Windows Authentication 9.5.2 SP3 · Delphi 9.5.2 SP3 Windows Authentication ... Windows Authentication 4 Users with SQL Administrator access or users assigned to the selected SQL

Windows Authentication

Delphi 9.5.2 Service Pack 3

Document Version 1.0 11/10/09

Copyright

© 2009 Newmarket International, Inc. All rights reserved.

The information in this document is confidential and proprietary to Newmarket International, Inc., and may not be disclosed, copied, reproduced, published, translated or reduced to electronic medium or machine readable form, in whole or in part, without the prior written consent of Newmarket International, Inc.

Newmarket, Newmarket’s “N” logo, CCBreeze, Daylight, Daylight Enterprise, Delphi, Delphi Multi-Property Edition, and MeetingBroker are registered trademarks of Newmarket International, Inc. Connex, Delphi BI, Delphi Global Sales Edition, Delphi.Net, Delphi Select Edition, Delphi Select Multi-Property Edition, Delphi Single-Property Edition, DelphiSync, and Diagrams are trademarks of Newmarket International, Inc.

Additional company and product names may be the registered trademarks or trademarks of their respective companies.


Delphi 9.5.2 SP3 Windows Authentication

© Copyright 2009 Newmarket International, Inc. All Rights Reserved. NI Confidential Information.

iii


Chapter 1 : Delphi 9.5.2 SP3 Windows AuthenticationOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Sample Features of Windows Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Installing the DDSC Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2Using DDSC to Configure Windows Authentication Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Opening the DDSC Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2Allowing SQL Administrator Access to Map Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3Mapping Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Appending Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Finding a Network User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Unmapping a User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Changing a Delphi User’s Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Enabling Windows Authentication Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Problems in the DDSC Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Problems in Delphi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8


Overview• The Delphi 9.5.2 suite of products can be integrated with Microsoft® Windows® Authentication. If the

Windows Authentication integration feature is used, Delphi users who have been mapped to one or more network users can open Delphi without having to enter their Delphi login and password credentials.

• To integrate Windows Authentication with Delphi, an Enterprise or Domain Administrator enables Windows Authentication and maps each Delphi user to one or more network users using the Delphi Directory Services Configuration (DDSC) utility. The utility can be launched from outside Delphi or within Delphi’s Setup.

• If Integrated Windows Authentication is enabled and either 1) the user does not have an active Windows session, or 2) the Windows domain user account specified in setup is not a valid account (either does not exist on the network or is not configured as stated above) then the user will not be allowed to log into the Delphi application.

Sample Features of Windows Authentication• Company-issued passwords expire after their first use

• Default vendor passwords are changed

• Alphanumeric passwords are required

• Passwords must be at least eight characters long

• New passwords must be different from the last five

• Users must enter the old and new passwords when changing a password

• Passwords are encrypted in storage and transmission

• Passwords are masked from display on the computer screen and printed material

• A user is limited to five unsuccessful log-on attempts within eight hours

• System Administrators must reset user IDs that have been locked out

• Administrators must verify the user identity prior to implementing a password change

• Users must change passwords at least every 90 days

• Minimum password age is one day

• A user session must be re-authenticated after 15 minutes of inactivity

Prerequisites• Windows 2000 or Windows 2003 servers

• SQL 2000 SP4 or SQL 2005

• .NET v2.0 Framework

• The customer site is responsible for managing local security policies for user accounts within their domain.

• Even if Windows Authentication is enabled, the Delphi application requires a Delphi specific user name for each user created in the system. Delphi stores this user name for each created user in the system. When Integrated Windows Authentication is enabled, this data is used only for authorization and the system relies on the Windows Authentication model.

Overview


1


• In order to open the DDSC utility, you must have one of the following:

• Enterprise Administrator access

• Domain Administrator access

• SQL Administrator access on the Delphi server

• SQL role that has been provided SQL Administrator access by your Enterprise or Domain Administrator

• If the DDSC utility is opened from within Delphi, you must also have access to Setup and have a Delphi access level of Director or Administrator.

• The configuration of user accounts can be completed before or after Integrated Windows Authentication is enabled via the DDSC utility.

Installing the DDSC UtilityIf you want to run the DDSC utility from outside Delphi, you must first install it on the Delphi database server.

1. On the Delphi database server, navigate to the Delphi\Utils\DDSC folder and double-click Setup.exe.

The Welcome to the Delphi Directory Services Configuration Setup Wizard opens.

2. Click Next.

3. In the Select Installation Folder window, browse to the location where you want the DDSC utility installed.

Note: By default, the utility is installed in Program Files\Newmarket International\Delphi Directory Services Configuration\.

4. Select one of the following:

• Everyone

• Just me

5. Click Next and in the Confirm Installation window, and then click Next to start the installation.

6. Click Close to close the Installation Complete window.

The DDSC.exe application is installed to the Delphi/EXE folder and can be opened from the Start button.

Note: If the utility was installed to the default location: From Start, point to All Programs, Newmarket International, and click Delphi Directory Services Configuration.

