User Authentication

Project Server 2003 can authenticate users who have a Windows user account, a Project Server user account, or both. By default, authentication for Project Server 2003 is set to Mixed, which means that both Windows and Project Server authentication methods are allowed. Users who need to access information stored on servers running Windows SharePoint Services, Microsoft SQL Server™ 2000, or Analysis Services must use Windows authentication.

You can use the User authentication page in Project Web Access to configure user authentication. The following figure shows the User authentication page.

The User authentication page in Project Web Access.

You can choose one of the following authentication options:

  • Mixed    Allows both Windows authentication and Project Server authentication. However, a single authentication method must be specified for each user account. Some users can use Windows authentication while others can use Project Server authentication.
  • Windows authentication only    Permits only Windows authentication for all users. This allows for the highest level of security because all users must use their Windows user accounts to authenticate to the computer running Project Server 2003. If you select this method, all Project Server authentications will be handled transparently for all users who accept the Project Server End User Licensing Agreement (EULA) and download the Project Web Access Microsoft ActiveX controls (second-time access).
  • Project Server authentication only    Permits Project Server authentication only for all accounts. Project Web Access users must supply a user name and password each time they log on to Project Web Access.

It is recommended that you use Windows authentication only, as this type of authentication is generally more secure than Project Server authentication or mixed authentication.

If you change authentication methods after creating Windows authenticated user accounts, those Windows authenticated user accounts are immediately deactivated.

 Note   For more information about deactivated user accounts, see the topic Deactivating or Reactivating a User in Managing Users, in the Microsoft Office Project Server 2003 Administrator's Guide.

Windows SharePoint Services (Documents, Issues, and Risks) and Analysis Services (Portfolio Analyzer and Portfolio Modeler) require Windows authentication. If you select Mixed authentication, additional steps are required in order to allow Project Server users access to those features in Project Web Access.

 Note   The Project Web Access default administrator account is always a Project Server user account. Ensure that at least one user with administrative privileges uses the authentication method that you defined on the User authentication page in Project Web Access.

It is recommended that you configure Internet Information Services (IIS) to use Secure Sockets Layer (SSL) for increased security. If you do not configure IIS to use SSL, potentially sensitive data is sent in plain text between the clients and servers on your network. Examples of this include:

  • If you are using Project Server accounts, user names and passwords are sent from client to server in plain text.
  • All information exposed through the Project Data Service (PDS) is transmitted in plain text, including a SQL Server 2000 user name and password.
  • Project Web Access users can transmit potentially sensitive company data between client and server in plain text.

Recommendations for Determining User Authentication Methods

Consider the following general security guidelines when determining whether to choose Windows authentication only, Project Server authentication only, or Mixed authentication:

  • If all users accessing the computer running Project Server 2003 already have (or can have) a Windows domain account, use only Windows authentication.
  • If users cannot have a Windows domain account, use Project Server authentication.
  • If some users need to access the computer running Project Server 2003 from the Internet but do not have a Windows account, use Mixed authentication, and consider setting up unique sets of roles, permissions, and categories to separate internal access users from external access users.
  • Determine whether project managers are allowed to create resources when they publish projects and assignments to the Project Server database. If project managers are allowed to create their own resources, they should use Windows authentication for all resources that have a Windows user account. This information can be entered in the Windows User Account field in Project Professional.

    When a Windows user account is specified for a resource and a workgroup message is sent to that resource, the Windows user account is used to create the account for that resource in the Project Server database. If a Windows user account has not been specified, then the name of the resource is used to create a Project Server account for the new user.

  • If your organization is using Windows SharePoint Services, you should support Windows authentication for users who need to access the Documents, Risks, and Issues features.

Because Project Web Access runs in Microsoft Internet Explorer, the Project Server URL must include the correct capitalization when users log on to Project Web Access by using Project Server authentication (username/password). If your organization is using Project Server authentication, be sure that users are aware that the Project Server URL is case sensitive when they are entering the URL for the computer running Project Server 2003. The default case setting for the Project Server URL is the following:

  • http://SERVERNAME/ProjectServer

Alternatively, the URL might include one of the following case settings:

  • http://servername/ProjectServer
  • http://servername/projectserver

If the URL is not entered exactly as it is defined during Project Server Setup or by the Project Server administrator in Project Web Access, some Project Web Access and Windows SharePoint Services functionality will not be available. Users might experience the following problems:

 Note   The following also applies to Project Professional 2003 or Microsoft Project Professional 2002 users who are using Project Server authentication.

  • XMLHTTP may fail silently when users access features and data provided to Project Web Access from a server running Windows SharePoint Services.
  • Users can attempt to create a new session in Internet Explorer from Project Web Access, but the new session attempt will fail.
  • When a user saves an issue or risk that has a linked task, the linked task information might not be preserved.
  • Custom Active Server Pages (ASP) and/or custom menus in Project Web Access 2003 might not function as designed.
  • Project Server data that uses a customized extension of the Project Data Service (PDS) might not function as designed.
  • Content on the Project Web Access Home page that is placed in an IFRAME might not display properly.

If you are using Project Server authentication in your environment, ensure that the Project Server URL is identical in the following locations:

  • The intranet protocol and server name fields on the Enter Web server address information page in Project Server Setup. For more information about this field, see the topic Enter Web Server Address Information in Configuring the Front-End Components in Chapter 7, Install Project Server 2003, in the Microsoft Office Project Server 2003 Installation Guide.
  • The Server intranet address field on the Server configuration section of the Project Web Access Admin page. For more information about this field, see the topic Specifying the Intranet or Extranet Address for the Computer Running Project Server 2003 in Enabling Features, in Chapter 5, Configuring Project Server 2003, in the Microsoft Office Project Server 2003 Administrator's Guide.
  • The pds.wsdl file for users of the Project Data Service (PDS). For more information about reconfiguring the Project Server URL for the Project Data Service, see the topic Configuring Web Server Address Settings in Chapter 8, Post-Installation Tasks, in the Microsoft Office Project Server 2003 Installation Guide.
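The comparison across these locations can be scripted. The following PowerShell is an added example, not part of the original documentation and not Microsoft's code. The function name Test-ProjectServerUrlCase and the sample URLs are hypothetical, and the value found in each location is assumed to have been collected by hand. It also flags URLs that use plain HTTP rather than SSL.

```powershell
# Added example (not Microsoft code). Compares, case-sensitively, the Project Server
# URL recorded in each location against the URL defined during Project Server Setup.
function Test-ProjectServerUrlCase {
    param(
        [Parameter(Mandatory = $true)][string]$SetupUrl,
        [Parameter(Mandatory = $true)][hashtable]$Found   # location name -> URL seen there
    )
    $base = $SetupUrl.TrimEnd('/')
    # Anchor on the base URL so that a longer URL (for example one read from
    # pds.wsdl) still compares, but http://server/ProjectServerX does not.
    $pattern = '^' + [regex]::Escape($base) + '(/|$)'

    foreach ($location in ($Found.Keys | Sort-Object)) {
        $url = [string]$Found[$location]
        # PowerShell's -match and -eq ignore case by default, which would hide the
        # very mismatch this check is looking for. -cmatch is the case-sensitive form.
        if ($url -cmatch $pattern) {
            $status = 'Match'
        } elseif ($url -imatch $pattern) {
            $status = 'CaseMismatch'      # same URL, different capitalization
        } else {
            $status = 'Different'
        }
        New-Object PSObject -Property @{
            Location  = $location
            Url       = $url
            Status    = $status
            PlainHttp = ($url -like 'http://*')   # True when SSL is not in use
        }
    }
}

# Constructed sample values; replace them with what each location actually contains.
$found = @{
    'Server intranet address (PWA Admin page)' = 'http://servername/ProjectServer'
    'pds.wsdl'                                 = 'http://SERVERNAME/ProjectServer/sample-endpoint'
}
Test-ProjectServerUrlCase -SetupUrl 'http://SERVERNAME/ProjectServer' -Found $found |
    Format-Table Location, Status, PlainHttp, Url -AutoSize
```

With the sample values, the Server intranet address entry is reported as CaseMismatch and the pds.wsdl entry as Match; both are flagged PlainHttp.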

Setting Authentication Options

You can specify the authentication methods that users can use to log on to Project Web Access by selecting one of the following options:

  • Windows authentication (domain name\user name)
  • Project Server user accounts (user account and password)
  • Mixed (both Windows and Project Server authentication)

In addition, you can specify the length of Project Server user account passwords.

To specify the user authentication type

  1. On the Project Web Access Admin page, in the side pane under Actions, click Manage security.
  2. In the side pane, under Security options, click User authentication.
  3. On the User authentication page, under Specify how users should be authenticated by Project Server, select the method you want users to use when logging on to Project Web Access. Choose one of the following options:
    • Mixed    Users can be authenticated by means of Windows authentication by using the user account logon ID, or with Project Server authentication by using a logon ID and password entered by the user.
    • Windows Authentication only    Users can only use Windows authentication. All Project Server authentication accounts will be deactivated. Deactivated Windows authenticated user accounts remain disabled.
    • Project Server authentication only    Users can only use Project Server authentication. All Windows authenticated user accounts will be deactivated. Deactivated Project Server user accounts remain disabled.
  4. Click Save Changes.

To disable user authentication settings

  1. Select the user authentication method that your organization wants to use (Mixed, Windows Authentication only, or Project Server authentication only) on the User authentication page that is available from the Admin page in Project Web Access.

  2. On the computer running Project Server 2003, open the Registry Editor.
  3. Create a DWORD Value at the following location in the registry:
     HKEY_LOCAL_MACHINE\Software\Microsoft\Office\11.0\MS Project\WebClient Server\ProjectServer\Datasets\Applications
     Name the DWORD Value DisableAuthEdit and assign it a value of 1.

This disables all of the user authentication options in Project Web Access.
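The registry step can be applied and verified from an elevated PowerShell prompt instead of the Registry Editor. This is an added example, not part of the original documentation and not Microsoft's code. The key path and the DisableAuthEdit value name are the ones given in the steps above; the function names Get-AuthEditLock and Set-AuthEditLock are hypothetical.

```powershell
# Added example (not Microsoft code). Run on the computer running Project Server 2003.
# Key path and value name are taken from the procedure above.
$KeyPath   = 'HKLM:\Software\Microsoft\Office\11.0\MS Project\WebClient Server\ProjectServer\Datasets\Applications'
$ValueName = 'DisableAuthEdit'

# Reports the current state without changing anything, so it can be used in an audit.
function Get-AuthEditLock {
    param([string]$Path = $KeyPath, [string]$Name = $ValueName)

    if (-not (Test-Path -LiteralPath $Path)) { return 'KeyMissing' }

    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'ValueMissing' }

    # The procedure calls for a DWORD; a string value "1" is not the same setting.
    $kind = (Get-Item -LiteralPath $Path).GetValueKind($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { return "WrongType:$kind" }

    if ($item.$Name -eq 1) { return 'Locked' }
    return "Unlocked:$($item.$Name)"
}

# Creates or overwrites the value as DWORD 1, then re-reads it to confirm.
function Set-AuthEditLock {
    param([string]$Path = $KeyPath, [string]$Name = $ValueName)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Registry key not found: $Path"
    }
    New-ItemProperty -LiteralPath $Path -Name $Name -PropertyType DWord -Value 1 -Force |
        Out-Null
    return Get-AuthEditLock -Path $Path -Name $Name
}

# Audit first; apply only if the value is not already in place.
$state = Get-AuthEditLock
if ($state -ne 'Locked') { $state = Set-AuthEditLock }
"DisableAuthEdit state: $state"
```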

To set the Project Server password length

  1. On the Project Web Access Admin page, in the side pane under Actions, click Manage security.
  2. In the side pane, under Security options, click User authentication.
  3. On the User authentication page, under Password Length for Project Server Authentication, enter the minimum length for Project Server passwords in the Minimum length that users must set their passwords to text box.

     Changing this setting does not affect existing passwords; it only affects password creation when users change their passwords or create new passwords.

  4. Click Save Changes.
 
 
Applies to:
Deployment Center 2003