Skip past navigation linksSecure Global Desktop Administration Guide > Arrays, servers and load balancing > Secure Global Desktop Login properties (array-wide)

Secure Global Desktop Login properties (array-wide)

Use the attributes on the Array Manager Secure Global Desktop Login Properties panel to control how users log in to Secure Global Desktop. The attributes apply to all array members and take effect immediately.

Use the tarantella config command to list and edit these settings.

Attribute Command Line Description
Login Theme --login-theme theme_name
  • Choose the login theme to be used across the array.
  • The login theme determines the style and appearance of the page users see when logging in to Secure Global Desktop from a web browser.

Note This attribute is only used with the classic webtop. The browser-based webtop does not use login themes.

Use classic web server authentication --tarantella-config-components-webloginauthority 1 | 0
  • Check the box to enable web server authentication for the classic webtop.
Use third party authentication --login-thirdparty 1 | 0
  • Check the box to enable third party authentication for the browser-based webtop.
  • Allows you to give webtops to users who have been authenticated by an external mechanism, such as web server authentication.
Search ENS for matching person For the classic webtop:
--login-web-ens 1 | 0

For the browser-based webtop:
--tarantella-config-login-thirdparty-searchens 1 | 0

  • Check one or more boxes to select the search methods you want Secure Global Desktop to use to determine the identity and login profile of a user who has been authenticated by an external authentication method.
  • See web server/third party authentication for details.
  • If more than one box is checked, the search methods are used in the order shown above. However, neither web server authentication nor third party authentication support ambiguous users and so the first match found is used.
  • If the searches do not produce a match, the standard login page displays and the user must log in to Secure Global Desktop in the normal way.

Note On the command line, there are separate commands for the classic and browser-based webtops. If you use the command line, we recommend you enable/disable the options for both webtops.

Search LDAP and use closest ENS match For the classic webtop:
--login-web-ldap-ens 1 | 0

For the browser-based webtop:
--tarantella-config-ldap-thirdpartyldapcandidate-useens 1 | 0

Search LDAP and use LDAP profile For the classic webtop:
--login-web-ldap-profile 1 | 0

For the browser-based webtop:
--tarantella-config-ldap-thirdpartyldapcandidate-useprofile 1 | 0

Use default profile For the classic webtop:
--login-web-profile 1 | 0

For the browser-based webtop:
--tarantella-config-login-thirdparty-allownonens 1 | 0

Tokens are valid for --login-web-tokenvalidity int
  • The validity period of the web server authentication token in seconds. The number of seconds must be between 1 and 600. The default value is 180.
  • If web server authentication is enabled, when a user goes to the http://server.example.com/tarantella URL, the web server generates a token and this is accepted by the Secure Global Desktop server as proof of authentication. Each token is valid only once.
  • The token may need to be valid for a few minutes to allow client devices to download the Secure Global Desktop Java™ archive. If all users have the archive already installed, you can reduce the validity period to a few seconds.
  • Reducing the token validity period may result in failed logins on slow networks.
  • To ensure a token cannot be intercepted and used by a third party while still valid, use secure (HTTPS) web servers.

Note This attribute is only used for web server authentication with the classic webtop.

Web server username --login-web-user string
  • The username of the user that owns web server (httpd) processes.
  • The default is ttaserv as this is the user used by the Secure Global Desktop Web Server.
  • If you use your own web server, you must change this to the user you use for your web server, typically nobody.
  • This user is a trusted user for web authentication. We recommend you restrict access to this user and you restrict the processes that run as this user. It is more secure to have a user that is used to run the web server and nothing else.
  • All web servers used in the array must use the same username.
  • You must restart all array members for a change to this setting to take effect.

Note This attribute is only used for web server authentication with the classic webtop.

Anonymous user login authority --login-anon 1 | 0
  • Check one or more boxes to enable those login authorities.
  • The login authorities are listed in the order in which they are tried. If one login authority authenticates the user, no more login authorities are tried.
  • SecurID authentication is not supported on the Solaris Operating System on x86 platforms.
  • The authentication token login authority can only be used when the Secure Global Desktop Client is operating in integrated mode. The Native Client and Java™ technology clients do not support this login authority.
Authentication token login authority --login-atla 1 | 0
ENS login authority --login-ens 1 | 0
NT login authority --login-nt 1 | 0
LDAP login authority --login-ldap 1 | 0
Active Directory login authority --login-ad 1 | 0
UNIX group login authority --login-unix-group 1 | 0
UNIX user login authority --login-unix-user 1 | 0
SecurID login authority --login-securid 1 | 0
Windows NT Domain --login-nt-domain dom
URL --login-ldap-url url
  • The location of the LDAP directory/Active Directory server(s) used for the LDAP login authority, the Active Directory login authority, third party/web server authentication (the LDAP user identity mapping options) and Directory Services Integration.
  • For the LDAP login authority and third party/web server authentication, this is a semicolon-separated list of URLs. The URLs are used in the order they are listed. If the first LDAP directory server listed is unavailable, Secure Global Desktop tries the next one in the list. Each URL has the form ldap://server:port/searchroot where:
    • server is the DNS name of the LDAP directory server.
    • port is the TCP port on which the LDAP directory server listens for connections. You can omit this (and the preceding ":") to use the default port.
    • searchroot is the position in the LDAP directory structure from which the LDAP login authority should start searching for matching users, for example dc=indigo-insurance,dc=com.

    Note Use an ldaps:// URL if your LDAP directory server requires or allows SSL connections. Extra configuration is required for SSL connections, see Securing connections to LDAP directory servers for details.

  • For the Active Directory login authority, this is the URL of an Active Directory domain and takes the form ad://domain, for example ad://east.indigo-insurance.com. The URL must start ad:// and must not contain a searchroot. Only enter one domain.
Username/Password Use tarantella passcache new --ldap command.
  • The username and password of a user that has privileges to search an LDAP directory server/Active Directory server. This is not required for some LDAP directory servers.
  • For the LDAP login authority or third party/web server authentication, use a full username such as cn=Bill Orange,cn=Users,dc=indigo-insurance,dc=com.
  • For the Active Directory login authority, use a user principal name such as orange@indigo-insurance.com

Note For security reasons, the password is not displayed even if it has been previously set.

Use Certificates --login-ldap-pki-enabled 1 | 0
Base Domain --login-ad-base-domain dom
  • The domain the Active Directory login authority uses if users only supply a partial domain when they log in.
  • For example, if the root domain is set to "indigo-insurance.com" and a user logs in with the username "rouge@west", the Active Directory login authority tries to authenticate "rouge@west.indigo-insurance.com".
Default Domain --login-ad-default-domain dom
  • The domain the Active Directory login authority uses if users do not supply a domain when they log in.
  • For example, if the default domain is set to "east.indigo-insurance.com" and a user logs in with the username "rouge", the Active Directory login authority tries to authenticate "rouge@east.indigo-insurance.com".
Generate authentication tokens --login-autotoken 1 | 0
Related topics