Showing results for 
Search instead for 
Did you mean: 
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Need help navigating or using the PTC Community? Contact the community team. X

Multiple Authentications before login


Multiple Authentications before login


We want to have a second level authentication (RSA) for a group of users.

Once, the user inserts username, password, they get authenticated against LDAP.

Now, at this point, we will check LDAP groups of the user.

If user belongs to certain groups, we will ask to insert RSA credentials to the user.

After this second authentication, Windchill will get launched.

If the user is not in those particular LDAP groups, Windchill will get launched without RSA authentication.

The help we need is, how can we plug all these new mechanism?

I have created a servlet which accepts username as input and does remaining things.

But, where can we put it in the configuration? (in between OOTB login and launch).

Thank you.


Interesting, I was about to start a discussion on this. We are on a similar path with our Windchill system and have a prototype working in our development environment.

First of all, customizing Windchill to achieve is a costly affair to design,develop and maintain. You can do only so much with basic authentication and to have better flexibility you will have to switch to a form based authentication. I am not sure how many of these authentication servlets are supported for customization. Needless to say, you are on your own for any upgrades or updates.

  1. Best option is to use an SSO/ADC solution to manage the application delivery and authentication. Netscaler has something called nFactor authentication which does exactly what you said. It extracts the group information from a directory service to determine the authentication policy. I have some notes on how to set this up which I can share if you are interested.  The downside of this is that you need to procure a SSO solution, most of the companies own some sort of SSO solution, look to see whether you can leverage this if you have one. By installing an agent on the Webserver you can control the authentication,
  2. Alternate option is to use Apache with radius server and a 2F authentication provider - RSA or WIKID or Google Authenticator, if you can configure a reverse proxy dedicated for this  group of  users, you can turn on authentication specific header variable from the reverse proxy. Radius server can be configured to read the header variable, and turn 2 factor authentication on or off.  Need a WiKID Secure Windchill System?‌ - LiveWorx16 this is a very good presentation on this by Shawn from Boston Engineering
5-Regular Member

Hello Binesh,

Could you share a bit details about the  SSO/ADC solution that you talked about as option 1.

We can connect offline as well if you want.




Hi Binesh,

Please share the SSO/ADC solution that you talked about as option 1.


5-Regular Member


Has anyone done successful 2 factor / dual  Authentication with Windchill 10 or Windchill 11?