Unified Logons - Unified Logins

pianosynth

Reputable Poster
I have been tasked with exploring the implementation of Unified Logons at my organization. So far, a search of the 'new' and 'improved' knowledge garden has turned up Doc OTI-01-0025 and a link to the manual. I am hoping that those of you who have installed Unified Logons would be willing to share your experiences and any tricks, traps or gotchas that you encountered. Also, if anyone knows of any other KG docs that cover this, would you please share the doc numbers with me? TIA.
 
I went down this same road as well. It will pretty much turn out to be a wild goose chase because you'll find next to nothing in the way of documentation nor, customers that have actually implemented unified logon. Punt.
 
I am working at two sites using unified logon, and have set it up for at least two others. It works fine; the only gotcha is that the Windows IDs need to be 10 chars or less. I don't know the effect of spaces in user names. If a change is required it can be a fairly major piece of work, so I usually get in early in the project and manage to define all this very early on.

Case sensitivity issues have all gone, which used to be a major problem with the Windows IDs having to be in uppercase. One major security flaw is that default user passwords are the same as the user ID, so someone not using Unified Logon can guess anyone's password. I get round this by setting random passwords for users at creation time; the user never gets this password as they don't need it.

I know of a site in the US that is using it only on Terminal Servers by setting up the JDE.INI file in the way requested. I use a special logon script to control the JDE.INI file on Fat and WTS machines accordingly. I install the Service on all Terminal Servers and set the server to be the local machine; this overcomes the issue of fault tolerance.

One final note is that if you install the Unified Logon service onto a Terminal Server, for some reason it won't install from the console, only from a remote session.

Hope this helps.
 
Thanks, Paul, this is exactly the type of stuff I'm looking for. Would you expand on your comment about fault tolerance? Are you saying that it speeds the login process to install the Unified Logon service on each WTS? My initial thought was to put the service on the DS since my ES is an HP9000. I have 5 developers/CNC on Fat clients and about 200 regular users on WTS. Another 100 users access JDE on WTS about once or twice a month. 1 DS, 2 ES (1 for PD and 1 for PY and DV), 5 FAT clients and 16 WTS. How would you proceed with Unified Logons in a similar environment?

We are in the clear as far as NT UserID size. Also, our NT IDs have no spaces. So far, I've identified that about 5% of the JDE IDs don't match the NT IDs... I'm about 75% done with that comparison.
 
pianosynth,
I have been successfully using Unified Logon for about a year now.
It has cut our help center calls by 1/2.
We have the service running on our Deployment server NT6.
We have 5 Citrix servers and about 150 Fat clients.
You MUST synchronize your domain names with OneWorld names!
It has been working great except for our test users on Citrix.
We turn off Unified logon in their INI files so they can go to PY for testing.
However, anytime I deploy an update package to Citrix it resets their INI back to the standard INI thus turning Unified Logon back on.
This is very much worth the trouble to implement.
Once done it requires virtually no maintenance.
 
Thanks, Bob. The Doc I have from the KG doesn't say anything about synchronizing JDE names with the NT Domain names. How do I accomplish this?
 
I finally got Unified Logons to work. Thanks to PaulDClark and Bob Duben for your very helpful comments.
PaulDClark, in an earlier reply you had mentioned having the Terminal Servers act as the Unified Logon validation machines. With multiple WTS, how do you accomplish this? Can you define more than one UnifiedLogonServer in the client INI? If so, what is the delimiter? A comma? Or do you have to maintain a separate INI for each WTS which gets applied when a user attaches to that specific server?
Two gotchas to add - since we have an HP9000 as the ES, these services couldn't be installed on the ES. We had to install them on the DS but, for some reason, the default account to run the services didn't have access even though it was a local administrator. I had to define a different administrator account and password before the services would start. The other gotcha - Step 7 in the configuration directions seems to indicate that you must add each user name from the desired domain(s), but you can in fact manage all of this through domain groups... and domain groups with spaces embedded work just fine.
 
For clients using MS SQL Server, you can schedule a job to extract a user list from the Active Directory to populate OneWorld. The script below creates new user accounts and assigns them to a group that has no rights within OneWorld.

To enable the account, all you have to do is reassign the new account to a user group that has rights within the system.

INSERT INTO jde7334.sys7334.f0092 (ULUSER, ULOUTQ, ULLlVL, ULlSEV, ULLMSG, ULAN8, ULMTVL, ULCMDE, ULUGRP, ULFSTP)
SELECT distinct substring(samaccountname, 1, 10), 'QPRINT', '4', '00', '*NOLIST', 0.0, 'Y', 'Y', 'WBHQDOWN', 'Y'
FROM OPENQUERY( ADSI,
'SELECT samaccountname, distinguishedName
FROM ''LDAP://DC=wbhq,DC=com'' WHERE objectCategory = ''person''')
WHERE (distinguishedName like '%OU=User Accounts%' or distinguishedName like '%CN=Users%') and substring(samaccountname, 1, 10) not in (select ULUSER from jde7334.sys7334.f0092)

insert into jde7334.sys7334.f98owsec
select USERID, SCOWPWD, SCSECFRQ, SCSECLST, SCSECUSR, SCSECPWD, SCSECTPE, SCUGRP, SCSECF1, SCSECF2, SCSECF3, SCSECV1, SCSECV2, SCSECV3, SCSECV4, SCSRVBLOBA, SCATTEMPTS, SCEUSER, SCRETRY, SCMUSE, SCPID, SCJOBN, SCUPMJ, SCUPMT
from (select distinct substring(samaccountname, 1, 10) as USERID from OPENQUERY( ADSI,
'SELECT samaccountname, distinguishedName
FROM ''LDAP://DC=wbhq,DC=com'' WHERE objectCategory = ''person''')
WHERE (distinguishedName like '%OU=User Accounts%' or distinguishedName like '%CN=Users%')) as A
join (select * from jde7334.sys7334.f98owsec where scuser='TEMPLATE') as B
on 1=1
where USERID not in (select SCUSER from jde7334.sys7334.f98owsec)
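Two points raised earlier in this thread deserve a check before a script like the one above is scheduled: Windows IDs must be 10 characters or less (and spaces are an unknown), and new accounts should get a random password rather than a default one. The AD extract above truncates sAMAccountName with substring(..., 1, 10) and relies on DISTINCT, so two AD accounts that share their first 10 characters silently collapse into one OneWorld user, and the f98owsec insert copies the TEMPLATE row's password into every new account. The following Python is an added example, not code from the thread or from JD Edwards: it takes a constructed list of sAMAccountName values, flags the names with spaces and the truncation collisions, skips users already in F0092, and prepares the remaining accounts with a placeholder no-rights group (NORIGHTS is a hypothetical name) and a random password, so the list can be reviewed before any INSERT runs.

```python
import secrets
import string

# Constructed sample of sAMAccountName values, as an AD extract might return them
SAMPLE_AD_ACCOUNTS = [
    "jsmith",
    "mary.jones",           # exactly 10 chars, kept as-is
    "accounting_clerk1",    # 17 chars: truncates to "accounting"
    "accounting_clerk2",    # same first 10 chars: collision with the line above
    "svc backup",           # contains a space
    "bduben",               # already present in F0092 (see below)
]

# Constructed sample of ULUSER values already present in F0092
EXISTING_ONEWORLD_USERS = {"bduben", "pianosynth"}

MAX_ID_LEN = 10            # Unified Logon limit on the Windows ID length
NO_RIGHTS_GROUP = "NORIGHTS"  # hypothetical group with no rights in OneWorld


def to_oneworld_id(sam_account_name: str) -> str:
    """Mirror the SQL substring(samaccountname, 1, 10) truncation."""
    return sam_account_name[:MAX_ID_LEN]


def random_password(length: int = 16) -> str:
    """Random per-user password; the user never needs it with Unified Logon."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def plan_provisioning(ad_accounts, existing_users):
    """Classify AD accounts into create / already exists / collision / has space.

    Returns a dict; only the 'create' entries are safe to insert unreviewed.
    """
    plan = {"create": [], "exists": [], "collisions": [], "spaces": []}
    seen = {}  # truncated id -> first sAMAccountName that produced it
    for sam in ad_accounts:
        if " " in sam:
            plan["spaces"].append(sam)
            continue
        ow_id = to_oneworld_id(sam)
        if ow_id in seen:
            # DISTINCT in the SQL would hide this; surface it for a human decision
            plan["collisions"].append((sam, seen[ow_id], ow_id))
            continue
        seen[ow_id] = sam
        if ow_id in existing_users:
            plan["exists"].append(ow_id)
            continue
        plan["create"].append(
            {"user": ow_id, "group": NO_RIGHTS_GROUP, "password": random_password()}
        )
    return plan


if __name__ == "__main__":
    result = plan_provisioning(SAMPLE_AD_ACCOUNTS, EXISTING_ONEWORLD_USERS)
    for key in ("create", "exists", "collisions", "spaces"):
        print(key, result[key])
```

Run it against a real extract by replacing the two constructed lists; anything in collisions or spaces needs a manual decision (or a rename on the Windows side) before the user is created, which is the same advice Paul gives about defining the IDs early in the project.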
 