Active Directory Setup for Windchill 9.1

Ajay Valviavalvi@ptc.com

Document PropertiesFile NameStatus

ActiveDirectorySetupR91.docReleased

Change HistoryDateAuthorVersionChange Reference

OCT/08/2009Ajay Valvi0.1Draft

NOV/30/2009Ajay Valvi1.0Released

Accepted By

Accepted By:Approval DateComments

Hemant ShadraNOV/30/2009

Table of Content41.Introduction

42.Assumptions

43.Understanding Windchill and LDAP Directory Service

54.Enabling Active Directory Integration with Windchill

54.1.Required Inputs from Active Directory

75.Enabling Active Directory Integration during New Installation

95.1.2.Specifying user organization

105.1.3.Testing the configuration

116.Enabling Active Directory Integration for Existing Windchill Instance

116.1.Connecting to Active Directory

116.1.1.Updating EnterpriseLDAP Adapter to connect to Active Directory

146.1.2.Configuring Apache to connect to EnterpriseLDAP

146.1.3.Setting authentication in MapCredentials.xml file

146.2.Retargeting Users

166.2.1.Retargeting procedure

19Appendix

19Sample Summary.htm File

20Sample app-Windchill-AuthProvider.xml file

20Sample mapCredentials.txt file

21LDAP Browser login sequence

22External References

1. Introduction

The purpose of this document is to provide information to the consultant about the specific configuration involved to set up an Active Directory Integration with Windchill 9.1. Active directory can be integrated with a Windchill instance during a new installation or with an existing Windchill Instance. When an existing instance of Windchill is integrated with an existing instance of Active Directory, the users from Aphelion must be retargeted to the Active Directory such that Windchill maintains to use the Active Directory references. This document covers the following topics:

Enabling Active Directory Integration for a New Windchill Instance

Enabling Active Directory Integration for an Existing Windchill Instance

Retargeting UsersThis document should be used as a reference for configuring Active Directory integration with Windchill 9.1; however, it is imperative that the consultant refers to the Configuring Additional Enterprise Directories section from the Windchill Installation and Configuration Guide - Advanced.It is strongly recommended that any of these techniques be tested, repeatedly, in a controlled test environment to insure that they are functioning as desired before executing them in a production.2. Assumptions

This document introduces you to the required steps for configuring Active Directory integration with Windchill 9.1.

This document assumes that the consultant has a good understanding of Windchill System Administration and a basic understanding of LDAP structure and Active Directory.It is strongly recommended that before performing any of the modifications to the Aphelion LDAP or database, the consultant should contact tech support for more direct assistance and guidance in their efforts with the LDAP.3. Understanding Windchill and LDAP Directory ServiceWindchill utilizes an LDAP directory service or multiple LDAP directory services for two purposes:

Provide user and group administration.

Store application-specific configuration information to Windchill.

PTC bundles an LDAP directory service with Windchill. The LDAP that is bundled can be leveraged for both purposes or solely for managing the application-specific information. Windchill has no specific limitation as to the number of LDAP instances that are integrated with Windchill for user and group administration.

Note

Windchill 9.1 M030 introduces new LDAP Directory Server Option (Windchill DS powered by OpenDS Technology), an alternative to Aphelion directory server. Windchill releases before 9.1 M030 used Aphelion as a part of the bundled LDAP directory service. The steps mentioned in this document are applicable to all releases of Windchill 9.0 and 9.1

Various configurations have been utilized to satisfy a variety of customers requirements. One such requirement is to integrate Windchill with an already existing Active Directory Server (ADS) for both authentication and account management.If the customer is already using Active Directory Server (ADS) as enterprise LDAP service, Windchill can be integrated with ADS such that the user information is maintained in the existing ADS directory. Windchill can query entries in ADS using a JNDI adapter.

An Active Directory integration with Windchill is a read-only configuration. Therefore, Windchill cannot create, modify, or delete entries in an ADS directory. This means Windchill cannot be used to administer user information in ADS (standard Microsoft administration tools must be used instead). Windchill must have the ability to update group information and organization information; therefore, these must be stored in Aphelion that provides full access to Windchill, not ADS. As a result, in this scenario you would maintain two different LDAP directories, one to maintain groups and the other for Users in support of Windchill.

