There are four entities within Agresso Milestone 4 that require authentication when you connect to them.
- Desktop Client
- Web Client
- Web Services
- Agresso Management Console
The standard way to log into these is to use an Agresso username and password, but there is is also Single Sign On (SSO) which logs you straight in with no need to enter any credentials and finally Active Directory (AD) authentication which allows you to log in by using your Windows logon credentials.
It is possible to setup SSO or AD logon either via the Desktop Client (System Administration) or within the Agresso Management Console (AMC), both have the same screen.
Authentication methods are setup on a platform basis. So you could have SSO for Agresso Web users and AD logon or Agresso logon for the Agresso Desktop client.
Agresso Authentication gives the standard logon screen (also get this if no authenticators are selected)
Windows Password Authentication asks you for Windows logon details. Note that there is no longer a Client field, it has been changed to Domain. The username and password fields are now for your Windows Network (AD) username and password.
The last option of Windows Authentication gives you SSO where no logon details have to be entered.
For AD or SSO authentication to work you still need to create an ABW user, and to this user you need to link a Windows Logon in the format of DomainNameWindowsLogon, as well as providing the default company that you want them to log into. All of this is setup in the User master file.
A slight word of caution. If you plan on quickly testing this and setup a Windows Logon against your ABW account and then switch on Windows Password Authentication, you will be able to logon using your AD credentials, but everyone else on the system who is not mapped to their Windows account will be effectively locked out.
Although, it is possible to move over Agresso Authentication along with either of the other two options. This will allow you to still login using Agresso authentication if your ABW account is not linked to a Windows Domain User. This is useful for system users that sometimes may need to log on to the system as other users.
For SSO to the web there are a couple more things that need to be configured against the Web publication in the AMC which basically modifies IIS to allow Windows Authentication
SSO logon is particularly useful for organisations that may have large numbers of users that occasionally use Agresso such as Timesheet users as they have no requirement to remember their Agresso username or password.
AD authentication also has the above advantage but provides more security.
Please note that if you enable SSO for the Agresso web client and you are prompted for Windows username and password when you connect, check that on the Agresso Web server that Internet Explorer Enhanced Security Configuration is turned off. This is done in Server Manager. This setting is turned on by default on Windows Server.