Active Directory and Single Sign-on Considerations

For Active Directory authentication or Single Sign-on (Windows Integrated Authentication) to work, the directory id field must match the user identity in the directory server. When using Active Directory authentication with IFS Middleware Server on IFS Applications 10, the default configuration is to use the Active Directory attribute userPrincipalName (UPN in the table below) as described in the installation documentation. If an existing system configured for Active Directory authentication is about to be upgraded to IFS Applications 10, some action may be required, as described in the checklist below.

Checklist

Upgrading from an existing installation with Active Directory authentication may require transformation of user information, and you must always investigate how users are currently configured to decide whether action is needed. Action will most likely be required unless the upgrade is from an IFS Applications 8 installation running on the JBoss EAP application server.

Depending on the previous application server and the previous version of IFS Applications, the directory id is stored in different formats, so the transformation required also differs. The formats are shown in the table below.

| Application server           | IFS Applications 7 and 7.5 | IFS Applications 8                | IFS Applications 9 |
|------------------------------|----------------------------|-----------------------------------|--------------------|
| IFS Middleware Server        | N/A                        | sAMAccountName                    | sAMAccountName     |
| JBoss EAP                    | DOMAIN\sAMAccountName      | userPrincipalName (eMail Address) | N/A                |
| Weblogic Server              | sAMAccountName             | sAMAccountName                    | N/A                |
| Websphere Application Server | N/A                        | sAMAccountName                    | N/A                |

Transformation Process

Once you have established the current format of the Directory ID column, you need to transform the values so that they contain no prefix or suffix. The best way to transform the data is to use Active Directory User Integration, mapping the IFS Attribute FndUser.DirectoryId to the Active Directory Attribute &UserPrincipalName as described in this link.

If the Active Directory User Integration component is not in use by the customer, a utility has been developed to aid in updating the DirectoryID. Before using the utility, carefully study the documentation and the example described in this link.

Another approach would be to write a database script that updates the WEB_USER column (corresponding to the directory id) in the FND_USER_TAB table with the E-mail property, assuming that all users have a valid email address defined and that there are no duplicates. In general, there are no corresponding users in Active Directory for Special Users and Pre-defined Users in IFS Applications, and therefore they should be omitted. Note also that other columns must not be updated, and that it is recommended to take a backup of the table before applying any script. An unsupported example of such a script could look like this.
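The following is an added example written for this page, not the page's own script or an IFS-supplied one. It assumes Oracle SQL, that the user name column is IDENTITY, that the e-mail property is available in an assumed column named EMAIL_ADDRESS, and that an assumed USER_TYPE column with the value 'END_USER' separates ordinary users from Special and Pre-defined Users; verify all of these against the actual schema before running anything.

```sql
-- Added example, not the script from the original page. Column names
-- IDENTITY, EMAIL_ADDRESS and USER_TYPE and the value 'END_USER' are
-- assumptions; adjust them to the real schema.

-- 1. Back up the whole table before touching it.
CREATE TABLE fnd_user_tab_bak_dirid AS
SELECT * FROM fnd_user_tab;

-- 2. Pre-check: every in-scope user must have a usable e-mail address.
--    Any rows returned here must be fixed before the update is run.
SELECT identity
FROM   fnd_user_tab
WHERE  user_type = 'END_USER'
AND    (email_address IS NULL OR INSTR(email_address, '@') = 0);

-- 3. Pre-check: e-mail addresses must be unique (compared case-insensitively),
--    because a directory id must map to exactly one IFS account.
SELECT LOWER(email_address) AS upn, COUNT(*) AS n
FROM   fnd_user_tab
WHERE  user_type = 'END_USER'
GROUP  BY LOWER(email_address)
HAVING COUNT(*) > 1;

-- 4. Only when both checks return no rows: update WEB_USER (the directory id)
--    and nothing else. Special and Pre-defined Users are excluded by the
--    user_type filter, and only rows that already carry a directory id change.
UPDATE fnd_user_tab
SET    web_user = email_address
WHERE  user_type = 'END_USER'
AND    email_address IS NOT NULL
AND    web_user IS NOT NULL;

-- 5. Review the result before committing; ROLLBACK if anything looks wrong.
SELECT identity, web_user
FROM   fnd_user_tab
WHERE  user_type = 'END_USER';
COMMIT;
```

Run the two pre-check queries and the update in the same session so the update is only committed after the result has been reviewed.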

Verify

Test by accessing IFS Enterprise Explorer as a user who exists in Active Directory and has a matching Directory ID in IFS Applications. Type your User Principal Name (typically the same as the email address) and Windows password in the login dialog and verify that the application starts.