Using DDSC to Configure Windows Authentication Integration

Opening the DDSC UtilityThe Delphi Directory Services Configuration (DDSC) utility can be opened from within Delphi, or as a standalone outside of Delphi. To open the utility you must have one of the following:



Installing the DDSC Utility

© Copyright 2009 Newmarket International Inc. All Rights Reserved. NI Confidential Information.

2




Opening from outside Delphi

1. If the DDSC utility was installed to the default location, from Start, point to All Programs, Newmarket International, and click Delphi Directory Services Configuration.

The SQL Server Login window opens.

2. Enter the connection information.

• In the SQL Server box, type the name of the server.

• Enter the SQL Server login name and password.

• Select the Windows Authentication check box if you want the user to log in to the SQL Server under the context of the current user.

Note: Selecting the check box disables the Login and Password fields.

3. Click the Connect button to enable the Database box.

4. Select the Delphi database, usually nss_database.

5. Click OK.

The Delphi Directory Services Configuration utility opens and the Property Filter box is populated with all properties in the Delphi database.

The Delphi User Information list populates with all users for all properties and the Network User Information grid is blank.

Opening from within Delphi• Do one of the following:

• If using Delphi Multi Property Edition, from File, point to MPE Setup, and double-click DDSC.

• If using Delphi Single Property Edition or Global Sales Edition, from File, point to Setup, and double-click DDSC.

The Delphi Directory Services Configuration utility opens and the Property Filter box is populated with all properties in the Delphi database.

Allowing SQL Administrator Access to Map UsersYou can allow SQL Administrators to map, append, and unmap Delphi users. This enables you to have a team of administrators who can manage and maintain your Delphi logins through the DDSC.

Note: To allow SQL Administrators access, you must have Enterprise or Domain Administrator access.

1. Open the DDSC utility.

The Delphi Directory Services Configuration window opens.

2. Select the Allow SQL Administrator Access check box.

3. (If applicable) From the Select SQL drop-down list, select the appropriate SQL role. This will provide users in that SQL group with access to map Delphi users.

4. Click Close.



3


Users with SQL Administrator access or users assigned to the selected SQL role can now map Delphi users in the DDSC window.

Mapping UsersIf you have the appropriate access (as listed in “Prerequisites” on page -1), you can map Delphi users to network users using the Delphi Directory Services Configuration (DDSC) utility. Once users are mapped and Windows Authentication integration is enabled, Delphi users will not need to log in to Delphi since the application will use their network user login.

1. Open the DDSC utility. See “Using DDSC to Configure Windows Authentication Integration” on page -2.


2. In the Property Filter box, select a property.

A list of all users for the selected property are displayed in the Delphi User Information grid.

3. Right-click an unmapped Delphi user and select Map.

Note: You cannot select more than one Delphi user since you cannot have one network user mapped to multiple Delphi users.

The Select Users window opens.

4. Do one of the following:

• If you know the user's network name, enter it in the Enter the Object Names to Select (examples) box (for example, msmith).

• If you need to change the domain, click the Locations button.

• If you need to locate the user(s), use the Advanced button to find one or more network users to map to the Delphi user. See “Finding a Network User” on page -5.

5. Click OK to close the Select Users window and return to the DDSC window.

The Delphi user now contains a icon in the Map column, and the Network User Information grid populates with the network users you selected.

Note: If you are ready for users to begin using Windows Authentication, you must enable it in the DDSC utility. See “Enabling Windows Authentication Integration” on page -6.

Appending UsersWhen mapping users in the DDSC utility, you can append multiple network users to one Delphi User ID. For example, you might have numerous Banquet Managers who need to access Delphi occassionally. Therefore, you could map the network user names of the many Banquet Managers to the one Banquet Delphi user.

First you have to map one network user to the Delphi user (See “Mapping Users” on page -4). Then when you right-click that Delphi user you have the ability to append additional network users.





3. Click a mapped Delphi user .

The Network User Information grid displays the network user that is mapped to the Delphi User.



4


Note: You must have one network user mapped to the Delphi user before you can append additional network users. See “Mapping Users” on page -4 for instructions on mapping a user.

4. Right-click the mapped Delphi user and select Append.



• If you know the user's network name, enter it in the Enter the Object Names to Select (examples) box (for example, msmith).




The Network User Information grid populates with the network users that are mapped or appended to the highlighted Delphi user.

7. Repeat Step 4 - Step 6 to append more network users to the Delphi user.

Note: If you are ready for users to begin using Windows Authentication, you must enable it in the DDSC utility. See “Enabling Windows Authentication Integration” on page -6.

Finding a Network UserIf Windows Authentication is enabled for your Delphi database, you can map Delphi users to one or more network users. This then allows Delphi users to open Delphi without having to log in to Delphi, since the user is already logged in to Windows.

The Advanced Select Users window allows you to enter search criteria.

1. Select an unmapped Delphi user.

2. In the Select Users window, click the Advanced button.

3. Enter search criteria. For example, to find all users whose network user name begins with the letter "m", under Common Queries-->Name box, select Starts with and enter m in the text box. You can further narrow the search by entering more letters for the network user. For example, to find msmith, enter “ms”.

