Secure Global Desktop 4.31 Administration Guide
Enabling web server authentication for the browser-based webtop
To enable web server authentication for the browser-based webtop:
- On each array member, configure the web server to protect access to the /sgd URL.
- In Array Manager, click Secure Global Desktop Login, Properties.
- Check the box next to Use third party authentication.
- Check one or more boxes in User identity mapping.
- Configure the Tomcat component of the Secure Global Desktop Web Server to trust the web server authentication. On each array member, edit the /opt/tarantella/webserver/tomcat/version/conf/server.xml file. Add the following attribute to the connector element (<Connector>) for the Coyote/JK2 AJP 1.3 Connector:
tomcatAuthentication="false"
Notes
- How you protect the /sgd URL depends on your web server; see your web server documentation for details. For the Secure Global Desktop Web Server, see the Apache documentation.
- The boxes you select in User identity mapping are the search methods Secure Global Desktop uses to determine a web user's identity and login profile. For details on how the search methods work, see third party authentication.
- If you select more than one search method, the methods are processed in the order they are shown. Because web server authentication does not support ambiguous users, users get the webtop of the first match found.
- If you are using either of the LDAP User identity mapping search methods, you may also want to configure secure connections to the LDAP directory server.
- If you are using the Secure Global Desktop Web Server, you can protect the /sgd URL in either the Apache or the Tomcat components. We recommend you use Apache.
- By default, for security reasons, Secure Global Desktop Administrators can't log in to the browser-based webtop with web server authentication. The standard login page always displays for these users even if they have been authenticated by the web server. To change this behavior, run the following command:
tarantella config edit --tarantella-config-login-thirdparty-allowadmins 1
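The following check for the server.xml step above is an added example, not part of the original guide or of Secure Global Desktop. It reports whether tomcatAuthentication="false" is set on the AJP connector and flags the attribute when it was added to a different connector by mistake; it assumes the AJP connector is identified by protocol="AJP/1.3", and the sample XML is constructed.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the attribute was added to the HTTP connector by mistake.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" tomcatAuthentication="false"/>
    <Connector port="8009" protocol="AJP/1.3" enableLookups="false"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>"""


def _is_ajp(protocol):
    # Assumption: the AJP 1.3 connector is recognised by its protocol attribute.
    return protocol.upper().startswith("AJP")


def audit_server_xml(xml_text):
    """Return (port, protocol, finding) for every <Connector> element."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat's default protocol
        value = conn.get("tomcatAuthentication")
        if not _is_ajp(protocol):
            # The attribute only has an effect on the AJP connector.
            finding = "MISPLACED" if value is not None else "N/A"
        elif value is None:
            finding = "MISSING"  # default is true: web server login is not trusted
        elif value.strip().lower() == "false":
            finding = "OK"
        else:
            finding = "WRONG_VALUE"
        findings.append((conn.get("port", "?"), protocol, finding))
    return findings


def is_configured(xml_text):
    """True only if at least one AJP connector exists and all of them are OK."""
    ajp = [f for f in audit_server_xml(xml_text) if _is_ajp(f[1])]
    return bool(ajp) and all(f[2] == "OK" for f in ajp)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for port, protocol, finding in audit_server_xml(text):
        print(f"port={port} protocol={protocol} tomcatAuthentication: {finding}")
    sys.exit(0 if is_configured(text) else 1)
```

Run it with the path to each array member's server.xml as the only argument; a non-zero exit status means the AJP connector is not yet set to trust web server authentication.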
Example of how to configure the Secure Global Desktop Web Server
The following is an example of how you might configure the Secure Global Desktop Web Server for web server authentication:
- Use the /opt/tarantella/webserver/apache/version/bin/htpasswd binary to create a web server password file.
- Edit the /opt/tarantella/webserver/apache/version/conf/httpd.conf file and insert the following directory directives:
SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
<LocationMatch /sgd>
Order Allow,Deny
Allow from env=sgd_noauth_ok
AuthUserFile file-path
AuthName auth-domain
Authtype Basic
Require valid-user
Satisfy any
</LocationMatch>
where file-path is the full path to the web server password file and auth-domain is the name of the authorization realm that appears in the web browser's authentication dialog.
- Restart the Secure Global Desktop Web Server (tarantella webserver restart) for the configuration changes to take effect.
Notes
- This example uses a SetEnvIf directive as a workaround to the problem where some versions of Sun Java™ Plug-in fail to "remember" the user's credentials (see http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4943729).
- This example uses a LocationMatch directive rather than a Directory directive because the management of the /sgd URL is delegated to Tomcat in the standard httpd.conf file for the Secure Global Desktop Web Server. This also means you can't use an .htaccess file to protect the /sgd URL.
Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.