
Using AD Enhanced with Multiple Domains OnBase v18

Nat_Mara
Star Collaborator

We are currently on version 18.0.1.48, and are using AD Basic authentication. We have 2 domains, and most users have an AD account in our production domain, but not in our preproduction domain. As such, users who want to log in via the CORE have to type their passwords when launching Unity. Because we are planning on upgrading to 22.1, and Basic is no longer supported, and because that authentication works better across multiple domains as well.

The question I have is how to set it up. The MRG talks about setting up the domain(s). Since most users do not have an AD account in the preproduction domain I was only going to add the Production domain. When we tried without using Alternate Binding Credentials it worked when we put in an admin account, but if I read the MRG, it says the best practice is to deselect that and use the default account to obtain the security context. Our preproduction application server is using an MSA that is a part of the preproduction domain but not the production domain as the identity in the Application pools. Since that is a preprod server the accounts are all preprod.

What are the best practices for setting up an account if that is what we choose to do? I had seen another question, where someone asked to explain AD integration, and it stated that the user running the Application server AppPool will need the "Read Group Membership" rights. Are there any other things that account needs to handle this?

Regards,

Nat

AdamShaneHyland
Employee

Hi @Nat Mara,

You could set up both PROD and PREPROD domains within the environment. You could further use the Alternate Binding Credentials option, which will use the configured domain account when binding to AD objects (users, user groups, etc.). When you configure Alternate Binding Credentials, OnBase will use that account instead of the Identity account (or Impersonation account, depending on configuration) for the Core (e.g. Application Server). For the Thick Client, the user context is always the logged-in user and will be used unless you configure Alternate Binding Credentials for the domain.

If you are getting prompted for credentials, that could be because the Core is configured for Interactive Authentication (Config | Utils | Directory Service Authentication), or because the Fail over to Interactive option is enabled, which will prompt for credentials when OnBase fails autologin.

More so to your question, the configuration of the second domain depends on whether you want to allow user accounts from the second domain to log in to the respective environment. If you want to allow that, then you configure the second domain. If you don't, then do not add it.

Hope this helps.

Best wishes.