4. Once you have entered the search criteria, click Find Now.

The network user names that match the search criteria are displayed in the user grid along with their e-mail address.

5. Select one or more network user and click OK.

Note: To select more than one network user to map to the Delphi user, press the CTRL key and click each user.

The advanced Select Users window closes and the selected rows appear in the grid in the standard Select Users window.

6. Click OK to close the standard Select Users window.

This brings you back to the Delphi Directory Services Configuration window where you can see the new user map that was just created, listing the Delphi user and mapped network users.



5


Unmapping a UserIf Windows Authentication is enabled, you can remove the mapping between a Delphi user and network users. Once a Delphi user is unmapped, the user can no longer access the Delphi application if Windows Authentication is still enabled.






• In the Delphi User Information area, right-click the mapped Delphi user and select Unmap All. This will unmap all network users listed in the Network User Information grid.

• In the Network User Information grid, right-click the network user you want to unmap and select Unmap Selected. This will unmap only the selected network user and leave all other network users mapped.

Changing a Delphi User’s MappingYou can change the mapping of a Delphi user from one network user to another.





3. Right-click the mapped Delphi user and select Map.



• If you know the network name you want to map to, enter it in the Enter the Object Names to Select (examples) box (for example, msmith).




The Network User Information grid populates with the network user you selected.

Enabling Windows Authentication IntegrationOnce you enable Windows Authentication integration, only users mapped to a network user can log in to Delphi.

If a user is already logged in Delphi when Windows Authentication is enabled, the current user's credentials are not re-validated until the user logs out of Delphi and reopens Delphi.

To enable Windows Authentication in Delphi, you must have access to MPE Setup (or Setup when using Delphi Single-Property Edition or Global Sales Edition) and have Enterprise or Domain Administrator access. To enable Windows Authentication from outside the Delphi application you must have Enterprise or Domain Administrator access.



2. Ensure that all Delphi users have been mapped to a network user. See “Mapping Users” on page -4.



6


3. Select the Enable Delphi Directory Services Integration check box.

4. Click Close.

Note: To disable Windows Authentication integration, clear the Enable Delphi Directory Services Integration check box. If login names and passwords are not entered for each Delphi user when you disable Windows Authentication, you must create them using the Sales Rep option in Setup. If the users do not have assigned login names and passwords, they will not be able to log in to Delphi.



7


Troubleshooting

Problems in the DDSC Utility

Problems in Delphi

Problem Error Possible Causes Solution

User cannot open the DDSC utility from within or outside Delphi.

You are not authorized to access this application. Please contact your administrator.

User does not the appropriate access. You must have one of the following:





Your Enterprise or Domain Administrator must grant you Network Administrator rights.

If opening the utility from within Delphi, you must also have rights to Setup or MPE Setup (in DMPE only).

User cannot map network login (active directory) accounts to specific Delphi login accounts.

Object reference not set to an instance of an object.Some or all identity references could not be translated.

Entries are not stored correctly in the wa_mapped_user table.

The delete query removes incorrectly stored entries from the wa_mapped_user table and allows new SIDs to be added to the Delphi account. Before deleting an account, you must first un-map the Delphi user, and then delete the account.


Errors when opening Delphi:

User cannot log in to Delphi (Windows Authentication is enabled).

If the user is prompted for a user name and password:

Windows Authentication may not be enabled.

Open the DDSC utility and verify the Enable Delphi Directory Services Integration check box is selected.

User receives error when opening Delphi.

Windows user is not mapped to a valid Delphi user. Please contact your System Administrator for details.

The network user name is not valid and does not exist on the domain.

Open the DDSC utility and verify the network user name entered in the DDSC is a valid user name.

Troubleshooting


8


User receives error when opening Delphicont....

Windows user is not mapped to a valid Delphi user. Please contact your System Administrator for details.

The Delphi user has been retired since the user was mapped to a Windows user in the DDSC utility.

The Delphi user is not mapped to a network user in the DDSC utility.

To reinstate the Delphi user, open Delphi’s Setup Sales Reps option and clear the Retired check box.

If the Delphi user is to remain retired, open the DDSC utility and map the Windows user to a different Delphi user.Note: When you now open the DDSC utility, the retired Delphi user is not listed.

Open the DDSC utility and map the Delphi user to a network user.

Mapped Delphi user name is empty.

Delphi’s Sales Rep Details window is missing a user name for the user.

Open Delphi’s Setup window and open the Sales Rep option. Double-click the user whose user name is missing. Enter a user name.

If Windows Authentication is enabled, a password is not required. However, if later on Windows Authentication is disabled, users with a blank password will not be allowed to log in to the application.


Troubleshooting


9

Documents

Windows Authentication 9.5.2 SP3 · Delphi 9.5.2 SP3 Windows Authentication ... Windows Authentication 4 Users with SQL Administrator access or users assigned to the selected SQL