Introduction

Web client and Ad hoc contacts are contacts of the MassTransit server who use MassTransit Web (MTWeb) for transferring files. In addition, if the administrator of your MassTransit server has given permissions, the Web client contacts can view the log of the MassTransit server, send files to arbitrary email addresses or send a request for files to be sent to them, see reports, fill out job tickets, etc.

If configured, you can use a secure connection to the MassTransit server and assure privacy of the file transfers when transmitting files over the internet.

MassTransit 7 supports transfers of files and folders with Unicode characters for Web client and Ad hoc contacts when using MassTransit plug-in. Unicode is NOT supported when using HTTP transfer method.

To connect to the MassTransit server, you need to launch a supported web browser, open the MassTransit web site login page, and enter your login credentials that the administrator has provided to you. If you are an Ad hoc contact, you may not need to enter your login credentials if you have received an email with a passkey link which will automatically log you into the web site.

NOTE: In MassTransit 7.2 and later, users who log into MTWeb using a passkey link can set a permanent password for their account. For more information see the Changing Password section.

The supported web browsers which can be used to log in to the MassTransit web site are the following:

on Windows machines

• Internet Explorer 7 or higher
• Firefox 3 or higher
• Chrome 4.0 or higher (HTTP transfer only)

on Macintosh machines

• Safari 3 or higher
• Firefox 3 or higher
• Chrome 4.0 or higher (HTTP transfer only)

  INFO: MassTransit 7.2.1 adds support for Internet Explorer 9, Firefox 4, 64-bit Safari 5 and MassTransit 7.2.3 adds support for Safari 5.1.

Go to top

MassTransit requires web contacts to maintain passwords that meet certain complexity requirements. A weak password is one of the most common ways for a malicious attacker to compromise an account. This feature ensures that passwords are more difficult for automated systems to decrypt and for unauthorized users to guess.


  Password Guidelines

MassTransit’s Password Complexity feature requires that passwords meet the following guidelines. The password must meet the following requirements:

    1. At least 6 characters long.

    2. Contains one English character, number, and non-alphanumeric character. Supported characters are as follows:

 !\”#$%&’()*+,-./:;<=>?@[]^_{|}~

    3. Does not match or contain the contact name or the login name.

For example, if user Jane Doe (with login name jane) is changing her password, and Password Complexity is being enforced, the following password examples will not meet the requirements, and therefore cannot be used:

    password — Password does not contain a number or non-alphanumeric character.
    janedoe1! — Password contains both the Username and Login Name.
    12a$ — Password is less than 6 characters long.

Good examples of strong passwords are as follows:

    4pRte!ai@3 — not a dictionary word, has both cases of alpha, plus numeric, and non-alphanumeric characters
    0@u2to0mo9b!19le64 — A word “automobile” with numbers mixed throughout and random non-alphanumeric characters

NOTE: These passwords are no longer strong passwords and should not be used as they have been published.

When users change their passwords, the new password must meet the complexity requirements. They will be provided with an error message describing the requirements if the password they select is not complex enough.


  Configuring Password Complexity

Password Complexity is enabled by default. New web contacts, users changing existing passwords, or users with expired passwords will immediately be subjected to the new requirements upon installing MassTransit.

The Password Complexity can only be disabled globally, not per client. In order to disable it, you need to contact the Administrator of your MassTransit Server.


Go to top

Before transferring files with MTWeb, you need to have a user name and password for logging into the MassTransit web site. Depending on the authentication method that is used on the MassTransit server, you need:

• for MassTransit authentication – if you are a Web client contact, please contact the administrator of the MassTransit server to provide you with your MassTransit login credentials. If you are an Ad hoc contact, simply click the passkey link that was sent to your e-mail address by a Web client contact.
• for Active Directory authentication – if Active Directory authentication is configured on the MassTransit server and you have Active Directory login credentials, you can use them to log into the MassTransit web site.
• for Single Sign-On – the web browser can be configured to log you into the MassTransit server without asking for your Active Directory login credentials. To use Single Sign-On for authentication to the web site, it first needs to be configured on the MassTransit server by the administrator.
  
  
  Go to top
  
  
  
  Logging in with MassTransit Login Credentials

  ---

  
  To log into the MassTransit web server using MassTransit login credentials, follow these steps:

    1. Open a supported web browser.

    2. Open the login web page of the MassTransit server.

    3. Enter your MassTransit user name in the User Name field.

NOTE: If you are an Ad hoc contact that is trying to log in, simply click the passkey link in the email you received.

