¶ 1. Abstract
The T6 Planning Manual covers different authentication modes, emphasizing the importance of obtaining and validating credentials to determine user access. It details Form Authentication, recommended for internet access, providing precise instructions for configuration in T6 Planning and IIS 8.0. Additionally, it explores Active Directory authentication with and without Single Sign-On, offering specific guidance for integration with Microsoft Active Directory. The document concludes by mentioning support for authentication with Active Directory Federation Services, directing to a specific manual for additional details on this integration.
¶ 2. Authentication Modes
¶ 2.1 Overview
Authentication is the process of obtaining credentials such as Login and Password and validating this information against an entity, such as a database or domain server. If validation is successful, the authorization process determines the user's access.
T6 Planning supports Form, Active Directory (with Single Sign-On and without Single Sign-On), and Active Directory Federation Services authentication types. This manual will demonstrate how to perform each supported authentication form in T6 Planning.
¶ 3. Form Authentication
¶ 3.1 Overview
Form Authentication is the recommended model when T6 Planning is accessed via the internet. In this model, unauthorized requests are redirected to a login screen where the user enters their credentials (username and access password). These credentials are then validated in the T6 Planning database. After successful authentication, user credentials are stored in a cookie for the session. The entire authentication process is handled by T6 Planning.
This is the default mode used by Internet Information Service (IIS) applications.
¶ 3.2 Configuring Form Authentication in T6 Planning
To configure Form Authentication in T6 Planning, go to the menu -> T6 Planning -> Settings -> Parameters.
The system will display the Application Parameters screen, where you should ensure that the necessary parameters to activate Form Authentication are correct, as defined in the T6 Planning installation. If not, configure them as shown below:
Enable Active Directory
Value: No
Enable SSO
Value: No
In a standard T6 Planning installation, the values of these parameters will be No.
¶ 3.3 Configuring Form Authentication in IIS
This authentication method is the default for websites in IIS. Therefore, in most cases, no changes are necessary, just ensure that the settings are correct.
To configure Form Authentication in IIS 8.0, access the Windows Control Panel and set the view to Small Icons.
Next, click on the Administrative Tools option.
In the Administrative Tools screen, click on the Internet Information Services (IIS) Manager option.
In the IIS 8.0 screen, click on the Sites folder and then choose the WebSite related to T6 Planning.
Note the options that appear on the side in the Features View, and double-click on the Authentication icon.
In the IIS screen, ensure that the authentication statuses for the T6 PlanningWF portal are correct, as shown below:
- Enabled:
- Anonymous Authentication
- Forms Authentication
- Disabled:
- Basic Authentication
- Digest Authentication
- Windows Authentication
In the IIS screen, ensure that the authentication statuses for the T6 Planning Power Planning portal are correct, as shown below:
- Enabled:
- Anonymous Authentication
- Disabled:
- Basic Authentication
- Digest Authentication
- Windows Authentication
¶ 4. Authentication via Active Directory with Single Sign-On
¶ 4.1 Overview
Authentication via Microsoft Active Directory is the recommended authentication model when T6 Planning is accessed through the company's intranet. In this authentication form, the login screen is not presented because the browser sends the credentials of the logged-in user to the server. T6 Planning checks if the user is in the Active Directory group, and if not, redirects to an error screen.
Active Directory is a directory service for Windows networks, from version 2000 to the latest. A Directory Service is a network service that identifies all resources available in a network, maintaining information about user accounts, groups, computers, resources, security policies, etc. - in a centralized database, making these resources available to users and applications.
When integrated with Active Directory, most applications do not use their user and group database, relying on the centralized registration of Active Directory. In the case of T6 Planning, the database is still necessary and crucial because it manages access control and permissions within the solution.
When integrated with Active Directory, T6 Planning searches the directory to validate if the user's login exists and is active. If the search is positive, the next step in the authentication process is to search for this user in the T6 Planning database to verify their access permissions.
¶ 4.2 Configuring Single Sign-On Authentication in T6 Planning
To configure Single Sign-On authentication in T6 Planning, go to the menu -> T6 Planning -> Settings -> Parameters.