When considering Active Directory integration with Windchill, it is implied that the Groups are stored in Aphelion and Users are maintained in the Active Directory.In PDMLINK 8.0, during the configuration a new custom adapter has to be created for LDAP integration. But in PDMLINK 9.0 and later versions, we dont have to create any new adapter or repository; we can use the existing adapter that is created OOTB (for example com.example.EnterpriseLdap).

The EnterpriseLdap adapter is defined such that it enables a site to easily connect to an existing Corporate LDAP to allow existing corporate users to be validated for Windchill use.

Active directory can be integrated with a Windchill instance during a new installation or to an existing Windchill Instance. Both the methods have been explained later in this document.

4. Enabling Active Directory Integration with Windchill While installing a new Windchill instance, the following three steps are required.

Connecting to Active Directory during installation

Specifying user organization (optional)

Editing JNDI entry to change search scope

4.1. Required Inputs from Active Directory

Before starting with any installation or configuration activities, following is the minimum required information that needs to be obtained to connect to an Active Directory.

Inputs from Active Directory

Enterprise Repository LDAP Server Host Name

DescriptionHost name to connect to the Microsoft Active Directory Service (ADS) Server

Exampleseha074.ptcnet.ptc.com

Search Base or Base Distinguished Name for Enterprise Users

DescriptionThe distinguished name of an LDAP subtree under which Enterprise LDAP entries reside.

Users and groups under this subtree will be visible to Windchill

ExampleCN=Users,DC=example,DC=com

Enterprise Repository LDAP User Distinguished Name or Directory System Agent User

DescriptionThe distinguished name of an existing ADS user

ExampleCN= Bind User, CN=Users,DC=example,DC=com or user@domain

Enterprise Repository LDAP Password or Directory System Agent Credentials

DescriptionEnter the password of the specified user -

Enterprise Repository LDAP Server Port

DescriptionPort to bind to the Active Directory Server

Always use 3268 for the port when configuring Windchill with Active Directory, rather than the default LDAP port (i.e. port 389). If you bind to port 389 (even if you bind to a Global Catalog server) your search includes a single domain directory partition. If you bind to port 3268, your search includes all directory partitions in the forest. Subtree search seems to work better with 3268.Verify the port number with the Customers System Administrator

The following flowchart helps to visualize the steps involved in Active Directory Integration

5. Enabling Active Directory Integration during New InstallationDuring installation, Active Directory specific information needs to be entered on various PSI pages.

5.1.1.1. LDAP settings page

On the LDAP settings page, you must perform the following two settings:

1. Enter the Base Distinguished Name for Enterprise Users You need to mention the distinguished name of the LDAP subtree, also called the search base, in Active Directory where the users and groups reside. For Example : CN=Users,DC=example,DC=com You can set the Search Base to the root (i.e. "DC=example,DC=com") if you have users in different nodes. However, setting the Search Base to the root might result in poor performance.Note

For more information refer to the 'Entering Your LDAP Settings' section in the Windchill Installation and Configuration Guide Advanced. Windchill 9.12. Select the Enable Separate Enterprise LDAP Server check box to enable it

On selecting this check box, the next screen displays JNDI Adapter Settings page to specify the settings for the separate LDAP server.

Ensure the Enable Separate Enterprise LDAP Server check box is enabled else the next page wont display the JNDI settings page.5.1.1.2. JNDI settings pageOn the JNDI settings page, enter the following information:3. Enter the fully qualified hostname of the Microsoft Active Directory Service (ADS) Server in the Enterprise Repository LDAP Server Host Name text field.4. Enter 3268 in the Enterprise Repository LDAP Server Port text field. When configuring Windchill with Active Directory, always use 3268 for the port rather than the default LDAP port (i.e. port 389).

5. Select the Bind as User radio button for LDAP Connection type.6. Enter the distinguished name of an existing ADS user in the Enterprise Repository LDAP User Distinguished Name text field. For Example : CN= Bind User, CN=Users,DC=example,DC=com7. Enter the password for the specified user in the Enterprise Repository LDAP Password text field.8. Select the Groups check box, and ensure that the Users check box is enabled as well.9. Select the Active Directory Service (ADS) radio button as LDAP service.

5.1.1.3. Core Product Settings page

On the Core Product Settings page, select the Administrative radio button option for Select the Repository Where the Site Administrator is Stored setting. Since Windchill has Read Only access to the Active Directory, the Windchill Administrator must be created in the Administrative LDAP.