    4. Enter your MassTransit password in the Password field.

    5. Click on the Login button to log into the server.

Now, you should be able to use MTWeb.


Go to top

NOTE: Only Web client contacts can log into the MassTransit web server using their Active Directory login credentials.

To log into the MassTransit web server using your Active Directory login credentials, follow these steps:

    1. Open a supported web browser.

    2. Open the login web page of the MassTransit server.

    3. Enter your Active Directory logon name in any of the following formats:
         - username;
         - username@domain.com;
         - DOMAIN\username.

    4. Enter your Active Directory password.

    5. Click on the Login button to log into the server.

Now, you should be able to use MTWeb.


Go to top

NOTE: Only Web client contacts can log into the MassTransit web server using their Active Directory login credentials.

Single Sign-On (SSO) is a feature that allows Active Directory users connected to an Active Directory-enabled MassTransit HP Server to authenticate to the MassTransit MTWeb interface without typing a username and password.

Due to security considerations, modern web browsers will not automatically provide authentication information to web sites unless they are part of your local intranet or explicitly defined within the browser’s configuration parameters. This ensures that authentication information is not sent to a malicious web site inadvertently, which could compromise organizational security.

These next sections will assist you in configuring various browsers to use the single sign-on feature with your SSO-enabled MassTransit HP MTWeb instance.

Before configuring your web browsers, make sure the following requirements are met:

• The client machine must be bound to Active Directory in order for this feature to function properly;
• The current logged-in user must have a valid Active Directory account, and this account must be associated with a contact within MassTransit;
• For Mac OS X, Kerberos must be properly configured and a valid ticket granting ticket (TGT) must be active for the logged-in user;
• If any of the following conditions is present on the client machine:
      - the client machine is not presently bound, or,
      - is accessing from a remote location where authentication to the Active Directory infrastructure is not possible, or,
      - if the connecting user has a valid MassTransit account that is not associated with Active Directory,
  then MTWeb users will be presented with a NTLM authentication dialog on Microsoft Windows and Mac OS X. Users in these circumstances can "fall back" to the legacy MTWeb login page by dismissing the dialog by clicking the Cancel button, or pressing Escape. Due to the way these NTLM authentication dialogs work, they will not accept login names for MassTransit contacts that are not associated with Active Directory. Instead you must use the "fall back" feature and login from the legacy MTWeb login page.

• NTLM Dialog:

Apple Safari on Mac OS X does not directly support this ability to "fall back" and therefore, in order to use the standard MTWeb login page, the user must append index.php to the MTWeb address, which then bypasses the single sign-on component.

For example, if you are connecting to http://masstransit.company.com, the user should append index.php to this address, and then click Go or press Enter in their web browser to connect to http://masstransit.company.com/index.php.


Go to top

Firefox allows you to define "trusted" sites using hostnames, IP addresses or combinations - including wildcards - that authentication data should be automatically passed to. These steps apply for Firefox versions 3 or later on both Microsoft Windows and Mac OS X.

    1. Launch Firefox.

    2. In the Address Bar, enter about:config and then press Enter. In the warning message that appears, click the I'll be careful, I promise! button. A very long list of configuration parameters for Firefox will be displayed.

    3. Using the Filter textbox, type network.negotate. Five (5) options will be returned.

    4. Double click on the network.negotiate-auth.trusted-uris option:
         a. In the resulting dialog, enter the hostname or IP address of the SSO-enabled MTWeb host. Acceptable inputs are as follows:
            - IP address (i.e. 10.10.20.80)
            - Hostname (i.e., masstransit.company.com)
            - Wildcards (i.e., .company.com or 10.10.20.*)
            - Separate multiple entries with a comma (i.e., masstransit1.company.com,10.10.20.80)

         b. Once entered, click OK.

    5. Restart Firefox.

Single sign-on configuration for Firefox is now complete. You may test the functionality by visiting your MTWeb installation when bound to Active Directory and authenticated as a user associated with a MassTransit contact. If working properly, Firefox will not prompt you to login. Instead, you will be automatically navigated to the MassTransit File Transfer page. Your Active Directory login, in the form of DOMAIN\USERNAME, will appear in the upper-left-hand corner of the MTWeb interface.


Go to top

Internet Explorer, by default, will automatically provide authentication credentials to sites defined as being part of the Local Intranet. Internet Explorer contains logic that automatically attempts to identify sites on the intranet network. However, due to network layouts and other factors, this may not always work reliably. Therefore, we need to instruct Internet Explorer to consider your MTWeb installation as part of the Local Intranet zone.

