Integrating CE with Existing Security Environments


Everything discussed so far is part of Enterprise Authentication, which is CE's native stand-alone security system. However, if you prefer to integrate CE security with another authentication system already in place in your organization, you have three additional authentication methods: Windows NT, Windows Active Directory (new in CE 10), and LDAP.

There are four general ways of defining and implementing Crystal Enterprise security. You may use the built-in security model that's part of the CMS. Or, if you already have a security system in place within your organization, you may tie CE to it, provided you are using one of the three standard security models. As such, you have four overall security/authentication choices:

  • Enterprise Authentication: In this scenario, you manage all CE users and groups entirely within the CE CMS; no external security system is used. This is separate from any existing network or server security you may already have in place. Enterprise Authentication is discussed earlier in this chapter.

  • Windows NT Authentication: Existing Windows NT and 2000 local or domain groups can be used to populate your CE security model. Members of these groups are automatically granted access to CE, and users supply their existing network credentials to log in to CE.

  • Windows Active Directory: If you've set up Active Directory (AD) security with a Windows 2000 or Windows Server 2003 environment, you can use AD groups and users to authenticate CE users. AD members are automatically granted access to CE, and users supply their existing network credentials to log in to CE.

  • LDAP: If your organization's security model is based on the open LDAP (Lightweight Directory Access Protocol), you can integrate users maintained by your existing LDAP server into Crystal Enterprise. LDAP members are automatically granted access to CE, and users supply their existing network credentials to log in to CE.

    Note  

    You are not limited to choosing just one authentication method. You may use more than one method (or all four methods) to build your total complement of CE users and groups.

Windows NT

In some CE environments, it may be easiest to use the same users and groups that are already defined in your Windows NT or Windows 2000 environment. CE supports this by mapping those users and groups into the Enterprise security system. There are two basic methods for this: add the desired NT users or groups into the Crystal NT Users group inside of Windows NT, or map the desired NT groups into CE from within the CMC.

By default, when you install a CE CMS onto a Windows NT or Windows 2000 computer, a local NT group called Crystal NT Users is created. To map NT users in the Crystal NT Users group, run the Windows NT User Manager (or other similar tool, depending on your operating system). Select the Crystal NT Users group. Click Properties, then Add, and then select the users and/or groups to be added. Click OK to add the selected users and groups, and then click OK to complete the process. Once the new accounts are added, the users can log on with the user name format of \\NTDomain\NTUserName and their standard NT password. They'll need to ensure they select the Windows NT authentication method when they log on.

To map existing NT groups into the CE system, click Authentication in the Manage category of the CMC home page. Then, click the Windows NT tab. Confirm that NT Authentication Is Enabled is checked. The default NT Domain shown will allow users to simply supply their user ID and password without full machine name/domain qualification if they're in the default domain. If you need to change the default domain, click it and specify a new default domain when prompted.

Enter the path to the NT group you wish to add in the Add NT Group text box. For global groups, use the format NTDomain\NTGroup. For local groups, use the format \\Machine\Group. Click on Add to add that group. Enter as many NT groups as desired to the list box in this manner. If you later wish to delete an existing domain, select it in the list of existing domains and click Delete.


Select various radio button options for dealing with New Alias, Update, and New User options:

  • New Alias Options: If you choose the first option, CE will assign an alias to any existing CE accounts that have the same name as an account being imported from the security server. If an imported account does not duplicate an existing account, a new account will be created. If you choose the second option, new accounts will be created even if an existing account with the same name already exists. In the case of duplicate account names, a sequential number will be added to the new account name to distinguish it from the existing account.

  • Update Options: If you choose the first option, CE will create a new account (or assign an alias based on your choice in New Alias Options) for every account contained in the groups being imported. This may create a large number of users if the imported groups contain large numbers of users. If you choose the second option, users in the imported groups will be created in CE once they log in to CE for the first time. If they never log in, their account will never actually be created in CE.

  • New User Options: When new user accounts are created from imported groups, this choice determines which license type they use by default. Note that you must have enough licenses of the chosen type for all users that will be created by the import. If you don't, not all user accounts will be created. If you later decide you want to change the license type for certain imported users, you may select the individual users from the Users link and change their license type.

Once you've made all desired choices, click Update to complete the process. If you chose to immediately create users and groups from the imported groups, you can now navigate to user and group lists to see the newly added users and groups.

Windows Active Directory

Windows Active Directory (AD) authentication is similar to Windows NT authentication. New in Crystal Enterprise 10, AD authentication uses native AD protocols (NT authentication can use AD mixed mode) to connect to existing Windows 2000 or Windows Server 2003 Active Directory security models.

To map existing AD groups into the CE system, click Authentication in the Manage category of the CMC home page. Then, click the Windows AD tab. Confirm that Windows Active Directory Authentication Is Enabled is checked. Click the ellipses to specify an AD administrator name and password for CE to use when authenticating AD users and groups. Also, click the ellipses to specify a default AD domain. You won't have to fully qualify groups in this domain when adding them, and users in that domain won't have to provide a fully qualified user ID when signing on to CE.

Enter the path to the AD group you wish to add in the Add AD Group text box. Click Add to add that group. Enter as many AD groups as desired to the list box in this manner. If you later wish to delete an existing group, select it in the list of existing groups and click Delete.


Select various radio button options for dealing with New Alias, Update, and New User options:

  • New Alias Options: If you choose the first option, CE will assign an alias to any existing CE accounts that have the same name as an account being imported from the security server. If an imported account does not duplicate an existing account, a new account will be created. If you choose the second option, new accounts will be created even if an existing account with the same name already exists. In the case of duplicate account names, a sequential number will be added to the new account name to distinguish it from the existing account.

  • Update Options: If you choose the first option, CE will create a new account (or assign an alias based on your choice in New Alias Options) for every account contained in the groups being imported. This may create a large number of users if the imported groups contain large numbers of users. If you choose the second option, users in the imported groups will be created in CE once they log in to CE for the first time. If they never log in, their account will never actually be created in CE.

  • New User Options: When new user accounts are created from imported groups, this choice determines which license type they use by default. Note that you must have enough licenses of the chosen type for all users that will be created by the import. If you don't, not all user accounts will be created. If you later decide you want to change the license type for certain imported users, you may select the individual users from the Users link and change their license type.

Once you've made all desired choices, click Update to complete the process. If you chose to immediately create users and groups from the imported groups, you can now navigate to user and group lists to see the newly added users and groups.
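The New Alias, Update, and New User options described in the Windows NT and Windows Active Directory sections interact, and under the first New Alias option an imported login whose name matches an existing CE account is attached to that account instead of receiving a new one. The following Python model is an added example, not code from the book or a CE API; the function name, case-insensitive name matching, the numeric-suffix format, and the rule that an alias consumes no new license are assumptions.

```python
def plan_import(existing, imported, alias_existing=True, create_now=True,
                free_licenses=0):
    """Model the New Alias, Update and New User options for one group import.

    existing       -- names of accounts already defined in CE
    imported       -- member names of the NT/AD/LDAP groups being mapped
    alias_existing -- True: first New Alias option; False: second option
    create_now     -- True: first Update option; False: create at first logon
    free_licenses  -- unused licenses of the type chosen under New User Options
    """
    taken = {name.lower() for name in existing}  # assumption: case-insensitive
    plan = {"when": "on update" if create_now else "at first logon",
            "aliased": [], "created": {}, "not_created": []}
    for name in imported:
        if alias_existing and name.lower() in taken:
            # The external login becomes an alias of the same-named CE account
            # and so uses that account's rights: review each of these.
            plan["aliased"].append(name)
            continue
        # A new account is needed; on a name clash a sequential number is
        # added (assumed format: name followed by a counter).
        new_name, counter = name, 0
        while new_name.lower() in taken:
            counter += 1
            new_name = f"{name}{counter}"
        if free_licenses == 0:
            plan["not_created"].append(name)     # license pool exhausted
            continue
        free_licenses -= 1
        taken.add(new_name.lower())
        plan["created"][name] = new_name
    return plan


# Constructed sample data, not taken from a real system.
EXISTING = ["Administrator", "Guest", "jsmith"]
IMPORTED = ["jsmith", "mlee", "administrator", "rgarcia"]

if __name__ == "__main__":
    for alias in (True, False):
        print(alias, plan_import(EXISTING, IMPORTED, alias_existing=alias,
                                 free_licenses=3))
```

Check every name in `aliased` against the existing CE account it will attach to, and make sure `not_created` is empty, before clicking Update.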

Tip  

A potentially useful feature for Microsoft web server/web browser environments is NT Single Sign-On. When properly configured, this allows CE users to pass their already-supplied Windows user ID and password to the CMS without actually specifying them; the web browser supplies them automatically. This requires, however, that Microsoft IIS be running as the web server and that users use the Internet Explorer browser. This option requires settings on both the IIS web server and the CE Web Component Server. Information about enabling NT Single Sign-On is available in the CE Administrator's Guide.

LDAP

Another authentication method supported by CE is via Lightweight Directory Access Protocol, or LDAP. LDAP users and groups maintained in your organization's LDAP server are mapped to CE, with LDAP user accounts being used either to create a new CE account or to map to an existing CE account.

The first step in enabling LDAP authentication is to be sure your LDAP directory is set up and operating properly. Then, click Authorization in the Manage area of the CMC home page. Click the LDAP tab. If you have not previously set up LDAP authentication, a message indicating such will appear with a button to start the LDAP Configuration Wizard. Click the button.

The wizard will proceed through various screens asking for specific information relating to your particular LDAP server. These screens allow you to supply the hostname (or hostnames, if you want to add failover LDAP servers), the server type, the base LDAP distinguished name, the ID and password the CMS should use when querying the server, the type of secure connection to use, and the same CE account and licensing options specified when using NT or AD authentication. Details on LDAP server settings can be found in the online Administrator's Guide, and details on the CE account and licensing options are described in the previous NT and AD authentication sections.

Once you've successfully specified all wizard options, click Finished. The wizard will gather necessary information from your LDAP server and display the LDAP summary page in the LDAP tab. Now, you can specify existing LDAP groups to map to CE. Enter the name of the LDAP group you wish to add in the Add LDAP Group text box. Click Add to add that group. Enter as many groups as desired to the list box in this manner. If you later wish to delete an existing group, select it in the list of existing groups and click Delete.

Once you've made all desired choices, click Update to complete the process. If you chose to immediately create users and groups from the imported groups, you can now navigate to user and group lists to see the newly added users and groups.




Crystal Reports 10: The Complete Reference
ISBN: B005DI80VA
EAN: N/A
Year: 2004
Pages: 223
Authors: George Peck