5.1.2. Specifying user organization

In order to assign an initial organization name to a user, the EnterpriseLDAP Adapter must be modified to include an additional property. Add the usersOrganizationName custom property to set the initial organization name for all users accessed through the EnterpriseLDAP Adapter. Navigate to Info*Engine Administrator page from Site > Utilities > Info*Engine Administrator. Log on by entering cn=Manager and the appropriate password.

Select the JNDI adapter by the name com..EnterpriseLDAP to open the Property Editor page.

Edit the Adapter to change the LDAP search scope and add an additional property Select the drop down list for LDAP Search Scope and set it to SUBTREE.

Enter 'com.test.example.EnterpriseLdap.windchill.mapping.usersOrganizationName' in the Property text field and '' in the Value text field and click the Add button.This property associates an initial organization name to the user. Refer to the "Setting the User Organization" section in the Windchill Installation and Configuration Guide Advanced for more information about the need for setting this property

Click OK to complete the modification to the Adapter. Select OK again on the confirmation window.

5.1.3. Testing the configuration

Search and add Active Directory users and groups to various roles, such as Product Creators, Members, Guests, etc., in test products and libraries.

Log on as new users and create products and documents to verify successful login and object creation abilities.

6. Enabling Active Directory Integration for Existing Windchill InstanceFor an existing instance of Windchill, two aspects should be considered while adding an additional Enterprise Directory: First is connecting to a Corporate LDAP like Active Directory to Windchill so that one can add users and groups from Active Directory to Windchill. Second is to be able to retarget the existing users from Aphelion to the Active Directory so that next time the users login they are maintained and authenticated against the Active Directory Before starting with any configuration activity, it is necessary that one reads through the Retargeting Users section. Though the retargeting users is done after making the configuration changes to connect to Active Directory, it is important to understand and analyze the effort and complexities involved before starting the configuration changes.

6.1. Connecting to Active Directory

Connecting to Active Directory involves the following three steps: Update EnterpriseLDAP Adapter to connect to Active Directory. Configure Apache to connect to EnterpriseLDAP. Set Authentication in MapCredentials.xml file.6.1.1. Updating EnterpriseLDAP Adapter to connect to Active Directory

Before you start updating the EnterpriseLDAP, collect the required information as mentioned in the Required Inputs from Active Directory section

10. Navigate to the Info*Engine Administrator page from Site > Utilities > Info*Engine Administrator.11. Log on by entering cn=Manager and the appropriate password.12. Select the JNDI adapter by the name com..EnterpriseLDAP to open the Property Editor page.13. Edit the following Adapter properties settings.JNDI Adapter PropertyValue

Service Namecom.example.EnterpriseLdap

Runtime Service Namecom.example.EnterpriseLdap

Service Classcom.infoengine.jndi.JNDIAdapterImpl

Host , PortLeave it Blank

Provider Urlldap://activedirectoryhost.example.com:3268

Directory System Agent UserCN=Bind User,CN=Users,DC=example,DC=com

Directory System Agent Credentials

Search BaseCN=Users,DC=example,DC=com

You can set the Search Base to the root (i.e. "DC=example,DC=com") if you have users in different nodes. However, setting the Search Base to the root might result in poor performance.

LDAP Search ScopeSUBTREE

14. Add the following Adapter properties one by one in the Additional Properties section

Additional PropertiesValue

com.test.example.EnterpriseLdap.windchill.config.doesNotContainGroupstrue

com.test.example.EnterpriseLdap.windchill.config.directoryTypeADS

com.test.example.EnterpriseLdap.windchill.config.readOnlytrue

com.test.example.EnterpriseLdap.windchill.mapping.group.descriptiondescription

*com.test.example.EnterpriseLdap.windchill.mapping.group.objectClassgroup

*com.test.example.EnterpriseLdap.windchill.mapping.group.uniqueIdAttribute**sAMAccountName

com.test.example.EnterpriseLdap.windchill.mapping.group.uniqueMembermember

*com.test.example.EnterpriseLdap.windchill.mapping.user.cncn

com.test.example.EnterpriseLdap.windchill.mapping.user.facsmileTelephoneNumberfacsmileTelephoneNumber

