INFO: Configuring MassTransit For Use With Directory Services

  • Product:
    MassTransit
  • Version:
    version 5.1-6.1.1
  • Document Type:
    Info
  • Revised:
    8/24/2010
  • Reviewed:
    1/6/2010

Summary:

MassTransit web client and application client (i.e., FTP Server) accounts can be manually configured so that password authentication is performed through Active Directory. Active Directory password management is available on Enterprise, Premier or Standard products for both Macintosh and Windows-based servers running MassTransit 5.1 or higher. The MassTransit Log Viewer can also be enabled to allow any user with a valid Active Directory account, who is a member of a defined group, to view the MassTransit log without requiring a web client license or plug-in. Configuration instructions follow below in the Description section.

For information about configuring MassTransit Server 7 for use with Directory Services, please refer to the Active Directory page of the MassTransit 7 documentation.

Description:

This article explains how you can enable Directory Services, enable the Log Viewer for Active Directory contacts, create a contact with Active Directory authentication, and how users can log on via MTWeb and FTP.

This article assumes that MassTransit 5.1 or higher is installed and that MassTransit Web (MTWeb) configuration is already completed if you are using web client accounts and/or enabling an Active Directory log viewing group. See the Related Documents section for links to the Installation and Web configuration documents.

Be aware that MassTransit’s Directory Services integration currently supports Active Directory on a supported Windows server platform. Currently, MassTransit can only integrate with a single domain.

Enabling Directory Services

NOTE: All lines beginning with “%%” in the MassTransitEngine.cfg file are considered commented and therefore ignored. You must uncomment all lines mentioned in the steps below.

  1. Open the MassTransitEngine.cfg file located in the root MassTransit directory. The default location on Windows is C:\Program Files\Group Logic\MassTransit Server 5 for MassTransit 5.1.x and C:\Program Files\Group Logic\MassTransit Server 6 for MassTransit 6.0 and later; the default location on Mac OS X is /Applications/MassTransit Server 5 folder for MassTransit 5.1.x and /Applications/MassTransit Server 6 folder for MassTransit 6.0 and later.
  2. Go to the Directory Services section of the file and set the DIRECTORY_SERVICES_ENABLED setting to TRUE. Then, enter all the values for all of the flags.
    NOTE: On Windows the LDAP_BIND_DN and LDAP_BIND_PASSWORD flags may be left blank to indicate that MassTransit is to bind to the LDAP server as the currently logged-in user. The machine must be joined to the domain and the MassTransit service must be running as the user account MassTransit is to use to bind to the LDAP server. To configure the MassTransit service, open the Services window, highlight the service named “MassTransit”, right-click and select Properties, go to the Log On tab, select the “This account” option, enter the account name and password, and select OK.

  3. Once you’ve completed the above steps, you will need to restart the MassTransit Engine for the changes to take effect.

NOTE: MassTransit 6.0 implements the automatic Active Directory account management feature that allows setting up MassTransit contacts, forwarding privileges and so on automatically based on existing Active Directory groups. For more information about this feature see the INFO: Automatic Active Directory Account Management With MassTransit article.

Configuring MassTransit To Authenticate Against LDAP Organizational Units

The directory services settings located within the MassTransitEngine.cfg configuration file are configured to search the Active Directory “Users” folder by default; however, they may be modified to search Organizational Units (OUs) instead.

This may be an optimal configuration for administrators that wish to create a “MassTransit Users” organizational unit, without impacting the standard “Users” folder.

The following is a procedure to make the necessary modifications:

  1. Open the MassTransitEngine.cfg configuration file.
  2. Locate the configuration option: LDAP_SEARCH_BASE=CN=
  3. Adjust the LDAP_SEARCH_BASE setting to reflect your custom Organizational Unit. For example: LDAP_SEARCH_BASE=OU=Your_Organizational_Unit,DC=Your_Domain,DC=COM

NOTE: This configuration example reflects an Organizational Unit that resides within the root of the LDAP directory structure. If the Organizational Unit resides elsewhere, the OU= parameter will need to reflect the exact location of the OU within the tree.

The search base may contain any part of the directory tree, not only an OU directly under the domain. In such configurations, the AD Administrator must specify the Fully Qualified Domain Name (FQDN) of the container without the DC= components. For example:

LDAP_SEARCH_BASE=CN=Development,OU=MassTransit
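A misformed search base is the most common reason a directory lookup silently returns no users, so it is worth checking the value before the engine is restarted. The script below is an added example and is not MassTransit or Group Logic code: it parses a distinguished name into its RDN components (a simplified RFC 4514 parse: comma-separated RDNs, backslash escapes, no multi-valued RDNs), rejects the unfinished default `CN=`, builds the search base for an OU that is nested below the domain root, and completes a DC-less value such as `CN=Development,OU=MassTransit` with the domain's DC components. Treating a value with no DC= components as relative to the configured domain is this script's reading of the article, not a documented MassTransit behaviour, and `your_domain.com` is a constructed sample domain.

```python
"""Check a MassTransit LDAP_SEARCH_BASE value before it goes into MassTransitEngine.cfg.

Added example, not MassTransit or Group Logic code.  The DN handling is a
simplified RFC 4514 parser (comma-separated RDNs, backslash escapes, no
multi-valued RDNs).  Treating a search base with no DC= components as
relative to the configured domain is an assumption of this script.
"""
from typing import List, Tuple

RDN = Tuple[str, str]

# Characters RFC 4514 requires escaping inside an attribute value.
_SPECIAL = set(',+"\\<>;')


def parse_dn(dn: str) -> List[RDN]:
    """Split 'OU=Sales,DC=example,DC=com' into [('OU', 'Sales'), ('DC', 'example'), ('DC', 'com')]."""
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)          # keep the escaped character literally
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("dangling backslash at end of DN")
    parts.append("".join(buf))

    rdns: List[RDN] = []
    for part in parts:
        attr, sep, value = part.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not attr or not value:
            # Catches the unfinished default 'CN=' as well as 'OU=,DC=x'.
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.upper(), value))
    return rdns


def format_dn(rdns: List[RDN]) -> str:
    """Inverse of parse_dn, escaping characters that would otherwise split the DN."""
    out = []
    for attr, value in rdns:
        escaped = "".join("\\" + c if c in _SPECIAL else c for c in value)
        out.append(f"{attr}={escaped}")
    return ",".join(out)


def domain_components(fqdn: str) -> List[RDN]:
    """'example.com' -> [('DC', 'example'), ('DC', 'com')]."""
    labels = [label for label in fqdn.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return [("DC", label) for label in labels]


def resolve_search_base(value: str, domain_fqdn: str) -> str:
    """Return the fully qualified search base for the configured domain.

    A value with no DC= components (the article's 'CN=Development,OU=MassTransit'
    form) is treated as relative to the domain and completed with its DC=
    components.  A value that names a different domain is rejected, because
    MassTransit integrates with a single domain.
    """
    rdns = parse_dn(value)
    domain = domain_components(domain_fqdn)
    dcs = [rdn for rdn in rdns if rdn[0] == "DC"]
    if not dcs:
        return format_dn(rdns + domain)
    tail = rdns[-len(domain):]
    same_domain = (
        len(dcs) == len(domain)
        and all(attr == "DC" for attr, _ in tail)
        and [v.lower() for _, v in tail] == [v.lower() for _, v in domain]
    )
    if not same_domain:
        raise ValueError(f"{value!r} does not sit under domain {domain_fqdn!r}")
    return format_dn(rdns)


def ou_search_base(ou_path: List[str], domain_fqdn: str) -> str:
    """Build the search base for an OU given its path from the domain root downward.

    ['Departments', 'MassTransit Users'] -> 'OU=MassTransit Users,OU=Departments,DC=...'
    so an OU that is not at the root names every container between it and the domain.
    """
    if not ou_path:
        raise ValueError("an OU path needs at least one OU")
    rdns = [("OU", name) for name in reversed(ou_path)]
    return format_dn(rdns + domain_components(domain_fqdn))


if __name__ == "__main__":
    # Constructed sample domain; substitute your own.
    print(resolve_search_base("OU=Your_Organizational_Unit,DC=Your_Domain,DC=COM", "your_domain.com"))
    print(resolve_search_base("CN=Development,OU=MassTransit", "your_domain.com"))
    print(ou_search_base(["Departments", "MassTransit Users"], "your_domain.com"))
```

Run it once with the exact string you intend to paste after `LDAP_SEARCH_BASE=`; a `ValueError` means the value would not match the tree, and an OU name containing a comma is emitted with the escape the directory expects.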

Enabling the Log Viewer

  1. If you would like to enable the MassTransit Log Viewer for an authorized group, open the mtweb.ini file located in the MTWeb directory. On Windows, the default folder is C:\Program Files\Group Logic\MassTransit Server 5\MTWeb for MassTransit 5.1.x and C:\Program Files\Group Logic\MassTransit Server 6\MTWeb for MassTransit 6.0 and later. On the Mac, the default folder is /Applications/MassTransit Server 5 Folder/MTWeb for MassTransit 5.1.x  and /Applications/MassTransit Server 6 Folder/MTWeb for MassTransit 6.0 and later.
  2. Go to the Application section of the file and follow the instructions for configuring the AUTHENTICATE_METHODS and AUTHORIZED_LOG_VIEWING_GROUP flags.
    NOTE: The order of the AUTHENTICATE_METHODS flag can be reversed. If the original order of the flags is used (AUTHENTICATE_METHODS = AuthMethod_SOAP,AuthMethod_LogViewingGroup), then a web client that is both a MassTransit contact with Active Directory authentication and a member of the authorized log viewing group will be navigated to the MassTransit plug-in once authenticated. The only way that user will be able to view the Log is if privileges are given to that individual user via the MassTransit Administrator when the account is created or edited; then the Log tab will be present. If the order of the flags is reversed (AUTHENTICATE_METHODS = AuthMethod_LogViewingGroup,AuthMethod_SOAP), then the user will be navigated to the Log Viewer, but will not be navigated to the plug-in for file transfer. The default order is recommended.
  3. Once you’ve completed the above steps, you will need to restart IIS or Apache and the MassTransit Engine for the changes to take effect.

Creating a Contact with Active Directory Authentication

  1. Via the MassTransit Administrator, add either a Web Client or Application Client contact.
  2. In the Authentication section of the General tab, select the Active Directory option.
  3. In the Account field, enter the user logon name in either of the following formats: username@domain.com or DOMAIN\username.
  4. Select the Search button; once the user is found in the directory, a green light will appear, and the contact can now be saved.
  5. Once a contact configured to use Active Directory authentication has been saved, the corresponding contact information from Active Directory will populate to the Contact Information fields on the General Tab. All of the populated information from Active Directory is read-only.

Logging on via MTWeb

  1. Via a supported browser, log on to the configured server.
  2. Enter your Active Directory logon name in either of the following formats: user name or DOMAIN\username.
  3. Enter your Active Directory password.

Logging on via FTP

  1. Via a supported browser or stand-alone FTP client, log on to the configured server.
  2. Enter your Active Directory logon name in either of the following formats: user name or DOMAIN\username.
  3. Enter your Active Directory password.
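The Account field above, and the MTWeb and FTP logon screens, accept the same two spellings of an Active Directory name, `username@domain.com` and `DOMAIN\username`. When an administrator keys contacts or an audit script compares logon records against the contact list, both spellings should map to one canonical identity, otherwise the same account can be created twice or matched not at all. The helper below is an added example and not MassTransit code: it parses either form (plus a bare user name completed with a default domain, which is this script's assumption rather than documented MassTransit behaviour), rejects malformed input, and canonicalises to a lower-case UPN using a NetBIOS-to-DNS map you supply. `CORP` and `corp.example.com` are constructed sample values.

```python
"""Normalise the logon-name forms the article accepts before looking a user up.

Added example, not MassTransit code.  Handles 'user@domain.com' and
'DOMAIN\\username' as listed in the article; completing a bare user name with
a default domain is an assumption of this script.
"""
from typing import Dict, Optional, Tuple

# (form, username, domain): form is 'upn' for user@dns.domain,
# 'down-level' for DOMAIN\username.
LogonName = Tuple[str, str, str]


def parse_logon_name(account: str, default_domain: Optional[str] = None) -> LogonName:
    """Split a logon name into its parts, rejecting anything that is not one of the accepted forms."""
    account = account.strip()
    if not account or any(ord(c) < 32 for c in account):
        raise ValueError("empty logon name or control characters present")
    has_at, has_backslash = "@" in account, "\\" in account
    if has_at and has_backslash:
        raise ValueError(f"{account!r} mixes the UPN and DOMAIN\\username forms")
    if has_at:
        user, _, domain = account.partition("@")
        if not user or not domain or "@" in domain:
            raise ValueError(f"{account!r} is not a valid user@domain.com name")
        return ("upn", user, domain.lower())           # DNS names are case-insensitive
    if has_backslash:
        domain, _, user = account.partition("\\")
        if not domain or not user or "\\" in user:
            raise ValueError(f"{account!r} is not a valid DOMAIN\\username name")
        return ("down-level", user, domain.upper())    # NetBIOS names are conventionally upper-case
    if default_domain is None:
        raise ValueError(f"bare user name {account!r} needs a default domain")
    return ("down-level", account, default_domain.upper())


def canonical_upn(account: str, netbios_to_dns: Dict[str, str],
                  default_domain: Optional[str] = None) -> str:
    """Map any accepted spelling to one lower-case 'user@dns.domain' key.

    netbios_to_dns maps NetBIOS domain names to DNS domain names, e.g.
    {'CORP': 'corp.example.com'} (constructed sample); sAMAccountName is
    case-insensitive in Active Directory, so the user part is lower-cased too.
    """
    form, user, domain = parse_logon_name(account, default_domain)
    if form == "down-level":
        try:
            domain = netbios_to_dns[domain].lower()
        except KeyError:
            raise ValueError(f"unknown NetBIOS domain {domain!r}") from None
    return f"{user.lower()}@{domain}"


if __name__ == "__main__":
    sample_map = {"CORP": "corp.example.com"}   # constructed sample
    for name in ("JDoe@Corp.Example.com", "corp\\JDoe", "jdoe"):
        print(name, "->", canonical_upn(name, sample_map, default_domain="CORP"))
```

Because MassTransit integrates with a single domain, the map will normally hold one entry; keeping the lookup explicit means a name from any other domain is refused rather than silently accepted.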
