Windows Authentication and secured features in Triaster Server

Windows Authentication is a method of authentication used in Internet Information Services (IIS), Microsoft’s web server software. In this article it is applied more narrowly than in its usual role of securing files in combination with NTFS permissions.

Automatic authentication

Triaster Server has Administration and Approval features that are available only to users with the appropriate permissions set in Triaster Server. The Administration and Approvals webpages have required an explicit log-on to access such features. In the most recent versions of Triaster Server, there is the option of using Windows Authentication: the user is identified from the web request, that user’s default e-mail address is looked up in Active Directory, and the address is used to identify the user as recorded in Triaster Server. If the user has the necessary permissions, the secured webpage is opened without a challenge for credentials.

Requirements and implementation

General

  • A user has to have a default e-mail address recorded in Active Directory (but not necessarily a mailbox).
  • A user has to be recorded as a user in Triaster Server.
  • Triaster Server has to be able to interrogate Active Directory and reference a user’s e-mail address.

In Internet Explorer

These configurations apply to those who view and use Process Library websites through Internet Explorer.

1. Integrated Windows Authentication needs to be enabled

2. Automatic logon needs to be enabled
3. The Triaster websites should be associated with the Local Intranet zone


Triaster Services / Publication User

For installation, configuration and support purposes, the Triaster Services user (also known as the Publication user) should be recognised as a user with full permissions on secured functionality. This user should be:

  • Added as a user in Triaster Server with full permissions.
  • A domain user, recorded in Active Directory, with a default e-mail address (but a mailbox isn’t necessary).

This needs to be done before switching to Windows Authentication (described below). Otherwise, this functionality will be inaccessible to the Triaster Services user.

Triaster Server IIS authentication

In Internet Information Services (IIS), web applications associated with secured functionality have to be authenticated using Windows Authentication, with other authentication methods disabled. This is most easily achieved by running the Triaster Server postinstall executable with the appropriate arguments.

(Run ‘as administrator’.)


Triaster\TriasterServer2011\Services\TriasterServerPostInstall.exe /a:"windows"

When prompted, check the proposed configurations before proceeding.

Note

To revert to challenge authentication, the executable would be run with this argument:


Triaster\TriasterServer2011\Services\TriasterServerPostInstall.exe /a:"forms"

Fully-qualified host name

If using a fully-qualified host name (perhaps using an alias), that host name needs to be excluded from the Windows loopback security check to allow access to these features when working directly on the server.

1. In the Registry, create a new Multi-String Value:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\BackConnectionHostNames

2. Modify the Value, adding:


AliasOrHost.domain.com
(and press ENTER.)
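
The two registry steps above, scripted in PowerShell as an added example (not Triaster's own code): it appends to any existing BackConnectionHostNames entries rather than replacing them, and warns if the broader DisableLoopbackCheck setting has been turned on. AliasOrHost.domain.com is the article's placeholder host name, and the script is assumed to be run from an elevated prompt on the server.

```powershell
# Added example: run from an elevated PowerShell prompt on the Triaster server.
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msvKey    = "$lsaKey\MSV1_0"
$valueName = 'BackConnectionHostNames'
# Placeholder from the article; replace with the alias or FQDN used for the site.
$hostNames = @('AliasOrHost.domain.com')

# Read the current Multi-String value, if one exists, and drop blank entries.
$prop    = Get-ItemProperty -Path $msvKey -Name $valueName -ErrorAction SilentlyContinue
$current = @()
if ($prop) { $current = @($prop.$valueName | Where-Object { $_ }) }

# Append only names not already listed (-notcontains is case-insensitive).
$merged = $current
foreach ($name in $hostNames) {
    if ($merged -notcontains $name) { $merged += $name }
}

if ($merged.Count -gt $current.Count) {
    # -Force overwrites the value with the merged list, so existing entries are kept.
    New-ItemProperty -Path $msvKey -Name $valueName -PropertyType MultiString `
        -Value ([string[]]$merged) -Force | Out-Null
    Write-Output "Updated ${valueName}: $($merged -join ', ')"
} else {
    Write-Output "$valueName already lists: $($current -join ', ')"
}

# DisableLoopbackCheck = 1 switches the check off for every host name, which is
# broader than the per-host exclusion above; flag it if it has been set.
$lsa = Get-ItemProperty -Path $lsaKey -Name 'DisableLoopbackCheck' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.DisableLoopbackCheck -eq 1) {
    Write-Warning 'DisableLoopbackCheck is 1: the loopback check is disabled for all host names.'
}
```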

Reference

‘DisableLoopbackCheck. Lets do it the right way’
http://tinyurl.com/jjaxks7

Summary

This article has described how users can be authenticated automatically without a challenge for credentials when accessing secured features of Triaster Server.