    1. Launch Internet Explorer.

    2. From the Tools menu, click Internet Options.

    3. Click the Security tab. Then, click Local intranet.

    4. Click the Sites button.

    5. In the Local intranet dialog, click the Advanced button. In the resulting dialog, add the URLs for your SSO-enabled MTWeb installation. You should provide both the DNS hostname and the IP address for the server. Uncheck the Require server verification (https:) for all sites in this zone check box.

    6. Click Close.

    7. Verify that Internet Explorer's options have not deviated from the default by clicking Custom level… on the Security tab.

    8. Scroll to the bottom of the Settings list. Under User Authentication section, ensure that the radio button for Automatic logon only in Intranet zone is selected. Optionally, you can reset IE to the zone defaults, which are Medium-low.

    9. Click OK. Then click OK in Internet Options to apply your changes.

   10. Restart Internet Explorer.

Single sign-on configuration for Internet Explorer is now complete. You may test the functionality by visiting your MTWeb installation when bound to Active Directory and authenticated as a user associated with a MassTransit contact. If working properly, Internet Explorer will not prompt you to login. Instead, you will be automatically navigated to the MassTransit File Transfer page. Your Active Directory login, in the form of USERNAME, will appear in the upper-left-hand corner of the MTWeb interface.


Go to top

Safari supports single sign-on out of the box, and requires no configuration to use this feature. Safari relies on Mac OS X's support for the MIT Kerberos standard for authentication to connect to single sign-on-enabled services. Active Directory uses Kerberos version 5 for authentication by default.

The Mac OS X machine needs to be bound to the Active Directory domain to allow for single sign-on to be used. This feature works with the built-in Active Directory plug-in and optional third party software, such as ADmit Mac from Thursby Software.

When logging in with an Active Directory user account, Mac OS X will be assigned a Kerberos ticket that dictates the services the user is allowed to use. Safari uses this ticket to connect to the SSO-enabled MTWeb server.

You may test the functionality by visiting your MTWeb installation when bound to Active Directory and authenticated as a user associated with a MassTransit contact. If working properly, Safari will not prompt you to login. Instead, you will be automatically navigated to the MassTransit File Transfer page. Your Active Directory login, in the form of DOMAIN\USERNAME, will appear in the upper-left-hand corner of the MTWeb interface.


Go to top

Other browsers may work, but have not been tested and may not provide the higher levels of security when using SSO. It is recommended that you use the browsers mentioned in this document when accessing your SSO-enabled MTWeb instance.


Go to top

The Web client and/or Ad hoc contacts can use the MassTransit Web Assistant plug-in or the HTTP feature of MassTransit to transfer files.

Only the MassTransit plug-in can use the advanced communication protocols of MassTransit - TCP/IP, TCP/IP Secure, and UDT. They provide the ability to modify the transfer packets and buffer sizes in order to increase the transfer speed. In addition, the MassTransit Assistant plug-in allows transferring huge file volumes. In HTTP mode on the other hand, you can only transmit up to 2GB of files in a single transfer but your MTWeb users will be able to send and receive files without installing anything on their machines.

Ad hoc delivery works in both transfer modes plug-in and HTTP. They also provide secure file transfers when configured.

Using the MassTransit plug-in, you can drag and drop files for uploading, and Unicode support for the file names is implemented.

Below is a table where you can find detailed information about the differences between the two transfer methods.

NOTE: Please note that the maximum allowable file size you can transfer in a single file transfer in HTTP mode is 2GB. This maximum size can be set by the MassTransit Server administrator and may be less than 2GB. The MassTransit Assistant plug-in does not have such a limitation.

Go to top

For detailed information about how to send files with MassTransit Web, please refer to the Sending Files page of the Web Client User Guide.


Go to top

For detailed information about how to download files with MassTransit Web, please refer to the Downloading Files page of the Web Client User Guide.


Go to top

MassTransit 6.0.2 and later support transfers of files and folders with Unicode characters in TCP/IP, TCP/IP Secure, and UDT file transfers. By default, MassTransit will queue and transfer files and folders with high Unicode (>0xFF) successfully across the MassTransit protocol (TCP/IP, TCP/IP Secure, and UDT connections).

NOTE: Note that Unicode is not fully supported for web client HTTP transfers, hot folder transfers, FTP transfers, or with AppleScript. If you have Unicode support enabled and use Unicode filenames with these features, you may encounter file not found errors or munged filenames.

NOTE: Having Unicode support enabled on your server will still fail to transfer Unicode characters when connecting to legacy contacts or contacts with Unicode support disabled.

