Secure Global Desktop Administration Guide > Users and authentication > Enabling web server authentication for the browser-based webtop

Enabling web server authentication for the browser-based webtop

To enable web server authentication for the browser-based webtop:

On each array member, configure the web server to protect access to the /sgd URL.
In Array Manager, click Secure Global Desktop Login, Properties.
Check the box next to Use third party authentication.
Check one or more boxes in User identity mapping.
Configure the Tomcat component of the Secure Global Desktop Web Server to trust the web server authentication. On each array member, edit the /opt/tarantella/webserver/tomcat/version/conf/server.xml file. Add the following attribute to the connector element (<Connector>) for the Coyote/JK2 AJP 1.3 Connector:

tomcatAuthentication="false"

How you protect the /sgd URL depends on your web server, see your web server documentation for details. For the Secure Global Desktop Web Server, see the Apache documentation.
The boxes you select in User identity mapping are the search methods Secure Global Desktop uses to determine a web user's identity and login profile. For details on how the search methods work, see third party authentication.
If you select more than one search method, the methods are processed in the order they are shown. As web server authentication does not support ambiguous users users will get the webtop of the first match found.
If you are using the either of the LDAP User identity mapping search methods, you may also want to configure secure connections to the LDAP directory server.
If you are using the Secure Global Desktop Web Server, you can protect the /sgd URL in either the Apache or the Tomcat components. We recommend you use Apache.
By default, for security reasons, Secure Global Desktop Administrators can't log in to the browser-based webtop with web server authentication. The standard login page always displays for these users even if they have been authenticated by the web server. To change this behavior, run the following command:

tarantella config edit --tarantella-config-login-thirdparty-allowadmins 1

Example of how to configure the Secure Global Desktop Web Server

The following is an example of how you might configure the Secure Global Desktop Web Server for web server authentication:

Use the /opt/tarantella/webserver/apache/version/bin/htpasswd binary to create a web server password file.
Edit the /opt/tarantella/webserver/apache/version/conf/httpd.conf file and insert the following directory directives:
```
SetEnvIf Request_URI "\.(cab|jar|gif|der)$" sgd_noauth_ok
    
<LocationMatch /sgd>
   Order Allow,Deny
   Allow from env=sgd_noauth_ok
   AuthUserFile file-path
   AuthName auth-domain
   Authtype Basic
   Require  valid-user
   Satisfy  any
</LocationMatch>
```
where file-path is the full path to the web server password file

and auth-domain is the name of authorization realm that appears in the web browser's authentication dialog.
Restart the Secure Global Desktop Web Server (tarantella webserver restart) for the configuration changes to take effect.

This example uses a SetEnvIf directive as a workaround to the problem where some versions of Sun Java™ Plug-in fail to "remember" the user's credentials (see http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4943729).
This example uses a LocationMatch directive rather than a Directory directive because the management of the /sgd URL is delegated to Tomcat in the standard httpd.conf file for the Secure Global Desktop Web Server. This also means you can't use an .htaccess file to protect the /sgd URL.

Related topics
Enabling web server authentication for the classic webtop Introducing web server authentication Users experience problems with web server authentication Login authorities Secure Global Desktop Login properties (array-wide) Configuring your own web server for use with Secure Global Desktop