The SDL Trados GroupShare components TM Server and MultiTerm Server allow you to integrate Active Directory users into Translation Memory Server and MultiTerm Server user management. The diagram below outlines the Single Sign On mechanisms:
Notes
- Unlike the 2009 SP2 version, where you had to specify an LDAP server in the TM Server user interface, the 2009 SP3 and later versions query the domain directly via the SDL Application Service, provided that service runs under a domain user account.
- Users added to the TM/MultiTerm Server from the domain are not kept in sync with the domain, so removing a user from the domain (for example when someone leaves the company) does not remove that user from TM/MultiTerm Server user management.
- It is not possible to add user groups to user management. All users need to be added individually.
Connectivity
- To use Windows authentication, the client application must be able to reach the SDL Application Service on port 41000 (in addition to port 80, which carries the rest of the communication). If port 41000 is blocked by a firewall, Windows authentication will not work; SDL authentication only requires access to port 80.
- Windows authentication via the Studio or MultiTerm Client only works if you are currently connected to the domain. This is by design.
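As an added example (not SDL's own tooling or documentation), the following PowerShell script checks the three requirements stated in the Notes and Connectivity sections: the client is joined to the domain, TCP ports 80 and 41000 on the server are reachable, and the SDL Application Service runs under a domain user account. The server host name and the service display-name pattern are assumptions; adjust them for your environment.

```powershell
# Added example, not SDL's own tooling. Assumed values: $ServerHost is a
# placeholder and $ServicePattern is a guess at the service's display name.
param(
    [string]$ServerHost     = "groupshare.example.local",
    [string]$ServicePattern = "%SDL Application Service%",
    [int[]] $Ports          = @(80, 41000)
)
$results = @()

# 1. Windows authentication only works while the client is connected to the domain.
$cs = Get-CimInstance Win32_ComputerSystem
$results += [pscustomobject]@{
    Check  = "Client is domain-joined"
    Result = $cs.PartOfDomain
    Detail = $cs.Domain
}

# 2. Port 80 carries normal traffic; port 41000 is additionally needed for
#    Windows authentication and is the one a firewall usually blocks.
foreach ($p in $Ports) {
    $tcp = Test-NetConnection -ComputerName $ServerHost -Port $p -WarningAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = "TCP $p reachable on $ServerHost"
        Result = $tcp.TcpTestSucceeded
        Detail = if ($p -eq 41000) { "needed for Windows authentication" } else { "needed for all traffic" }
    }
}

# 3. On the server, the SDL Application Service must run as a domain user,
#    otherwise it cannot query the domain. Built-in and local accounts
#    (LocalSystem, NT AUTHORITY\..., NT SERVICE\..., .\user) fail this check.
$svc = Get-CimInstance Win32_Service -Filter "DisplayName LIKE '$ServicePattern'"
if ($svc) {
    foreach ($s in $svc) {
        $acct = $s.StartName
        $isDomain = $acct -and $acct -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\|\.\\)' -and $acct -match '[\\@]'
        $results += [pscustomobject]@{
            Check  = "'$($s.DisplayName)' runs as a domain account"
            Result = [bool]$isDomain
            Detail = $acct
        }
    }
} else {
    $results += [pscustomobject]@{ Check = "SDL Application Service found"; Result = $false; Detail = "not installed here; run this part on the GroupShare server" }
}

$results | Format-Table -AutoSize
```

Run it once on a client workstation (checks 1 and 2) and once on the GroupShare server (check 3); any row with Result False points at one of the requirements above.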
Security
- User credentials are transferred encrypted whether you use Windows or SDL authentication, so authenticating over HTTP does not expose them.
- No passwords will be stored in the SDLSystem database for Windows authentication.
- When using SDL authentication, passwords are stored in the SDLSystem table, but only in encrypted form.
- Only the first request transfers the password; once the token is received, it is used to authenticate the user to the server.
Methodology
- As of the 2009 server product line, the products use the generic Windows single sign-on mechanisms via Microsoft WCF calls for Windows authentication, with all the restrictions that apply there (for instance, Windows authentication does not work in a non-Windows domain environment such as a Samba DC with an OpenLDAP server).