There are a number of limitations to Unicode support:

• FTP and Hot Folder communication methods do not fully support Unicode characters. Most Unicode characters will be munged when transferred with these communication methods.
• Unicode is not supported for web client HTTP transfers. Both Windows and Mac web clients will present an error if a user attempts to transfer files or folders containing Unicode characters. This limitation will be removed in a future release.
• Unicode characters in folder names will be replaced with dashes in web client downloads. This limitation will be removed in a future release.
• Unicode is not fully supported in the MassTransit user interface or email notifications. Unicode characters may not be properly displayed in the MassTransit Log, Files window, and email notifications containing file lists.
• MassTransit’s AppleScript interface does not support retrieval of Unicode characters. If a script retrieves a Unicode file name or folder name via the AppleScript interface, the file name will not be correct. This may impact the success of purging and workflow scripts processing files and folders with Unicode characters in the names.
• Programmatic submission of files containing Unicode characters (via COM, AppleScript, or SOAP) is not supported at this time.
• Only Unicode characters up to 0xFFFF are supported.

Go to top

MassTransit helps you keep track of each event and file received and sent from the web by using a Web client contact with the appropriate privileges assigned. There are a couple of options for the Web client contacts to track MassTransit:

• Log viewer – the Log viewer allows you to track information from the Log window of the MassTransit Administrator application. The Log window keeps a record of each event as users contact others, move files, and process them in applications. To help you use the Log viewer to trouble-shoot, the Log viewer records the name of the user that launched MassTransit if permitted to. For contacts with Log viewing privileges, the MassTransit Web interface will have a “Log” tab.
• Reports – Reports is a feature which can be used through the MassTransit Web interface only. It allows Web client contacts to see reporting information based on privileges that are granted from the MassTransit Administrator. For contacts with reporting privileges, the MassTransit Web interface will have a “Reports” tab.

Detailed information about the each of the tracking options and how to use them is displayed on the Tracking MassTransit Online page.


Go to top

You can find information about the MassTransit server and web client versions you use, and some other useful information if you click on the Information button in your MassTransit web account.

Below is the list of all displayed parameters which appears after a click on the Information button:

• Server Information – information about the MassTransit server of the Web client / Ad hoc contact that is currently logged in;
  • MassTransit SOAP Interface Version – version number of the SOAP interface;
  • MTWeb Version – version number of MTWeb;
  • MTWeb Build Number – version number of the MTWeb build;
  • mtHostInfo – address and port number of the MassTransit host;
  • PHP Version – version number of PHP installed;
  • PHP OS;
  • Server Signature – web server signature;
  • Database Host – database host address;
  • Database User – database user used for accessing the MassTransit database;
  • Database Name – name of the MassTransit database;
  • Reporting Database Host – host address of the reporting database, if configured;
  • Reporting Database User – database user that accesses the reporting database, if configured;
  • Reporting Database Name – name of the reporting database, if configured;
• Client Information – information about the MassTransit web client which the Web client / Ad hoc contact uses to log into the MassTransit web site;
  • Platform – the currently used platform for accessing the MassTransit web site;
  • Browser – web browser that is currently used by the Web client / Ad hoc contact for accessing his web account;
  • User Agent;
  • MassTransit Plugin Installed – a flag that indicates whether the MassTransit plug-in is installed;
  • MassTransit Plugin Version – version number of the installed MassTransit Web Assistant plug-in, if installed.

Go to top

If you need information about your MassTransit web user account or help for how to use it, click on the Help link that appears in the user interface of the web account.

Clicking on the Help link refers the users to the Web Client User Guide home page.


Go to top

The MassTransit Server may require the Web client or Ad hoc contact to change their passwords at intervals. The Web client or Ad hoc contact is prompted to enter a new password when one is required or can change it from the My Account tab at any time.

NOTE: MassTransit Web clients will have the ability to change their passwords from the My Account tab only if the administrator has enabled the password change. Otherwise, the My Account tab will be disabled and you will need to contact the administrator of the MassTransit Server. Contacts using Active Directory to authenticate will never see the My Account tab.

NOTE: In MassTransit 7.2 and later users who log into MTWeb using a passkey link can set a permanent password for their account. They use the passkey to log into MTWeb and will not be forced to enter the current password in order to create a permanent one.

• For web client using permanent password to log in MTWeb.

    1. Go to the My Account tab.

    2. Type the current password and type the new password twice. Click Submit to change the password.

• For web client using passkey link to log in MTWeb.

    1. Go to the My Account tab.

    2. Type a new password twice. Click Submit to change the password.


Go to top

Click on the Logout button to log out of the MassTransit web site.

         


Go to top