
MSSQL SSO Configuration

SSO (Single Sign-On) is implemented using the services of ntlmauth.dll.  This DLL is required by the database driver to obtain the currently logged in user's credentials.  Versions for various processor architectures are located within the SERVICEManager\misc\sso subdirectory available within both the servicemanager-release-windows-tomcat.zip and servicemanager-update-windows-tomcat.zip bundles.

Enabling SSO requires a number of steps:

  1. Ensure that the SQL Server instance has the appropriate user defined and that user has the appropriate database access permissions.
  2. Determine which of the ntlmauth.dll libraries to use (dependent upon processor architecture).
  3. Configure Tomcat to include the directory containing the desired ntlmauth.dll in its java.library.path.
  4. Update the hibernate.cfg.xml file for this Tomcat/SERVICEManager instance to use SSO.
  5. Restart Tomcat instance.

java.library.path Configuration

When the Tomcat service is installed, the configuration it requires is saved in the Windows registry.  This configuration needs modifying for SSO to add the path to the ntlmauth.dll, which can be done using the tomcat8w.exe configuration application located in SERVICEManager\tomcat\bin. Use the optional //ES// command line argument to specify the service name if it is different to the default Tomcat8, e.g.:

> tomcat8w //ES//anotherName

The Java system property java.library.path is used to define where a Java process should locate any additional native libraries, so add the following property to the Java Options on the Java tab:

 -Djava.library.path=<path to directory containing ntlmauth.dll>

Note

  • There is no space between the -D and the property name, nor are there spaces either side of the = (equals) sign. 
  • The library path is the path to the directory containing ntlmauth.dll and not the full path to the DLL itself.


hibernate.cfg.xml Configuration

The file hibernate.cfg.xml (located within SERVICEManager\sm_properties) contains the database connection parameters defined for a given installation.  These should be edited as follows:

  1. The connection.url needs extending to include the Windows domain of the SSO user, specified by the domain property. If the NTLMv2 protocol is required, the optional useNTLMv2 property can be used to specify this (default is false if omitted).
  2. The connection.username property should be removed/commented out.
  3. The connection.password property should be removed/commented out.

An example of this file after editing might be (assuming that the SSO user exists within the domain SP):

<property name="connection.url">
  jdbc:jtds:sqlserver://spdb;databaseName=sp-demo;domain=SP;useNTLMv2=true;
</property>

<property name="connection.driver_class">
  net.sourceforge.jtds.jdbc.Driver
</property>
<property name="dialect">
  org.hibernate.dialect.SQLServerDialect
</property>
<!--** These properties have been commented out for SQLServer and SSO **
<property name="connection.username">
  testdbuser
</property>
<property name="connection.password">
  Test
</property>
-->
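As an added example (not part of the product documentation), the following Python check parses a hibernate.cfg.xml fragment and reports where it departs from the SSO recipe above: a missing domain property, useNTLMv2 left at its default, credentials still active, or a password that survives inside an XML comment. The sample configuration and the function names are constructed for this example.

```python
"""Check a hibernate.cfg.xml fragment for the MSSQL SSO settings described above."""
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the page's example; not a real installation file.
SAMPLE_CFG = """<?xml version="1.0"?>
<hibernate-configuration>
 <session-factory>
  <property name="connection.url">
    jdbc:jtds:sqlserver://spdb;databaseName=sp-demo;domain=SP;useNTLMv2=true;
  </property>
  <property name="connection.driver_class">net.sourceforge.jtds.jdbc.Driver</property>
  <!--** These properties have been commented out for SQLServer and SSO **
  <property name="connection.username">testdbuser</property>
  <property name="connection.password">Test</property>
  -->
 </session-factory>
</hibernate-configuration>"""


def parse_jtds_url(url):
    """Split 'jdbc:jtds:sqlserver://host;k=v;k=v;' into a dict of its k=v properties."""
    props = {}
    for part in url.strip().split(";")[1:]:  # skip the jdbc:jtds:sqlserver://host part
        if "=" in part:
            key, value = part.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_sso_config(xml_text):
    """Return a list of findings; an empty list means the fragment matches the SSO recipe."""
    findings = []
    root = ET.fromstring(xml_text)  # XML comments are dropped, so commented-out properties vanish
    props = {p.get("name"): (p.text or "").strip() for p in root.iter("property")}
    url_props = parse_jtds_url(props.get("connection.url", ""))
    if "domain" not in url_props:
        findings.append("connection.url lacks domain= (driver will not attempt SSO)")
    if url_props.get("useNTLMv2", "false").lower() != "true":
        findings.append("useNTLMv2 is not true (page default is false)")
    for name in ("connection.username", "connection.password"):
        if name in props:
            findings.append(f"{name} is still active; explicit credentials would be used")
    # Hibernate ignores the comment, but the plaintext password remains readable on disk.
    if re.search(r"<!--.*?connection\.password.*?-->", xml_text, re.S):
        findings.append("password still present inside an XML comment")
    return findings
```

Run check_sso_config on the real SERVICEManager\sm_properties\hibernate.cfg.xml after editing; the only expected finding for a file edited exactly as shown above is the password left in the comment.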

Starting Tomcat with the right user

ServiceManager must be started by the SSO user, i.e. the user starting ServiceManager must have sufficient permission to connect to the Scheduling database using Windows Authentication and perform all operations required by ServiceManager.

Using the Tomcat service

If ServiceManager is started using the Windows service, it runs by default as the System user, which is probably not the desired database user.

Edit the Tomcat service's properties using the Windows Services tool (services.msc) to log on as "This account" and enter the desired account and password.

It is recommended that this user has a password that does not expire, and only has the permissions it needs to run ServiceManager.

Using the command line

ServiceManager can be run from the command line, in which case it will run as the current user.  The current user will therefore need to have the correct database permissions.  Note that ServiceManager may stop if the user logs out.

See Execution Environment for details on how to run ServiceManager from the command line.