adTempus

Web Console Installation

System Requirements

This version of the Web Console is for adTempus 4 or later. It will not work with earlier versions of adTempus.

The adTempus Web Console can be installed on any computer running Microsoft Internet Information Services (IIS) version 7 or later, with Microsoft .NET version 4.5 or later.

IIS does not need to be running on the same computer as the adTempus service: you can install the Web Console on a single Web server, and users can the connect to any number of adTempus servers running on other computers.

Download

Download the Web Console here.

IIS Installation

If IIS is not installed/enabled on the server, install it as described in these instructions.

If you do not have version 4.5 or later of the Microsoft.NET Framework, download and install the framework.

If this is a new installation of IIS, confirm that you can load the site's default page in a Web browser.

Firewall Configuration

Ensure that the Windows Firewall (or any other firewall/security software installed on the server) is configured to allow incoming HTTP (port 80) and HTTPS (port 443) traffic.

Active Directory Configuration

To support automatic (Windows integrated) logon (the user is automatically authenticated by adTempus, without needing to supply Windows or adTempus login credentials), the Web server must be trusted for delegation in Active Directory. A Service Principal Name (SPN) may also be required.

Delegation Configuration

On the domain controller, edit the computer account for the computer that serves as the Web server and set it to be trusted for delegation as described in this Microsoft reference article.

After this change is made, it may be necessary to restart the Web server computer for the change to take effect.

Service Principal Name

On the Web server, open a command prompt using Run as Administrator and execute the following command:

setspn -s HOST/computername.domainname computername

where computername is the name of the computer (e.g., "server1") and domainname is the Active Directory domain name (e.g., "corpnet.example.com").

Web Console Installation

Notes:

  • These instructions assume that you will install the adTempus Web Console as an application within the default IIS site. That is, if the server is named "server1", the adTempus Web Console will be available at http://server1/adtempus/. You could also choose to make the Web Console the main application for the site, if IIS is not being used to host other applications.
  • For simplicity, these instructions put the adTempus Web Console files in a folder within the default Web application, but you may choose to place the files elsewhere if you wish and create a new Web Application that points to the folder.

1. Locate the root folder for the default IIS, which is generally "c:\inetpub\wwwroot" and create a new folder named "adTempus" beneath it.

2. Download the Web Console and extract all of the files from ZIP into the folder you created in step 1 (e.g., "c:\inetpub\wwwroot\adTempus"), preserving the directory structure.

3. Start the Internet Information Services (IIS) Manager, expand the node for the server, and select the Application Pools node.

4. In the Actions panel, select Add Application Pool....

5. In the Add Application Pool window, use the following settings:

  • Name: adTempus
  • .NET Framework Version: .NET Framework v4.0.30319
  • Managed Pipeline Mode: Integrated

Click OK to save the Application Pool.

6. Expand the Default Web Site node. The "adTempus" folder should be listed there.

7. Right-click the adTempus folder and select Convert to Application.

8. In the Add Application window, click Select... next to the Application Pool and select the "adTempus" Application Pool.

9. Click OK to save the Application settings.

10. With the "adTempus" application selected in the tree, double-click Authentication in the IIS section.

  • Select "Anonymous Authentication" and then click Disable in the Actions panel.
  • Select "Windows Authentication" and then click Enable in the Actions panel.

These settings mean that when a user connects to the Web application they will be required to supply Windows credentials. This is necessary to support adTempus authentication based on Windows identity.

11. Open a Web browser and navigate to "http://servername/adtempus", where "servername" is the name of the computer where you are running the Web server. You should see the adTempus login page. If not, see the Troubleshooting section below.

Web Console Configuration

By default the Web Console supports only automatic (integrated Windows) authentication when connecting to adTempus: The Web browser sends the Windows identity information to the Web Console, which connects to adTempus under that identity.

If your adTempus server has logins that use adTempus security (explicit user ID and password), you need to configure the Web Console to support this. Support is not enabled by default unless you have installed an SSL certificate for the Web server, as explicit security requires sending credentials over the network.

To enable explicit login, install an SSL certificate for the server as described here. If your server and users are all in the same Windows domain, you should be able to obtain a certificate from the domain's certificate authority. Once you do this, the explicit login option will appear automatically.

Browser Configuration

In order for the Web Console to properly impersonate the client and connect to the adTempus server under the correct identity, the browser must support authentication using Kerberos. Internet Explorer supports this by default, but other browsers may require special configuration. If the browser is not configured for Kerberos authentication, the user will see this message on the Login page:

Note: Automatic (Windows integrated) login is not supported for your browser configuration.

If the server has an SSL certificate, the user will be allowed to enter Windows login credentials or adTempus credentials to connect to the adTempus server.

Firefox Configuration

When using Firefox with Kerberos, users will need to complete the following configuration, and will need to connect to the server using a fully-qualified name. For example, if the server is "server1" and your domain is "corpnet.example.com", they will need to connect to "http://server1.corpnet.example.com/adtempus", not just "http://server1/adtempus".

To enable Kerberos authentication in Firefox:

  1. In the Firefox address bar, navigate to about:config to go to the configuration page.
  2. In the Filter box, enter negotiate to filter the options.
  3. Double-click the network.negotiate-auth.trusted-uris value.
  4. Enter the name of the domain that the server is in. From the example above, that is ".corpnet.example.com".
  5. Repeat steps 3 and 4 for the network.negotiate-auth.delegation-uris value, using the same domain.

Google Chrome

When using Chromoe with Kerberos, users will need to complete the following configuration, and will need to connect to the server using a fully-qualified name. For example, if the server is "server1" and your domain is "corpnet.example.com", they will need to connect to "http://server1.corpnet.example.com/adtempus", not just "http://server1/adtempus".

To enable Kerberos authentication in Chrome:

  1. Run the Registry Editor.
  2. Go to "HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome" (you may need to create the "Google\Chrome" portion of the path).
  3. Create a new String value named "AuthNegotiateDelegateWhitelist" and set it to the domain that the server is in: "*.corpnet.example.com".
  4. Restart Chrome.

Web Console Usage

After login, the main Console page is displayed. You may open additional browser tabs/sessions to connect to more than one adTempus server at the same time.

When using automatic Windows authentication, you can bypass the login page by bookmarking the Console page for a server. For example, if you are connected to adTempus "adtserver1", the URL is "http://server1.corpnet.example.com/adtempus/console.aspx?server=adtserver1".

The current version of the Web Console allows users to execute and monitor jobs but does not support editing jobs.

The layout and functionality of the Web Console are similar to that of the desktop Console. Right-click pop-up menus expose the available actions for items in the various panels.

Troubleshooting

If the application displays a "Runtime Error" message when you connect to it using a browser on a different computer, run a browser on the server itself and use that to connect to the application. The Web server will display more detailed error messages when the browser is running locally.

Runtime error: "The 'targetFramework' attribute currently references a version that is later than the installed version of the .NET Framework."

This indicates that you did not install version 4.5 of the .NET Framework as described in IIS Installation above.

Automatic authentication not available

Common causes:

  1. IIS Authentication is not configured correctly (step 10 in the installation instructions).
  2. Delegation or SPN is not configured correctly as discussed in Active Directory Configuration above.
  3. The user is using a browser other than Internet Explorer, and Kerberos delegation has not been configured for the browser as described in Web Browser Configuration above. Try connecting using Internet Explorer and confirm that works correctly.