Application Server with Active Directory - Enhanced & Two Domains

Kelby_Adams
Confirmed Champ

I have a client that is in the process of merging two domains into a final domain. Onbase is configured for Active Directory - Enhanced with all three domains configured with Alternate Binding Credentials, and Thick-Client with -AL works flawlessly.

We have an Application Server joined to the final domain and configured for Windows Authentication. Unity Client connects successfully using NT Authentication for the Domain to which the Application Server belongs.

When we attempt to log into the /appserver/service.asmx page, we are prompted for login credentials, and the same of course happens when connecting via Unity Client from the two other domains.

I feel like I'm missing a setting in IIS to make this work properly due to the fact that the two non-working domains have trusts established with the "Final" domain, and the "Final" domain has trusts established independently to the two non-working domains.

Event Viewer keeps displaying bad username or password within the security logs, and it appears that my Application Server is trying to complete the Authentication instead of the Domain Controllers.

We have also enabled Impersonation using a user account that according to Active Directory has Account Operator rights in all three domains.

Any help would be greatly appreciated.

1 ACCEPTED ANSWER

AdamShaneHyland
Employee

Hi Kelby,

As Eric mentioned, for the Unity Client to work with domain authentication you will need to configure the Application Server's virtual directory with Windows Authentication enabled and Anonymous Authentication disabled. What this means is that any request to the virtual directory is going to require valid credentials (i.e. Windows Authentication enabled) in order to retrieve access to files in the virtual directory (i.e. the service.asmx page). If the user requesting access does not have permissions to the virtual directory then you will see a Windows dialog requesting a username and password.

From what you mentioned, you have two-way trusts between the "final" domain and the other two domains. What is not apparent is if any users from outside of the "final" domain can access ANY resources within the "final" domain (i.e. file shares, etc.). Unfortunately, adding the impersonation account or Application Pool identity account to the "final" domain's Account Operators group is most likely not going to help because the Account Operators group is a Built-In Active Directory group with a scope boundary of the domain in which it exists. This means that by adding the account to the Account Operators group, you are only granting it permissions within the "final" domain. You would have to delegate the same permissions in the other domains as well, which could be done by either using the Active Directory delegation feature or adding the account to the respective domain's Account Operators group. Typically I don't recommend adding the account running the Application Server to the Account Operators group as it grants a lot of permissions which are unnecessary. You can read more about this in the Network Security white paper (link).

The other potential issue is with IE. It is possible you might not have the correct Internet Security Zone configurations required for Windows Authentication. Here are some posts which might help:

https://www.onbase.com/community/onbase_product_communities/security_and_network_security_product_pa...

https://www.onbase.com/community/onbase_product_communities/security_and_network_security_product_pa...

Take care


3 REPLIES

Not applicable

You didn't mention the applicable settings in the app server's web.config file?

Eric_Beavers
Employee

Common settings I tend to forget include installing the Windows Authentication Role on my server and then enabling it in IIS (while disabling Anonymous)

Forgetting these usually results in a forced login box popping up after opening a client.
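An added PowerShell example, not from this thread or from OnBase, that applies the IIS settings the accepted answer and Eric's reply describe (Windows Authentication role installed and enabled, Anonymous Authentication disabled on the /appserver virtual directory) and then reads the result back so a misconfiguration shows up before a client is opened. The site name and the Web-Windows-Auth feature name are assumptions; run it in an elevated PowerShell on the Application Server.

```powershell
# Added example: enforce and verify the authentication settings described
# in the thread. Site name and feature name are assumptions.
Import-Module WebAdministration

$siteName = 'Default Web Site'   # assumption: the site hosting /appserver
$appPath  = 'appserver'          # the virtual directory named in the thread
$location = "$siteName/$appPath"
$root     = 'MACHINE/WEBROOT/APPHOST'
$winAuth  = 'system.webServer/security/authentication/windowsAuthentication'
$anonAuth = 'system.webServer/security/authentication/anonymousAuthentication'

# 1. IIS cannot enable Windows Authentication until the role service is installed.
if (-not (Get-WindowsFeature -Name Web-Windows-Auth).Installed) {
    Install-WindowsFeature -Name Web-Windows-Auth
}

# 2. Require credentials on the virtual directory: Windows Auth on, Anonymous off.
#    Both settings are written at the /appserver location, not for the whole server.
Set-WebConfigurationProperty -PSPath $root -Location $location `
    -Filter $winAuth -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $root -Location $location `
    -Filter $anonAuth -Name 'enabled' -Value $false

# 3. Read the effective settings back. If Anonymous is still enabled, IIS will
#    never challenge for credentials; if Windows Auth is off, every request fails.
$win  = Get-WebConfigurationProperty -PSPath $root -Location $location -Filter $winAuth  -Name 'enabled'
$anon = Get-WebConfigurationProperty -PSPath $root -Location $location -Filter $anonAuth -Name 'enabled'
$providers = (Get-WebConfiguration -PSPath $root -Location $location -Filter "$winAuth/providers").Collection |
    ForEach-Object { $_.value }

"Windows Authentication enabled  : $($win.Value)"
"Anonymous Authentication enabled: $($anon.Value)"
"Providers offered               : $($providers -join ', ')"

if (-not $win.Value -or $anon.Value) {
    Write-Warning "Authentication on $location is not configured as the thread recommends."
}
```

The providers line shows which Windows Authentication packages the server will offer; seeing only one is worth noting when cross-domain logons are failing in the security log.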
