07-16-2018 11:48 AM
Can you explain the communication and verification process between the workstation, OnBase and AD to authenticate the user?
07-17-2018 10:43 AM
07-17-2018 11:06 AM
07-17-2018 02:17 PM
Since there is interest in both the Thick Client and Core Products (such as Unity or Application Enabler), I can elaborate on both. They both follow a similar process; however, the application that is actually communicating with AD will differ between the Thick Client and Core Products. For the Thick Client, the actual client application on the user's workstation will be the one reaching out to AD; for core products, that will be the Application Server reaching out to AD. The reason this is important is because the user running the Application Server AppPool will need the ability to reach out to AD and query other users' user groups. Therefore, the 'Read Group Membership' rights will need to be granted to that account within AD. For the Thick Client, since the user running the application will always be able to query their own groups, there is no need for any additional permissions in that case.
Basically the process happens as follows for the Thick Client:
1.) The Client application will reach out to AD and ensure that the user's credentials are valid.
2.) The User Groups are then requested from AD.
3.) The Client then requests the list of OnBase User Groups from the OnBase database/the mappings configured for User Groups within OnBase to User Groups within AD.
4.) These two lists are then compared by the Client. If the user has successful mappings, the user will be logged into OnBase. If there are no successful mappings, then the user will not be logged into OnBase.
For core-based products the process is as follows:
1.) The client workstation will pass the user's credentials to the Application Server via IIS protocols.
2.) The AppServer will take the user credentials and validate the user against AD.
3.) If the user is valid, the AppServer will request the list of the user's user groups from AD.
4.) Then the AppServer will reach out to the OnBase Database and request the list of OnBase User Groups and/or mappings between OnBase and AD User Groups.
5.) The AppServer will then compare these two lists, and if there is a successful mapping, the user will be logged into OnBase. If there is not a successful mapping, the user will not be logged into OnBase.
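Added example, not part of the original post and not OnBase or Active Directory code: an in-memory model of the two flows described above, showing why the account that queries AD matters. The `Directory` class, the `login` function, all account and group names, and the choice to deny the login when the group lookup is refused are assumptions made for illustration.

```python
# Added illustration: an in-memory model, not OnBase or Active Directory code.
from dataclasses import dataclass, field

READ_GROUPS = "Read Group Membership"  # the right named in the post


@dataclass
class Directory:
    """Constructed stand-in for AD: passwords, group membership, granted rights."""
    passwords: dict
    member_of: dict
    rights: dict = field(default_factory=dict)  # account -> set of rights

    def validate(self, user, password):
        return self.passwords.get(user) == password

    def groups_of(self, caller, user):
        # A user can always read their own groups; any other caller needs the right.
        if caller != user and READ_GROUPS not in self.rights.get(caller, set()):
            raise PermissionError(f"{caller} cannot read groups of {user}")
        return set(self.member_of.get(user, ()))


def login(ad, mappings, caller, user, password):
    """Steps shared by both flows; `caller` is the account that talks to AD."""
    if not ad.validate(user, password):
        return False, "invalid credentials"
    try:
        ad_groups = ad.groups_of(caller, user)
    except PermissionError as exc:
        return False, str(exc)  # assumption: a refused lookup denies the login
    # mappings: AD group -> OnBase user group, as read from the OnBase database
    matched = sorted(mappings[g] for g in ad_groups if g in mappings)
    return (True, matched) if matched else (False, "no mapped groups")


# Constructed sample data (hypothetical names)
AD = Directory(
    passwords={"alice": "pw-a", "bob": "pw-b"},
    member_of={"alice": ["AD-Finance", "AD-Staff"], "bob": ["AD-Staff"]},
    rights={"svc-apppool-ok": {READ_GROUPS}},
)
MAPPINGS = {"AD-Finance": "OB-AP-CLERKS"}

if __name__ == "__main__":
    print(login(AD, MAPPINGS, "alice", "alice", "pw-a"))           # Thick Client
    print(login(AD, MAPPINGS, "svc-apppool-ok", "alice", "pw-a"))  # Core, right granted
    print(login(AD, MAPPINGS, "svc-apppool", "alice", "pw-a"))     # Core, right missing
    print(login(AD, MAPPINGS, "bob", "bob", "pw-b"))               # valid user, no mapping
```

In the model, the same valid user is admitted through the Thick Client path and through an AppPool account holding the right, and refused when the AppPool account lacks it.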
07-17-2018 02:55 PM