Windows NT security plug-in

The Windows NT security plug-in (secWindowsNT.dll) allows you to map user accounts and groups from your Windows NT user database to Crystal Enterprise; it also enables the system to verify all logon requests that specify Windows NT Authentication. Users are authenticated against the Windows NT user database before the APS grants them an active Crystal Enterprise session. This plug-in is compatible with NT 4 or Windows 2000 Active Directory user databases. For information on mapping Windows NT users and groups to Crystal Enterprise, see Managing NT accounts.

Once you have mapped your NT users and groups, all of the Crystal Enterprise client tools support NT authentication, except for the Crystal Import Wizard. You can also create your own applications that support NT authentication. For more information, see the Crystal Enterprise Web Developer's Guide.

Note:    The Windows NT security plug-in cannot authenticate users if the Crystal Enterprise server components are running on UNIX.

Default account

If you install Crystal Enterprise on Windows NT/2000 as an Administrator of the local machine, then this plug-in is enabled by default. A new NT group (called Crystal NT Users) is created on the local machine, and your NT user account is added to the group. The Crystal NT Users group is then mapped to Crystal Enterprise. The result is that you can log on to Crystal Enterprise with your usual NT user credentials.

Single Sign On

The Windows NT security plug-in supports Single Sign On, thereby allowing authenticated NT users to log on to Crystal Enterprise without explicitly entering their credentials. The Single Sign On requirements depend upon the way in which users access Crystal Enterprise. In both scenarios, the security plug-in's authentication provider verifies the credentials against the Windows NT user database before the APS grants the user an active Crystal Enterprise session:

• To obtain NT Single Sign On functionality from a thick-client application (such as the Crystal Publishing Wizard), the user must be running a Windows operating system, and the application must use the Crystal Enterprise SDK.

  In this scenario, the Windows NT security plug-in queries the operating system for the current user's credentials.

• To obtain Single Sign On functionality over the Web, the system must use Microsoft components only. Specifically, the user must be running Internet Explorer on a Windows operating system, and the web server must be running Internet Information Server (IIS).

  In this scenario, Internet Explorer and IIS engage in Windows NT Challenge/Response authentication before IIS forwards the user's credentials to Crystal Enterprise.

  Note:    IIS performs the Challenge/Response authentication for every web page viewed. This can result in severe performance degradation.

  For details on configuring IIS for Single Sign On, Setting up NT Single Sign On.

Note:    ePortfolio provides its own form of "anonymous Single Sign On," which uses Enterprise authentication, as opposed to Windows NT authentication. Design your own web applications accordingly (or modify ePortfolio) if you want to use NT Single Sign On. For information on NT Single Sign On, see Setting up NT Single Sign On.