This section describes how to set up and configure the FioranoMQ Windows NT security realm (Fiorano NT Realm) for the FioranoMQ server. Fiorano NT Realm works both on Windows NT 4.0 and Windows 2000.
Fiorano NT Realm requires that the FioranoMQ Server be run by a Windows administrative User who is able to read security-related data from the Windows NT Domain Controller. To use the Fiorano NT Realm, FioranoMQ must be run within a Windows NT domain.
To manage User and User Group information, the FioranoMQ Server must be able to make system calls to the Windows NT computer on which the FioranoMQ server runs. To perform authentication, FioranoMQ needs the privileges that would allow it to communicate with the Primary Domain Controller.
7.7.2 Setting up
- Launch the Fiorano Studio. Configure the NT based PrincipalManager as explained in the section Modifying Principal Manager Implementation.
- Right-click on the FioranoMQ domain from the Server Explorer and select the Save option from the pop-up menu.
Configuring Windows NT
- Login to Windows NT using Administrator permissions. Navigate to User Manager in the Administrative Tools program group from the Windows NT machine on which FioranoMQ is installed.
- Select a User that is enabled to run the FioranoMQ server. Choose User Rights from the Policies menu.
- Select Show Advanced User Rights in the Rights list and click Add. Enter the name of the User who is to execute FioranoMQ.
- Select Replace Process Level Token from the Rights list. Click Add and enter the name of the User who is to execute FioranoMQ.
- Restart the system for the new permissions for the User to take effect.
Configuring Windows 2000
- Login with Administrator permissions onto the Windows 2000 machine where the FioranoMQ Server is installed.
- Open Control Panel > Administrative Tools > Local Security Policy.
- Open the Local Policies tree.
- Click User Rights Assignments.
- On the right-hand pane, right-click Act.
- Select Security from the menu.
- Click Add on the next panel and choose the name of the User who is to execute FioranoMQ.
- Click on the OK button. Restart the system for the new permissions for the User to take effect.
Additional Configuration – Adding FioranoMQ Users to Administrators Group
In the NT Principal Manager, only users registered with the Administrators group have the rights to open or create an AdminConnection. Other Users can be given these rights by adding them to the default Administrators group, as explained below:
- Open Control Panel > Administrative Tools > Users and Passwords.
- Browse to reach Local Users and Groups > Groups > Administrators.
- Click Add to display a list of all the Users that exist in the WinNT Realm. Users are included in the Administrators group by adding them from this list.
The admin User, which is used by default to create admin connections, is not a member of the Administrators group in the FioranoMQ NT Realm. In order to use the FioranoMQ default admin tools and APIs, the admin User must be added to the Administrators group.
After installing and configuring FioranoNTRealm, perform the following verification checks when starting the FioranoMQ Server:
- Open a Command-shell. Navigate to the Samples\Realm folder.
- Compile the test case by using compile-client TestFioranoNTRealm.java.
- Run the test case by using run-client TestFioranoNTRealm. On successful execution, the test case displays a message.
- Run the AdminGUI. Check that the list of Windows NT Users and Groups is displayed in the User and Group Panel.
The following functions are not supported by the FioranoMQ 9 version of the Fiorano NT Realm, although they are supported by the file-based implementation of the FioranoMQ Realm:
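The checks above confirm the realm works end to end; before starting the server it is also worth auditing the two Windows-side prerequisites directly: which accounts hold the Replace Process Level Token right (its internal name is SeAssignPrimaryTokenPrivilege), and whether the admin User is in the local Administrators group. The script below is an added example, not part of the FioranoMQ documentation; it assumes a current Windows host with secedit.exe and the LocalAccounts module, an elevated PowerShell session, and a hypothetical service account name that you replace with your own.

```powershell
# Added example (not from the FioranoMQ documentation): audit holders of the
# "Replace a process level token" right (SeAssignPrimaryTokenPrivilege) and
# check local Administrators membership for the account that runs FioranoMQ.
# Requires an elevated session; $ServiceAccount is a placeholder, replace it.
param(
    [string]$ServiceAccount = "$env:COMPUTERNAME\fmqsvc"   # hypothetical account name
)

# 1. Export the local security policy; user rights live under [Privilege Rights].
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg |
    Where-Object { $_ -match '^SeAssignPrimaryTokenPrivilege\s*=' } |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

# 2. Resolve each holder. secedit writes SIDs prefixed with '*' or plain names.
$holders = @()
if ($line) {
    foreach ($entry in (($line -split '=', 2)[1].Trim() -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $holders += $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $holders += $entry }   # unresolvable SID: keep raw so it is still reported
        } else { $holders += $entry }
    }
}

# 3. Is the account a member of the local Administrators group?
$isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ieq $ServiceAccount })

# Report. Any holder of the privilege other than the service account (and the
# built-in LOCAL SERVICE / NETWORK SERVICE defaults) deserves a second look,
# because this right lets a process start others under a different token.
[pscustomobject]@{
    Account                     = $ServiceAccount
    HasReplaceProcessLevelToken = ($holders -icontains $ServiceAccount)
    InLocalAdministrators       = $isAdmin
    AllHoldersOfPrivilege       = $holders
}
```

If HasReplaceProcessLevelToken is False, the rights assignment from the Windows NT or Windows 2000 steps above has not taken effect yet (a restart is still required after granting it).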
- A Group cannot have a Group as a member.
- Changing the password for a User through FioranoNTRealm API is not allowed.
Troubleshooting FioranoMQ NT Realm
The most common configuration problems encountered with Fiorano NT Realm are related to Windows NT policies, specifically to the User who runs the FioranoMQ server. This User requires special permissions to access the Windows NT domain; the steps for granting them are given in section 7.7.2 Setting up. Another common problem is the inability of the FioranoMQ Server to load the fioranorealm.dll file. If FioranoMQ is unable to load fioranorealm.dll, the following message is displayed: