Windows NT security plug-in

The Windows NT security plug-in (secWindowsNT.dll) allows you to map user accounts and groups from your Windows NT user database to Crystal Enterprise; it also enables Crystal Enterprise to verify all logon requests that specify Windows NT Authentication. Users are authenticated against the Windows NT user database, and have their membership in a mapped NT group verified before the CMS grants them an active Crystal Enterprise session.

This plug-in is compatible with NT 4 and Windows 2000 Active Directory user databases (when Windows 2000 Active Directory is configured in non-native mode only). If a Windows 2000 Active Directory user database is configured in native mode and contains universal groups that span several domains, you must use the Windows AD security plug-in. For information on mapping Windows NT users and groups to Crystal Enterprise, see Managing NT accounts. For information on the Windows AD security plug-in, see Windows AD security plug-in.

Once you have mapped your NT users and groups, all of the Crystal Enterprise client tools support NT authentication, except for the Crystal Import Wizard. You can also create your own applications that support NT authentication. For more information, see the developer documentation available on your product CD.

Note:    The Windows NT and Windows AD security plug-ins cannot authenticate users if the Crystal Enterprise server components are running on UNIX.

Default account

If you install Crystal Enterprise on Windows NT/2000 as an Administrator of the local machine, then this plug-in is enabled by default. A new NT group (called Crystal NT Users) is created on the local machine, and your NT user account is added to the group. The Crystal NT Users group is then mapped to Crystal Enterprise. The result is that you can log on to Crystal Enterprise with your usual NT user credentials.

Single Sign On

The Windows NT security plug-in supports Single Sign On, thereby allowing authenticated NT users to log on to Crystal Enterprise without explicitly entering their credentials. The Single Sign On requirements depend upon the way in which users access Crystal Enterprise: either via a thick client, or over the Web. In both scenarios, the security plug-in obtains the security context for the user from the authentication provider, and grants the user an active Crystal Enterprise session if the user is a member of a mapped NT group:

• To obtain NT Single Sign On functionality from a thick-client application (such as the Crystal Publishing Wizard), the user must be running a Windows operating system, and the application must use the Crystal Enterprise SDK.

  In this scenario, the Windows NT security plug-in queries the operating system for the current user's credentials when the client is launched.

• To obtain Single Sign On functionality over the Web, the system must use Microsoft components only. Specifically, the user must be running Internet Explorer on a Windows operating system, and the web server must be running Internet Information Server (IIS).

  In this scenario, Internet Explorer and IIS engage in Windows NT Challenge/Response authentication before IIS forwards the user's credentials to Crystal Enterprise.

  Note:    IIS performs the Challenge/Response authentication for every web page viewed. This can result in severe performance degradation.

  For details on configuring IIS for Single Sign On, see Setting up NT Single Sign On.

Note:    The Crystal Enterprise web desktop provides its own form of "anonymous Single Sign On," which uses Enterprise authentication, as opposed to Windows NT authentication. Design your own web applications accordingly (or modify the Crystal Enterprise web desktop) if you want to use NT Single Sign On. For information on NT Single Sign On, see Setting up NT Single Sign On.