Integrated Windows Authentication Single Sign-On for Legal Hold

Article: 100040015
Last Published: 2019-01-17
Product(s): eDiscovery Platform

Problem

A new feature introduced in Veritas eDiscovery Platform (eDP) V8.3 Cumulative Hotfix 2 supports Integrated Windows Authentication (IWA) Single Sign-On (SSO) for Legal Hold authentication.

When eDP is configured for IWA SSO, the Windows credentials of the custodian's logged-on session are used for authentication, and the custodian is taken directly to the Legal Hold Confirmation page without entering login credentials. To use the SSO option, Lightweight Directory Access Protocol (LDAP) authentication must be configured and enabled against the Active Directory domain from which the Windows users will authenticate, and every custodian must exist as an account in that Active Directory.

Note: Once the SSO login is enabled, custodians do not get an option to log in by providing their credentials explicitly.

For IWA, Kerberos authentication is preferred over NT LAN Manager (NTLM) authentication and is selected by default. Users also have the option to try Kerberos first and, if it fails, fall back to NTLM.

NTLM and Kerberos are both Integrated Windows Authentication protocols. Kerberos is the default authentication protocol in Windows domains and is the better option for IWA: it provides mutual authentication (the client verifies the server as well as the server verifying the client), supports delegation, performs better because the client presents a cached service ticket instead of completing a challenge-response exchange that the server must pass through to a domain controller, and interoperates with non-Windows Kerberos implementations.

To configure Integrated Windows Authentication (IWA) Single Sign-On (SSO) for Legal Hold authentication:

Note: Before you perform the following steps, you must clear your browser cache.
  1. Log on to the eDP web interface as a system administrator.
  2. From the System view, click Settings, and then click the Legal Hold Authentication tab.
  3. Enable LDAP authentication for legal hold notices. Refer to the Legal Hold User guide for details.
  4. Enable Single Sign-On: Select the Enable Integrated Windows Authentication (IWA) with LDAP check box.
  5. Select the authentication preference:
    • Use Kerberos only: Custodians authenticate with Kerberos; if no Kerberos ticket can be obtained, the login fails.
    • Use Kerberos first; if it fails, use NTLM: Kerberos is attempted first and NTLM is used only when Kerberos fails. Note that the fallback is silent: a missing or duplicate SPN, or a URL host name that does not match the registered SPN, causes every custodian to authenticate with NTLM without any visible error, so verify the SPN (below) before relying on this option.
  6. Test the LDAP connectivity: Enter the credentials of a valid LDAP user who is within the configured User Base, and then click Test Connection.
  7. Click Save.

For Active Directory configurations: register a Service Principal Name (SPN) for the Legal Hold confirmation server. Kerberos cannot issue a service ticket for the server until an SPN exists on the account that runs the application service, so without this step Kerberos authentication fails. A domain administrator should run the following setspn command for the Legal Hold confirmation server from any system in the domain.
 
setspn -A HTTP/cw.LHConfirmationserver.fqdn customer-domain\user-running-esa
 
cw.LHConfirmationserver.fqdn is the fully-qualified domain name (FQDN) of the confirmation server, as custodians will enter it in the browser
customer-domain is the domain of the service account. Example: corp.local
user-running-esa is the user account running the application service on the Legal Hold confirmation server. Example: esaAdmin
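The following PowerShell session is an added example, not part of the Veritas article, showing how a domain administrator can register the SPN so that a duplicate is detected instead of silently breaking Kerberos, confirm it landed on the intended account, and then, from a custodian workstation, confirm that Kerberos (not NTLM) was actually used for the portal. The host name cw.LHConfirmationserver.fqdn, the domain name corp and the account esaAdmin are placeholders taken from the article's examples and must be replaced with your own values.

```powershell
# Added example (not from the Veritas article). Run steps 1-3 as a domain administrator
# on any domain-joined system; run step 4 on a custodian workstation.
$LhHost  = "cw.LHConfirmationserver.fqdn"   # FQDN that custodians open in the browser
$Domain  = "corp"                           # NetBIOS name of customer-domain (corp.local)
$SvcUser = "esaAdmin"                       # account running the eDP application service
$Spn     = "HTTP/$LhHost"                   # HTTP/ covers both http:// and https:// URLs

# 1. A duplicate SPN is the most common reason Kerberos fails, and with the
#    "Kerberos first" option that failure becomes a silent NTLM fallback.
#    setspn -Q searches the whole forest for the SPN.
$existing = & setspn -Q $Spn
if ($existing -match [regex]::Escape($Spn)) {
    Write-Warning "SPN $Spn is already registered:`n$($existing -join "`n")"
    Write-Warning "Remove it from the other account first (setspn -D $Spn <account>)."
    return
}

# 2. Register the SPN. -S checks for duplicates again before adding;
#    the article's -A adds unconditionally.
& setspn -S $Spn "$Domain\$SvcUser"
if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }

# 3. Confirm the SPN is on the service account and not, for example, on the
#    computer object.
& setspn -L "$Domain\$SvcUser"

# 4. On a custodian workstation, after the user has opened the Legal Hold portal:
#    a service ticket for the SPN proves Kerberos was used. No ticket means the
#    session fell back to NTLM (or failed, if "Use Kerberos only" is selected).
$tickets = & klist
if ($tickets -match [regex]::Escape($Spn)) {
    "Kerberos service ticket for $Spn is present"
} else {
    Write-Warning "No Kerberos ticket for $Spn. Check that the SPN exists, that the URL host name matches it exactly, and that the browser is configured for IWA (Need Help! on the portal)."
}
```

The SPN must match the host name in the URL that custodians actually open: if the portal is reached through a DNS alias, register an additional HTTP/ SPN for that alias on the same account, because a client that cannot obtain a ticket for the name it typed will not use Kerberos.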
 
Note: Recipients of the legal hold notices must configure their browsers for IWA Single Sign-On. For detailed steps on how to do so, end-users can click Need Help! on the Legal Hold Confirmation Portal screen.