*com.test.example.EnterpriseLdap.windchill.mapping.user.mailmail

com.test.example.EnterpriseLdap.windchill.mapping.user.mobilemobile

*com.test.example.EnterpriseLdap.windchill.mapping.user.ocompany

*com.test.example.EnterpriseLdap.windchill.mapping.user.objectClassuser

com.test.example.EnterpriseLdap.windchill.mapping.user.postalAddresspostalAddress

com.test.example.EnterpriseLdap.windchill.mapping.user.preferredLanguagepreferredLanguage

com.test.example.EnterpriseLdap.windchill.mapping.user.snsn

com.test.example.EnterpriseLdap.windchill.mapping.user.telephoneNumbertelephoneNumber

*com.test.example.EnterpriseLdap.windchill.mapping.user.uid**sAMAccountName

*com.test.example.EnterpriseLdap.windchill.mapping.user.uniqueIdAttribute**sAMAccountName

com.test.example.EnterpriseLdap.windchill.mapping.user.userCertificateuserCertificate

*com.test.example.EnterpriseLdap.windchill.mapping.usersOrganizationName

The * marked properties are mandatory properties. The other properties may or may not be included.

**If you have an Active Directory forest then the sAMAccountName name might not be unique across different Active Directory domains. In that case please use the userPrincipalName. The format of the userPrincipalName is @ which guaranties userPrincipalName to be unique across all domains.

6.1.2. Configuring Apache to connect to EnterpriseLDAPConfigure Apache Web Server such that it points to the Active Directory for authentication.

Execute the following command in a Windchill shell and from the Apache load point folder to update the authentication properties: ant -f webAppConfig.xml addAuthProvider -DappName= -DproviderName=EnterpriseLdap -DldapUrl=" ldap:// actdirhost.test.com:3268/OU=ptc,DC=actdirhost,DC=test,DC=com?sAMAccountName?sub?(objectClass=*)" -DbindDn="CN=BindUser,CN=Users,DC=actdirhost,DC=test,DC=com" -DbindPwd=""

Note

The Ant command must be entered in a single line though it appears to be multiline command

To verify if the Ant script has updated the changes appropriately, refer to the sample file of the app-Windchill-AuthProvider.xml in the Appendix to compare with and verify after making the Apache Configuration Changes.6.1.3. Setting authentication in MapCredentials.xml fileThe MapCredentials.xml file is used to specify the authentication access to a specific Info*Engine adapter. If no parameters are added to the MapCredentials file, the default access to the enterprise directory is anonymous. To access ADS, a proper Bind user must be specified.

Add the following two properties to the site.xconf and propagate the changes using the Windchill shell.

Additional properties

There are chances that these properties already exist. Ensure that the values for these properties include the Bind User path and password.To verify if the properties have been propagated appropriately, compare with the sample mapCredentials.txt file in the Appendix.6.2. Retargeting UsersFor customers who wish to manage users in Active Directory, retargeting existing users in Aphelion to Active directory is the most common method for moving users. Retargeting users involves changing the Windchill reference to a user from Aphelion to the corporate Active Directory. This is either done in an effort to utilize a single sign on method or to reduce the administrative overhead of maintaining users in multiple LDAPs.

There are a couple of significant relationships that a user has inside of the data found within Windchill. All data records in Windchill are related to a WTUser, which has a relationship to a specific entry in the database that maintains the users DN (Distinguished Name) and LDAP adapter.

The DN of the user is also referenced in a multitude of Groups that are also found in the LDAP. Moving users from Aphelion to an Active Directory will not include moving the Groups to the corporate LDAP simply based on the volume of the groups that Windchill can create and their relative insignificance to the entire organization. However, it is possible to select and add groups managed in Active Directory in Windchill.Retargeting users essentially involves changing the references of users in Windchill to the newly connected Active Directory instead of Aphelion with the following condition:

The users in Aphelion already exist in Active Directory. If the users exist in Active Directory, they must have the same UID.To retarget users, the above condition must be satisfied. Out-of-the-box ADS does not have a uid attribute for user objects. Instead there are two attributes that contain the user id (uid) information. The first is sAMAccountName, which is the uid itself. The second is userPrincipalName, which is the uid with the domain appended (for example user@myco.com). In Aphelion or WindchillDS the UID corresponds to the username.Before retargeting users to the corporate Active Directory, a few pre-migration steps need to be performed to ensure that the data to which Windchill expects to have access to is readily available.

