Hitachi Vantara Lumada and Pentaho Documentation

Switch to Integrated Windows Authentication (IWA)

You must download this patch JAR before you switch to Integrated Windows Authentication.

This procedure requires Microsoft Windows Server 2008 R2, IIS 7.5, and Internet Explorer. If you are using different versions of any of this software, you may need to adjust the instructions to fit your environment.

Additionally, you will need to ensure that the following components of IIS are installed before continuing:

  • Windows Authentication
  • ISAPI Extensions
  • ISAPI Filters
  • JK 1.2 Connector (isapi_redirect.dll)

Follow these instructions to switch to Integrated Windows Authentication in the BA Server.

  1. Stop the BA Server, DI Server, and User Console processes.
  2. Copy the downloaded patch JAR to the /WEB-INF/lib/ directory inside the deployed Pentaho WAR. For most deployments, this will be /pentaho/server/biserver-ee/tomcat/webapps/pentaho/WEB-INF/lib/.
  3. In your IIS configuration, disable anonymous authentication and enable Windows authentication for the site you are serving.
  4. Edit the /WEB-INF/web.xml file inside of the deployed Pentaho WAR, and change the value of fully-qualified-server-url to the URL served by IIS, then save and close the file.
  5. Edit the /tomcat/conf/server.xml file and set tomcatAuthentication to false in the Connector element for the connector with the AJP protocol.
    Note: If this is not already defined, then add it; the example below can be directly pasted into the file.
  6. Save and close the file, then edit /pentaho-solutions/system/applicationContext-spring-security.xml. Comment out this code block
  7. Copy and paste this code block immediately after the block you just commented out
  8. Find the authenticationManager providers list and add this line to the beginning of it:
    <ref bean="preAuthAuthenticationProvider" />
  9. Replace the authenticationProcessingFilterEntryPoint bean definition with the following:
    <bean id="preAuthenticatedProcessingFilterEntryPoint"
          PreAuthenticatedProcessingFilterEntryPoint" />
  10. Find the exceptionTranslationFilter bean and replace its authenticationEntryPoint ref with:
    <ref local="preAuthenticatedProcessingFilterEntryPoint" />
  11. Ensure that you have configured Active Directory integration properly. Refer to your Active Directory documentation and Manual MSAD Configuration for more information.
  12. Save and close the server.xml file.
  13. Configure Internet Explorer so that your IIS server is in the local intranet security zone.
  14. Start the BA Server.
  15. Access the BA Server through Internet Explorer and ensure that it automatically logs in with the local user account.
Your system should now be configured to sign into the BA Server using local user account credentials.
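
Setting tomcatAuthentication to false in step 5 makes Tomcat accept the user name that IIS forwards over AJP, so the AJP listener should only be reachable by the IIS connector. The following check is an added example, not part of the Pentaho documentation; the sample server.xml is constructed, and the loopback-or-shared-secret rule is an assumption about how access is restricted in your deployment.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Tomcat server.xml (not taken from a real deployment).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               tomcatAuthentication="false" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml):
    """Return a list of (port, severity, message) findings for AJP connectors."""
    findings = []
    root = ET.fromstring(server_xml)
    ajp = [c for c in root.iter("Connector")
           if "ajp" in c.get("protocol", "").lower()]
    if not ajp:
        return [(None, "ERROR", "no AJP connector defined; IIS cannot forward requests")]
    for c in ajp:
        port = c.get("port")
        # Step 5: Tomcat must accept the user already authenticated by IIS.
        if c.get("tomcatAuthentication", "true").lower() != "false":
            findings.append((port, "ERROR", "tomcatAuthentication is not false; IWA user is ignored"))
            continue
        # With tomcatAuthentication=false the user name comes from whoever
        # speaks AJP to this port, so restrict who can connect to it.
        has_secret = bool(c.get("secret") or c.get("requiredSecret"))
        if c.get("address") not in LOOPBACK and not has_secret:
            findings.append((port, "WARN", "AJP listener is not loopback-bound and has no shared secret"))
        else:
            findings.append((port, "OK", "tomcatAuthentication=false and AJP access is restricted"))
    return findings


if __name__ == "__main__":
    for port, severity, message in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"[{severity}] AJP port {port}: {message}")
```

If IIS runs on a different host than Tomcat, loopback binding is not an option; restrict the AJP port with a shared secret set on both the Tomcat connector and the JK worker, or with a host firewall rule.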