
TMW AMS

TMW AMS Windows Authentication Server and Client Setup

Server and Client Setup

Windows Authentication 01/2013

Table of Contents

TMW AMS Windows Authentication – Server and Client Setup
TMW AMS Setup
    Running the Windows Authentication Installer
    Making the BDE Changes
    Setting up the Client Network Utility
SQL Server Setup
    Setting Up Server Protocols
    Setting Up TMW AMS Database Security
    Creating a SQL Server Login for the User Group
Enabling Windows Authentication for the Database
    Creating Initial SYSADMIN User
    Enabling Windows Authentication
    Linking the TMWAMSSecvaluser to the Database
    Creating TMW AMS Users
    Windows Authentication Test Environment
Trouble Shooting
    Getting SQL Login Prompt after Windows Authentication is set up
    Problems Connecting from a Local Install or an Application Server

TMW AMS Windows Authentication – Server and Client Setup

With TMW AMS 10.00, Windows Authentication can now be used to connect to SQL Server instead of using SQL Server logins. This allows for better control of users from an IT perspective and for enforcing password policy and the changing of user passwords. The following applications have been updated to use Windows Authentication: TMW AMS, Security Administrator, Mechanic Workstation, Shop Planner, Parts Workstation, TINA Edit and Road Calls.

Note: SQL User login is still supported and the default authentication continues to be SQL user login. You cannot use SQL user login and Windows Authentication at the same time on the TMW AMS database. Once Windows Authentication is enabled on the database, TMW AMS application connections must be made using Windows Authentication.

With Windows Authentication, the user will be connected to the application and SQL Server based on the current user logged into the workstation. The user will not be prompted for their user ID and password when logging into TMW AMS applications.

In order to use TMW AMS, which uses the Borland Database Engine (BDE), to connect to SQL Server using Windows Authentication, changes must be made to both the client workstations and the SQL Server. These changes must be made or confirmed manually. The changes involve the BDE, client-side SQL drivers, and server-side SQL drivers. The reason for this is that the BDE requires the Named Pipes protocol in order to connect to SQL Server. The user making the changes must be a local administrator. The use of Windows Authentication requires that the following are installed on the workstation: BDE and SQL Server 2000 or SQL Server 2005 Client Drivers.

TMW AMS Setup

Before making the changes necessary to run Windows Authentication, you should update your TMW AMS database, client and TMW AMS applications (Security Administrator, Mechanic Workstation, Shop Planner, Parts Workstation, TINA Edit and Road Calls).

Running the Windows Authentication Installer

From the Client Center, download the AMS-WinAuthentication installer. Double-click the setup.exe and take the defaults all of the way through the install. This will create a directory with 2 SQL scripts in it, TMT100_CreateSecAdminInitialUser and TMT100_EnableWindowsAuth. The default path will be C:\Program Files (x86)\TMW Systems, Inc\AMS\WinAuthentication. These scripts will be used when you get to the Creating Initial SYSADMIN User and Enabling Windows Authentication sections later in this document.

Making the BDE Changes

The BDE Administrator needs to be modified for Windows Authentication to work. If you are doing a new install of the TMW AMS Client software on a PC, the modified BDE Administrator gets installed automatically and you can proceed to step 9. If you are upgrading an existing version of the TMW AMS client, you will need to follow these steps after downloading the AMS-BDEAdmin from the Client Center.

1. Double click the setup.exe. You will see the Welcome to the InstallShield Wizard for TMW AMS Borland Database Engine window. Click Next.

2. Next you will see the License Agreement screen. Check I accept the terms in the license agreement; once you do this you will be able to click Next.

3. Now you are at the Ready to Install screen. Click Install.

4. You will come to the InstallShield Wizard Completed window. Click Finish. Reboot the PC.

5. Go to Start > Control Panels > BDE Administrator > Configuration > Drivers > Native > MSSQL. If the USER NAME field is filled in, delete the name so that the field is blank.

6. Save the settings by right-clicking on MSSQL on the left side of the screen and selecting Apply. Click OK on the Save all edits to MSSQL window. Then exit the BDE Administrator.

Setting up the Client Network Utility

If you are using Microsoft SQL Server 2000, you will need to configure the SQL Server Client Network Utility on the workstation for the Named Pipes protocol. If you do not have the Client Network Utility installed, it can be installed from your Microsoft SQL Server CD by installing the Client Connectivity Tools.

1. Go to Program Files > Microsoft SQL Server > Client Network Utility.

2. On the General tab make sure that Named Pipes and TCP/IP are enabled and that they appear with Named Pipes first on the list.

Note: If SQL Server 2000 is not installed then the TMW AMS and BDE installers should have already set Named Pipes as the first entry.

SQL Server Setup

Setting Up Server Protocols

You will need to change the server protocol settings for the TMW AMS database on Microsoft SQL Server 2005.

1. Go to Start > All Programs > Microsoft SQL Server 2005 > Configuration Tools > SQL Server Surface Area Configuration > Surface Area Configuration for Services and Connections.

2. Click on Remote Connections on the left hand side.

3. On the right side click on Local and remote connections and then on Using both TCP/IP and named pipes.

4. Click on Apply.

5. When the Connection Settings Change Alert appears click OK.

6. Then click OK to close the open windows.

7. If you have Microsoft SQL Server 2008 skip to step 12. Go to Start > All Programs > Microsoft SQL Server 2005 > Configuration Tools > SQL Server Configuration Manager > SQL Server 2005 Network Configuration > Protocols for MSSQLSERVER.

8. On the right hand side make sure that Named Pipes and TCP/IP are enabled. Exit the SQL Server Configuration Manager.

9. To verify the client has Named Pipes first you will have to look in the registry. Extreme caution must be taken when working in the Registry. To look at this go to Start > Run. Enter Regedit and click OK.

10. Now go to HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSQLSERVER\CLIENT\SuperSocketNetLib.

11. Double-click ProtocolOrder. The order should be NP TCP.

12. If you have Microsoft SQL Server 2005 you are done with this part. Steps 12 through 15 are for Microsoft SQL Server 2008 users only. Go to Start > All Programs > Microsoft SQL Server 2008 R2 > Configuration Tools > SQL Server Configuration Manager.

13. Next go to SQL Server Network Configuration > Protocols for MSSQLSERVER. Make sure TCP/IP and Named Pipes are enabled. If they are not, right-click on each one and select Enable. Click OK when the notice appears that SQL Server will need to be restarted for the change to take effect.

Note: Protocols for MSSQLSERVER may be named differently on your server. The default name is Protocols for whatever you named the instance when setting up SQL. Microsoft defaults this name to the version number if you don't change it, so for 2008R2 it would say Protocols for SQL2008R2. If you upgraded from one version of SQL to another, this protocol will keep the old name even though you have a newer version.

14. While still in the SQL Server Configuration Manager, go to SQL Server Configuration Manager > SQL Server Services, right-click on SQL Server (SQL2008R2) and select Stop.

Note: As with the Protocols above, the name may vary, as it uses the name you gave the instance when you installed SQL.

15. Once it has stopped, right-click on SQL Server (SQL2008R2) and select Start.

Setting Up TMW AMS Database Security

Now we will create a security group for TMW AMS users. Have your Domain Administrator set up a TMW AMS user group in Active Directory. Name the group TMTFleetMaint.

Creating a SQL Server Login for the User Group

1. Go to Start > All Programs > Microsoft SQL Server 2005 > SQL Server Management Studio > Security > Logins.

2. Right click on Logins and select New Login.

3. You are now at the new login screen. Type the name of the group that you just created in the Login name box.

Note: The first time that you add a group, click on the Search button. In the Select User or Group box, click on Object Types and check the Groups box. Then add the group name to the Enter the object name to select box and check name. Click OK. The name will now be in the Login name box.

4. Now select User Mapping on the left hand side of the window. On the right hand side, under Users mapped to this login, check the TMW AMS database (this will normally be called TMWAMS). In the Database role membership for TFW, check Public and TFWUser.

5. When a new TMW AMS user needs to be created, add them to the TMTFleetMaint group. Then you will need to add them to TMW AMS and assign them a role by using the SecAdmin tool that comes with TMW AMS. See the Security Administrator Guide for details on how to add a new user.
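The login and user mapping from steps 1 to 4 can also be scripted and then audited. The following T-SQL is an added example, not a TMW-supplied script; it assumes SQL Server 2005 or later, a database named TMWAMS, and uses CONTOSO as a placeholder for your Active Directory domain.

```sql
-- Added example, not a TMW-supplied script.
-- CONTOSO is a placeholder; substitute your Active Directory domain.
USE [master];
GO
-- Steps 1 to 3: create a server login for the Windows group.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\TMTFleetMaint')
    CREATE LOGIN [CONTOSO\TMTFleetMaint] FROM WINDOWS;
GO

USE [TMWAMS];   -- the usual database name; change it if yours differs
GO
-- Step 4: map the login into the TMW AMS database.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\TMTFleetMaint')
    CREATE USER [CONTOSO\TMTFleetMaint] FOR LOGIN [CONTOSO\TMTFleetMaint];

-- Add the group to TFWUser. Every database user already belongs to public.
IF NOT EXISTS (SELECT 1
               FROM sys.database_role_members AS rm
               JOIN sys.database_principals AS r
                 ON r.principal_id = rm.role_principal_id
               JOIN sys.database_principals AS m
                 ON m.principal_id = rm.member_principal_id
               WHERE r.name = N'TFWUser'
                 AND m.name = N'CONTOSO\TMTFleetMaint')
    EXEC sp_addrolemember N'TFWUser', N'CONTOSO\TMTFleetMaint';
GO

-- Audit: list every member of the two roles this document uses.
-- The group should appear under TFWUser with type_desc WINDOWS_GROUP.
SELECT r.name      AS role_name,
       m.name      AS member_name,
       m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'TFWUser', N'SECVAL')
ORDER BY r.name, m.name;
```

In the audit output, members of type SQL_USER are accounts that authenticate with a SQL Server login rather than through a Windows principal.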

Enabling Windows Authentication for the Database

In order to turn Windows Authentication on for the TMW AMS application, two scripts must be run against your TMW AMS database.

Creating Initial SYSADMIN User

Open the script TMT100_CreateSecAdminInitialUser.sql in SQL Server Management Studio or Query Analyzer. Make sure you run this script against the TMW AMS database. Set the @WINDOMAIN and @WINUSER variables equal to the current domain and user that will be the new TMW AMS SYSADMIN. Do not include a ‘\’ in the domain or user name. Now run the script. The new user should now be able to log into Security Administrator when Windows Authentication is enabled. If other SYSADMIN users must be created, then this can be done using Security Administrator as in the past.

Enabling Windows Authentication

In order to enable Windows Authentication on a database, a script must be run. Once enabled, TMW AMS applications (TMW AMS, Security Administrator, Mechanic Workstation, Shop Planner, Parts Workstation, TINA Edit and Road Calls) will use Windows Authentication and the current Windows user will be verified for access. Open the script TMT100_EnableWindowsAuth.sql in SQL Server Management Studio or Query Analyzer. Change the database to the TMW AMS database. Execute the script.

Linking the TMWAMSSecvaluser to the Database

If you have backed up and restored your database to another location, you might get the following error:

If this is the case you will need to make the following fix:

1. Go to Start > All Programs > Microsoft SQL Server XXXX > SQL Server Management Studio > Databases > TFW > Security > Users. Right-click TMWAMSSecVal and delete the TMWAMSSecVal user.

2. Now go to Start > All Programs > Microsoft SQL Server XXXX > SQL Server Management Studio > Security > Logins > TMWAMSSecVal, right-click and select Properties.

3. On the Login Properties - TMWAMSSecVal screen select User Mapping.

4. Now check the box in front of the TMW AMS database name (usually TMWAMS) from the Users mapped to this login box on the right hand side of the login properties box.

5. After the database is selected, go to the Database role membership for DATABASE Name box. Check the public and SECVAL boxes.
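Before deleting anything, it helps to confirm that the restored TMWAMSSecVal user really has lost its link to the server login. The following T-SQL is an added example, not a TMW-supplied script; it assumes the error is caused by an orphaned user (the database user's SID no longer matching the login on the new server), which is the condition steps 1 to 5 repair, and it assumes a database named TMWAMS.

```sql
-- Added example, not a TMW-supplied script.
USE [TMWAMS];   -- the restored database; change the name if yours differs
GO
-- 1. Diagnose: compare the database user's SID with the server login's SID.
SELECT dp.name                     AS database_user,
       dp.sid                      AS database_sid,
       SUSER_SID(N'TMWAMSSecVal')  AS login_sid,
       CASE
           WHEN SUSER_SID(N'TMWAMSSecVal') IS NULL
               THEN 'no TMWAMSSecVal login on this server'
           WHEN SUSER_SID(N'TMWAMSSecVal') <> dp.sid
               THEN 'orphaned: SIDs differ'
           ELSE 'linked'
       END                         AS link_status
FROM sys.database_principals AS dp
WHERE dp.name = N'TMWAMSSecVal';
GO

-- 2. Repair: scripted form of steps 1 to 5 (delete the user, map the login
--    to the database again, put it back in SECVAL).
IF SUSER_SID(N'TMWAMSSecVal') IS NULL
    RAISERROR('Login TMWAMSSecVal does not exist on this server.', 16, 1);
ELSE IF EXISTS (SELECT 1
                FROM sys.schemas AS s
                JOIN sys.database_principals AS p
                  ON p.principal_id = s.principal_id
                WHERE p.name = N'TMWAMSSecVal')
    -- DROP USER fails while the user still owns a schema.
    RAISERROR('TMWAMSSecVal owns a schema; transfer or drop it first.', 16, 1);
ELSE
BEGIN
    IF EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'TMWAMSSecVal')
        DROP USER [TMWAMSSecVal];
    CREATE USER [TMWAMSSecVal] FOR LOGIN [TMWAMSSecVal];
    EXEC sp_addrolemember N'SECVAL', N'TMWAMSSecVal';
END
GO
```

Run the first query again afterwards; link_status should read linked.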

Creating TMW AMS Users

Existing users will have to be re-added to Sec Admin. All TMW AMS users should now be created using Security Administrator. Each user now needs a Windows Authentication user, created using the Windows Domain and Windows Username, before they can log into TMW AMS.

Windows Authentication Test Environment

If you created your test environment by backing up your database and restoring it, you may have to run a script to get Windows Authentication to work correctly. The script is CreateWASecurityLoginUser.sql. This script creates a security validation login, determines the database login authentication type, creates a new user role "SECVAL" and adds the user as a member.

Note: This script is hardcoded with TFW as database name, you will need to replace TFW with the name of your test database (the 5th line of the script below).

DECLARE @SQL NVARCHAR(4000)
DECLARE @USER_NAME VARCHAR(36)
DECLARE @MAGICCOOKIE NVARCHAR(64)
DECLARE @DBNAME NVARCHAR(100)
SET @DBNAME = 'TFW'
--!!!!!!do not change these!!!!!!
SET @USER_NAME = 'TMWAMSSecVal'
SET @MAGICCOOKIE = '!Very@NastyL0g1n'
-- Create the SQL Server login, with @DBNAME as its default database,
-- if the name does not yet resolve to a user in the current database.
SET @SQL = 'IF (SELECT ISNULL(USER_ID('''+@USER_NAME+'''),-1)) = -1 EXEC '+'[dbo].'+'[sp_addlogin] '+@USER_NAME+', '''+@MAGICCOOKIE+''', '''+@DBNAME+''''
EXEC SP_EXECUTESQL @SQL
-- Create the SECVAL role if it does not exist.
SET @SQL = 'IF NOT EXISTS(select * from sysusers WHERE NAME = ''SECVAL'' AND status = 0) EXEC sp_addrole ''SECVAL'''
EXEC SP_EXECUTESQL @SQL
-- Give the login access to the database under the same user name.
SET @SQL = 'IF NOT EXISTS(select * from sysusers WHERE NAME = '''+@USER_NAME+''') EXEC sp_grantdbaccess '+@USER_NAME+', '+@USER_NAME
EXEC SP_EXECUTESQL @SQL
-- Add the user to the SECVAL role.
SET @SQL = (' EXEC '+ '[dbo].'+ '[SP_ADDROLEMEMBER] ''SECVAL'', ''' + @USER_NAME + '''')
EXEC SP_EXECUTESQL @SQL

Trouble Shooting

Getting SQL Login Prompt after Windows Authentication is set up

If, after setting up the database to use Windows Authentication, the user is still getting prompted for the SQL login, you will need to check the following:

1. In Microsoft SQL Management Studio, go to Databases > TFW > Programmability > Stored Procedures

2. Then highlight the USP_TFWLOGIN_METHOD stored procedure. Right click and select Properties.

3. Highlight Permissions and make sure that the SECVAL role has Grant checked under Explicit Permissions for SECVAL > Execute.
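The same permission check can be made with a query, which also shows a DENY that the Properties dialog is easy to overlook. The following T-SQL is an added example, not a TMW-supplied script; it assumes a database named TMWAMS and that USP_TFWLOGIN_METHOD lives in the dbo schema.

```sql
-- Added example, not a TMW-supplied script.
USE [TMWAMS];   -- change the name if your database differs
GO
-- Assumption: the procedure is in the dbo schema.
IF OBJECT_ID(N'dbo.USP_TFWLOGIN_METHOD', N'P') IS NULL
    RAISERROR('dbo.USP_TFWLOGIN_METHOD was not found in this database.', 16, 1);
GO

-- Explicit permissions SECVAL holds on the procedure.
-- Expected: one row with permission_name EXECUTE and state_desc GRANT.
-- A row with state_desc DENY overrides any grant.
SELECT SCHEMA_NAME(o.schema_id) AS schema_name,
       o.name                   AS procedure_name,
       pr.name                  AS grantee,
       dp.permission_name,
       dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr
  ON pr.principal_id = dp.grantee_principal_id
JOIN sys.objects AS o
  ON o.object_id = dp.major_id
WHERE dp.class = 1                     -- object-level permissions
  AND o.name   = N'USP_TFWLOGIN_METHOD'
  AND pr.name  = N'SECVAL';
GO

-- Grant EXECUTE only when no explicit grant is present.
IF OBJECT_ID(N'dbo.USP_TFWLOGIN_METHOD', N'P') IS NOT NULL
   AND NOT EXISTS (SELECT 1
                   FROM sys.database_permissions AS dp
                   JOIN sys.database_principals AS pr
                     ON pr.principal_id = dp.grantee_principal_id
                   WHERE dp.class = 1
                     AND dp.major_id = OBJECT_ID(N'dbo.USP_TFWLOGIN_METHOD', N'P')
                     AND dp.permission_name = N'EXECUTE'
                     AND dp.state IN ('G', 'W')   -- GRANT, GRANT WITH GRANT OPTION
                     AND pr.name = N'SECVAL')
    GRANT EXECUTE ON OBJECT::[dbo].[USP_TFWLOGIN_METHOD] TO [SECVAL];
GO
```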

Problems Connecting from a Local Install or an Application Server

If a connection cannot be made after following all of the steps in this document, you can try this method.

1. Go to Start > Run. Enter Regedit and click OK.

2. Now go to HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSQLSERVER\CLIENT\SuperSocketNetLib.

3. Now delete everything in this folder except the Default. To do this, right-click on the Name and select Delete from the menu.

4. Close out of the Registry Editor and try to connect.