Active Directory integration features
Marketing Platform integration with Windows™ Active Directory provides the features described in this section.
Authentication with Active Directory integration
HCL® Marketing Software applications query Marketing Platform for user authorization information.
- Previous versions of Marketing Platform supported
NTLMv1 based Microsoft Windows Integrated login. With the arrival of Microsoft Windows 2008 Server
and Microsoft Windows 7, the default minimum standard has changed and requires the NTLMv2 protocol.
NTLMv2 is not natively supported by Marketing Platform.
However, you can configure NTLMv2 authentication, so that users are authenticated to all HCL Marketing Software applications when they log in to the corporate network, and no password is required to log in to HCL Marketing Software applications. User authentication is based on their Windows login, bypassing the applications' login screens.
To configure NTLMv2 authentication, you perform the steps described in this chapter, plus some additional configuration as described in the following developerWorks article:
This article provides details on how to implement NTLMv2 authentication using Microsoft Internet Information Services (IIS), an application server plug-in for Microsoft Internet Information Services, and a URL re-writer such as ISAPI Rewrite Lite Edition.
- If NTLMv2 authentication is not enabled, users must still log in on the HCL Marketing Software login screen, using their Windows credentials.
Managing internal and external users
When NTLMv2 authentication is enabled, all users are created and maintained in the Active Directory server. (You do not have the option of creating some users in Marketing Platform, which are known as internal users in this guide). If you require the ability to create internal users, do not enable NTLMv2 authentication.
When integration is configured, you cannot add, modify, or delete the imported user accounts in Marketing Platform. You must perform these management tasks on the LDAP side, and your changes are imported when synchronization occurs. If you modify imported user accounts in Marketing Platform, users may encounter problems with authentication.
Any user accounts you delete on the LDAP side are not deleted from Marketing Platform. You should disable these accounts manually in Marketing Platform. It is safer to disable these deleted user accounts rather than deleting them, because users have folder ownership privileges in Campaign, and if you delete a user account that owns a folder, objects in that folder will no longer be available.
Synchronization
When HCL Marketing Software is configured to integrate with an Active Directory server, users and groups are synchronized automatically at pre-defined intervals.
Automatic synchronization has limited functionality.
- Automatic synchronization updates user attributes only. Because group membership changes such as adding, removing, or changing members in a group require administrator oversight, import of these changes is confined to the manual synchronization process by default.
- Users deleted from the LDAP server are not deleted during automatic synchronization.
You can force a full synchronization of all users and groups by using the Synchronize function in the Users area of HCL Marketing Software. Alternatively, you can contact HCL® Services to request that they set a hidden configuration property that causes the automatic synchronization to perform a full synchronization.
Importing users based on groups or attributes
You can choose one of two types of filtering to select the user accounts that are imported from the LDAP server into Marketing Platform.
You must choose between group based or attribute based import; multiple methods are not supported simultaneously.
Group based import
Marketing Platform imports groups and their users from the directory server database through a periodic synchronization task that automatically retrieves information from the directory server. When Marketing Platform imports users and groups from the server database, group memberships are not changed. To pick up these changes, you must perform a manual synchronization.
You can assign HCL Marketing Software privileges by mapping an Active Directory group to an HCL Marketing Software group. This mapping allows any new users added to the mapped Active Directory group to assume the privileges set for the corresponding HCL Marketing Software group.
A subgroup in Marketing Platform does not inherit the Active Directory mappings or user memberships assigned to its parents.
Details for configuring group based import are provided in the remainder of this chapter.
Attribute based import
If you do not want to create groups in your Active Directory server that are specific to HCL Marketing Software products, you have the option to control the users who are imported by specifying attributes. To achieve this, you would do the following during the configuration process.
- Determine the string used in your Active Directory server for the attribute on which you want to filter.
- Set the HCL Marketing Platform | Security | LDAP synchronization | LDAP user
reference attribute name property to DN.
This indicates to Marketing Platform that the synchronization is not based on a group with member references but is based on an Org Unit or an Org.
- When you configure the LDAP reference map property, set the Filter portion of the value to the attribute on which you want to search. For the Filter, use the string you determined in step 1.
When you use attribute based synchronization, the periodic synchronization is always a full synchronization, instead of a partial synchronization, which is done for group based synchronization. For attribute based synchronization, you should set the LDAP sync interval property to a high value, or set it to 0 to turn off automatic synchronization and rely on manual full synchronization when users are added to the directory.
Follow the instructions provided in the remainder of this chapter to configure integration, using the instructions above in the steps where you set configuration properties.
About Active Directory and partitions
In multi-partition environments, user partition membership is determined by the group to which the user belongs, when that group is assigned to a partition. A user can belong to only one partition. Therefore, if a user is a member of more than one Active Directory group, and these groups are mapped to HCL Marketing Software groups that are assigned to different partitions, the system must choose a single partition for that user.
You should try to avoid this situation. However, if it occurs, the partition of the HCL Marketing Software group most recently mapped to an Active Directory group is the one that the user belongs to. To determine which Active Directory group was most recently mapped, look at the LDAP group mappings displayed in the Configuration area. They are displayed in chronological order, with the most recent mapping listed last.
Special characters in login names
Only three special characters are allowed in login names: dot (.), underscore ( _ ), and hyphen (-). If any other special characters (including spaces) are present in the login name of a user you plan to import into Marketing Platform from your Active Directory server, you must change the login name so that the user does not encounter issues when logging out or performing administrative tasks (if the user has administration privileges).