LDAP Authentication

<< Click to Display Table of Contents >>

EQuIS 7  >>  Enterprise > Installation and Configuration > Configuration > Additional Authentication Options >

LDAP Authentication

When EQuIS Enterprise is installed, it uses Application Level Security (ALS), meaning EQuIS authenticates user accounts in the ST_USER table. For some organizations, it makes more sense to use Windows Active Directory (or any LDAP provider) to manage user authentication.

 

EQuIS Enterprise may be configured to use LDAP authentication with these considerations:

 

Folder Permissions

 

IIS relies on file and folder Access Control List entries to determine if an individual user has permissions to view that page. EarthSoft recommends creating a Domain Group to manage access to EQuIS Enterprise. Alter the folder security for the .\Enterprise7 folder, and add an ACL entry for this new Domain Group. Grant the group Read Execute, List folder contents, and Read permissions.

 

IIS Settings

 

Windows Authentication is an IIS component that will identify a user by their Windows domain account when visiting an IIS website. Windows Authentication is not installed by default starting with Windows Server 2008 R2 (aka IIS 7.5). Go through Add Role Services for the "Web Service" role to add Windows Authentication as an available feature. Previous versions of IIS will automatically install Windows Authentication as an available feature.

 

Warning: The authentication settings for the EQuIS Enterprise virtual directory (e.g. Default Website/equis) must be changed such that Windows Authentication is the only authentication enabled!

 

Disable Anonymous authentication and Forms authentication, and enable Windows Authentication. To support both internal users (using LDAP) and external users (using EQuIS Enterprise application-level security), the user can create two separate instances of the virtual/physical directory with different authentication modes.

 

Browser Settings

 

Depending on your browser configuration, your browser may work with Windows Authentication without any additional configuration. However, in some cases, additional configuration may be necessary. The following links may be useful in troubleshooting Windows Authentication with various browsers.

 

Google Chrome

http://dev.chromium.org/developers/design-documents/http-authentication

http://ben-tech.blogspot.com/2011/09/chrome-and-ntlm-authentication.html

https://specopssoft.com/blog/configuring-chrome-and-firefox-for-windows-integrated-authentication/

Mozilla Firefox

https://thycotic.force.com/support/s/article/Configuring-Firefox-for-Integrated-Windows-Authentication

http://blog.satyr.nl/post/fixing_the_localhost_authentication_problem_in_firefox/

Microsoft Edge

https://stackoverflow.com/questions/30334289/cant-open-localhost-in-microsoft-edge-project-spartan-in-windows-10-preview

https://msdn.microsoft.com/en-us/library/windows/apps/hh780593.aspx?f=255&MSPPError=-2147217396

 

Web.config Settings

 

In order to use Windows Authentication, modify your .\Enterprise7\web.config file. Open web.config in an XML editor and around  line 19 change "none" to "Windows" as seen below:

Change from:
 

     <authentication mode="None" />
 
to
 
     <authentication mode="Windows" />

 

Database Settings

 

When a user tries to access the EQuIS Enterprise virtual directory using LDAP, EQuIS will compare their LDAP user name (i.e. "DOMAIN\user") to the valid users in the ST_USER table. If there is no matching record in the ST_USER table (e.g. user_name = 'DOMAIN\user'), they will not be able to use the application (it will appear as if they are not logged in). They first need to be added as a user, and then activated and assigned roles (including the Enterprise License Role), and permissions. The error log will contain a note that mentions who tried to log in and was denied. A similar notification is also sent to the administrator for the User Validate service. It is strongly recommended that the person implementing LDAP authentication add their own domain account and assign it to the Admin role before starting this procedure.

 

EQuIS Professional

 

LDAP authentication may be used for EQuIS Professional in conjunction with EQuIS Enterprise and ALS.