07-13-2021 11:16 AM
Hyland FLOS configured our app server so that the Unity Client and Web Client can authenticate successfully. We are using AD - Enhanced authentication. However, all our custom applications that use the Unity API now fail to authenticate/connect. We are using CreateDomainAuthenticationProperties(). The solution I was given was to stand up a new app server with different authentication properties in IIS just for the API. I thought that the Unity API contained all the functionality that the Unity Client has. So why do I need a second app server? Before upgrading to EP3 we were using OnBase 17 and AD - Basic authentication. Thanks for your feedback/input!
07-14-2021 04:46 AM
07-14-2021 06:28 AM
Hi
The answer of if there MUST be multiple OnBase Application Servers is dependent on your environment and authentication needs. There are different configuration based on many factors which is why I can't give you a single answer without knowing what you are trying to setup. However, what I can say is that if the Application Server is used for non-interactive authentication from a front end web application, then an SPN must be configured on the server running the Application Server which will prevent having older versions (prior to 18.0.1.67) of the OnBase Application Server supporting authentication on the same server as a later version (post 18.0.1.67) OnBase Application Server supporting authentication. That is the ONLY absolute scenario which I can think of which is not supported (and this is a Microsoft implementation of Kerberos Authentication limitation).
07-14-2021 06:57 AM
I figured I would chime in here because I have a few questions about Disconnected Scanning and AutoLogin. I did some digging and from what I gathered in the MRGs is that Disconnected Scanning only supports AutoLogin if you utilize the OnBase IdP and configure it for AutoLogin in OnBase 18.
Based on that assumption (please let me know if I am wrong) would you need to configure the AppServer for Kerberos Authentication in IIS and set an SPN? From what I undertsand that would require setting the AppServer for "Optimized Windows Authentication" which would cause the OnBase IdP to fail.
I have not found clear documentation on what the working configuration for AutoLogin with Disconnected Scanning is in OnBase 18 post Kerberos authentication changes and would like to get some clarification.
Thanks!
07-14-2021 07:57 AM
Hey
With regards to Optimized Windows Authentication, this feature is confusing because enabling the settings both configures optimization for Windows Authentication AND it configures Kerberos Authentication. Kerberos Authentication is ONLY needed when there is a front end web app that needs to pass credentials from the authenticating user. With Disconnect Scanning (like the other remote apps), the user running Disconnect Scanning is directly authenticating against the Application Server and therefore Kerberos Delegation is not needed (and therefore no SPNs). However, Optimized Windows Authentication DOES configure page level authentication for the Application Server so there is less back and forth authentication traffic between the client workstation running the remote app and the server running the Application Server.
07-14-2021 08:02 AM
Find what you came for
We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.