The system will display the Application Parameters screen, where you should ensure that the necessary parameters to activate Single Sign-On authentication are correct, as defined in the T6 Planning installation. If not, configure them as shown below:
Enable Active Directory
Value: Yes
Enable SSO
Value: Yes
Additionally, it is possible to define Active Directory groups according to the T6 Planning application. For example:
- In the Planning application, the Active Directory Management group can be defined.
- In the HR application of T6 Planning, the Active Directory Personnel Department group can be defined.
To configure group parameterization, access the Application Parameters screen. Select the desired application and locate the ActiveDirectory Group T6 Planning parameter, where you should enter the name of the Active Directory group.
Repeat the procedure, specifying the Active Directory group for each application you want to configure. To finish, enter the global parameter of the ActiveDirectory Server that will respond to T6 Planning requests:
¶ 4.3 Configuring Single Sign-On Authentication in IIS
To configure Single Sign-On authentication in IIS 8.0, access the Windows Control Panel and set the view to Small Icons.
Next, click on the Administrative Tools option.
In the Administrative Tools screen, click on the Internet Information Services (IIS) Manager option.
In the IIS 8 screen, click on the Sites folder and then choose the WebSite related to T6 Planning.
Note the options that appear on the side in the Features View, and double-click on the Authentication icon.
In the IIS screen, ensure that the authentication statuses are correct, as shown below:
- Enabled:
- Windows Authentication
- Disabled:
- Anonymous Authentication
- Basic Authentication
- Forms Authentication
- Digest Authentication
¶ 5. Authentication via Active Directory without Single Sign-On
¶ 5.1 Overview
When T6 Planning is integrated with Active Directory, some details in the information flow, specifically user authentication, become different.
When accessing the T6 Planning portal, the user sees the Login screen, where they must enter their Active Directory credentials. T6 Planning then connects to Active Directory and searches for this information. Once the user is located, T6 Planning checks if the user belongs to the group indicated in the application parameter. Finally, T6 Planning checks if this user is already registered in the database, and if not, a new registration is created based on the data returned by Active Directory, with the simplest profile available in the current T6 Planning license.
¶ 5.2 Configuring Authentication without Single Sign-On in T6 Planning
To configure authentication without Single Sign-On in T6 Planning, go to the menu -> T6 Planning -> Settings -> Parameters.
The system will display the Application Parameters screen, where you should ensure that the necessary parameters to activate Single Sign-In authentication are correct, as defined in the T6 Planning installation. If not, configure them as shown below:
Enable ActiveDirectory
Value: Yes
Enable SSO
Value: No
Additionally, it is possible to define Active Directory groups according to the T6 Planning application. For example:
- In the Planning application of T6 Planning, the Active Directory Management group can be defined.
- In the HR application of T6 Planning, the Active Directory Personnel Department group can be defined.
To configure group parameterization, access the Application Parameters screen. Select the desired application and locate the ActiveDirectory Group T6 Planning parameter, where you should enter the name of the Active Directory group.
Repeat the procedure, specifying the Active Directory group for each application you want to configure. To finish, enter the global parameter of the ActiveDirectory Server that will respond to T6 Planning requests:
¶ 5.3 Configuring Authentication without Single Sign-On in IIS
To configure authentication without Single Sign-On in IIS 8.0, access the Windows Control Panel and set the view to Small Icons.
Next, click on the Administrative Tools option.
In the Administrative Tools screen, click on the Internet Information Services (IIS) Manager option.
In the IIS 8.0 screen, click on the Sites folder and then choose the WebSite related to T6 Planning.
Note the options that appear on the side in the Features View, and double-click on the Authentication icon.
In the IIS screen, ensure that the authentication statuses are correct, as shown below:
- Enabled:
- Anonymous Authentication
- Forms Authentication
- Disabled:
- Basic Authentication
- Digest Authentication
- Windows Authentication
¶ 6. Authentication and Integration with Active Directory Federation Services
T6 Planning now also supports authentication with AD FS. For more details, refer to the T6 Planning Integration with Active Directory Federation Services Manual.