Guidance for technical staff assisting with the implementation of the TeamMate Suite Software
December 2010
Table of Contents
Introduction
  Prerequisites
    Related Documents
    Required Tasks
  Configuration Options
Web Server Configuration
  Configuration Changes between R8 and R9
  Load Balancing
  Authentication
    Types of Authentication
    How to change authentication
    Windows Authentication Setup
    LDAP Authentication Setup
  Database Connection
  Internet Information Services (IIS)
    IIS 6 and IIS 7 Differences
  Application Configurations
    TeamCentral
    TeamRisk
    TeamSchedule
    TEC
    Portal
    Unattended Console
    TeamMate Services
  Secure Socket Layer (SSL)
  Multiple Virtual Directories
Services Configuration
  Type of Services
  IIS Configuration
  Windows Service Configuration
    Port
    Startup Options
  Service Configuration Options
    Configuring Service Cache Location
    Load Balancing (Web Farm) with Services
    Services with External Work Papers Storage
    Services with Multiple Host Headers
  Configuring Services with Service Configuration Tool
Client Configuration
  Database Connection
    Centralized Model
    Distributed Model
  Service Configuration
    Connection to a Global (Centralized) Database
    Connection to a local file share
  Data Execution Prevention (DEP)
  Client Applications on Server Operating Systems
  Other Configuration
    TeamMate Registration File (tmreg.ini)
    TeamMate Project Conversion File (conversion.tml)
  Applications
    Setup Administrative User
    Database Connections
Using the TeamMate Software with a Terminal Server
  Microsoft Terminal Server
  Citrix Presentation Server
    Considerations
  Resetting Profiles
  Security
  Other Considerations
Appendix A: Configuration Check List
Appendix B: Using the Unattended Console
  SMTP Server Configuration
  Unattended Console Configuration
    Modify the Application Configuration File
    Running the console for the first time
    Setting up a scheduled Task
    Configuration Options
Appendix C: Load Balancing
  Persistent
  Non-Persistent
Appendix D: Windows Authentication
  Client
  Web Server
Appendix E: LDAP Authentication
Appendix F: TeamMate Registration File (tmreg.ini)
  Creating the Configuration File
    Create Manually
    Create from Existing Settings
  Specifying Numeric Values
  Specifying Special Folders
  Example tmreg.ini File
  Configuration File Sections
  Manually Applying the Configuration File
  Automatically Apply the Configuration File
Appendix G: EWP Project Conversion File (conversion.tml)
  Converting Existing Projects
  Converting Exception Tabs (R7 Projects Only)
  Implementing New Categories
  Implementing New Terminology Labels
  Implementing New Policies
  Sample conversion.tml File (XML Format)
Introduction
The intended audience for this document includes technical staff and TeamMate Champions. This document provides guidance to new and existing users of the TeamMate Suite software on setting up and configuring the TeamMate Suite. The steps in this document should only be carried out by trained IT professionals.
Required Tasks
Before continuing, the following items must be complete:
- Client Software installed (see TeamMate Installation Guide, Planning for R9 Guide, and the TeamMate Suite IT Overview)
- Web Server Software installed if using web applications (see TeamMate Installation Guide, Planning for R9 Guide, and the TeamMate Suite IT Overview)
- Tools installation (see the TeamMate Installation Guide)
- Database(s) setup and configured (see Planning for R9, TeamMate Suite IT Overview, and the TeamMate Database Guide for details)
- Local Administrative access to the web server and client machines
Configuration Options
Before continuing, be sure to consult the other related guides to determine the deployment scenario to set up. Appendix A: Configuration Check List contains the most common deployment scenarios at the highest level. Use the check list in conjunction with the sections in this document to complete the TeamMate Suite configuration.
1. Authentication type
   a. Moved from web.config to application root\authentication\current.config
   b. Specific to each application
2. Application Settings
   a. Moved from web.config to TeamCentral\Settings.config for all applications
   b. Single file to store application settings for all applications
   c. Includes, but is not limited to:
      - LDAP configuration
      - Portal Settings
      - Connection File (dbconnect.tmc) location
      - Attachment Exclusion list
      - Report Settings
Note: Configuration files from prior versions CANNOT be used.
Load Balancing
The TeamMate Web applications support load balancing. For more information see Appendix C: Load Balancing.
Authentication
The authentication models available include Forms, Windows, and LDAP. The authentication settings were relocated from the web.config file to the current.config file found in the Authentication folder in the root of the application. Example:
   \TeamCentral\Authentication\settings.config
Each application can use a different form of authentication, although it is recommended to use the same type of authentication for all applications.
Types of Authentication
Forms
Forms Authentication is the default authentication model set when the installation is complete, so no additional configuration is needed to use it. With this model, the entire authentication process occurs within the application. When the web application is accessed, a default form is presented to the user to enter the login credentials in the form of a username and password. After the credentials are validated against the TeamMate global database, the user is allowed to proceed only if the user has a valid role for the web application.
Windows (Integrated)
Windows Authentication authenticates a user based on the standard Windows login. When the user accesses the web application, the logged-in Windows account information is passed to the application for validation against the TeamMate global database. This process is automatic and does not require the user to enter any information into a form on the web page. If the user's Windows account information (ex: Domain\loginname) matches a login name in the database for this application, the user is allowed to continue into the web application (site). Note: Passwords are ignored for the Windows Authentication model.
LDAP
Lightweight Directory Access Protocol (LDAP) authentication is similar to the Forms authentication method in that the user must enter a username and password. Where LDAP differs is the authentication process. Once the user enters the login credentials, the information is passed from the web application to the LDAP server for validation. After the user is validated against LDAP, the login credentials are then validated against the TeamMate global database, and the user is allowed to proceed only if the user has a valid role for the web application.
1. Open the desired configuration file (forms.config, windows.config, ldap.config) with a text editor (Notepad)
2. Select File > Save As
3. Save the file as current.config, overwriting the existing file
4. Ensure the NTFS permissions are propagated to the file
5. IIS must be reset for the changes to take effect (run IISRESET from the command line)
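The five steps above as a PowerShell script, added here as an example and not part of the CCH guide: it copies the chosen template over current.config for each web application, makes sure the new file inherits the folder's NTFS permissions (step 4) and restarts IIS (step 5). The wwwroot path and the list of application folders are assumptions.

```powershell
# Added example, not part of the CCH guide: selects the authentication model for
# each TeamMate web application by copying the chosen template over current.config.
# The wwwroot path and the application folder list are assumptions.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('forms', 'windows', 'ldap')]
    [string]$Mode,

    [string]$WebRoot = 'C:\inetpub\wwwroot',

    # Assumed: each application folder has its own Authentication folder.
    [string[]]$Applications = @('TeamCentral', 'TeamRisk', 'TeamSchedule', 'TEC')
)

$changed = 0
foreach ($app in $Applications) {
    $authDir = Join-Path $WebRoot "$app\Authentication"
    $source  = Join-Path $authDir "$Mode.config"
    $target  = Join-Path $authDir 'current.config'

    if (-not (Test-Path -Path $source -PathType Leaf)) {
        Write-Warning "$source not found; $app left unchanged"
        continue
    }

    # Keep the previous model so the change can be rolled back.
    if (Test-Path -Path $target -PathType Leaf) {
        Copy-Item -Path $target -Destination "$target.bak" -Force
    }
    Copy-Item -Path $source -Destination $target -Force

    # Step 4: current.config must take its NTFS permissions from the folder.
    # Re-enable inheritance and drop any explicit ACEs the copy may carry.
    $acl = Get-Acl -Path $target
    $acl.SetAccessRuleProtection($false, $true)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    Set-Acl -Path $target -AclObject $acl

    Write-Host "$app now uses $Mode authentication"
    $changed++
}

# Step 5: IIS only reads the new current.config after a reset.
if ($changed -gt 0) { iisreset }
```

Run it from an elevated prompt on the web server, e.g. `.\Set-TeamMateAuth.ps1 -Mode windows`.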
Database Connection
The connection to the TeamMate Global Database can be found in the settings.config file in the root of the TeamCentral directory. By default the connection file is located at \Program Files\TeamMate\Connect\dbconnect.tmc. If installing to a non-default location, this setting must be modified to point to the new tmc file location.
1. Open the Settings.config file with a text editor (Notepad)
2. Modify the following line to point to the connection file location:
   <add key="TmcPath" value="C:\Program Files\TeamMate\Connect\dbconnect.tmc" />
3. Save the file
4. IIS must be reset for the changes to take effect (run IISRESET from the command line)
Application Configurations
As noted above all settings specific to the web applications are now located in the Settings.config configuration file located in the TeamCentral application directory (\wwwroot\TeamCentral\Settings.config).
TeamCentral
No customizable settings exist at this time.
TeamRisk
No customizable settings exist at this time.
TeamSchedule
No customizable settings exist at this time.
TEC
No customizable settings exist at this time.
Portal
The Portal contains a link to each application. These links (Icons) can be hidden from view by changing the value to false in the settings file for the desired application. Each application also has a link back to the portal homepage. This can be modified with the ShowPortalLink setting. The links to each of the main applications (TEC, TeamSchedule, and TeamRisk) can also be pointed to a different URL. These can reside on a different server.
Unattended Console
The settings for the unattended console are located in the TeamMate.UnattendedConsole.exe.config file. This file is installed to C:\Program Files\TeamMate\bin by default. See Appendix B: Using the Unattended Console for details.
TeamMate Services
See Services Configuration for setting up services.
IIS Configuration
When using the TeamMate Services with IIS the web.config file must be modified to point to the TMC location. This file is located in the directory root for TeamMateServices (\wwwroot\TeamMateServices\web.config). Once the configuration is complete, reset IIS to implement the changes. See the Service Configuration Options section for details and additional configuration options.
Port
By default the service is set to listen on port 6000. This can be modified, but the port must then be changed for all base addresses in the application configuration file. The example below shows the base address for the Integration Service:
   <add baseAddress="http://localhost:6000/IntegrationService"/>
Once the configuration file is changed, restart the service for the changes to take effect. Be sure to change the service.config file created to point to the new port number.
Startup Options
It is recommended that the Windows services have the Startup option set to Automatic.
the file share. When using IIS the domain account must have the same privileges on the NTFS folder structure that the original account had. Normally this is the Network Services account. These permissions can be set at the root of the TeamMateServices directory and propagated down.
3. For each service node listed below make the following changes
   Services:
   - TeamMate.Services.Utilities.UtilitiesService
   - TeamMate.Services.Transport.TransportService
   - TeamMate.Services.Replication.ReplicationService
   - TeamMate.Services.Integration.IntegrationService
The example below demonstrates changing the Utilities service to support 2 host headers where teammate1 is the first header and teammate2 is an additional host header. For each header 2 additional endpoint nodes must be added. Note: The address for the first node must be changed to a fully qualified name. Before:
<service name="TeamMate.Services.Utilities.UtilitiesService" behaviorConfiguration="behaviorDefault">
  <host>
    <baseAddresses>
      <add baseAddress="Utilities.svc" />
    </baseAddresses>
  </host>
  <endpoint contract="IMetadataExchange" binding="mexHttpBinding" address="mex" />
  <endpoint contract="TeamMate.Services.Utilities.IUtilitiesService" binding="wsHttpBinding" bindingConfiguration="MtomSecurityNone" />
</service>
After:
<service name="TeamMate.Services.Utilities.UtilitiesService" behaviorConfiguration="behaviorDefault">
  <host>
    <baseAddresses>
      <add baseAddress="Utilities.svc" />
    </baseAddresses>
  </host>
  <endpoint address="http://teammate1/TeamMateServices/Utilities.svc/mex" contract="IMetadataExchange" binding="mexHttpBinding" />
  <endpoint address="http://teammate2/TeamMateServices/Utilities.svc/mex" contract="IMetadataExchange" binding="mexHttpBinding" />
  <endpoint address="http://teammate1/TeamMateServices/Utilities.svc" contract="TeamMate.Services.Utilities.IUtilitiesService" binding="wsHttpBinding" bindingConfiguration="MtomSecurityNone" />
  <endpoint address="http://teammate2/TeamMateServices/Utilities.svc" contract="TeamMate.Services.Utilities.IUtilitiesService" binding="wsHttpBinding" bindingConfiguration="MtomSecurityNone" />
</service>
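The Before/After edit shown for the Utilities service has to be repeated for all four service nodes, so the following PowerShell script, added here as an example and not part of the CCH guide, applies it to every node in one pass: it reads the relative base address of each service, removes the two original endpoints and emits one mex endpoint and one service endpoint per host header, each with a fully qualified address. The web.config path, the TeamMateServices virtual directory name and the host header names are assumptions.

```powershell
# Added example, not part of the CCH guide: expands each TeamMate service node in
# web.config to one mex + one service endpoint per host header, following the
# Before/After pattern in the guide. Paths and header names are assumptions.
param(
    [string]$WebConfig = 'C:\inetpub\wwwroot\TeamMateServices\web.config',
    [string]$VirtualDirectory = 'TeamMateServices',
    [string[]]$HostHeaders = @('teammate1', 'teammate2')
)

# The four service nodes listed in the guide.
$serviceNames = @(
    'TeamMate.Services.Utilities.UtilitiesService',
    'TeamMate.Services.Transport.TransportService',
    'TeamMate.Services.Replication.ReplicationService',
    'TeamMate.Services.Integration.IntegrationService'
)

# Keep a copy of the live configuration before touching it.
Copy-Item -Path $WebConfig -Destination "$WebConfig.bak" -Force
[xml]$xml = Get-Content -Path $WebConfig -Raw

foreach ($name in $serviceNames) {
    $svc = $xml.SelectSingleNode("/configuration/system.serviceModel/services/service[@name='$name']")
    if ($null -eq $svc) { Write-Warning "service node '$name' not found, skipping"; continue }

    # The relative base address (e.g. Utilities.svc) becomes the path segment
    # of every fully qualified endpoint address.
    $svcFile = $svc.SelectSingleNode('host/baseAddresses/add').GetAttribute('baseAddress')

    # Remember the original contract/binding settings, then drop the old endpoints.
    $oldMex = $svc.SelectSingleNode("endpoint[@contract='IMetadataExchange']")
    $oldSvc = $svc.SelectSingleNode("endpoint[@contract!='IMetadataExchange']")
    if ($null -eq $oldMex -or $null -eq $oldSvc) {
        Write-Warning "'$name' lacks the expected endpoints, skipping"
        continue
    }
    foreach ($ep in @($svc.SelectNodes('endpoint'))) { [void]$svc.RemoveChild($ep) }

    foreach ($header in $HostHeaders) {
        $base = "http://$header/$VirtualDirectory/$svcFile"

        # Metadata exchange endpoint for this host header.
        $mex = $xml.CreateElement('endpoint')
        $mex.SetAttribute('address', "$base/mex")
        $mex.SetAttribute('contract', 'IMetadataExchange')
        $mex.SetAttribute('binding', $oldMex.GetAttribute('binding'))
        [void]$svc.AppendChild($mex)

        # Service endpoint for this host header, keeping the original binding settings.
        $ep = $xml.CreateElement('endpoint')
        $ep.SetAttribute('address', $base)
        $ep.SetAttribute('contract', $oldSvc.GetAttribute('contract'))
        $ep.SetAttribute('binding', $oldSvc.GetAttribute('binding'))
        $ep.SetAttribute('bindingConfiguration', $oldSvc.GetAttribute('bindingConfiguration'))
        [void]$svc.AppendChild($ep)
    }
}

$xml.Save($WebConfig)
```

Pass the fully qualified names in -HostHeaders, as the guide requires for the first node, and reset IIS afterwards so the new endpoints are read.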
7. Enter the URL for the service location and click Next
URL for service:
   IIS:     http://ServerNameOrIPAddress/TeamMateServices
   Windows: http://ServerNameOrIPAddress:6000
CCH TeamMate Suite Configuration Guide
9. Click Test to confirm the configuration is working
10. Click Save to save the configuration to the file
11. Click Cancel to exit or Next to create another entry
Centralized Model
EWP connects to the centralized (global) database directly and EWP projects are stored inside the database. The connection is made via the connection file (dbconnect.tmc).
Distributed Model
EWP connects to local, independent Access databases stored on a file system (local hard drive or file share) for working with EWP projects. To send and receive data from the other applications, a get / send approach is used via services and/or a connection file which connects to a centralized database (see above).
Service Configuration
The service configuration should be set up using the instructions found in the Services Configuration section. Once the service.config file has been created, copy it to the following folder for the user: \Documents\TeamMate\connect. To change the location of the service configuration, change the path in the following registry key and restart the application:
   HKEY_LOCAL_MACHINE\SOFTWARE\CCH\TeamMate\ServiceConfigPath
If the key does not exist then create it.
1. Open Registry Editor
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\CCH\TeamMate
3. Right click and select New > String Value
4. Enter the path to the folder containing the service configuration file. Do not put the full path to the file. Example:
Once the service configuration file is in place, EWP needs to be configured for the connection to the database.
1. Launch EWP
2. In the TeamMate Explorer window, right click on one of the existing tabs and select Insert Location Tab
3. Give the tab a Location Name (ex: My Database)
4. Under Database Location select Distributed (File Share or Off-Line Replica)
5. Choose a folder location on the file system
6. Change the Service Location to the location from the service.config file (Note: there can be multiple locations)
7. Click OK to save the new tab
8. When opening the tab in EWP a list of projects will appear. If the directory is empty then no projects will show in the list
Other Configuration
TeamMate Registration File (tmreg.ini)
The tmreg.ini file is used to set EWP preferences at the client level. For more information on using this file, see Appendix F: EWP Registration File (tmreg.ini).
Applications
Setup Administrative User
Once the client configuration has been completed, the process of using the software can begin. The initial login for a new database will be with the TMChampion account. This user can only access TeamAdmin. Use the following instructions to set up an additional administrative account to access other applications in the suite.
1. Launch TeamAdmin
2. In the Open Database form select Manage
3. Browse for the connection file if not already populated (default location is \Documents\TeamMate\Connect\dbconnect.tmc)
4. Select the connection file and click OK
5. Choose a connection from the Open Database menu
6. Login with tmchampion as the username and champion as the password
7. Change the password when prompted
8. Under User Management select Create New User
9. Create a new user following the prompts in the wizard
10. On the application roles screen give the user administrative access to all applications
11. Save the user
At this point the user should be able to login to any application.
Database Connections
The steps for opening a database are the same for all client applications (except EWP, which was described previously). After launching the application:
1. In the Open Database form select Manage
2. Browse for the connection file if not already populated (default location is \Documents\TeamMate\Connect\dbconnect.tmc)
3. Select the connection file and click OK
4. Choose a connection from the Open Database menu
Considerations
Temporary File Locations (Temp Files): the temp files location should be set to a location on the Citrix server. Most often the C:\ drive in a Citrix session points back to the client's local machine. If the temporary files directory for EWP points to this location, performance will be reduced significantly.
Bit Depth: the bit depth can be reduced to assist performance over slower connections. Note that this reduces the overall quality of the interface.
Publish the individual applications in lieu of the launch pad. This will reduce memory usage across multiple users and help control application usage.
Resetting Profiles
When using terminal servers the option to reset user profiles is popular. While this locks down the environment and ensures that the user has the same settings each time they enter the application this can cause other issues. Some of the settings for the applications are profile based, which when reset at each logoff, force the user to make certain changes every time they log in. This can also reset any fixes that may be applied by the user. The recommendation here would be to have a default base profile and have users inherit from this profile every time they log in to the session. This would allow changes made to the base profile to be propagated to the users the next time they log in.
Security
Security for terminal servers lies with the end user. The connection between the client and the terminal server should be encrypted when used over a Wide Area Network (WAN).
Other Considerations
Windows Presentation Foundation (WPF): any inconsistencies with EWP and the Risks and Controls viewer can be addressed by modifying the hardware acceleration settings for the session. This is a known limitation with WPF and terminal service sessions / virtualization.
Prerequisites Met
- Client Software Installed
- Server Software Installed (optional)
- Tools Installed
- Database(s) setup and configured (includes EWP Projects and Templates)
- Local Administrative Access to Web Server and Client Machines
Determine Options (Critical)
- WorkPaper Storage Location (Inside / Outside Database)
- Determine Configuration Option
Centralized Configuration (EWP Projects in Global Database - Using all applications) - Recommended
Web Server
  1. Setup Authentication
  2. Set Database Connection(s) (connection file location)
  3. Modify IIS Configuration (Application pools)
  4. Configure Web Settings (Settings.config)
  5. Configure TeamMateServices
Client
  1. Set Database Connection(s) (connection file location)
  2. Set Service Configuration (service configuration file)
  3. Configure EWP \ Tabs
  4. Setup Unattended Console SMTP Settings (TeamAdmin)
  5. Set up Launch Pad links
Centralized Configuration (EWP Projects in Global Database - no web applications - Using Windows Services)
Services
  1. Configure TeamMate Services as a Windows Service
Client
  1. Set Database Connection(s) (connection file location)
  2. Set Service Configuration (service configuration file)
  3. Configure EWP \ Tabs
  4. Setup Unattended Console SMTP Settings (TeamAdmin)
Decentralized Configuration (EWP Stand Alone Projects and Centralized Database for Other Applications Including Web Applications) Web Server 1 2 3 4 5 Setup Authentication Set Database Connection(s) (connection file location) Modify IIS Configuration (Application pools) Configure Web Settings (Settings.config) Configure TeamMateServices Client 1 2 3 4 5 Set Database Connection(s) (connection file location) Set Service Configuration (service configuration file) Configure EWP \ Tabs (Tabs pointing to file share / local disk) Setup Unattended Console SMTP Settings (TeamAdmin) Set up Launch Pad links
CCH TeamMate Suite Configuration Guide

Decentralized Configuration (EWP Stand Alone Projects and Centralized Database for Other Applications Excluding Web Applications - Using Windows Services)
Services
1 Configure TeamMate Services as a Windows Service
Client
1 Set Database Connection(s) (connection file location)
2 Configure EWP \ Tabs (Tabs pointing to file share / local disk)
Decentralized Configuration (EWP Stand Alone Projects and Centralized Database for Other Applications Excluding Web Applications - No Services)
Client
1 Set Database Connection(s) (connection file location)
2 Configure EWP \ Tabs (Tabs pointing to file share / local disk)

Decentralized Configuration (EWP Stand Alone Projects only - no centralized database or other applications used)
Client
1 Set Database Connection(s) (connection file location)
  Note: A local database (Access) will be required for storing templates to create projects from
2 Configure EWP \ Tabs (Tabs pointing to file share / local disk)
Configuration Options
The following tables provide information for configuring the scheduled tasks to be used with the UAC. The following command line switches are used in conjunction with the scheduled task.

Command Line Switch         Short form              Description
/TemplateID:<int>           /t:<Template ID>        Email Template Identifier; this parameter supports multiple values.
/ExecuteAll[+|-]            /all                    Execute all plugins. Default value: (not specified)
/TmcPath:<string>           /tmc:<TMC file path>    File path for the TMC config file. Default value: C:\Program Files\TeamMate\Connect\dbconnect.tmc
/PluginID:<int>             /p:<Plugin ID>          Plugin Identifier. Default value: 0
/ConnectionTitle:<string>   /c:<Connection Title>   TMC Connection Title. Default value: teammate
/?                                                  Help

The following table lists the available email plug-ins (PluginID) and their associated plug-in IDs.

Plugin ID   Description (Type of plugin)   Command Line Example
0           Run all plugins                TeamMate.UnattendedConsole.exe /p:0
1           Email Queue Resender           TeamMate.UnattendedConsole.exe /p:1
4           TeamRisk                       TeamMate.UnattendedConsole.exe /p:4
10          TeamMate Tec                   TeamMate.UnattendedConsole.exe /p:10
11          TeamCentral                    TeamMate.UnattendedConsole.exe /p:11
12          TeamSchedule                   TeamMate.UnattendedConsole.exe /p:12
The following table lists the available email templates (Template IDs) and the associated application.

Template ID   Description                                          Application
3             Timesheet Overdue                                    TeamMate Tec
4             Risk Assessment Invitation                           Team Risk
5             Risk Assessment Submission                           Team Risk
6             Risk Assessment Completion                           Team Risk
7             Time sheet Rejected                                  TeamMate Tec
8             Expense Sheet Rejected                               TeamMate Tec
9             Status Update Reminder                               TeamCentral
10            Status Update Submission                             TeamCentral
11            Implementation Reminder                              TeamCentral
12            Implementation Action Submission                     TeamCentral
13            New User Account Created (Team Central)              TeamCentral
14            Password Reset Notification                          TeamCentral
15            Comment Notification                                 TeamCentral
17            Recommendation Implementation Ready for Approval     TeamCentral
18            Recommendation Implementation Rejected               TeamCentral
19            Recommendation Reopened                              TeamCentral
20            Status Update Overdue                                TeamCentral
21            Recommendation Implementation Overdue                TeamCentral
23            Status Update submission with a date revision        TeamCentral
24            Assignments Changed                                  TeamSchedule
An example of a command line statement placed in the Run section of the Scheduled Task is shown below. This line runs all plugins (/p:0) and uses the connection title sql1 from the tmc file.

"C:\Program Files\TeamMate\bin\TeamMate.UnattendedConsole.exe" /p:0 /c:sql1

If the connection title has a space in the name then place the title in quotes as shown below.

"C:\Program Files\TeamMate\bin\TeamMate.UnattendedConsole.exe" /p:0 /c:"my sql1"
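The following Python helper is an added example, not part of the configuration guide or of TeamMate itself. It composes the Run-field command line from the switches in the table above, applies the quoting rule just stated for a connection title containing a space, and rejects plugin IDs that are not in the plugin table. The executable path is the one shown above; the connection titles and TMC path used in the usage below are constructed sample values.

```python
"""Compose the Unattended Console command line for a scheduled task's Run field.

Added example, not TeamMate's own code. It applies the rule stated above that
a connection title containing a space must be placed in quotes, and rejects
plugin IDs that are not in the plugin table. The executable path is the one
shown above; the connection titles and TMC path used here are constructed.
"""
UAC_EXE = r"C:\Program Files\TeamMate\bin\TeamMate.UnattendedConsole.exe"

# Plugin IDs from the plugin table above; anything else is rejected early.
PLUGIN_IDS = {0: "Run all plugins", 1: "Email Queue Resender", 4: "TeamRisk",
              10: "TeamMate Tec", 11: "TeamCentral", 12: "TeamSchedule"}


def quote_if_needed(value):
    """Quote a switch value that contains whitespace; embedded quotes are rejected."""
    if '"' in value:
        raise ValueError("double quotes inside a switch value are not supported")
    return '"%s"' % value if any(c.isspace() for c in value) else value


def build_command(plugin_id=0, connection_title="teammate", tmc_path=None):
    """Return the command string; the defaults match the switch table (/p:0, /c:teammate)."""
    if plugin_id not in PLUGIN_IDS:
        raise ValueError("plugin id %r is not in the plugin table" % (plugin_id,))
    parts = ['"%s"' % UAC_EXE, "/p:%d" % plugin_id, "/c:" + quote_if_needed(connection_title)]
    if tmc_path is not None:  # only needed when dbconnect.tmc is not at the default location
        parts.append("/tmc:" + quote_if_needed(tmc_path))
    return " ".join(parts)


if __name__ == "__main__":
    print(build_command(0, "sql1"))
    print(build_command(0, "my sql1"))
    print(build_command(11, "sql1", r"D:\TeamMate Config\dbconnect.tmc"))
```

The function always emits /p and /c explicitly so that the scheduled task does not depend on the defaults; /tmc is added only when a non-default TMC file location is supplied.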
Persistent
If a persistence based load balancing system is used the session state will be stored locally to each server as the user is directed back to the same server for the life of the session. In this scenario the application will need to be installed to each of the servers in the farm. All servers should be setup identically to avoid confusion to the users and ensure the applications function as expected. This includes database (DBconnect.tmc) and application(web.config) configuration files.
Non-Persistent
If a non-persistent load balancing system is used then the session state must be stored on a state server. A state server can be another physical server or a SQL Server database. This setup requires additional configuration beyond that of a persistent setup. The settings for the session state are located in the web.config file for each application. Open the web.config file and find the following section. Note that there will be more lines in this section than are shown here.

Default Configuration

<system.web>
  <sessionState mode="InProc" cookieless="false" timeout="30"/>
</system.web>

State Server Configuration

An example of a state server configuration is shown below:

<system.web>
  <sessionState mode="StateServer" stateConnectionString="tcpip=dataserver:42424" cookieless="false" timeout="30"/>
</system.web>

SQL Server Configuration

An example of a SQL Server configuration is shown below:

<system.web>
  <sessionState mode="SQLServer" sqlConnectionString="datasource=127.0.0.1;user id=<username>;password=<password>" cookieless="false" timeout="30"/>
</system.web>
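The script below is an added example, not part of the guide or of TeamMate. It parses the sessionState element of a web.config as shown in the three fragments above and reports the two things a farm operator needs to check before going live: an InProc mode behind a non-persistent load balancer (sessions are lost when the user lands on another server), and a SQLServer connection string carrying a plaintext password, which the SQL Server fragment above invites. The sample configurations are constructed; the function and variable names are this example's own. The remediation mentioned in the finding (integrated security, or encrypting the section with the ASP.NET aspnet_regiis.exe tool and its -pe option) is standard ASP.NET practice, not something the guide describes.

```python
"""Audit the <sessionState> element of a TeamMate web.config for a load-balanced farm.

Added example, not part of the configuration guide. It accepts either a full
web.config (root <configuration>) or just the <system.web> fragment shown in
the guide. Sample inputs below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed samples mirroring the three fragments shown above.
IN_PROC = ('<system.web><sessionState mode="InProc" cookieless="false" '
           'timeout="30"/></system.web>')
STATE_SERVER = ('<system.web><sessionState mode="StateServer" '
                'stateConnectionString="tcpip=dataserver:42424" cookieless="false" '
                'timeout="30"/></system.web>')
SQL_SERVER = ('<system.web><sessionState mode="SQLServer" '
              'sqlConnectionString="datasource=127.0.0.1;user id=appuser;password=Secret1" '
              'cookieless="false" timeout="30"/></system.web>')
SQL_SERVER_INTEGRATED = ('<configuration><system.web><sessionState mode="SQLServer" '
                         'sqlConnectionString="data source=sqlstate;Integrated Security=SSPI" '
                         'cookieless="false" timeout="30"/></system.web></configuration>')

# "password=" or "pwd=" at the start or after a ';' in a connection string.
PLAINTEXT_PASSWORD = re.compile(r"(?:^|;)\s*(?:password|pwd)\s*=", re.IGNORECASE)


def audit_session_state(config_xml, persistent_load_balancer):
    """Return a list of findings (strings); an empty list means nothing to fix."""
    root = ET.fromstring(config_xml)
    node = root if root.tag == "sessionState" else root.find(".//sessionState")
    if node is None:
        # ASP.NET falls back to InProc when the element is absent.
        return ["no <sessionState> element: ASP.NET defaults to InProc, which only "
                "works with a persistent load balancer"]
    findings = []
    mode = node.get("mode", "InProc")
    if mode == "InProc" and not persistent_load_balancer:
        findings.append("InProc session state is lost when a non-persistent load "
                        "balancer sends the user to another server; use StateServer "
                        "or SQLServer mode")
    if mode == "StateServer" and not node.get("stateConnectionString"):
        findings.append("StateServer mode requires stateConnectionString")
    if mode == "SQLServer":
        conn = node.get("sqlConnectionString", "")
        if not conn:
            findings.append("SQLServer mode requires sqlConnectionString")
        elif PLAINTEXT_PASSWORD.search(conn):
            findings.append("sqlConnectionString holds a plaintext password; use integrated "
                            "security or encrypt the section (aspnet_regiis.exe -pe)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("InProc", IN_PROC), ("StateServer", STATE_SERVER),
                      ("SQLServer", SQL_SERVER), ("SQLServer/SSPI", SQL_SERVER_INTEGRATED)):
        print(name, audit_session_state(cfg, persistent_load_balancer=False))
```

Run it once per application (TeamCentral, TeamRisk, TeamSchedule, TEC, TeamMateServices) on each server in the farm; the guide's point that every server must carry identical web.config files means the findings should be identical across servers too.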
Client
To setup windows authentication for the client applications refer to the TeamAdmin user manual. Once the policy is set to use Windows Authentication all of the client applications will utilize this setting.
Web Server
Use the instructions found in How to change authentication to switch to Windows authentication. Once this is done an additional step must be taken to improve performance of the application.

1. Open IIS Manager
2. Go to each of the applications (TeamCentral, TeamRisk, TeamSchedule, TEC, and TeamMateServices) and select Properties
3. Turn off anonymous access to the application and its subdirectories
4. Set up NTFS permissions for the user on the folders
   a. Refer to the Installation Guide for NTFS permission requirements
   b. Create or use an existing Security Group (domain or local)
   c. Add the group to each of the NTFS folders and set the required permissions
   d. Add any users who will be accessing the websites
5. Reset IIS
NOTE: All configuration settings are optional beyond the LDAP path (server configuration setting) described in the following section. Additional configuration settings are provided to adapt to the various LDAP environments in which the applications may be deployed and to provide the highest degree of flexibility. Finally, some optimal configuration settings may depend on the use of another setting; these dependencies are documented in the sample LDAP configuration file deployed with the applications and in the following section.

Known User Approach

The known user approach requires working with the LDAP administrator(s) to establish a known user that the applications will use for their initial connection to the LDAP repository. This account will be placed in the Settings.config file. An authentication session consists of the application connecting to the LDAP store as this known user, retrieving the distinguished name of the user being authenticated based on the simple account name entered at the login screen, and then attempting to bind with the fully distinguished name retrieved from LDAP and the associated password, also entered by the user at the login screen. This approach only allows the session to be opened by the known user, which is beneficial for security and for tracing LDAP activity back to the applications. The "known user approach" consists of three steps, with the following transactional details and configuration options.
Step 1
Binding to the LDAP server as a pre-configured known application user

The purpose of this step is to only allow known users to initially access the system as well as to allow tracing of TeamCentral activity.

Note: The key parameters for this bind are LDAP_PATH, which specifies the target LDAP server, and the optional BASE_DN, which is appended to the LDAP_PATH to specify a particular object in the LDAP hierarchy at which to perform the bind. In addition, APPLICATION_USERNAME and APPLICATION_PASSWORD are the known user credentials used for this bind and identify this application; these known user credentials are supplied by the LDAP administrators. The presence of the application username and password is the determining factor for whether the known user approach is used. Lastly, the final parameter that may be used for this portion of the approach's transaction is the type of authentication mode used for the bind, key AUTHENTICATIONTYPE. Typically this is either SECURE (a value of 1) for Microsoft AD environments or NONE (a value of 0) for all others. There are exceptions to these authentication mode values and these are addressed below. Note that if Active Directory is targeted, the APPLICATION_USERNAME must be preceded by the associated domain name (domain\username).

Authentication mode values (Member Name, Value, Description):

Anonymous (16): No authentication is performed. The providers may attempt to bind a client as an anonymous user to the targeted object. The WinNT provider does not support this flag. Active Directory establishes a connection between the client and the targeted object, but does not perform any authentication. Setting this flag amounts to requesting an unsecured binding, which means "Everyone" as the security context.

Delegation (256): Enables Active Directory Services Interface (ADSI) to delegate the user's security context, which is necessary for moving objects across domains.

Encryption (2): Forces ADSI to use encryption for data that is being exchanged over the network.

FastBind (32): ADSI does not attempt to query the Active Directory objectClass property and thus only exposes the base interfaces supported by all ADSI objects instead of the full object support. A user can use this option to boost the performance in a series of object manipulations that involve only methods of the base interfaces. However, ADSI does not verify if any of the request objects actually exist on the server. For more information, see "Fast Binding Options for Batch Write/Modify Operations" in the Active Directory Programmer's Guide.

None (0): Equates to a null reference (Nothing in Visual Basic).

ReadonlyServer (4): For a WinNT provider, ADSI tries to connect to a primary domain controller (PDC) or a backup domain controller (BDC). For Active Directory, this flag indicates that a writable server is not required for a serverless binding.

Sealing (128): Encrypts data using Kerberos. The Secure flag must also be set to use sealing.

Secure (1): Requests secure authentication. When this flag is set, the WinNT provider uses NTLM to authenticate the client. Active Directory uses Kerberos, and possibly NTLM, to authenticate the client. When the user name and password are a null reference (Nothing in Visual Basic), ADSI binds to the object using the security context of the calling thread, which is either the security context of the user account under which the application is running or of the client user.

SecureSocketsLayer (2): Attaches a cryptographic signature to the message that both identifies the sender and ensures that the message has not been modified in transit. Active Directory requires the Certificate Server be installed to support Secure Sockets Layer (SSL) encryption.

ServerBind (512): If the ADsPath includes a server name, specify this flag when using the LDAP provider. Do not use this flag for paths that include a domain name or for serverless paths. Specifying a server name without also specifying this flag results in unnecessary network traffic.

Signing (64): Verifies data integrity to ensure that the data received is the same as the data sent. The Secure flag must also be set to use signing.
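Because AUTHENTICATIONTYPE is written to Settings.config as a single integer, it is easy to set a combination that the table above says cannot work (Sealing or Signing without Secure). The helper below is an added example, not TeamMate's own code; it composes and decodes the value using the flag values from the table (they are the System.DirectoryServices.AuthenticationTypes enumeration, in which SecureSocketsLayer shares the value 2 with Encryption) and checks the combination rules the table states. The function names are this example's own.

```python
"""Decode and sanity-check an AUTHENTICATIONTYPE value for the LDAP bind.

Added example, not TeamMate's own code. Flag values are those of the
System.DirectoryServices.AuthenticationTypes enumeration in the table above;
the rule checked (Sealing and Signing require Secure) is the one the table
states, plus the plain contradiction of Anonymous combined with Secure.
"""
AUTH_FLAGS = {
    "Secure": 1,
    "Encryption": 2,
    "SecureSocketsLayer": 2,   # same bit as Encryption in the .NET enumeration
    "ReadonlyServer": 4,
    "Anonymous": 16,
    "FastBind": 32,
    "Signing": 64,
    "Sealing": 128,
    "Delegation": 256,
    "ServerBind": 512,
}
ALL_BITS = 1 | 2 | 4 | 16 | 32 | 64 | 128 | 256 | 512


def compose_auth_type(*names):
    """Combine flag names into the integer written to AUTHENTICATIONTYPE."""
    value = 0
    for name in names:
        value |= AUTH_FLAGS[name]  # KeyError for a name that is not in the table
    return value


def decode_auth_type(value):
    """Return the sorted names of the flags set in value; 0 decodes to ['None']."""
    if value < 0 or value & ~ALL_BITS:
        raise ValueError("value %d contains bits that are not in the table" % value)
    if value == 0:
        return ["None"]
    return sorted(name for name, bit in AUTH_FLAGS.items() if value & bit)


def check_auth_type(value):
    """Return a list of problems with a configured value; empty means consistent."""
    flags = set(decode_auth_type(value))
    problems = []
    if flags & {"Sealing", "Signing"} and "Secure" not in flags:
        problems.append("Sealing (128) and Signing (64) require Secure (1) to be set as well")
    if "Anonymous" in flags and "Secure" in flags:
        problems.append("Anonymous (16) and Secure (1) are contradictory: one requests "
                        "no authentication, the other secure authentication")
    return problems


if __name__ == "__main__":
    # Typical values named in the text: SECURE (1) for AD, NONE (0) for all others.
    for v in (0, 1, compose_auth_type("Secure", "Sealing", "Signing"), 64, 17):
        print(v, decode_auth_type(v), check_auth_type(v))
```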
Step 2

Performing a filter search using the username supplied at the login page and a configurable attribute name to retrieve the user's distinguished name.

The purpose of this step is to allow a user to enter a simple account name and have the system retrieve the associated fully distinguished name for the actual user authentication. This frees the user of the burden of remembering and keying in the complex and lengthy distinguished name. As an option, the configuration allows a domain to be supplied for all users (domain@useraccount) or, in the absence of this domain name, the user can supply their own domain name, which is typical where users span multiple domains in larger corporate environments. If the domain is specified, it will be added to the user supplied username (domain@username).

Note: The key parameters applicable to this step are FILTER_ATTRIBUTE (e.g. uid) and DN_ATTRIBUTE (e.g. dn). As an example, a filter using the above parameters would perform a filter search of uid=<username_supplied_by_user> and return an attribute by the name of dn, which holds the distinguished name value. Optionally, SEARCH_SCOPE and REFERRAL_CHASING are available to provide greater flexibility and are described below.

Search scope options (SEARCH_SCOPE) are:
Base - Limits the search to the base object. The result contains at most one object (value="0").
OneLevel - Searches one level of the immediate children, excluding the base object (value="1").
Subtree - Searches the whole subtree, including all children and the base object itself. This is the default (value="2").

Referral chasing options (REFERRAL_CHASING) are:
All - Chase referrals of either the subordinate or external type (value="0").
External - Chase external referrals. This is the default (value="1").
None - Never chase the referred-to server. Setting this option prevents a client from contacting other servers in a referral process (value="2").
Subordinate - Chase only subordinate referrals, which are a subordinate naming context in a directory tree. The ADSI LDAP provider always turns off this flag for paged searches (value="3").
Step 3
Binding to the LDAP store using the user's distinguished name and supplied password. This is the actual authentication of the user, using the distinguished name retrieved from the LDAP system and the password supplied by the user at the login page.

Note: Once the distinguished name is gathered, it and the corresponding password supplied by the user are used to bind to the LDAP store to perform the actual authentication test. The object bound to in LDAP is either the LDAP_PATH, or the LDAP_PATH with the BASE_DN appended. The bound object is determined by the configurable key USE_BASEDN_FOR_AUTHENTICATION_BIND, which has the BASE_DN value appended to the LDAP_PATH; if both USE_BASEDN_FOR_AUTHENTICATION_BIND and USE_DN_FOR_AUTHENTICATION_BIND are 0 or omitted, the LDAP_PATH value alone is used. USE_BASEDN_FOR_AUTHENTICATION_BIND takes precedence over USE_DN_FOR_AUTHENTICATION_BIND if both are set to 1 (enabled). USE_DN_FOR_AUTHENTICATION_BIND is only applicable to the "direct approach" documented below. The same authentication type used for the application user bind is in effect for this bind. If the bind is successful, then the user is authenticated.
Direct Approach
This authentication approach is provided for backward compatibility with previous versions of TeamCentral and for cases where such an approach is more suitable. Essentially, this approach consists of step 3 of the "known user approach" described above, with the exception that the username and password values the user supplies on the login form are used directly for the bind to the LDAP repository. Note: If LDAP_DOMAIN is specified, this domain is appended to the username for the authentication bind (domain@username). This saves users who all exist in the same AD domain from having to specify the domain in addition to their username at login. Domain names are only applicable to Microsoft AD environments.
General
Consult the LDAP configuration sample provided with the TeamCentral installation in the ConfigurationFiles directory for a sample configuration and corresponding annotations of the various configuration settings applicable to LDAP authentication. All configuration settings are placed in the Settings.config file. See the Settings.config file options section for specifics regarding this file and its file system location(s). In the event that more than one LDAP system is to be used for TeamCentral LDAP authentication, this scenario is supported by supplying up to 10 different systems and their associated configuration settings in the Settings.config file.
<add key="LDAP_PATH_1" value="LDAP://server:port/base_dn" />
<add key="LDAP_DOMAIN_1" value="domainname" />
<add key="LDAP_PATH_2" value="LDAP://server:port/base_dn" />
<add key="LDAP_DOMAIN_2" value="domainname" />

... etc., up to 10 sets of LDAP system settings. The same principle holds for all the LDAP configuration keys (e.g. BASE_DN_1) to allow complete flexibility across a collection of LDAP repositories.

Note: The settings (e.g. LDAP_PATH_x) must be in sequence 1 through 10. If there are any gaps in the numbers, TeamCentral will stop checking at the gap. For instance, if there is an LDAP_PATH_1, LDAP_PATH_2, and LDAP_PATH_5, TeamCentral will stop checking after LDAP_PATH_2.

Post LDAP authentication

Important: Once successful authentication is performed on the LDAP store, a second level of authentication is performed on the configured TeamMate database, for either the direct or the known user approach. If an AD environment is in use and users enter their domain and username on the login form, this value must exist in the TeamMate database in this form (domain/username) to pass the TeamMate database authentication test. If the account is inactive in the database, or the system policy is to disallow client access and the database lists the authenticated user as a client (a.k.a. contact), then an appropriate message will be displayed on the login page informing the user of this situation and entry into the application is refused.
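The following Python script is an added example, not TeamMate's own code, written to make the rules of this section observable in one place: it reads numbered LDAP_PATH_n settings from a Settings.config fragment and stops at the first gap (so LDAP_PATH_5 is ignored when 3 and 4 are absent, as the note above says); it selects the known user approach when APPLICATION_USERNAME and APPLICATION_PASSWORD are present and the direct approach otherwise; it binds to LDAP_PATH with BASE_DN appended when USE_BASEDN_FOR_AUTHENTICATION_BIND is 1; and it applies LDAP_DOMAIN as domain@username, the notation used above. There is no real LDAP server in the example: FakeDirectory, the host names, DNs, usernames and passwords are all constructed so the script runs offline, and the post-LDAP TeamMate database check is not modelled.

```python
"""LDAP authentication flow as described above, run against an in-memory directory.

Added example, not TeamMate's own code. FakeDirectory and all hosts, DNs,
users and passwords are constructed for the example.
"""
import xml.etree.ElementTree as ET

# Constructed Settings.config fragment: system 1 uses the known user approach,
# system 2 the direct approach; LDAP_PATH_5 is never read because 3 and 4 are absent.
SETTINGS_CONFIG = """<appSettings>
  <add key="LDAP_PATH_1" value="LDAP://ldap.example.test:389" />
  <add key="BASE_DN_1" value="ou=people,dc=example,dc=test" />
  <add key="APPLICATION_USERNAME_1" value="cn=teamcentral,ou=apps,dc=example,dc=test" />
  <add key="APPLICATION_PASSWORD_1" value="app-secret" />
  <add key="FILTER_ATTRIBUTE_1" value="uid" />
  <add key="DN_ATTRIBUTE_1" value="dn" />
  <add key="USE_BASEDN_FOR_AUTHENTICATION_BIND_1" value="1" />
  <add key="LDAP_PATH_2" value="LDAP://dc01.corp.test:389" />
  <add key="LDAP_DOMAIN_2" value="CORP" />
  <add key="LDAP_PATH_5" value="LDAP://unused.test:389" />
</appSettings>"""


def load_ldap_systems(xml_text):
    """Return the numbered LDAP systems in order, stopping at the first missing LDAP_PATH_n."""
    settings = {a.get("key"): a.get("value") for a in ET.fromstring(xml_text).findall("add")}
    systems = []
    for n in range(1, 11):
        suffix = "_%d" % n
        if "LDAP_PATH" + suffix not in settings:
            break  # a gap ends the scan, as the note above states
        systems.append({k[:-len(suffix)]: v for k, v in settings.items() if k.endswith(suffix)})
    return systems


class FakeDirectory:
    """Stand-in for one LDAP server: entries keyed by DN, reachable only through its own path."""

    def __init__(self, path, entries):
        self.path = path
        self.entries = entries

    def bind(self, target, name, password):
        """Accept a DN or a domain@username credential, but only for a target under this server."""
        if not target.startswith(self.path):
            return False
        for dn, attrs in self.entries.items():
            if name in (dn, attrs.get("domainuser")):
                return attrs.get("password") == password
        return False

    def search(self, filter_attr, value, dn_attr):
        """Step 2: a filter_attr=value lookup returning the distinguished name attribute."""
        for dn, attrs in self.entries.items():
            if attrs.get(filter_attr) == value:
                return dn if dn_attr == "dn" else attrs.get(dn_attr)
        return None


def authenticate(system, directory, username, password):
    """Steps 1 to 3 (known user approach) or the direct bind; returns (ok, reason)."""
    target = system["LDAP_PATH"]
    if system.get("USE_BASEDN_FOR_AUTHENTICATION_BIND") == "1" and system.get("BASE_DN"):
        target += "/" + system["BASE_DN"]
    if system.get("LDAP_DOMAIN"):
        username = "%s@%s" % (system["LDAP_DOMAIN"], username)  # domain@username, as written above
    app_user, app_pw = system.get("APPLICATION_USERNAME"), system.get("APPLICATION_PASSWORD")
    if app_user and app_pw:  # known user approach: bind as the application, then search
        if not directory.bind(target, app_user, app_pw):
            return False, "application user bind failed"
        bind_name = directory.search(system.get("FILTER_ATTRIBUTE", "uid"), username,
                                     system.get("DN_ATTRIBUTE", "dn"))
        if bind_name is None:
            return False, "user not found"
    else:  # direct approach: the login form values are used for the bind
        bind_name = username
    if not directory.bind(target, bind_name, password):
        return False, "user bind failed"
    return True, "authenticated via " + target


DIRECTORIES = {  # constructed servers, keyed by LDAP_PATH
    "LDAP://ldap.example.test:389": FakeDirectory("LDAP://ldap.example.test:389", {
        "cn=teamcentral,ou=apps,dc=example,dc=test": {"password": "app-secret"},
        "uid=jdoe,ou=people,dc=example,dc=test": {"uid": "jdoe", "password": "Pa55"},
    }),
    "LDAP://dc01.corp.test:389": FakeDirectory("LDAP://dc01.corp.test:389", {
        "cn=Ann Lee,cn=Users,dc=corp,dc=test": {"domainuser": "CORP@alee", "password": "W1nter"},
    }),
}


def login(systems, username, password):
    """Try each configured system in sequence; the first successful bind wins."""
    for system in systems:
        directory = DIRECTORIES.get(system["LDAP_PATH"])
        if directory is not None:
            ok, reason = authenticate(system, directory, username, password)
            if ok:
                return True, reason
    return False, "no configured LDAP system authenticated the user"


if __name__ == "__main__":
    systems = load_ldap_systems(SETTINGS_CONFIG)
    print([s["LDAP_PATH"] for s in systems])
    for user, pw in (("jdoe", "Pa55"), ("jdoe", "wrong"), ("alee", "W1nter")):
        print(user, login(systems, user, pw))
```

Note that in the known user approach the only credential stored in Settings.config is the application account's, and every user bind is preceded by that account's bind, which is exactly the tracing property the section claims for it; with the direct approach the server sees only the user's own bind.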
TmReg.ini is primarily used to customize the HKCU registry for file default locations (paths) and TeamMate Explorer path settings. The TmReg.ini must be in the \Bin directory with the TmReg.exe program. TmReg.ini can also be used to customize other registry string entries that are stored in HKCU.

Recommended Process (steps detailed in the following sections)
1. Set up one PC's TeamMate Preferences and TeamMate Explorer Tabs
2. Run tmreg.exe and create the configuration file
3. Edit the tmreg.ini file with a text editor
4. Distribute the tmreg.ini file to your users
5. Apply the configuration file
Create Manually
1. Create a new text file
2. Rename the file to tmreg.ini
3. Add the desired settings
4. Save the file
5. Copy the file to the Program Files\TeamMate\bin folder
In this example, it is likely that the paths would be set in the registry as:
MasterPath=C:\Document and Settings\username\My Documents\TeamMate\data

If the re-register flag is set or the user manually calls Load Configuration from tmreg.exe, the process occurs regardless of the version. This is the same as before.
Note: With Windows Vista TmReg.exe must be launched as an administrator
5. Save
6. Open the file and modify settings as needed (policy version, etc.)
[AutoText]
1=<Initials>, <ShortDate>
2=<Initials>, <LongDate>
3=<FullName>, <ShortDate>
4=<FullName>, <LongDate>
5=<Time>

[DATABASE]
NoUnc=<numeric>1

[Explorer Tabs]
Master=C:\Documents and Settings\Teammate\My Documents\TeamMate\data|0|||||
MSSQLServerDatabase=|1|C:\Documents and Settings\Teammate\My Documents\TeamMate\Connect\dbconnect.tmc|Latest_Sample_SqlServer||TS|0;0;0;~;0;
OracleDatabase=|1|C:\Documents and Settings\Teammate\My Documents\TeamMate\Connect\dbconnect.tmc|Latest_Sample_Oracle||TS|0;0;0;~;0;
Local=C:\Documents and Settings\Teammate\My Documents\TeamMate\repl|0|||||
[Paths]
ConnectPath=C:\Documents and Settings\Teammate\My Documents\TeamMate\Connect
BasePath=c:\Program Files\TeamMate
BinPath=c:\Program Files\TeamMate\bin
LibPath=c:\Program Files\TeamMate\lib
TemplatePath=c:\Program Files\TeamMate\Templates
CustomTemplatePath=c:\Program Files\TeamMate\Templates\custom
ReportPath=c:\Program Files\TeamMate\reports
TransferPath=C:\Documents and Settings\Teammate\My Documents\TeamMate\transport
MasterPath=C:\Documents and Settings\Teammate\My Documents\TeamMate\data
ReplicaPath=C:\Documents and Settings\Teammate\My Documents\TeamMate\repl
BackupPath=C:\Documents and Settings\Teammate\My Documents\TeamMate\backup
ImportPath=C:\Documents and Settings\Teammate\My Documents\TeamMate\Import
StorePath=C:\Documents and Settings\Teammate\My Documents\TeamMate\Connect
HTTP_TEAMCENTRAL=http:\\MyWebSever\TeamCentral
HTTP_TEAMSCHEDULE=http:\\MyWebSever\TeamSchedule
HTTP_TEC=http:\\MyWebSever\Tec
HTTP_TEAMRISK=http:\\MyWebSever\TeamRisk

[Fonts]
TextField=-13,0,0,0,400,0,0,0,0,3,2,1,34,Arial
[Help]
GuidanceFile=H:\TeamMate\Help\xxx TeamMate Protocol.doc
This sets the Local Guidance Location.

[Fonts]
TextField=-13,0,0,0,400,0,0,0,0,3,2,1,34,Arial
This sets the default font in user populated windows.

[AutoText]
1=Effective.
2=Adequate - Effectiveness Tests Performed.
3=Ineffective - No Substantive Tests Performed.
4=Ineffective - Substantive Tests Performed.
5=Inadequate - Substantive Tests Performed.
6=Adequate - No Effectiveness Tests Performed.
7=Inadequate - No Effectiveness Tests Performed.
8=<Initials>, <ShortDate>
9=<Initials>, <LongDate>
10=<FullName>, <ShortDate>
11=<FullName>, <LongDate>
12=<Time>
This sets the auto text that can be used in TeamMate fields.

[MRU]
RepositoryHTTPConnectionTitle=Latest_Blank_SqlServer
This sets the default connection title to use when sending to TeamCentral. This has the effect of prepopulating this field in the send Wizard in the TeamMate Project File. Note this option is only used in a distributed model.
Note: The file above had additional fields added to it. When creating a file from the existing registry values the following sections are exported: Paths, Explorer Tabs, Preferences, AutoText, Colors, Fonts, Grouping, Help.
See Configuration File Sections for more information surrounding the versioning process.
If the registry key is found then that value is used for conversion. If the registry key is not found then TeamMate will search the conversion.tml file for the following section.
[CONVERSION]
RECOMMENDATION=1
RESPONSE=2
NO_PROMPT=1
The above indicates to TeamMate that the "recommendation" tab from the auditor was the first tab on the bottom of the TeamMate R7 form and that "response" from the client (contact) tab was the 2nd tab of the bottom of the form. To prevent the user from being prompted for this choice during the conversion process the "NO_PROMPT=1" option has been set. To allow the user to still be prompted, change "NO_PROMPT" to a value of "0". If the [CONVERSION] section is not in the conversion.tml file (or the file is not present) the user will be prompted with a dialog box as to how they want to have the conversion do the mapping. Their selections will then be stored in their Windows registry and will be the default for the next project converted.
The following table lists all available policies for use with the conversion.tml file.
ID    Policy Type             Policy                           Description
100   Team                    TM_Team_Include                  Include team members in library file
101   Team                    TM_Team_NoAdmin                  Restrict adding of administrator in projects
200   Freeze Policies         TM_Freeze_Terminology            Freeze terminology policies
201   Freeze Policies         TM_Freeze_Categories             Freeze all categories
202   Freeze Policies         TM_Freeze_Advanced               Freeze all advanced properties
203   Freeze Policies         TM_Freeze_Custom                 Freeze all custom property names
204   Freeze Policies         TM_Freeze_AutoBackup             Freeze auto backup settings
205   Freeze Policies         TM_Freeze_Profile                Restrict profile editing to Project Owner, Manager, or Lead
300   Signoff Policies        TM_Signoff_ResetEdit             Reset state when an item is edited by same member as last signoff
301   Signoff Policies        TM_Signoff_NoDelete              Do not delete edits within signoff history upon signoff
302   Signoff Policies        TM_Signoff_PrepareFirst          Restrict reviewer signoff until item has been prepared
303   Signoff Policies        TM_Signoff_ReviewDiff            Restrict team members from being the last preparer and reviewer on an item
304   Signoff Policies        TM_Signoff_ResetPrepare          Reset state to prepared when edited since review and item is prepared again
305   Signoff Policies        TM_Signoff_BatchSignoff          Allow batch signoff of work papers
400   Finalization Policies   TM_Finalize_Restrict             Restrict finalization process only to Admin, Manager, and Lead
401   Finalization Policies   TM_Finalize_HaltEX               Force HALT for exceptions not reviewed
402   Finalization Policies   TM_Finalize_HaltPS               Force HALT for programs not reviewed
403   Finalization Policies   TM_Finalize_HaltWP               Force HALT for work papers not reviewed
404   Finalization Policies   TM_Finalize_HaltProcedure        Force HALT for procedures not reviewed
405   Finalization Policies   TM_Finalize_HaltProcedure_Prep   Force HALT for procedures not reviewed or prepared
406   Finalization Policies   TM_Finalize_RetainNote           Force retention of coaching notes
407   Finalization Policies   TM_Finalize_RetainHistory        Force retention of complete edit history
408   Finalization Policies   TM_Finalize_SendCentral          Restrict send to TeamCentral until finalization complete (Distributed only)
409   Finalization Policies   TM_Finalize_ReplicaNoFinal       Restrict finalization if replicas are outstanding
410   Finalization Policies   TM_Finalize_NoUnfinalize         Restrict ability to un-finalize
500   Lock Policies           TM_Lock_Global                   Prohibit changes to these policies by an administrator in the created projects (project lock)
501   Lock Policies           TM_Lock_Project                  Prohibit changes to these policies in any subsequent library (global lock)
502   Lock Policies           TM_Lock_Reencrypt                Force re-encryption of created projects with a unique encryption key
Description (policy table, continued)
- Automatically calculate 'tracked' exception costs in Profile Summary
- Hide Profile Custom Properties
- Do not encrypt 3rd party documents
- Automatically associate imported PDF documents with TeamImage
- Hide Profile Risks
- Use Windows Authentication rather than Basic Authentication for login
- Restrict Save as Library to the Admin, Manager and Lead
- Allow 360 Report Import by normal users (otherwise restricted to Admin, Manager and Lead)
- Restrict adding of team members to those defined within a TeamMate Suite Database
- Restrict project creation to those planned to the TeamMate Suite Database
- Restrict Profile editing if created from TeamMate Suite Database
- Disable Profile actual costs editing when TeamMate TEC is used
- Recommendations are tracked in TeamCentral
- Restrict adding contacts to Administrators only
- Restrict procedure editing based on assignment (work program is not locked)
- Restrict work paper editing based on assignment
- Automatically assign added procedures
- Automatically assign added work papers
- Authorization model for assignments and editing is based on Project Ownership rather than Role Hierarchy
- Further restrict editing to assignee only

ID    Policy
804   TM_Workflow_Authority_MgrLead
805   TM_Workflow_Edit_Individual
  <TerminologyItems>
    <TerminologyItem Name="ProjectObjective">
      <Value>Objective-ABCDXZX</Value>
      <Hidden>0</Hidden>
    </TerminologyItem>
    <TerminologyItem Name="ProjectBackground">
      <Value>Background-ABCZZZZ</Value>
      <Hidden>0</Hidden>
    </TerminologyItem>
  </TerminologyItems>
  <Categories>
    <Category Type="ProjectGroups">
      <Items>
        <Item>
          <Value>ProjectGroup1</Value>
          <SortOrder>1</SortOrder>
        </Item>
        <Item>
          <Value>ProjectGroup2</Value>
          <SortOrder>2</SortOrder>
        </Item>
        <Item>
          <Value>ProjectGroup3</Value>
          <SortOrder>3</SortOrder>
        </Item>
      </Items>
    </Category>
  </Categories>
  <Policies>
    <Policy ID="100">1</Policy>
    <Policy ID="700">0</Policy>
    <Policy ID="701">0</Policy>
  </Policies>
  <CustomFields />
</ProjectUpdate>