MicroStrategy ONE

Implement Windows NT Authentication

If you use Windows 2003 as your network operating system and your users are already defined in a Windows 2003 directory, then you can enable Windows authentication in MicroStrategy to allow users access without having to enter their login information.

The Apple Safari web browser does not support Windows authentication with MicroStrategy Web.

Use the procedures in the rest of this section to enable single sign-on with Windows authentication in MicroStrategy Web. For high-level steps to configure these settings, see Steps to Enable Single Sign-On to MicroStrategy Web Using Windows Authentication.

To use Windows authentication you must create users in the MicroStrategy environment and then link them to Windows users. Linking enables Intelligence Server to map a Windows user to a MicroStrategy user. See Link a Windows Domain User to a MicroStrategy User.

You can also create MicroStrategy users from existing Windows users by importing either user definitions or group definitions.

To use Windows authentication with MicroStrategy Web, you must be running MicroStrategy Web or Web Universal under Microsoft IIS. Non-IIS web servers do not support Windows authentication. See Enabling Integrated Authentication.

If the Windows domain account information is linked to a MicroStrategy user definition, a MicroStrategy Web user can be logged in automatically through MicroStrategy Web. When a user accesses MicroStrategy Web, IIS detects the Windows user and sends the login information to Intelligence Server. If the Windows user is linked to a MicroStrategy user, Intelligence Server starts a session for that user. For information on setting up MicroStrategy Web to allow single sign-on using Windows authentication, see Enable Windows Authentication Login for MicroStrategy Web.

Enable Windows Authentication in MicroStrategy Web to Allow Single Sign-On

Single sign-on authentication allows users to type their login credentials once and then securely access multiple software applications, because the system applies that single authentication request to all the applications that the user needs access to. You can use Windows authentication to enable single sign-on for MicroStrategy Web.

There are several configurations that you must make to enable Windows authentication in MicroStrategy Web. To properly configure MicroStrategy Web, Microsoft Internet Information Services (IIS), and the link between Microsoft and MicroStrategy users, follow the procedure Steps to Enable Single Sign-On to MicroStrategy Web Using Windows Authentication.

Steps to use Windows authentication with Microsoft Sharepoint and MicroStrategy Web are in the MicroStrategy Developer Library (MSDL). The MicroStrategy SDK and MSDL contain information on customizing MicroStrategy Web.

Before continuing with the procedures described in the rest of this section, you must first set up a Windows domain that contains a domain name for each user that you want to allow single sign-on access to MicroStrategy Web with Windows authentication.

In addition, you must be connected to the MicroStrategy Web machine without a proxy. Windows authentication does not work over a proxy connection. For more information, including some possible work-arounds, see Microsoft's IIS documentation.

Steps to Enable Single Sign-On to MicroStrategy Web Using Windows Authentication

  1. Enable integrated Windows authentication for Microsoft IIS. See Enable Windows Authentication for Microsoft IIS.
  2. Create a link between a Windows domain user and a MicroStrategy Web user for each person that will be accessing MicroStrategy Web with Windows authentication. See Link a Windows Domain User to a MicroStrategy User.
  3. Define a project source to use Windows authentication. See Define a Project Source to Use Windows Authentication.
  4. Enable Windows authentication in MicroStrategy Web. See Enable Windows Authentication Login for MicroStrategy Web.
  5. Configure each MicroStrategy Web user's browser for single sign-on. See Configure a Browser for Single Sign-On to MicroStrategy Web.

Enable Windows Authentication for Microsoft IIS

Microsoft Internet Information Services is an Internet server that is integral to Windows authentication. You must configure IIS to enable Windows authentication in the MicroStrategy virtual directory to support integrated authentication to MicroStrategy Web.

The steps to perform this configuration are provided in the procedure below, which may vary depending on your version of IIS. The following links can help you find information on how to enable integrated authentication for your version of IIS:

The third-party products discussed below are manufactured by vendors independent of MicroStrategy, and the information provided is subject to change. Refer to the appropriate third-party vendor documentation for updated IIS support information.

Enable Windows Authentication in Microsoft IIS

  1. On the MicroStrategy Web server machine, access the IIS Internet Service Manager.
  2. Navigate to and right-click the MicroStrategy virtual folder, and select Properties.
  3. Select the Directory Security tab, and then under Anonymous access and authentication control, click Edit.
  4. Clear the Anonymous access check box.
  5. Select the Integrated Windows authentication check box.
  6. Click OK.
  7. Restart IIS for the changes to take effect.

Enable the MicroStrategy ISAPI Filter in IIS 6

  1. In IIS, right-click the default web site, and select Properties.
  2. Click the ISAPI Filters tab. A list of ISAPI filters for your IIS installation is shown.
  3. Click Add.
  4. Browse to the location of the MBWBAUTH.dll file. By default, the file is located in C:\Program Files (x86)\Common Files\MicroStrategy.
  5. Select MBWBAUTH.dll and click OK. The MBWBAUTH ISAPI filter is added to the list of ISAPI filters.
  6. Restart your IIS server.

Enable the MicroStrategy ISAPI Filter in IIS 7

  1. In IIS, select the default web site. The Default Web Site Home page is shown.
  2. In the Default Web Site Home page, double-click ISAPI Filters. A list of ISAPI filters for your IIS installation is shown.
  3. In the Actions pane, click Add.
  4. In the Filter name field, type a name for the filter. For example, MicroStrategy ISAPI Filter.
  5. Next to the Executable field, click Browse (...).
  6. Browse to the location of the MBWBAUTH.dll file. By default, the file is located in C:\Program Files (x86)\Common Files\MicroStrategy.
  7. Select MBWBAUTH.dll and click OK.
  8. Click OK.
  9. Restart your IIS server.
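
The following read-only check confirms that the IIS procedures above took effect on IIS 7 or later. It is an added example, not MicroStrategy's own tooling. The site name and the virtual directory name `MicroStrategy` are assumptions to adjust for your installation, and the script needs the WebAdministration module that ships with IIS.

```powershell
# Added example: read-only audit of the IIS 7+ settings configured above.
Import-Module WebAdministration

$Site       = 'Default Web Site'  # assumption: MicroStrategy Web is under the default site
$VDir       = 'MicroStrategy'     # assumption: name of the MicroStrategy virtual directory
$FilterDll  = 'MBWBAUTH.dll'      # ISAPI filter DLL named on this page
$DefaultDir = 'C:\Program Files (x86)\Common Files\MicroStrategy'  # default location per this page

function Test-AuthScheme {
    param([string]$Scheme)        # anonymousAuthentication or windowsAuthentication
    $p = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "$Site/$VDir" -Name 'enabled' `
        -Filter "system.webServer/security/authentication/$Scheme"
    # Some module versions return the bare value, others a ConfigurationAttribute
    if ($p -is [bool]) { return $p }
    return [bool]$p.Value
}

$findings = @()

# IIS procedure, steps 4 and 5: anonymous access off, integrated authentication on
if (Test-AuthScheme 'anonymousAuthentication') {
    $findings += "Anonymous access is still enabled on '$Site/$VDir'"
}
if (-not (Test-AuthScheme 'windowsAuthentication')) {
    $findings += "Integrated Windows authentication is not enabled on '$Site/$VDir'"
}

# ISAPI filter procedure: a filter pointing at MBWBAUTH.dll must be registered on the site
$filter = Get-WebConfiguration -PSPath "IIS:\Sites\$Site" `
              -Filter 'system.webServer/isapiFilters/filter' |
          Where-Object { $_.path -like "*\$FilterDll" } |
          Select-Object -First 1

if (-not $filter) {
    $findings += "No ISAPI filter pointing at $FilterDll is registered on '$Site'"
} else {
    # The filter DLL is loaded by IIS, so confirm which file the entry resolves to
    $dll = [Environment]::ExpandEnvironmentVariables($filter.path)
    if (-not (Test-Path -LiteralPath $dll)) {
        $findings += "Filter '$($filter.name)' points at a missing file: $dll"
    } elseif (-not $dll.StartsWith($DefaultDir, [StringComparison]::OrdinalIgnoreCase)) {
        $findings += "Filter '$($filter.name)' loads $FilterDll from a non-default path: $dll"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else {
    Write-Output "IIS settings match the procedure for '$Site/$VDir'"
}
```

Run it from an elevated PowerShell session on the MicroStrategy Web server; it changes nothing and only reports settings that differ from the steps above.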

Link a Windows Domain User to a MicroStrategy User

Once IIS has been configured to allow integrated Windows authentication, a link must be created between a user's MicroStrategy user name and the user's Windows domain user name. The required steps are detailed below.

  1. In Developer, log in to a project source using an account with administrative privileges.
  2. From the Folder List, expand a project source, then expand Administration, and then expand User Manager.
  3. Navigate to the MicroStrategy user you want to link a Windows user to. Right-click the MicroStrategy user and select Edit.
  4. Expand Authentication, then select Metadata.
  5. Under Windows Authentication, in the Link Windows user area, provide the Windows user name for the user you want to link the MicroStrategy user to. There are two ways to do this:
    • Click Browse to select the user from the list of Windows users displayed.
    • Click Search to search for a specific Windows user by providing the Windows login to search for and, optionally, the Windows domain to search. Then click OK to run the search.
  6. Click OK.

Link a Windows Login to an LDAP User

When using LDAP with MicroStrategy, you can reduce the number of times a user needs to enter the same login and password by linking their Windows system login with their LDAP login used in MicroStrategy.

By creating a link between a Windows system login, an LDAP user, and a MicroStrategy user, a single login into the machine authenticates the user for the machine as well as in MicroStrategy.

For example, a user logs in to their Windows machine with a linked LDAP login and password and is authenticated. The user then opens Developer and connects to a project source using Windows authentication. Rather than entering their login and password again to log in to MicroStrategy, the user is authenticated with the login and password that were already verified when they logged in to their machine. During this process, the user account and any relevant user groups are imported and synchronized for the user.

The LDAP Server is configured as the Microsoft Active Directory Server domain controller, which stores the Windows system login information.

  1. In Developer, log in to a project source. You must log in as a user with administrative privileges.
  2. From the Administration menu, select Server, and then select Configure MicroStrategy Intelligence Server.
  3. Expand the LDAP category, then expand Import, and then select Options.
  4. Select the Synchronize user/group information with LDAP during Windows authentication and import Windows link during Batch Import check box.
  5. Click OK.

Define a Project Source to Use Windows Authentication

For MicroStrategy Web users to gain access to a project in a specific project source using Windows authentication, the project source must first be configured to have Windows authentication enabled. The steps for enabling this configuration are detailed below.

  1. In Developer, log in to a project source using an account with administrative privileges.
  2. Right-click the project source and select Modify Project Source.
  3. On the Advanced tab, select the Use network login id (Windows authentication) option.
  4. Click OK.

Enable Windows Authentication Login for MicroStrategy Web

There are two ways to enable access to MicroStrategy Web using Windows authentication. Access can be enabled for the MicroStrategy Web application as a whole, or it can be enabled for individual projects at the project level.

For steps to enable Windows authentication for all of MicroStrategy Web, see Enable Windows Authentication Login for MicroStrategy Web.

For steps to enable Windows authentication for a project, see Enable Windows Authentication Login for a Project.

  1. From the Windows Start menu, point to All Programs, then MicroStrategy Tools, and then select Web Administrator.
  2. On the left, under Intelligence Server, select Default Properties.
  3. In the Login area, for Windows Authentication, select the Enabled check box.

    If you want Windows authentication to be the default login mode for MicroStrategy Web, for Windows Authentication, select the Default option.

  4. Click Save.

Enable Windows Authentication Login for a Project

  1. Log into a MicroStrategy Web project as a user with administrative privileges.
  2. At the upper left of the page, click the MicroStrategy icon, and select Preferences.
  3. On the left, select Project Defaults, then Security.
  4. In the Login modes area, for Windows Authentication, select the Enabled check box.

    If you want Windows authentication to be the default login mode for this project in MicroStrategy Web, also select the Default option.

  5. Next to Apply, choose whether to apply these settings to all projects, or just to the one you are currently logged into.
  6. Click Apply.

Configure a Browser for Single Sign-On to MicroStrategy Web

Each MicroStrategy Web user who plans to use single sign-on to log in to MicroStrategy Web must have their browser configured to enable integrated authentication. The process to enable integrated authentication differs depending on the browser they use:

  • For Internet Explorer, you must enable integrated authentication for the browser, as well as add the MicroStrategy Web server URL as a trusted site. Depending on your security policy, integrated authentication may be enabled by default for Internet Explorer.
  • For Firefox, you must add the MicroStrategy Web server URL as a trusted site. The URL must be listed in the about:config page, in the settings network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris.