Active Directory ADSI and LDAP authentication systems

The Active Directory ADSI and LDAP systems authenticate at the group level. You can select the ADSI or LDAP authentication system option from the Datacap Server Manager list of authentication systems. When you select the ADSI or LDAP authentication option, the credentials from the Windows account are used for authentication. For Active Directory domains that have a mutual trust relationship, ADSI and LDAP systems support the authentication of users in multiple domains.

When you log into a Datacap application, you enter a password only if the authentication template string requires password entry. For information about authentication template strings, see Configuring the Datacap Server service to use an external authentication system.

Active Directory ADSI or LDAP authentication in Datacap

Active Directory is referred to as ADSI in Datacap. You must ensure that the following tasks are completed when you are using the ADSI or LDAP authentication system.
  • Appropriate security groups in Active Directory are created.
  • Windows accounts are created for Datacap users, background services and processes, and application pools.
  • The Windows accounts for Datacap are added to the appropriate Active Directory security groups.

ADSI or LDAP Datacap Server Service

In Datacap Server Manager, set the Authentication system to ADSI or LDAP.

ADSI or LDAP Datacap groups and stations

For each ADSI or LDAP security group that you created, add a corresponding group to your Datacap application and assign Datacap permissions to that group. The Datacap group name must be in the following format:
  • Active Directory security group name
  • A dot
  • Short domain name (the domain name without its top-level label)

For example, if the Active Directory security group name is TMUsers and the full domain name is domain02.com, then the Datacap Group name must be TMUsers.domain02.
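The naming rule above, worked through in code as an added example (not from the Datacap documentation): it derives the Datacap group name from an Active Directory group and its full domain name, then checks which of an application's configured Datacap groups a user's AD memberships map to, including groups from a second trusted domain. The accepted membership formats (a bare group name that belongs to the default domain, or `Group@full.domain`), the sample group names and the helper names are this example's own assumptions; for a domain with more than two labels it applies the page's literal rule (drop the top-level label), which you should confirm against the short name your environment uses.

```python
"""Map Active Directory security groups to Datacap group names and check
which configured Datacap groups a user's memberships resolve to.
Added example; names, sample data and accepted input formats are assumptions."""


def short_domain(full_domain):
    """domain02.com -> domain02 (page rule: drop the top-level label).
    Assumption: the same rule is applied literally to multi-label domains,
    so corp.example.com -> corp.example."""
    labels = [p for p in full_domain.strip().strip(".").split(".") if p]
    if len(labels) < 2:
        raise ValueError("expected a fully qualified domain name, got %r" % full_domain)
    return ".".join(labels[:-1])


def datacap_group_name(ad_group, full_domain):
    """TMUsers + domain02.com -> TMUsers.domain02"""
    return "%s.%s" % (ad_group, short_domain(full_domain))


def parse_group_ref(ref, default_domain):
    """'TMAdmins@partner.net' -> ('TMAdmins', 'partner.net');
    a bare 'TMUsers' is taken to belong to the default domain (assumption)."""
    if "@" in ref:
        group, domain = ref.rsplit("@", 1)
        return group, domain
    return ref, default_domain


def resolve_access(user_groups, default_domain, configured_groups):
    """Return (matched, unmatched, case_mismatches).

    matched:         Datacap groups the user's AD memberships map to
    unmatched:       derived names with no configured Datacap group at all
    case_mismatches: derived names that differ from a configured group only
                     in case; reported separately so you can verify the
                     exact spelling rather than assume a match."""
    configured = set(configured_groups)
    by_lower = {g.lower(): g for g in configured}
    matched, unmatched, case_mismatches = [], [], []
    for ref in user_groups:
        group, domain = parse_group_ref(ref, default_domain)
        expected = datacap_group_name(group, domain)
        if expected in configured:
            matched.append(expected)
        elif expected.lower() in by_lower:
            case_mismatches.append((expected, by_lower[expected.lower()]))
        else:
            unmatched.append(expected)
    return matched, unmatched, case_mismatches


# Constructed sample (not from a real deployment): an application with Datacap
# groups for two trusted domains, and a user who is a member of groups in both.
CONFIGURED_GROUPS = ["TMUsers.domain02", "TMAdmins.partner"]
USER_AD_GROUPS = [
    "TMUsers",                 # default domain domain02.com
    "TMAdmins@partner.net",    # group in a trusted second domain
    "Finance@domain02.com",    # AD group with no Datacap counterpart
    "tmusers@Domain02.com",    # same group, different letter case
]

if __name__ == "__main__":
    matched, unmatched, cases = resolve_access(USER_AD_GROUPS, "domain02.com", CONFIGURED_GROUPS)
    print("grants access via:", matched)
    print("no Datacap group for:", unmatched)
    print("differs only in case from a configured group:", cases)
```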

There is no need to create Datacap groups for the Datacap server service or for the Datacap Web Client, Report Viewer, and Fingerprint service application pools.

Add Datacap stations to your application with the appropriate permissions. Users of interactive Datacap software components enter station names manually, so the station names for these users do not need to match their machine names.

For Maintenance Manager, Rulerunner, Datacap Web Services, and the Datacap Web Client Upload service, the machine names are provided automatically as the station name. These machine names must be added to your Datacap application as station names. Station names are case-sensitive.
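A pre-flight check for the station requirement just described, as an added example that is not part of the Datacap documentation: given the station names configured in an application and the machine names of the hosts that run background components, it reports hosts with no matching station and hosts whose station differs only in letter case, the mismatch the page warns about. The host and station names are constructed sample data, the function names are this example's own, and the use of `platform.node()` to read the local machine name is an assumption to be confirmed against the name the service actually sends.

```python
"""Check that every background-service host has a Datacap station whose name
matches the machine name exactly (case-sensitive).
Added example; sample data and helper names are assumptions."""
import platform


def check_station_names(configured_stations, required_machines):
    """Return (ok, missing, case_mismatch) for the given machine names.

    ok:            machines that have an exactly matching station
    missing:       machines with no station of that name in any case
    case_mismatch: (machine, [stations]) where a station exists but differs
                   only in case; Datacap will not treat it as a match."""
    configured = set(configured_stations)
    by_lower = {}
    for station in configured:
        by_lower.setdefault(station.lower(), []).append(station)
    ok, missing, case_mismatch = [], [], []
    for machine in required_machines:
        if machine in configured:
            ok.append(machine)
        elif machine.lower() in by_lower:
            case_mismatch.append((machine, sorted(by_lower[machine.lower()])))
        else:
            missing.append(machine)
    return ok, missing, case_mismatch


def report(configured_stations, hosts_by_role):
    """Produce one human-readable finding per problem, grouped by component."""
    findings = []
    for role, machines in hosts_by_role.items():
        _ok, missing, mismatched = check_station_names(configured_stations, machines)
        for machine in missing:
            findings.append("%s: no station named %r; add it exactly as the machine name"
                            % (role, machine))
        for machine, stations in mismatched:
            findings.append("%s: station(s) %s differ only in case from machine %r; "
                            "station names are case-sensitive" % (role, stations, machine))
    return findings


# Constructed sample (not from a real deployment).
CONFIGURED_STATIONS = ["RR-SERVER01", "MMHOST", "Scanner1", "uploadsvc"]
BACKGROUND_HOSTS = {
    "Rulerunner": ["RR-SERVER01", "RR-SERVER02"],
    "Maintenance Manager": ["MMHOST"],
    "Datacap Web Client Upload": ["UPLOADSVC"],
}

if __name__ == "__main__":
    for line in report(CONFIGURED_STATIONS, BACKGROUND_HOSTS):
        print(line)
    # Assumption: the name a background service sends as its station is the
    # machine name as reported here; verify against the service's own host.
    print("this machine would send station name:", platform.node())
```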

When you are using ADSI or LDAP, authentication is performed at the group level and there is no need to add Datacap users to your Datacap applications.

ADSI or LDAP Datacap users

If password entry is not required, the Windows account of the user, background service, or background process is used for authentication. The following items apply when password entry is not required:
  • Users that log in to interactive Datacap software components must enter a user name and station name. The user must not enter a password even though the Windows account information is used for authentication.
  • Background services or processes must leave the user name, password, and station name blank because the Windows account information is used for authentication and the machine name is used as the station name.

For ADSI authentication, Internet Explorer users might need to add the Datacap Web Client tmweb.net address as a trusted site in their internet security options (for example, add http://WebServerName).

ADSI or LDAP Datacap Studio users

If password entry is not required, users must select the NT Authentication check box to log into Datacap Studio. Otherwise, if password entry is required, users must enter their full credentials.

ADSI or LDAP Maintenance Manager

The Windows Scheduler runs the Maintenance Manager application automatically. The Windows account that is used by the Maintenance Manager application and the computer name are used for authentication.
  • Add a Datacap station to your application for Maintenance Manager that has the same name as the machine name and assign appropriate permissions.
  • The Windows domain and user name must be used for SetUser to configure Maintenance Manager to authenticate to the Datacap server service.
  • In Windows Scheduler, set the account in Security Options to the Windows account that is used by Maintenance Manager to run with highest privileges.

ADSI or LDAP Rulerunner Service

The Rulerunner Service is a background service that supplies its credentials automatically.
  • Add a Datacap station to your application for each Rulerunner server and assign appropriate permissions. The station name in Datacap is case-sensitive and must match the machine name because it is maintained in the domain controller.
  • If password entry is not required, set up the credentials in each Rulerunner Manager by selecting the Windows Authentication option on the Rulerunner Login tab. Otherwise, if password entry is required, users enter their full credentials.

ADSI or LDAP Datacap Web Client Upload Service

The Datacap Web Client upload service is a Windows service that supplies its credentials automatically.
  • Add a Datacap station for the upload service to the Datacap application and assign appropriate permissions.
  • Set up a blank password to be used by the upload service by adding a name and value pair in the Application Manager Advanced values fields.
    • Value name: Must be dc2run.User
    • Value: Leave this field blank.
  • In the Datacap Web Client Upload configuration file, set the value of the <setting name="User"> node to the domain and Windows account (for example DOMAIN\UserID) of the Datacap Upload Service user.
  • In the Datacap Web Client Upload configuration file, set the value of the <setting name="Station"> node to the Datacap Upload Service station.

ADSI or LDAP Application Pools

Datacap uses application pools for Datacap Web, Report Viewer, and the Fingerprint Service. When Datacap Web and Report Viewer are installed on the same web server, they must use the same Windows account. When the Fingerprint Service is also installed on the same web server, it can use the same Windows account or a different one. The Windows account that you assign to an application pool is the identity under which the pool runs and supplies the Windows credentials that the pool uses for authentication.

There is no need to set up ADSI or LDAP groups or Datacap users, stations, or groups for application pools.

ADSI or LDAP Datacap stations

Add a Datacap station to your application for wTM with the same name as the machine name and assign appropriate permissions.

Set up credentials as indicated by the following table:

Value name    Value                              Credentials location
-----------   --------------------------------   ------------------------------------------------
wTMUser       Leave this field blank.            Application Manager General string values fields
wTMStation    Set to the Datacap station name.   Application Manager General string values fields
wTMPassword   Leave this field blank.            Application Manager Advanced values fields

When you log into the station, you are prompted for credentials if password entry is required.