
CE10 - Windows AD security not available?

Status
Not open for further replies.

JennL

Programmer
Sep 11, 2003
31
US
I thought I was logged in as a local administrator when installing CE10 Pro, but the Windows AD plug-in was not enabled by default. In the CMC I get the error:

"The secWinAD security plugin is not available. Please contact your system administrator for details"

I found how to download/install the 8.5 and 9 versions of secWindowsNT.dll. Anyone know if there's one specific for version 10? If so, where?

Thanks!
 
Hi, secWinNT is not the same as secWinAD.

Try modifying your CE10 to add the AD part. It should have been one of your choices when installing.

 
I ran through a "modify" install with CE and was not given the option to add the plug in. I made sure everything was installed and am still getting the error message. Where do I get the secWinAD.dll???
 
secWinAD.dll is installed by default. You can't "not" install it. Check the Authorization tab on the CMC to make sure you have AD enabled.
 
Thought I'd write back with the solution. The DLLs were there but for some reason they didn't register. I registered them and was able to get at the AD security tab - then import the applicable AD group.

Unfortunately this did not resolve the original issue. As long as a user authenticates they can see whatever RPT they want, even if it's in a directory that explicitly denies them access (CE10 & CR10 both installed on server, type in the URL of an RPT).



 
Hi,
If you Publish the report then users can be blocked from accessing it. In the folder where it is published, set the rights to exclude everyone but those you want to see it.

No one but CE itself should have direct file system access to the underlying .rpt files. Everything should go through a CMS authentication step.

 
Unfortunately CE/ePortfolio isn't robust enough to handle our currently deployed CR web. We have a third party that dynamically sets and passes parameters at login - Business Objects came up with Excel spreadsheet parameters tied to a business view as a workaround, but that source couldn't be used to generate ASP pages (our current 3rd party solution does). Plus the scheduler can't handle the 100+ reports we generate with saved data off hours using a third party batcher. BO said I should schedule each report separately (there's 10 reports times 12 sales reps). So, instead of having 1 batch file scheduled to run all the jobs sequentially I would have to manually set up all 120 jobs and try to schedule them in increments manually so they don't trip over each other.

I can type in a URL to an RPT file and have the viewer open the report - so somehow CE is not the only direct file system access point to the rpts...

 
Hi, yes, that is called (in most CE docs) an unmanaged report and is still supported - but unless you set the file system access rights correctly, anyone who can find the directory can run the report (assumes CR and database access).

 
I have the file system rights set correctly (even had an independent security audit on it).

Situation:
/intranet/secure_sales/order.rpt
supplier group DENIED access to secure_sales folder and inherited rights verified. Put the rpt in a URL, get a Windows login. Log in as a supplier and you're able to view the report.

The only way not to be able to view the report is if the System account is removed from the rights - which means no one can view it. According to the audit:

"Therefore, although it looks like the filename.RPT is being accessed directly as a file in IIS, in reality it is being processed by Crystal services and dynamically generated into HTML and sent to the IE web browser of any domain user account – regardless of security group membership. Therefore, it is the conclusion of this investigation that Windows 2000 NTFS permissions and IIS are set up correctly, however, their control over the file is lost as Crystal retranslates the file."
 
Hi,
Upon reflection, that makes sense. The account that the Crystal Services (especially pageserver) run under is the 'actual' account used to retrieve the file.
It does not look like you can restrict users who know what URL to use from running those reports, since the CE services obviously need access to function.
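
The behaviour the audit and the reply above describe, modelled as an added example (not part of the original thread and not Crystal Enterprise code). The user and group names and the CMS rights table are constructed, and the report service is assumed to run as SYSTEM, as the poster's description suggests.

```python
from dataclasses import dataclass

# Constructed model of the setup described in the thread. Group, user and
# account names are placeholders, not values from a real CE10 install.
READ = "read"

@dataclass(frozen=True)
class Ace:
    principal: str   # user or group name
    allow: bool      # False means an explicit deny
    right: str = READ

def ntfs_allows(acl, user, groups, right=READ):
    """Windows-style evaluation: a matching explicit deny wins, then allow."""
    principals = {user, *groups}
    matching = [a for a in acl if a.principal in principals and a.right == right]
    if any(not a.allow for a in matching):
        return False
    return any(a.allow for a in matching)

# ACL on /intranet/secure_sales as the poster describes it.
FOLDER_ACL = [
    Ace("SYSTEM", True),       # assumed account of the report services
    Ace("sales", True),
    Ace("suppliers", False),   # explicit deny for the supplier group
]
GROUPS = {"alice": {"sales"}, "bob": {"suppliers"}}

def direct_file_read(user):
    """User opens the .rpt as a file: their own token is checked."""
    return ntfs_allows(FOLDER_ACL, user, GROUPS[user])

def unmanaged_report_view(user):
    """User requests the .rpt URL: the web server authenticates them, then
    the report service opens the file under its own account. The caller's
    groups are never evaluated against the folder ACL."""
    authenticated = user in GROUPS
    return authenticated and ntfs_allows(FOLDER_ACL, "SYSTEM", set())

# Rights on the folder the report is published to inside the CMS (the managed
# path suggested earlier in the thread), checked for the requesting user
# before the service reads the file.
CMS_FOLDER_RIGHTS = {"sales"}

def managed_report_view(user):
    authorized = bool(GROUPS.get(user, set()) & CMS_FOLDER_RIGHTS)
    return authorized and ntfs_allows(FOLDER_ACL, "SYSTEM", set())
```

The deny entry only takes effect on paths where the requesting user's identity is the one being checked, which is why the authorization decision has to be made by the component that still knows who the caller is.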

 
How did you register the DLL as I have the same problem that you had with the DLL?
 
Assuming you took the default install directory, run:

regsvr32 "C:\Program Files\Crystal Decisions\Enterprise 10\win32_x86\plugins\auth\secWinAD\secWinAD.dll"

You'll also have to sign into the Admin CMC via Enterprise and enable Windows AD authentication under Manage - Authentication.
 