
Do my VPN authenticated users need to login to my WebSite to Use OnBase NT Authentication?

Hank_Thomas1
Star Contributor

No one will be able to access my website until they have logged in to the institution's VPN/portal.

I am unclear if I need to have users log in again, this time to my ASP.Net website, to pass the domain user name to OnBase.

Is the current user's username not available to my app if they have not logged in?

Thanks

1 ACCEPTED ANSWER

Scott_McLean
Elite Collaborator

Hi Hank,

The issue you're looking at is going to be true with interactions among any web applications where NT authentication is used, not just OnBase.

You're facing what are really two problems:

  1. Passing credentials from one web application to another is what's known as a "double hop." This is intentionally prevented, since it would be very easy to misuse.
    1. For example, if a user with greater access than the programmer authenticates to the web application, that user's credentials could then be used to gain access to resources from which the developer would otherwise be blocked.
    2. It is possible (with sufficiently open trusts) to configure a system in which you can enable a double hop between two specific applications, but the configuration to support this is generally in violation of recommended security standards.

  2. If the user does not authenticate to your application, then you have no credentials to pass in any event.
    1. In this scenario, it would not matter if you had opened the trusts sufficiently to allow a double-hop. Since your application does not see the user's credentials, it has nothing to pass along when it establishes an API connection to OnBase.

If you are simply launching a client session and not attempting to create an API session, then the client itself can accept the user's NT credentials, and there is no need for you to pass them along. So in that scenario, your VPN users should be able to access OnBase.

I hope that helps some. If not, please clarify how you intend to use the current user credentials, and I'm sure one of the geniuses on here will help some more.

Kind regards and happy coding,

Scott
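An added example, not code from the original post or from OnBase/Hyland: a minimal ASP.NET (System.Web) handler that shows what the two problems in the accepted answer look like from inside the application, by reporting the Windows identity IIS established for the request next to the identity of the worker process, and whether the caller's token could be forwarded at all. The class name, the `/whoami.ashx` path and the IIS settings quoted in the comment are assumptions for illustration.

```csharp
// Added example (not from the original post or the OnBase product): an ASP.NET
// (System.Web) handler that shows which Windows identity the application can
// actually see. Assumes IIS with Windows Authentication enabled and Anonymous
// Authentication disabled for this site, i.e. in web.config:
//
//   <system.web>
//     <authentication mode="Windows" />
//     <authorization><deny users="?" /></authorization>   <!-- no anonymous -->
//   </system.web>
//
// The VPN/portal login is a separate authentication event; the browser still has
// to answer the IIS Negotiate (Kerberos/NTLM) challenge before User.Identity
// carries a domain user. Class name and the "/whoami.ashx" path are assumptions.
using System;
using System.Security.Principal;
using System.Web;

public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Identity of the caller, as established by IIS for this request.
        var caller = context.User == null ? null : context.User.Identity as WindowsIdentity;

        // Identity of the worker process (app pool account). This is what any
        // outbound connection runs as when the caller is not authenticated or
        // when no impersonation/delegation is configured; it is NOT the end user.
        var process = WindowsIdentity.GetCurrent();

        context.Response.ContentType = "text/plain";

        if (caller == null || !caller.IsAuthenticated || caller.IsAnonymous)
        {
            // Problem 2 from the answer: the app never saw the user's
            // credentials, so there is nothing to pass to a backend API.
            context.Response.StatusCode = 401;
            context.Response.Write("No Windows identity on this request; " +
                "enable Windows Authentication and disable Anonymous in IIS.\n");
            context.Response.Write("Process identity: " + process.Name + "\n");
            return;
        }

        context.Response.Write("Caller:  " + caller.Name + " (" + caller.AuthenticationType + ")\n");
        context.Response.Write("Process: " + process.Name + "\n");

        // Problem 1 (double hop): even with a caller identity, the token IIS
        // holds is usually Impersonation-level, which is only valid on this
        // machine. A Delegation-level token (Kerberos delegation granted to the
        // web server's account in AD) is required before this identity could be
        // forwarded to another server such as an OnBase application server.
        bool canDelegate = caller.ImpersonationLevel == TokenImpersonationLevel.Delegation;
        context.Response.Write("Token can be delegated to another server: " + canDelegate + "\n");
    }
}
```

Drop it into the site as `whoami.ashx` (`<%@ WebHandler Language="C#" Class="WhoAmIHandler" %>`) or register it under `system.webServer/handlers`, then open it from a VPN-connected browser. If the first branch fires after the VPN login, the portal session is not reaching IIS as a Windows logon and the user has to authenticate to the site as well. If the caller shows up but the token is not Delegation-level, the application can only reach a backend as its own process account, which is the double-hop limit the answer describes.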

