
Partial AD configuration with Apache Windchill 10.2 M020

Wayne_Beck
11-Garnet


At my last company I set up what was called a partial AD connection, where I just authenticated against AD. I don't remember setting up an InfoEngine adapter to use this. I am drawing a complete blank on how I did it and it is not in my notes. Any input and help would be great. I have read all the current information on the Help and community and still cannot figure it out.

ACCEPTED SOLUTION

I see you want to use AD just for authentication and keep the users in Windchill Directory Server. You are right, you don't have to configure an additional JNDI adapter for this.

  1. Create Windchill users with "username = Active Directory sAMAccountName". You can provide a random password of your choice, as this password will not be used. The email address needs to be manually entered for each of the users. You can either create users manually or use load from file - https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS23818.
  2. Add the Active Directory auth provider as the first provider entry in <Apache>\conf\extra\app-Windchill-AuthProvider.xml

     <provider>
       <name>Corporate-AD</name>
       <!-- LDAP URL: host:port / search base ? login attribute ? scope ? filter (3268 is the Global Catalog port) -->
       <ldapUrl>ldap://domain-controller.domain.com:3268/CN=Users,DC=company,DC=internal?sAMAccountName?sub?(objectClass=*)</ldapUrl>
       <!-- full DN of the service account Apache binds with (attribute type is cn, not an) -->
       <bindDn>cn=service_Account,CN=serviceaccount,DC=company,DC=internal</bindDn>
       <!-- stored in clear text, so restrict the filesystem permissions on this file -->
       <bindPwd>password</bindPwd>
     </provider>

  3. Open a Windchill shell, navigate to ptc/HTTPServer and run the command ant -f webAppConfig.xml regenWebAppConf. This will propagate the entries from the above XML to the conf file.

A few +ves of this approach are:

We can keep the Windchill user tables clean. Active Directory is extremely volatile; IT administrators add/remove/move/rename users as per their need, and often Windchill will not like it. No issues with disconnected principals, unless you delete users from Windchill DS directly. To be compliant with licensing policy, you can create a group in WindchillDS and move all the separated user accounts to this group.

A few -ves of this approach are:

To add a new account, every time you need to manually create the user in Windchill. If you configure a JNDI adapter, this will be populated automatically. Another pitfall is, if you ever have to use CFR Part 11 authenticated workflow task completion, users will have to enter the password which you provide in Windchill, unless you have some third-party tool for password synchronization.

Thank you

Binesh Kumar

Medtronic-MITG


11 REPLIES
TomU
23-Emerald IV
(To: Wayne_Beck)

A partial connection is where you only configure Apache to authenticate against Active Directory and leave InfoEngine pointed at the Windchill Directory Server.  Of course the user account will need to exist in both systems...

There are pros and cons to each method.  For our environment, I prefer the full integration (Apache and InfoEngine pointed to AD.)


Thanks for the information. While this is what I remember doing, I am having no luck at it. This is what I have.

   <provider>
      <name>Corporate-AD</name>
      <ldapUrl>ldap://domain-controller.domain.com:389/OU=Service Account,OU=Corporate,OU=Franklin Users,DC=franklin,DC=fele?sAMAccountName?sub?(objectClass=*)</ldapUrl>
      <bindDn>cn=wcadmin</bindDn>
      <bindPwd>willnottell</bindPwd>
   </provider>

If you provide OU=Service Account,OU=Corporate,OU=Franklin Users,DC=franklin,DC=fele in the LDAP URL, you are defining the search base, and Apache will only search inside OU=Service Account for users. Going by the name, it is a place for service accounts. This should be changed to OU=Franklin Users,DC=franklin,DC=fele. Do you have the cn=windchill account created in AD?

Yes, we have our Windchill admin account set up in AD.

So do you see any error while trying to log in? HTTPServer/logs/error.log should have some information.

When I log in I get this.

The system is not available. There could be a server error or your credentials could be invalid or expired (for example, you may have entered the wrong password or your account may be locked). Contact your help desk or administrator for assistance.

The error clearly says Windchill has a problem connecting to AD. Could you give the entire DN of the wcadmin user here: <bindDn>cn=wcadmin</bindDn>?

I am not sure if this is what you are asking for?

CN=FE WCAdmin,OU=Service Account,OU=Corporate,OU=Franklin Users,DC=franklin,DC=fele

Yes, it is.

Got it working, thanks for your help. My LDAP guy missed a "-" in the URL.
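The two provider entries in this thread (the accepted answer's and the first attempt that failed) differ in exactly the places the replies zero in on: the search base and the bind DN, plus a typo in the URL. The following Python script is an added example, not PTC tooling and not code from anyone in this thread; it parses the <provider> entries of a constructed sample (the <providers> wrapper element and the second provider's name are assumptions, since the real file's root element is not shown here), splits each ldapUrl into its RFC 4516 parts, and reports the misconfigurations discussed above before anyone has to read HTTPServer/logs/error.log. It also flags a plain ldap:// scheme, since simple binds send the service account's and each user's password unencrypted.

```python
"""Offline sanity check of Apache <provider> entries for AD authentication (added example)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed sample: the accepted answer's provider and the thread's first attempt.
# The <providers> wrapper element is an assumption, not the real file's root element.
SAMPLE_XML = """<providers>
  <provider>
    <name>Corporate-AD</name>
    <ldapUrl>ldap://domain-controller.domain.com:3268/CN=Users,DC=company,DC=internal?sAMAccountName?sub?(objectClass=*)</ldapUrl>
    <bindDn>cn=service_Account,CN=serviceaccount,DC=company,DC=internal</bindDn>
    <bindPwd>password</bindPwd>
  </provider>
  <provider>
    <name>Franklin-AD</name>
    <ldapUrl>ldap://domain-controller.domain.com:389/OU=Service Account,OU=Corporate,OU=Franklin Users,DC=franklin,DC=fele?sAMAccountName?sub?(objectClass=*)</ldapUrl>
    <bindDn>cn=wcadmin</bindDn>
    <bindPwd>willnottell</bindPwd>
  </provider>
</providers>"""

LDAP_URL_RE = re.compile(r"^(?P<scheme>ldaps?)://(?P<host>[^:/?]+)(?::(?P<port>\d+))?/(?P<rest>.*)$", re.I)
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
GLOBAL_CATALOG_PORTS = {3268, 3269}
KNOWN_RDN_TYPES = {"cn", "ou", "dc", "o", "uid", "l", "st", "c"}


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into scheme, host, port, base, attr, scope and filter."""
    m = LDAP_URL_RE.match(url.strip())
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    parts = (m.group("rest").split("?", 3) + [""] * 4)[:4]
    base, attr, scope, flt = (unquote(p) for p in parts)
    scheme = m.group("scheme").lower()
    port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS[scheme]
    # RFC 4516 defaults: scope "base" and filter "(objectClass=*)" when omitted
    return {"scheme": scheme, "host": m.group("host"), "port": port, "base": base,
            "attr": attr, "scope": scope.lower() or "base", "filter": flt or "(objectClass=*)"}


def dn_rdns(dn):
    """Split a DN on unescaped commas into (lower-cased type, value) pairs."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        typ, sep, val = part.partition("=")
        if not sep or not typ.strip():
            raise ValueError("malformed RDN %r in %r" % (part, dn))
        rdns.append((typ.strip().lower(), val.strip()))
    return rdns


def check_dn(label, dn, findings):
    """Append findings for a DN (must parse, use known attribute types, end in DC components); return its RDNs."""
    try:
        rdns = dn_rdns(dn)
    except ValueError as e:
        findings.append("%s: %s" % (label, e))
        return []
    for typ, _ in rdns:
        if typ not in KNOWN_RDN_TYPES:
            findings.append("%s: unknown RDN attribute type %r in %r" % (label, typ, dn))
    if not any(typ == "dc" for typ, _ in rdns):
        findings.append("%s: %r is not a full DN (no DC= components)" % (label, dn))
    return rdns


def check_provider(name, ldap_url, bind_dn):
    """Return human-readable findings for one <provider> entry."""
    findings = []
    try:
        u = parse_ldap_url(ldap_url)
    except ValueError as e:
        return ["%s: %s" % (name, e)]
    if u["scheme"] == "ldap":
        findings.append("ldapUrl: plain ldap:// sends the bind password and user passwords unencrypted; prefer ldaps://")
    if u["port"] in GLOBAL_CATALOG_PORTS:
        findings.append("ldapUrl: port %d is the Global Catalog (forest-wide search, partial attribute set)" % u["port"])
    if u["attr"].lower() != "samaccountname":
        findings.append("ldapUrl: login attribute is %r; AD logons normally match sAMAccountName" % u["attr"])
    if u["scope"] != "sub":
        findings.append("ldapUrl: scope %r will not find users in OUs below the search base" % u["scope"])
    base_rdns = check_dn("ldapUrl search base", u["base"], findings)
    # Heuristic from the thread: a base rooted in a service-account container hides the real users
    if base_rdns and "service" in base_rdns[0][1].lower():
        findings.append("ldapUrl: search base starts at %s=%s, which narrows the user search to that container" % base_rdns[0])
    check_dn("bindDn", bind_dn, findings)
    return ["%s: %s" % (name, f) for f in findings]


def check_config(xml_text):
    """Run the checks over every <provider> in the document; returns {name: [findings]}."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "?"): check_provider(p.findtext("name", "?"), p.findtext("ldapUrl", ""),
                                                     p.findtext("bindDn", ""))
            for p in root.iter("provider")}


if __name__ == "__main__":
    for name, findings in check_config(SAMPLE_XML).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Pointing check_config at the real app-Windchill-AuthProvider.xml is a matter of reading the file instead of SAMPLE_XML; the Global Catalog and ldap:// lines are informational, while "not a full DN", "unknown RDN attribute type" and "narrows the user search" are the findings that correspond to the failures worked through in this thread.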
