How Do I Enable and Configure Windows Authentication?

MIP can integrate with Windows Authentication, which eliminates the need to maintain separate user accounts: Windows Active Directory users and groups are imported into the system instead.

Perform the following steps in the Administration module to enable and configure Windows Authentication:

  1. In order to use Windows Authentication, the MIP Fund Accounting server must reside in and be a member of a Windows Active Directory domain.
  2. Open the MIP Fund Accounting system and log in as the Admin user.
  3. Select the Use Windows Authentication check box using Options>System Preferences. This will cause existing users in the MIP system to no longer be valid, with the exception of User "Admin."
  4. With Windows Authentication enabled, all users and/or groups within the MIP system will have to be imported from Windows Active Directory.
    • To import users with Windows Authentication enabled:
      1. Open the Security>Maintain Users form and select Import Windows Authentication User. Use this button to import the Windows Active Directory accounts into the MIP system.
      2. Once selected, the Select Users form displays.
      3. Type in the Windows Authentication user names, separated by a semicolon, and click OK when finished.
      4. Click Finish to complete the import process.
      5. Click OK to return to the Maintain Users form.
    • To import groups with Windows Authentication enabled: If the group security model is preferred, create the desired security groups in Windows Active Directory and add the users to the target groups. See Set Up Executive View Users.
      1. Open the Security>Maintain Groups form and select Import Windows Authentication Groups. Use this button to import Windows Active Directory groups into the MIP system.
      2. Once selected, the Select Groups form displays.
      3. Type in the Windows Authentication groups, separated by a semicolon, and click OK when finished.
      4. Click Finish to complete the import process.
      5. Click OK to return to the Maintain Groups form.
  5. Note that newly imported Windows Authentication user accounts and groups are treated as new accounts within MIP. Therefore, System and Organization menu rights will need to be assigned according to the job function and security level desired for each user group.
  6. Establish proper system security for users using the Security>Set Up System Menus form.
  7. Create new groups for the organization (if appropriate) using the Security>Maintain Groups form.
  8. Establish proper organization security for users and groups using the Security>Set Up Organization Menus form.
  9. The first time a user opens MIP, they will need to enter their network user name and password, and select an organization. After that, they will no longer be required to enter this information when opening the MIP Fund Accounting system, provided they have been granted system security rights.

The following exceptions will prompt the user to log on with their Windows network user name and password:

  • Opening a different organization (File>Open Organization)
  • Logging on as a different user (File>Open Organization)
  • Accessing Scheduler (Start>Programs>MIP>MIP>Scheduler)

Notes:

  • All members of a certain group inherit the rights assigned to the group. Therefore, rights do not necessarily have to be assigned at the user level when groups are being used.
  • Importing Windows Authentication groups into MIP will also import all Windows users that are members of that group. This means once the group has been imported, the individual members of the group will be available in Security>Maintain Users.
  • Designated Executive View and Requisition user accounts will need to be assigned from the Security>Maintain Users menu and enabled for each desired user account.
  • Additional menu rights can be assigned at the user level that go beyond rights inherited by the group, as all permissions are additive within the system.
  • System menu rights are assigned at the user level and cannot be affected by group membership rights.
  • Windows group membership cannot be modified within the MIP Administration module. Membership changes within the group have to be made directly within the Windows Active Directory domain.
  • Deleting user and group accounts within the MIP system does not remove these objects from the Windows Active Directory domain. The deleted user and group accounts are only removed from MIP.
  • Disabling Windows Authentication will disable all Windows user and group accounts and reactivate any MIP Fund Accounting created accounts. However, all NPS user accounts with the exception of the named ADMIN account will have the password set to A6i1a_MIP (capital A, number six, lower-case i, number one, lower-case a, underscore, all caps MIP).

To Set Up Executive View Users

This is only an option if the Executive View module is installed.

To set up the Windows Authentication Executive View Users, you will need to perform the following steps:

  1. In order to use Windows Authentication, the MIP Fund Accounting server must reside in and be a member of a Windows Active Directory domain.
  2. Create a group in the Windows Active Directory domain where the MIP Fund Accounting server resides and is a member.
  3. In this group, add all the Executive View users.
  4. Open the MIP Fund Accounting system and log on as the Admin user.
  5. Select the Use Windows Authentication check box using Options>System Preferences. This will cause existing users in the MIP system to no longer be valid, with the exception of User "Admin."
  6. With Windows Authentication enabled, the Executive View user group can be imported from Windows Active Directory.
  7. Open the Security>Maintain Groups form and select Import Windows Authentication Groups. Use this button to import Windows Active Directory groups into the MIP system.
  8. Once selected, the Select Groups form displays.
  9. Type in the Windows Authentication groups, separated by a semicolon, and click OK when finished. This will bring in all of the Windows Groups including the Executive View users.
  10. Click Finish to complete the import process.
  11. Click OK to return to the Maintain Groups form.
  12. Give each user Executive View rights by opening Security>Maintain Users. Select the Executive View User check box to indicate that a user only has executive view rights.
  13. Set up system menu rights by opening Security>Set Up Organization Menus. Set up the rights for the Group.

Note: The key is not to set up an Executive View Group in the MIP system, but to import the Executive View users in a Windows Active Directory group.
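
A pre-import review for the two group import procedures above (the general group import and the Executive View group), written as an added PowerShell example; it is not part of the MIP product or its documentation. Because importing a group also imports every Windows user in it, the script lists the group's effective members before anything is typed into the Select Groups form. The group name MIP-ExecutiveView is a hypothetical placeholder, and the script assumes the RSAT ActiveDirectory module is installed and that the Select Users form accepts sAMAccountName values.

```powershell
# Added example, not vendor code. Run on the MIP Fund Accounting server.
# 'MIP-ExecutiveView' is a hypothetical group name; pass your own with -GroupName.
param(
    [string]$GroupName = 'MIP-ExecutiveView'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Prerequisite from step 1: the server must be a member of an AD domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "$($cs.Name) is not a domain member; Windows Authentication cannot be used."
}
Write-Host "Server $($cs.Name) is a member of domain $($cs.Domain)"

# -Recursive expands nested groups to their leaf members. The page does not say
# how MIP treats nested groups, so this is the conservative superset to review.
$members = @(Get-ADGroupMember -Identity $GroupName -Recursive)

# Pull the attributes worth checking before an account is granted menu rights.
$users = @($members |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LastLogonDate |
    Sort-Object SamAccountName)

$users | Select-Object SamAccountName, Name, Enabled, LastLogonDate |
    Format-Table -AutoSize

# Disabled accounts and non-user members (e.g. computer objects) usually
# indicate a group that needs cleanup in AD before it is imported.
$disabled = @($users | Where-Object { -not $_.Enabled })
if ($disabled.Count -gt 0) {
    Write-Warning "Disabled accounts in ${GroupName}: $($disabled.SamAccountName -join ', ')"
}
$nonUsers = @($members | Where-Object { $_.objectClass -ne 'user' })
if ($nonUsers.Count -gt 0) {
    Write-Warning "Non-user members in ${GroupName}: $($nonUsers.Name -join ', ')"
}

# Semicolon-separated list in the form the Select Users step asks for,
# useful when importing reviewed users individually instead of the whole group.
$importList = ($users | Where-Object { $_.Enabled }).SamAccountName -join ';'
Write-Host "Enabled users ($($users.Count - $disabled.Count)): $importList"
```

Membership problems found here are corrected in Active Directory itself, since Windows group membership cannot be modified within the MIP Administration module.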