Pentaho Documentation

Switch to Integrated Windows Authentication (IWA)

You must download this patch JAR before you switch to Integrated Windows Authentication.

This procedure requires Microsoft Windows Server 2008 R2, IIS 7.5, and Internet Explorer. If you are using different versions of any of this software, you may adjust the instructions to fit your needs.

Additionally, you will need to ensure that the following components of IIS are installed before continuing:

  • Windows Authentication
  • ISAPI Extensions
  • ISAPI Filters
  • JK 1.2 Connector (isapi_redirect.dll)

Follow these instructions to switch to Integrated Windows Authentication in the Pentaho Server.

  1. Stop the Pentaho Server and User Console processes.
  2. Copy the downloaded patch JAR to the /WEB-INF/lib/ directory inside of the deployed Pentaho WAR. For most deployments, this will be /pentaho/server/pentaho-server/tomcat/webapps/pentaho/WEB-INF/lib/
  3. In your IIS configuration, disable anonymous authentication and enable Windows authentication for the site you are serving.
  4. Edit the /pentaho/server/pentaho-server/pentaho-solutions/system/server.properties file inside of the deployed Pentaho WAR, and change the value of fully-qualified-server-url to the URL served by IIS, then save and close the file.
  5. Edit the /tomcat/conf/server.xml file and set tomcatAuthentication to false in the Connector element for the connector that uses the AJP protocol. If the attribute is not already defined, add it; the example below can be pasted directly into the file:

    tomcatAuthentication="false"
  6. Save and close the file, then edit /pentaho-solutions/system/applicationContext-spring-security.xml. Comment out this code block:
    <![CDATA[CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT 
    /**=securityContextHolderAwareRequestFilter,httpSessionContextIntegrationFilter,
    httpSessionReuseDetectionFilter,logoutFilter,preAuthenticatedProcessingFilter,
    authenticationProcessingFilter,basicProcessingFilter,requestParameterProcessingFilter,
    anonymousProcessingFilter,pentahoSecurityStartupFilter,exceptionTranslationFilter,
    filterInvocationInterceptor]]>
    
    
  7. Copy and paste this code block immediately after the block you just commented out:
    <![CDATA[CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT 
    /**=httpSessionContextIntegrationFilter,httpSessionReuseDetectionFilter,
    logoutFilter,preAuthenticatedProcessingFilter,authenticationProcessingFilter,
    basicProcessingFilter,requestParameterProcessingFilter,anonymousProcessingFilter,
    securityContextHolderAwareRequestFilter,pentahoSecurityStartupFilter,
    exceptionTranslationFilter,filterInvocationInterceptor]]>
  8. Find the authenticationManager providers list and add this line to the beginning of it:
    <ref bean="preAuthAuthenticationProvider" />
  9. Replace the authenticationProcessingFilterEntryPoint bean definition with the following code block:
    <bean id="preAuthenticatedProcessingFilterEntryPoint"
        class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
  10. Find the exceptionTranslationFilter bean and replace its authenticationEntryPoint ref with the following code block:
    <ref local="preAuthenticatedProcessingFilterEntryPoint" />
  11. Ensure that you have configured Active Directory integration properly. Refer to your Active Directory documentation and Manual MSAD Configuration for more information.
  12. Save and close the server.xml file.
  13. Configure Internet Explorer such that your IIS server is in the local intranet security zone.
  14. Start the Pentaho Server.
  15. Access the Pentaho Server through Internet Explorer and ensure that it automatically logs in with the local user account.

Your system should now be configured to sign into the Pentaho Server using local user account credentials.
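
A post-edit check for steps 5 through 8, as an added example that is not part of the Pentaho documentation: it confirms that the AJP connector sets tomcatAuthentication to false, that the active filter chain uses the step 7 ordering, and that preAuthAuthenticationProvider is first in the providers list. The embedded XML is a constructed sample (the port numbers and the constructedOtherProvider bean name are placeholders), and the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples standing in for the two edited files (steps 5-8).
SERVER_XML = """<Server><Service><Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false" />
</Service></Server>"""
SPRING_XML = """<beans><value>
  <![CDATA[CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT
  /**=httpSessionContextIntegrationFilter,httpSessionReuseDetectionFilter,
  logoutFilter,preAuthenticatedProcessingFilter,authenticationProcessingFilter,
  basicProcessingFilter,requestParameterProcessingFilter,anonymousProcessingFilter,
  securityContextHolderAwareRequestFilter,pentahoSecurityStartupFilter,
  exceptionTranslationFilter,filterInvocationInterceptor]]></value>
  <bean id="authenticationManager"><property name="providers"><list>
    <ref bean="preAuthAuthenticationProvider" /><ref bean="constructedOtherProvider" />
  </list></property></bean></beans>"""

def _named(root, name):
    """Elements by local tag name, so namespaced Spring files also match."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def ajp_delegates_auth(server_xml):
    """Step 5: every AJP connector has tomcatAuthentication set to false."""
    ajp = [c for c in _named(ET.fromstring(server_xml), "Connector")
           if "AJP" in c.get("protocol", "").upper()]
    return bool(ajp) and all(c.get("tomcatAuthentication") == "false" for c in ajp)

def active_chain(spring_xml):
    """Steps 6-7: filter names of the /**= chain that is not commented out."""
    live = re.sub(r"<!--.*?-->", "", spring_xml, flags=re.S)
    m = re.search(r"/\*\*=([\w,\s]+)", live)
    return re.findall(r"\w+", m.group(1)) if m else []

def chain_order_ok(spring_xml):
    """Step 7: securityContextHolderAwareRequestFilter follows anonymousProcessingFilter."""
    chain = active_chain(spring_xml)
    a, b = "anonymousProcessingFilter", "securityContextHolderAwareRequestFilter"
    return a in chain and b in chain and chain.index(a) < chain.index(b)

def preauth_provider_first(spring_xml):
    """Step 8: preAuthAuthenticationProvider leads the providers list."""
    beans = [b for b in _named(ET.fromstring(spring_xml), "bean")
             if b.get("id") == "authenticationManager"]
    refs = [r.get("bean") for b in beans for r in _named(b, "ref")]
    return refs[:1] == ["preAuthAuthenticationProvider"]

if __name__ == "__main__":
    print(ajp_delegates_auth(SERVER_XML), chain_order_ok(SPRING_XML),
          preauth_provider_first(SPRING_XML))
```

To check a deployment, pass the text of the real server.xml and applicationContext-spring-security.xml to these functions. Because tomcatAuthentication="false" makes Tomcat accept the user identity that IIS forwards over AJP, the AJP port should be reachable only from the IIS host.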
