About TEAM Mentor

Accessing and Reading Content

Installation

Administration

Editing Content

Eclipse for Fortify plugin

HP Fortify SCA UI Integration

Using the Jade Fail Safe Version

Active Directory Support

This is configured on the TEAM Mentor 3.6 Backend.

By default TEAM Mentor uses its Xml-based User Store, however Active Directory integration is also supported. TEAM Mentor can use AD to authenticate and authorize users.

Set-up

These are the steps required to set it up

Step 1: Configure web.config file

In this file which you will find in the Web Root \Web Applications\TM_Website you need to make the following changes:

In the system.web identity element:

Set the impersonate value to true, by default it is set to false,
<identity impersonate="true"></identity>

Set the authentication mode to Windows, by default it is set to None
<authentication mode="Windows"></authentication>

Your new <system.web> properties should have these values:

    <system.web>
    ...
    <identity impersonate="true"></identity>
    <authentication mode="Windows"></authentication>
    ... 
    </system.web>


In system.webServer section:

Add the this tag: <validation validateintegratedmodeconfiguration="false"></validation>

Set the modules runAllManagedModulesForAllRequest to true <modules runallmanagedmodulesforallrequest="true"></modules>

Your new <system.webserver> should have these values:

   <system.webserver>
    ...
    <validation validateintegratedmodeconfiguration="false"></validation>
    <modules runallmanagedmodulesforallrequest="true"></modules>    
    ...	
    </system.webserver>


Step 2: Configure TMConfig.Config file

Open the TMConfig editor by clicking on Tbot in the Admin menu and selecting Edit TMConfig from the Admin - Config row. In the Windows Authentication section you need to Enable Windows Authentication and set the relevant security groups. By default Windows Authentication is set to false, so you will need to set the Enabled element to true and change the ReaderGroup, EditorGroup, AdminGroup values to match your Active Directory security group names. Your Windows Authentication section should look something similar to this.


Alternatively you can make the same changes in the actual TMConfig.Config xml file if necessary. This file you will find in the Library_Data\XmlDatabase\User_Data or an alternative location if you have set one. Make sure that the Active Directory groups names are correct. You can verify this information by following the instructions in Step 4: Security settings.

Your TMConfig file Windows Authentication section should look similar to the below.

		<windowsauthentication>
			<enabled>true</enabled>
			<readergroup>TMREAD</readergroup>
			<editorgroup>TMEDIT</editorgroup>
			<admingroup>TMADMIN</admingroup>
		</windowsauthentication>
	


Step 3: Disabling IIS Anonymous access and Enabling Windows Authentication

Make sure you have already installed Windows Authentication in the server where you are configuring TEAM Mentor to use Active Directory. Windows Authentication can be installed from the Add Roles and Features from the Server Manager Dashboard. You can read more about how to install Windows Authentication here http://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication

This is the server roles screen that shows how to install Windows Authentication:


Once Windows Authentication has been installed, then it's necessary to enable it for the current Web site and then disable Anonymous access. In order to to that, you need to select the TEAM Mentor Web site and then select the Authentication feature from the IIS group. Make sure Anonymous access is disabled and Windows Authentication is enabled for this Web site.


Step 4: IIS Application Pool configuration

When configuring TEAM Mentor Web site in the Internet Information Services (IIS), you need to create a new Application Pool or assign it to an existing Application Pool. In any of those cases, this pool needs to be configured to always use the Microsoft .NET framework 4.0 or higher. Also the Managed pipeline mode needs to be Integrated.

Step 5: Security settings

Now that you have created the Web site, you need to assign security permissions. First you need grant the application pool identity with permissions on the Web Site. When discovering the user, you will need to use the format IIS AppPool\[Name of the Application Pool].You need to find this user at the server level and not at the domain level.

Then you need to grant the Active Directory groups with permissions in the TEAM Mentor Web application. If there is an Active Directory group called TeamMentorReader for instance, which should be used just for readers, then you need to grant this group with permissions in the TEAM Mentor site. You need to select the Web site, right click on it, and select the Edit Permissions option from the contextual menu, from there you need to enter the group name.

Make sure that the Active Directory groups have access to the TEAM Mentor Web Application by adding them to the target folder and grant them with read and write permissions.

Troubleshoot

Q: You get a 401 error when connecting to the IIS server from a remote computer, but it works locally

A: See this Microsoft KB for a workaround http://support.microsoft.com/kb/871179

Q: You get this error when running TEAM Mentor on a fresh IIS installation: "Handler'"WebServiceHandlerFactory-Integrated' has a bad module 'ManagedPipelineHandler' in its module list."

A: Try running aspnet_regiis.exe -i from the .Net 4.0 folder. See this post for more details: http://forums.iis.net/p/1149449/1869918.aspx

References