A detailed analysis of both the LDAPs must be done to find out any mismatch. Do all of the users exist in the corporate LDAP?

If some of them do not exist, create users in the Corporate Active directory.

In some cases, most users may no longer be employed, which means such users do not need to be retargeted. Is the UID of the user in the corporate LDAP equivalent to the ID stored within Aphelion?

If the ID is not the same, rename the user in Aphelion to match the entry in the Active Directory LDAP first

Does the corporate LDAP use the same attributes as Aphelion?

If not, the attributes must be mapped appropriately. This means when you configure the JNDI adapter you must provide additional attribute-mapping properties to map the default Windchill user and group attributes to the corresponding user and group and group attributes used by your LDAP directory. Refer to the 'Mapping User and Group and Group LDAP Values in an Existing Directory' section in the 'Windchill Installation and Configuration Guide Advanced'. Is the DN structure of the corporate LDAP such that you need multiple search base DNs to search for all required users?

It is possible that the customer may provide with multiple search base DNs for users within its Active Directory. If the corporate LDAP is structured such that it has multiple DNs for various users, a unique JNDI adapter will be required for each DN node. Refer to the 'Create JNDI Adapter Entry' and 'Create Repository Definition' sections to add additional adapter in the 'Windchill Installation and Configuration Guide Advanced' Are suppliers and external IDs stored in Aphelion?

Investigate how suppliers are handled in the corporate LDAP. It is possible that suppliers or external users are stored in a different LDAP server or may be a separate forest is created for them. In such a case you may have to create a separate JNDI Adapter in order to search for those users or you could still maintain them in the Aphelion or Windchill DS.This document does not provide methods to troubleshoot or correct any discrepancies in the data if the UIDs do not match. It is strongly recommended that before performing any of the modifications to the Aphelion LDAP or database, the consultant should contact Technical support for more direct assistance and guidance in their efforts with the LDAP.6.2.1. Retargeting procedureThis procedure involves disconnecting the user in Windchill by deleting it from Aphelion and then connecting the disconnected user to the user in Active Directory. Another method is to replace the DN info within the database with a new DN such that it points to Active Directory.

Before starting with the retargeting procedure: Remember that the Administrator (wcadmin) user always stays in Aphelion. Take Aphelion and Database backups to restore to the original state if necessary. Ensure that no users are accessing Windchill during the retargeting procedure. Ensure users being retargeted exist in Active Directory and have the same UID as in Aphelion.The following steps list down the method to retarget a Windchill User pat2. A similar method should be used to retarget users either one by one or all at a time.

6.2.1.1. Listing the entries in the databaseOpen Windchill Shell, navigate to /db/sql, and log onto sqlplus as a database user. sqlplus /@Note

The dbuser, dbpasswd and Windchill_db_name values can be found in the \db\db.properties wt.pom.dbUser, wt.pom.dbPassword & wt.pom.jdbc.service

Enter the following query to review the remoteobjectid values and review the returned results. select remoteobjectid from remoteobjectid;

6.2.1.2. Delete user from Aphelion or Windchill DS

Browse through the LDAPBrowser to locate and delete the required user to be retargeted.

6.2.1.3. Replace user from the Principal Administrator page

Once the user has been deleted from the Aphelion, it becomes a disconnected principal in Windchill. This user must be retargeted to the user in Active Directory. Navigate to the Site > Utilities page and click the Principal Administrators link to open the Principal Administrators page. Click the Maintenance link to open the Disconnected Principals table. Click the Search for Disconnected Principals icon.

The Find All Disconnected Principals page lists the deleted user. Select the user and click OK. Click the Edit Principal button to edit the disconnected principal address.

Search for the user by entering the username of the deleted user and clicking Search on the Associate New User with Disconnected User page

The search returns the same user from Active Directory. Select the radio button against the user and click OK.

