Local authentication using NTLM

Jan 23, 2018

This is definitely not our best-kept secret, though you would think so given how few schools use it.

Every school should be using Local Authentication – it makes access for staff so much easier.  Bypass the login screen forever!

What is Local Authentication?

Local Authentication is authenticating the user within your school environment and then redirecting them to the Sobs website.

Does it compromise our school security?

Not at all.

Is it difficult to install and configure?

No.

Okay, tell me how it works

Instead of going to sobs.com.au the staff member clicks a link on your Intranet taking them to a web server within your school network, say http://sobsla.intranet/…

The web server behind this link, http://sobsla.intranet/…, uses NTLM to identify the username of the user (this is your regular network login name).  We then perform a ‘one-way’ encryption using the username and other data to create a very secure key.  We then send back an HTTP redirect to the staff member, so their web browser is automatically redirected to the http://sobs.com.au site along with this secure key.

At http://sobs.com.au the secure key is checked against your staff list and a match is found.  The user is automatically authenticated and redirected to the initial page of the Sobs application.
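The exchange described above, as an added sketch that is not Sobs's own code. The page does not publish the algorithm, so HMAC-SHA256, the timestamp as the "other data", the 120-second window, and every function name and sample value here are assumptions.

```python
import hashlib
import hmac
import time

MAX_AGE = 120                          # assumed validity window, in seconds
PASSWORD = "Constructed-Shared-Pw-1"   # constructed 'Local Authentication Password'
STAFF = ["jsmith", "mbrown"]           # constructed staff list held by the site

def _mac(user, ts, password):
    # Assumed construction: HMAC-SHA256 over "username|timestamp".
    msg = f"{user}|{ts}".encode()
    return hmac.new(password.encode(), msg, hashlib.sha256).hexdigest()

def make_key(remote_user, password, now=None):
    """Intranet side: build (timestamp, key) for the redirect."""
    # NTLM reports DOMAIN\username; only the login name is used.
    user = remote_user.rsplit("\\", 1)[-1]
    ts = str(int(time.time() if now is None else now))
    return ts, _mac(user, ts, password)

def find_staff(ts, key, staff, password, now=None):
    """Site side: return the staff username the key matches, else None."""
    now = time.time() if now is None else now
    if not (ts.isascii() and ts.isdigit()) or abs(now - int(ts)) > MAX_AGE:
        return None                    # malformed or stale: a replayed link fails
    match = None
    for user in staff:                 # exact, case-sensitive comparison
        expected = _mac(user, ts, password).encode()
        if hmac.compare_digest(expected, key.encode()):
            match = user
    return match

if __name__ == "__main__":
    ts, key = make_key("SOC\\jsmith", PASSWORD)
    print(find_staff(ts, key, STAFF, PASSWORD))
```

The key only verifies if both sides hold the same password and the login name matches the stored username exactly, which is why a case difference or a mistyped INI password results in no match.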

How do I install this option?

  1. Go to your ‘School Settings’ page, the Authentication tab, and click the ‘Edit’ button (top right)
  2. Check the option for ‘Local Authentication’
  3. Enter a ‘Local Authentication Password’ – this can be any collection of alphanumeric characters.  You will be asked to put this same password in the INI file when you install the option locally
  4. If you are using ‘Local Authentication’ with an in-house installation of Sobs you need to specify your local domain name (the part that would appear before the login name, eg “THISBIT\username”).  For schools using the hosted option (your data at sobs.com.au), the domain is not required
  5. Click the ‘Save’ button to save these changes
  6. When the page is redisplayed you will see a ‘Download file’ option just below the local values.  Click this link to download the file and save it locally
  7. Extract the file ‘sobslocalauth.doc’ from this download – this contains the remaining instructions to configure your local authentication
  8. If you have any problems please call me and I will do everything I can to help

Are there any pre-requisites?

The included program is for a Microsoft Windows-based computer, and your web server needs to support NTLM authentication.  NTLM is built in to the Microsoft range of web servers and is available as an add-on module for Apache.

What do I do if it doesn’t work?

We have included two versions of the program in the file, one with logging turned on and one without.  Try running the program with the logging turned on and it will generate a log file with (hopefully) helpful information.

Ensure your network login name is the same as the username stored in Sobs.  The comparison made with Local Authentication is case sensitive, so your Sobs username must match exactly the network login name.

Installing Local Authentication for EQ schools

[A big thanks to Steven Gehle – Ormeau Woods SHS – for supplying these.  Please let me know if you find any mistakes so that we can correct them.]

Create application folder for SOBS

  1. In ZTP, click File and Folder Services
  2. Click File and Folder Creation
  3. Select your District and School Within District
  4. Select the server you wish to create the SOBS application folder on – we used a member server to avoid any incompatibilities
  5. Click Application for Folder Type
  6. Type SOBS in the text field below Folder Type
  7. Click No for Should this folder inherit permissions
  8. Click No to Share this folder
  9. Click No to Do additional GGs need to be created for this folder
  10. Click Next
  11. Tick I agree to the Terms and Conditions and click Submit Request
  12. Wait until you receive the ZTP Success Notification for the ZTP request before proceeding

Assign staff group to application group

  1. In ZTP, click Group Services
  2. Click Group membership
  3. Select your District and School Within District
  4. Click Groups for Select Object Type to Add
  5. Click School for Query School DC or Core DC (to allow for any delay in replication)
  6. Find and tick xxxxGG_UsrStaff in Groups To Add (xxxx is your school code)
  7. Find and tick xxxxGG_App_SOBS_R in Groups To Populate (to allow all site staff read access to the application folder)
  8. Tick I agree to the Terms and Conditions and click Submit Request

Assign OC group to application group

  1. In ZTP, click Group Services
  2. Click Group membership
  3. Select your District and School Within District
  4. Click Groups for Select Object Type to Add
  5. Click School for Query School DC or Core DC (to allow for any delay in replication)
  6. Find and tick xxxxGG_OrangeCard in Groups To Add (xxxx is your school code)
  7. Find and tick xxxxGG_App_SOBS_C in Groups To Populate (to allow all site OC users change access to the application folder)
  8. Tick I agree to the Terms and Conditions and click Submit Request

Configure SOBS

  1. Ensure you are logged into SOBS at your school with School administrator access
  2. Click Configuration: School Settings
  3. Click the Authentication tab
  4. Click the Edit button at top right
  5. Tick the Local Authentication box
  6. Populate the Local auth password box with a strong password
  7. Enter your region three-character code in Local domain (eg SOC)
  8. Click Save
  9. Click the Download file link and save the file to D: on your workstation
  10. Extract the contents to a folder on D:
  11. Copy the sobslocalauth.exe and sobslocalauth.ini file that you extracted to the application folder on the server you chose in the previous steps
  12. Edit and save sobslocalauth.ini so the password you entered in step 6 matches and immediately follows PASSWORD=, with no spaces

Configure IIS

  1. Log on to the server you chose in Create application folder for SOBS step 4 as an OC user
  2. Click Start > Administrative Tools > Internet Information Services (IIS) Manager
  3. Double click on EQxxxyyyyzzz (local computer)
  4. Double click on Web Sites
  5. Right click Default Web Site, select New then click Virtual Directory…
  6. Click Next
  7. Type sobs for the Alias and click Next
  8. Click Browse and select the application folder you created (eg D:\xxxx_DATA\Applications\SOBS) and click Next
  9. Tick the Read and Execute boxes, click Next then click Finish
  10. Close Internet Information Services (IIS) Manager

Create user shortcut

  1. Navigate to a location where you would like to create the SOBS shortcut eg G:\Coredata\Common\Facilities
  2. Right click in a free area, select New then Shortcut
  3. Paste the following for Type the location of the item, including the quotes: "C:\Program Files\Internet Explorer\iexplore.exe" "http://eqxxxyyyyzzz/sobs/sobslocalauth.exe"
  4. Type SOBS for Type a name for this shortcut and click Finish
  5. Right click the SOBS shortcut and click Properties
  6. Select Maximized in the drop down menu for Run then click OK