admin’ (username=vadmin) user is used only by the Vault server in order to access the mime type database. Other DeniedDomainUsers entries might include the user used by the Aras Innovator Scheduler Service, or a test user used to review upgrades in functionality.

Warning AuthenticationType must be equal to the authentication type specified in the appropriate authentication plugin.
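As an added illustration of the mapper rules above and of the AuthenticationType consistency warning (this is example code written for this page, not part of the Aras OAuth server), the following Python script loads a constructed sample of the two plugin entries, checks that both plugins agree on AuthenticationType and that the reserved value "Windows" is not used, compiles the three regular expressions, and then applies the domain, user and deny rules to a few constructed Windows account names. The overall layout of the real OAuthServer.Plugins.json file is not reproduced; a plain list of plugin objects and case-insensitive matching for all three expressions are assumptions made here.

```python
import json
import re
from typing import Optional

# Constructed sample of the two plugin entries described in the text.
# The top-level layout of the real OAuthServer.Plugins.json is an assumption.
SAMPLE_PLUGINS_JSON = """
[
  {
    "Name": "Aras.OAuth.Server.Plugins.WindowsAuthentication",
    "Enabled": true,
    "Options": {"AuthenticationType": "WindowsRemote", "DisplayName": "Windows"}
  },
  {
    "Name": "Aras.OAuth.Server.Plugins.WindowsUserByNameClaimMapper",
    "Enabled": true,
    "Options": {
      "AuthenticationType": "WindowsRemote",
      "AllowedDomainNames": "^europe$|^usa$|^fareast$",
      "AllowedDomainUsers": ".+",
      "DeniedDomainUsers": "^admin$|^root$|^vadmin$|^authadmin$|^esadmin$"
    }
  }
]
"""

AUTH_PLUGIN = "Aras.OAuth.Server.Plugins.WindowsAuthentication"
MAPPER_PLUGIN = "Aras.OAuth.Server.Plugins.WindowsUserByNameClaimMapper"
REGEX_KEYS = ("AllowedDomainNames", "AllowedDomainUsers", "DeniedDomainUsers")


def load_sample_plugins() -> list:
    """Parse the constructed sample above into a list of plugin dicts."""
    return json.loads(SAMPLE_PLUGINS_JSON)


def mapper_options(plugins: list) -> dict:
    """Return the Options block of the claim mapper plugin (empty dict if absent)."""
    for plugin in plugins:
        if plugin.get("Name") == MAPPER_PLUGIN:
            return plugin.get("Options", {})
    return {}


def validate_plugins(plugins: list) -> list:
    """Return a list of problems found; an empty list means the config is consistent."""
    problems = []
    by_name = {p.get("Name"): p for p in plugins}
    auth = by_name.get(AUTH_PLUGIN)
    mapper = by_name.get(MAPPER_PLUGIN)
    if auth is None or not auth.get("Enabled"):
        problems.append("WindowsAuthentication plugin missing or disabled")
    if mapper is None or not mapper.get("Enabled"):
        problems.append("WindowsUserByNameClaimMapper plugin missing or disabled")
    if auth and mapper:
        a_type = auth.get("Options", {}).get("AuthenticationType")
        m_type = mapper.get("Options", {}).get("AuthenticationType")
        # "Windows" is reserved by the IIS Integration module (see the warning above).
        if a_type == "Windows":
            problems.append('AuthenticationType "Windows" is reserved')
        # The mapper must use the same AuthenticationType as the authentication plugin.
        if a_type != m_type:
            problems.append(f"AuthenticationType mismatch: {a_type!r} vs {m_type!r}")
        # Every mapper expression must be a valid regular expression.
        for key in REGEX_KEYS:
            try:
                re.compile(mapper["Options"][key])
            except (KeyError, re.error) as exc:
                problems.append(f"{key}: {exc}")
    return problems


def map_windows_account(account: str, options: dict) -> Optional[str]:
    """Apply the mapper rules to 'DomainName\\UserName'.

    Returns the login_name to use in Aras Innovator, or None when the account
    is rejected (bad format, domain not allowed, user not allowed, or user denied).
    """
    domain, sep, user = account.partition("\\")
    if not sep or not domain or not user:
        return None
    flags = re.IGNORECASE  # assumption: all three expressions are case-insensitive
    if not re.search(options["AllowedDomainNames"], domain, flags):
        return None
    if not re.search(options["AllowedDomainUsers"], user, flags):
        return None
    if re.search(options["DeniedDomainUsers"], user, flags):
        return None
    return user


if __name__ == "__main__":
    plugins = load_sample_plugins()
    print("problems:", validate_plugins(plugins))
    opts = mapper_options(plugins)
    # Constructed account names exercising allowed, denied and unknown-domain cases.
    for acct in ("EUROPE\\jsmith", "FarEast\\bob", "Europe\\Admin", "EasterIsland\\bob"):
        print(f"{acct:22} -> {map_windows_account(acct, opts)}")
```

The deny check runs only after the user expression has matched, mirroring the order the text describes, so a denied name such as Admin is rejected regardless of case even though ‘.+’ would otherwise accept it.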

Enabling the CustomProtocol Plugin

If you want to use full Windows authentication for all servers, you must enable the Aras.OAuth.Server.Plugins.CustomProtocol plugin. Use the following procedure:

  1. Go to the <Installation Directory>\OAuthServer\ folder.

  2. Open the OAuthServer.Plugins.json file.

  3. Enable the Aras.OAuth.Server.Plugins.CustomProtocol plugin:

    {
      // Enables the Custom protocol type for the OAuthServer
      "Name": "Aras.OAuth.Server.Plugins.CustomProtocol",
      "Enabled": true
    }

Aras Innovator User Setup

To use the authentication plugin together with the mapper plugin, a User item with the required login_name must exist in the Aras Innovator database with logon_enabled = true. The user’s login_name must match the Windows account name. If no such user exists, the Login Form appears, but pressing the Login button produces the error message ‘Authentication failed for X’.

Warning Users must have a non-null password. Users with a null password cannot log in; the actual password is not used, however, and can be set to anything.

Logging in as an Authenticated User

To log in as a Windows Authenticated user, you must select Windows from the Login with drop-down:

Figure 2.

Logging in as a Standard User

To log in as a standard user, you must select Aras Innovator from the Login with drop-down:

Figure 3.

Switching Between Logon Types

For end-user convenience, the Aras Innovator Login Screen caches your logon method (Windows/Standard). To return to the logon mode selection dialog, add the prompt query parameter with the select_account value. The full URL is:

http://<host_name>/<application_alias>/?prompt=select_account

Another option is to clear the Aras.OAuth.Preferences.AuthenticationType and Aras.OAuth.Preferences.Database cookies.