On selecting OK, the user is removed from the Disconnected Principals table. The user is now retargeted. Verify this by running the SQL query select remoteobjectid from remoteobjectid; again. The results should show the new DN value.Appendix

Sample Summary.htm File

Here is a sample file of the Summary.htm file extract for New Windchill Installation to compare with. LDAP Settings

LDAP Server DNS Registered Host Name:

windchillhost.example.test.com

LDAP Port Number:

389

Administrator Distinguished Name:

cn=Manager

Administrator Password:

**********

Confirm Administrator Password:

**********

Base Distinguished Name for Product Properties:

cn=configuration,cn=Windchill_9.1,o=adplm

Base Distinguished Name for Administrative Users:

ou=people,cn=AdministrativeLdap, cn=Windchill_9.1,o=adplm

Base Distinguished Name for Enterprise Users:

CN=Users,DC=windchillhost,DC=example,DC=test,DC=com

Enable Separate Enterprise LDAP Server

Yes

JNDI Adapter Settings

Enterprise Repository LDAP Server Host Name:

actdirhost.test.com

Enterprise Repository LDAP Server Port:

3268

Enterprise Adapter Name

com.test.example.EnterpriseLdap

LDAP Connection

Bind as User

Enterprise Repository LDAP User Distinguished Name:

CN=Bind User,CN=Users,DC=actdirhost,DC=test,DC=comEnterprise Repository LDAP Password:

Windchill Privileges for Repository

Read Only

LDAP Service

Active Directory Service (ADS)

Repository Contains

Users

Groups

User Filter:

CN=*

Group Filter:

CN=*

Core Product Settings

Windchill Site Administrator:

Create New

Windchill Site Administrator User Name

wcadmin

Windchill Site Administrator Password:

********

Confirm Windchill Site Administrator Password:

********

Select the Repository Where the Site Administrator is Stored:

Administrative

Web Application Context Root:

Windchill

Info*Engine Server Task Processor Port Number:

10002

Initial Organization Name:

adplm

Organization Internet Domain Name:

example.test.com

Sample app-Windchill-AuthProvider.xml file

Here is a sample of the app-Windchill-AuthProvider.xml file to compare with after making the Apache Configuration Changes.

Alternatively, you can accomplish the Apache Configuration by editing the "/conf/extra/app-Windchill-AuthProvider.xml and propagating the changes as shown below:app-Windchill-AuthProvider.xml

Windchill-AdministrativeLdap ldap://windchillhost.example.test.com:389/ou=people,cn=AdministrativeLdap,cn=Windchill_9.1,o=ptc

cn=Manager

Windchill-EnterpriseLdap

ldap:// actdirhost.test.com:3268/OU=ptc,DC=actdirhost,DC=test,DC=com?sAMAccountName?sub?(objectClass=*)

CN= Bind User,CN=Users, DC=actdirhost,DC=test,DC=com

To propagate these properties into .conf files, execute the following command in a Windchill shell and from the Apache load point folder:

ant -f webAppConfig.xml regenWebAppConf

Sample mapCredentials.txt file

Here is a sample of the \codebase\WEB-INF\mapCredentials.txt file to compare with after adding to the mapcredentials.admin.adapters property.mapCredentials.txt

mapcredentials.admin.adapters=com.test.example.Ldap^cn\=Manager^;com.test.example.Ldap-Pending^cn\=Manager^;com.test.example.EnterpriseLdap^ CN=BindUser,CN=Users, DC=actdirhost,DC=test,DC=com ^

mapcredentials.admin.default.ldap=$(wt.rmi.server.hostname)$(credentials.fieldsep)$(ie.ldap.managerDn)$(credentials.fieldsep)$(ie.ldap.managerPw)

mapcredentials.admin.pendinguser.ldap=$(wt.rmi.server.hostname)$(credentials.fieldsep)$(ie.ldap.managerDn)$(credentials.fieldsep)$(ie.ldap.managerPw)

mapcredentials.nonprivileged.adapters=

LDAP Browser login sequence

The Image below shows the sequence to log onto Aphelion LDAP Browser. Connecting to LDAP using a valid LDAP User (cn=Manager) allows deleting or modifying access.

Select browser > Select Edit > Uncheck Anonymous bind checkbox > Enter Password > Select Save > Select Connect

For starting up WindchillDS browser or the control panel double click the control-panel.bat located at \server\bat folder

External References

ReferenceDescription

Configuring Additional Enterprise Directories Windchill Installation and Configuration Guide Advanced

Windchill 9.1

TANTANs and TPITPIs135027 , 126775, 124774, 137040, 133029, 139095, 137919, 134754,124667

White Paper Windchill LDAP Integration, Migration and Common Challenges Authored by Steve Dertien

Confidential - PTC Proprietary

ActiveDirectorySetupR91.docLast printed Jul/01/2009 | Page 14 of 22