Posts Tagged ‘directory services’

INFO: Configuring MassTransit For Use With Directory Services

Wednesday, January 6th, 2010

Summary:

MassTransit web client and application client (i.e., FTP Server) accounts can now be configured manually to authenticate passwords through Active Directory. Active Directory password management is available on the Enterprise, Premier and Standard products for both Macintosh and Windows-based servers running MassTransit 5.1 or higher. The MassTransit Log Viewer can now be enabled so that any user with a valid Active Directory account who is a member of a defined group can view the MassTransit log without requiring a web client license or plug-in. Configuration instructions follow in the Description section.

For information about configuring MassTransit Server 7 for use with Directory Services, please refer to: Active Directory page of the MassTransit 7 documentation.

Description:

This article explains how you can enable Directory Services, enable the Log Viewer for Active Directory contacts, create a contact with Active Directory authentication, and how users can log on via MTWeb and FTP.

This article assumes that MassTransit 5.1 or higher is installed and that MassTransit Web (MTWeb) configuration is already complete if you are using web client accounts and/or enabling an Active Directory log viewing group. See the Related Documents section for links to the Installation and Web configuration documents.

Be aware that MassTransit’s Directory Services integration currently supports only Active Directory running on a supported Windows Server platform, and that MassTransit can integrate with only a single domain.

Enabling Directory Services

NOTE: All lines beginning with “%%” in the MassTransitEngine.cfg file are considered commented and therefore ignored. You must uncomment all lines mentioned in the steps below.

  1. Open the MassTransitEngine.cfg file located in the root MassTransit directory. The default location on Windows is C:\Program Files\Group Logic\MassTransit Server 5 for MassTransit 5.1.x and C:\Program Files\Group Logic\MassTransit Server 6 for MassTransit 6.0 and later; the default location on Mac OS X is /Applications/MassTransit Server 5 Folder for MassTransit 5.1.x and /Applications/MassTransit Server 6 Folder for MassTransit 6.0 and later.
  2. Go to the Directory Services section of the file and set DIRECTORY_SERVICES_ENABLED to TRUE. Then enter values for all of the remaining flags in that section.
    NOTE: On Windows the LDAP_BIND_DN and LDAP_BIND_PASSWORD flags may be left blank to indicate that MassTransit is to bind to the LDAP server as the account the service runs under. The machine must be joined to the domain and the MassTransit service must be running as the account MassTransit is to use to bind to the LDAP server. To configure the MassTransit service, open the Services window, highlight the service named “MassTransit”, right-click and select Properties, go to the Log On tab, select the “This account” option, enter the account name and password, and select OK. Use a dedicated domain account that has only the right to read the directory for this purpose; leaving the bind flags blank also keeps the bind password out of the cfg file, where it would otherwise be stored in cleartext.

  3. Once you’ve completed the above steps, you will need to restart the MassTransit Engine for the changes to take effect.

NOTE: MassTransit 6.0 implements the automatic Active Directory account management feature that allows setting up MassTransit contacts, forwarding privileges and so on automatically based on existing Active Directory groups. For more information about this feature see the INFO: Automatic Active Directory Account Management With MassTransit article.

Configuring MassTransit To Authenticate Against LDAP Organizational Units

The directory services settings located within the MassTransitEngine.cfg configuration file are configured to search the Active Directory “Users” folder by default; however, they may be modified to search Organizational Units (OUs) instead.

This may be an optimal configuration for administrators that wish to create a “MassTransit Users” organizational unit, without impacting the standard “Users” folder.

The following is a procedure to make the necessary modifications:

  1. Open the MassTransitEngine.cfg configuration file.
  2. Locate the configuration option: LDAP_SEARCH_BASE=CN=
  3. Adjust the LDAP_SEARCH_BASE setting to reflect your custom Organizational Unit. For example: LDAP_SEARCH_BASE=OU=Your_Organizational_Unit,DC=Your_Domain,DC=COM

NOTE: This example reflects an Organizational Unit that resides directly under the root of the domain. If the Organizational Unit resides elsewhere in the tree, the search base must spell out the exact location of the OU, with the nested OU listed first and each containing OU after it.

The search base may point at any container in the directory tree, not only a top-level OU. For such a nested container, this article gives the path through the tree without the DC= components of the domain. For example:

LDAP_SEARCH_BASE=CN=Development,OU=MassTransit
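The two procedures above, enabling Directory Services and pointing LDAP_SEARCH_BASE at an Organizational Unit, are easy to get subtly wrong: a flag left commented out with %%, a placeholder search base such as CN= with no value, a bind password sitting in cleartext in the cfg file, or nested OUs listed in the wrong order. The following Python script is an added example, not a tool shipped with MassTransit. It parses the Directory Services flags this article names (DIRECTORY_SERVICES_ENABLED, LDAP_SERVER_PORT, LDAP_SEARCH_BASE, LDAP_BIND_DN, LDAP_BIND_PASSWORD) using the %% comment rule stated in the NOTE above, reports those problems, and builds a correctly ordered search-base DN from an OU path. The two sample cfg fragments, the domain example.com and the account names in them are constructed for the example.

```python
"""Audit the Directory Services section of MassTransitEngine.cfg and build an
LDAP_SEARCH_BASE for an Organizational Unit. Added example: the flag names are
the ones the article mentions; the sample file contents below are constructed."""
import re

# Flags the article says must be uncommented and filled in.
REQUIRED_FLAGS = ("DIRECTORY_SERVICES_ENABLED", "LDAP_SERVER_PORT",
                  "LDAP_SEARCH_BASE", "LDAP_BIND_DN", "LDAP_BIND_PASSWORD")

GOOD_CFG = """\
%% Directory Services Settings (constructed sample, not a real cfg file)
DIRECTORY_SERVICES_ENABLED=TRUE
LDAP_SERVER_PORT=389
LDAP_SEARCH_BASE=OU=MassTransit Users,DC=example,DC=com
%% Blank bind flags: on Windows, bind as the MassTransit service account.
LDAP_BIND_DN=
LDAP_BIND_PASSWORD=
"""

BAD_CFG = """\
%% DIRECTORY_SERVICES_ENABLED=TRUE
LDAP_SERVER_PORT=389
LDAP_SEARCH_BASE=CN=
LDAP_BIND_DN=CN=svc-masstransit,OU=Service Accounts,DC=example,DC=com
LDAP_BIND_PASSWORD=Winter2010
"""


def parse_cfg(text):
    """Return {FLAG: value} for active lines; lines starting with %% are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("%%") or "=" not in line:
            continue
        key, _, value = line.partition("=")      # split on the first '=' only
        settings[key.strip().upper()] = value.strip()
    return settings


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas (RFC 4514)."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):    # keep the escape pair intact
            cur += dn[i:i + 2]
            i += 2
        elif dn[i] == ",":
            parts.append(cur)
            cur = ""
            i += 1
        else:
            cur += dn[i]
            i += 1
    parts.append(cur)
    return [p.strip() for p in parts]


_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=(.+)$")   # attributeType=non-empty value


def audit_search_base(dn):
    """Problems with an LDAP_SEARCH_BASE value; an empty list means it parses."""
    if not dn:
        return ["LDAP_SEARCH_BASE is empty"]
    return [f"malformed RDN {rdn!r} in LDAP_SEARCH_BASE"
            for rdn in split_dn(dn) if not _RDN.match(rdn)]


def audit(cfg_text):
    """Findings for the Directory Services section (empty list = looks sane)."""
    s = parse_cfg(cfg_text)
    findings = [f"{flag} is missing or still commented out with %%"
                for flag in REQUIRED_FLAGS if flag not in s]
    if s.get("DIRECTORY_SERVICES_ENABLED", "").upper() != "TRUE":
        findings.append("DIRECTORY_SERVICES_ENABLED is not TRUE")
    port = s.get("LDAP_SERVER_PORT", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(f"LDAP_SERVER_PORT {port!r} is not a valid TCP port")
    if "LDAP_SEARCH_BASE" in s:
        findings += audit_search_base(s["LDAP_SEARCH_BASE"])
    bind_dn, bind_pw = s.get("LDAP_BIND_DN", ""), s.get("LDAP_BIND_PASSWORD", "")
    if bind_pw:
        findings.append("LDAP_BIND_PASSWORD is stored in cleartext in the cfg file; "
                        "on Windows leave both bind flags blank and run the "
                        "MassTransit service as a dedicated low-privilege domain account")
    if bind_dn and not bind_pw:
        # A DN with an empty password is an LDAP "unauthenticated bind"
        # (RFC 4513 section 5.1.2), not a bind as that account.
        findings.append("LDAP_BIND_DN is set but LDAP_BIND_PASSWORD is blank")
    return findings


def escape_rdn_value(value):
    """Escape the RFC 4514 special characters in an RDN attribute value."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if value.endswith(" "):
        out = out[:-1] + "\\ "
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out


def search_base_for_ou(ou_path, dns_domain):
    """DN for an OU given as a slash path from the domain root (general first):
    ('MassTransit/Development', 'example.com') ->
    'OU=Development,OU=MassTransit,DC=example,DC=com'.
    The DN lists the nested OU first, which is what the article's note about
    reflecting the OU's exact location in the tree requires."""
    ous = [p for p in ou_path.split("/") if p]
    rdns = ["OU=" + escape_rdn_value(p) for p in reversed(ous)]
    rdns += ["DC=" + escape_rdn_value(label) for label in dns_domain.split(".")]
    return ",".join(rdns)
```

Run it against the real file with audit(open(path).read()); a non-empty list is something to fix before restarting the engine. The unauthenticated-bind check is worth keeping: an LDAP simple bind that supplies a DN and an empty password is treated by many servers, Active Directory included, as an anonymous session rather than rejected, so a blank or mistyped password flag can look like a working configuration that simply has no rights to search.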

Enabling the Log Viewer

  1. If you would like to enable the MassTransit Log Viewer for an authorized group, open the mtweb.ini file located in the MTWeb directory. On Windows, the default folder is C:\Program Files\Group Logic\MassTransit Server 5\MTWeb for MassTransit 5.1.x and C:\Program Files\Group Logic\MassTransit Server 6\MTWeb for MassTransit 6.0 and later. On the Mac, the default folder is /Applications/MassTransit Server 5 Folder/MTWeb for MassTransit 5.1.x and /Applications/MassTransit Server 6 Folder/MTWeb for MassTransit 6.0 and later.
  2. Go to the Application section of the file and follow the instructions there for configuring the AUTHENTICATE_METHODS and AUTHORIZED_LOG_VIEWING_GROUP flags.
    NOTE: The order of the methods in AUTHENTICATE_METHODS matters. With the default order (AUTHENTICATE_METHODS = AuthMethod_SOAP,AuthMethod_LogViewingGroup), a web client who is both a MassTransit contact with Active Directory authentication and a member of the authorized log viewing group is taken to the MassTransit plug-in after authenticating; that user sees the Log tab only if log-viewing privileges were granted to the individual contact in the MassTransit Administrator when the account was created or edited. With the order reversed (AUTHENTICATE_METHODS = AuthMethod_LogViewingGroup,AuthMethod_SOAP), the same user is taken to the Log Viewer instead and does not reach the plug-in for file transfer. The default order is recommended.
  3. Once you’ve completed the above steps, you will need to restart IIS or Apache and the MassTransit Engine for the changes to take effect.

Creating a Contact with Active Directory Authentication

  1. Via the MassTransit Administrator, Add either a Web Client or Application Client Contact.
  2. In the Authentication section of the General tab, select the Active Directory option.
  3. In the Account field, enter the user logon name in either of the following formats: username@domain.com or DOMAIN\username.
  4. Select the Search button; once the user is found in the directory, a green light appears and the contact can be saved.
  5. Once a contact configured to use Active Directory authentication has been saved, the corresponding contact information from Active Directory populates the Contact Information fields on the General tab. All of the information populated from Active Directory is read-only.

Logging on via MTWeb

  1. Via a supported browser, log on to the configured server.
  2. Enter your Active Directory logon name in either of the following formats: username or DOMAIN\username.
  3. Enter your Active Directory password.

Logging on via FTP

  1. Via a supported browser or stand-alone FTP client, log on to the configured server.
  2. Enter your Active Directory logon name in either of the following formats: username or DOMAIN\username.
  3. Enter your Active Directory password.

Related Article:

How Do I Configure a Firewall to Support Directory Services Outside the DMZ?

Monday, September 10th, 2007

Question:

How Do I Configure a Firewall to Support Directory Services Outside the DMZ?

Answer:

MassTransit 5.1 and later allows application and web client contacts to be authenticated against Active Directory on Windows 2000 Server and later. Because MassTransit systems may sit outside of an organization’s firewall in the demilitarized zone (DMZ), it may be necessary to open ports on a firewall so that Active Directory queries can pass through.

Ports Used by MassTransit

MassTransit uses TCP and UDP port 389 to communicate with Active Directory. This port number is the default for Active Directory. If your organization uses a different port number, or if your firewall is configured to do port forwarding/mapping, you can specify the port number in the MassTransitEngine.cfg file, located in the root folder of your MassTransit installation. On Windows that is generally C:\Program Files\Group Logic\MassTransit Server 5 for MassTransit version 5 and C:\Program Files\Group Logic\MassTransit Server 6 for MassTransit version 6; on Macintosh it is /Applications/MassTransit Server 5 for MassTransit version 5 and /Applications/MassTransit Server 6 for MassTransit version 6. Scope the firewall rule to traffic from the MassTransit host to the specific domain controller(s) rather than opening port 389 from the whole DMZ: LDAP on port 389 is not encrypted unless the session negotiates TLS or signing, so the rule should be a narrow host-to-host exception.

In the Directory Services Settings of the MassTransitEngine.cfg file, locate the LDAP_SERVER_PORT option. The default port is 389. Change this to the port in use by your organization.

When complete, restart the MassTransit Engine to apply the changes.
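To confirm that the firewall change actually lets LDAP through from the DMZ host, something more than a ping is needed: the port must accept a TCP connection and the peer must answer LDAP. The following Python script is an added example, not a MassTransit tool. It sends an anonymous LDAP BindRequest (RFC 4511, BER-encoded by hand so no third-party library is needed) to a host and port and returns the resultCode. The selftest() function stands a constructed local listener in for the domain controller so the script can be exercised offline; the host name dc01.example.com in the usage comment is an assumption.

```python
"""Probe an LDAP port through a firewall with an anonymous bind (RFC 4511).
Added example; the local listener in selftest() is a constructed stand-in for a
domain controller and replies to any bind with resultCode 0."""
import socket
import threading


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def anonymous_bind_request(message_id=1):
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }."""
    bind = tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0x80, b"")
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, bind))


# BindResponse with resultCode success(0), empty matchedDN and diagnosticMessage.
CANNED_BIND_RESPONSE = tlv(0x30, tlv(0x02, b"\x01") +
                           tlv(0x61, tlv(0x0A, b"\x00") + tlv(0x04, b"") + tlv(0x04, b"")))


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def bind_result_code(response):
    """resultCode from an LDAP BindResponse, or None if the bytes are not one."""
    tag, msg, _ = read_tlv(response, 0)
    if tag != 0x30:
        return None
    _, _message_id, pos = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:                      # [APPLICATION 1] BindResponse
        return None
    tag, code, _ = read_tlv(op, 0)
    if tag != 0x0A:                      # ENUMERATED resultCode
        return None
    return int.from_bytes(code, "big")


def probe_ldap(host, port=389, timeout=3.0):
    """Connect to host:port and send an anonymous bind.
    Returns the LDAP resultCode (0 = success), or None when the port is not
    reachable or the peer does not answer with an LDAP BindResponse."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(anonymous_bind_request())
            data = s.recv(4096)
    except OSError:                      # refused, timed out, unreachable
        return None
    if not data:
        return None
    try:
        return bind_result_code(data)
    except IndexError:                   # truncated or non-BER reply
        return None


def selftest():
    """Probe a local stand-in DC, then the same port once nothing listens."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(CANNED_BIND_RESPONSE)

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    reachable = probe_ldap("127.0.0.1", port)
    t.join(5)
    srv.close()
    blocked = probe_ldap("127.0.0.1", port, timeout=1.0)
    return reachable, blocked


if __name__ == "__main__":
    print(selftest())                    # expected (0, None) when loopback works
    # Real use from the MassTransit host, port taken from LDAP_SERVER_PORT:
    # print(probe_ldap("dc01.example.com", 389))   # host name is an assumption
```

None means the connection was blocked or timed out, which is a firewall or routing problem; a resultCode means LDAP answered. A domain controller normally accepts an anonymous bind with resultCode 0 even though it grants that session almost no rights, so the probe confirms reachability, not that the service account's credentials work, and on port 389 nothing authenticates the peer until a real bind completes.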