Windows AD security plug-in
The Windows AD security plug-in enables you to map user accounts and groups from your Windows 2000 Active Directory (AD) user database to Crystal Enterprise; it also enables Crystal Enterprise to verify all logon requests that specify Windows AD Authentication. Users are authenticated against the Windows AD user database, and have their membership in a mapped AD group verified before the Crystal Management Server (CMS) grants them an active Crystal Enterprise session.
This plug-in is compatible with Windows 2000 Active Directory domains running in either native mode or mixed mode. Note that in order to use the Windows AD security plug-in, the CMS needs to run under a user account that has the "Act as Part of the Operating System" right. See your Windows 2000 documentation for more information. For information on mapping Windows AD users and groups to Crystal Enterprise, see Managing AD accounts.
Once you have mapped your AD users and groups, all of the Crystal Enterprise client tools support AD authentication, except for the Crystal Import Wizard. You can also create your own applications that support AD authentication. For more information, see the developer documentation available on your product CD.
Note:
- AD authentication only works for servers running on Windows systems.
- AD authentication and aggregation are not functional without a network connection.
- AD authentication and aggregation may not continue to function if the administration credentials become invalid (for example, if the administrator changes his or her password or if the account becomes disabled).
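One way to check the "Act as Part of the Operating System" requirement stated above, as an added example that is not part of the Crystal Enterprise documentation: it parses a user-rights export, such as the file written by secedit /export /cfg rights.inf /areas USER_RIGHTS, and reports which accounts hold that right (SeTcbPrivilege). The service-account name, the SID and the sample export are constructed assumptions.

```python
# Added example: audit who holds "Act as Part of the Operating System"
# (SeTcbPrivilege) in a user-rights export. Names and SIDs are constructed.

CMS_ACCOUNT = "EXAMPLE\\svc_cms"  # assumption: dedicated CMS service account

# Constructed sample of an exported security template.
SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-1-0
SeTcbPrivilege = EXAMPLE\svc_cms,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeServiceLogonRight = EXAMPLE\svc_cms
[Version]
signature="$CHICAGO$"
"""

def privilege_holders(inf_text, privilege="SeTcbPrivilege"):
    """Return the accounts/SIDs assigned `privilege` in the export text."""
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Only the [Privilege Rights] section lists user rights.
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().lower() == privilege.lower():
            # Entries are comma separated; SIDs carry a leading '*'.
            return [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return []  # right not listed: no account holds it

def audit_tcb(inf_text, expected=CMS_ACCOUNT):
    """Report whether the CMS account has the right and who else does.

    The export may list an account by SID instead of by name; pass the
    SID as `expected` in that case.
    """
    holders = privilege_holders(inf_text)
    has = any(h.lower() == expected.lower() for h in holders)
    extra = [h for h in holders if h.lower() != expected.lower()]
    return {"cms_has_right": has, "unexpected_holders": extra}

if __name__ == "__main__":
    print(audit_tcb(SAMPLE_EXPORT))
```

Any entry under unexpected_holders is an account other than the CMS service account that can act as part of the operating system and is worth reviewing.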
Single Sign On
The Windows AD security plug-in supports Single Sign On, thereby allowing authenticated AD users to log on to Crystal Enterprise without explicitly entering their credentials. The Single Sign On requirements depend upon the way in which users access Crystal Enterprise: either via a thick client, or over the Web. In both scenarios, the security plug-in obtains the security context for the user from the authentication provider, and grants the user an active Crystal Enterprise session if the user is a member of a mapped AD group:
Note: Crystal Enterprise provides its own form of "anonymous Single Sign On," which uses Enterprise authentication, as opposed to Windows AD authentication. Design your own web applications accordingly (or modify the Crystal Enterprise web desktop) if you want to use AD Single Sign On. For information on AD Single Sign On, see Using AD Single Sign On.