Windows Authentication - Configuration

Applies to Infiniti v8.7.1 or later

By default, installations initially configure Forms Authentication. To change this to Windows Authentication, which allows the use of Active Directory users and groups, the following changes need to be made in the web.config files located in both the Manage and Produce installation folders.

Note: A Windows group must be added in Manage with the exact spelling of the Active Directory group, and the External Group box must be checked, before users can log in.

How to enable Windows Authentication

Comment out the Forms Authentication Configuration Section

Enclose the Forms Authentication section in <!-- and --> comment markers, as in the example below:
<!--<authentication mode="Forms">
    <forms name="idoxAuth" path="/" loginUrl="WebLogin.aspx" protection="All" timeout="30" enableCrossAppRedirects="true" />
</authentication>
<membership defaultProvider="FormsMembershipProvider">-->

Uncomment the Windows Authentication Configuration Section

Remove any existing <!-- and --> comment markers around the Windows Authentication section. If the elements are not present, add them as follows:
<authentication mode="Windows" />
<membership defaultProvider="WindowsMembershipProvider">

The final result should look like this:

<!--<authentication mode="Forms">
  <forms name="idoxAuth" path="/" loginUrl="WebLogin.aspx" protection="All" timeout="30" enableCrossAppRedirects="true" />
</authentication>
<membership defaultProvider="FormsMembershipProvider">-->

<authentication mode="Windows" />
<membership defaultProvider="WindowsMembershipProvider">
  <providers>
    [...]
  </providers>
</membership>

The Forms Authentication elements are left in place, commented out, so that the change can be reversed later if necessary.


Check the Windows MembershipProvider settings

Example:
<add name="WindowsMembershipProvider" type="Intelledox.MembershipSecurity.WindowsMembershipProvider" keepdomain="false" logging="false" nestedgroups="true" adpath="LDAP://AlphaBeta" />
  1. "Logging" - True/False. When true, the membership provider writes to the eventlog table when certain events occur. These events are:
    • Auth start,
    • No groups found,
    • User and Group match,
    • User search,
    • Group search.
    Note: This option should only be enabled for troubleshooting, as the log files can grow extremely large. The default value is 'false'.
  2. "NestedGroups" - True/False. Controls whether the groups the user is a member of are themselves checked for membership of other groups. This can be slow on some domains; when this option is off, only the groups the user is a direct member of are checked against Infiniti groups. Default is 'true'.
  3. "ADPath" - Overrides the default directory search path of "LDAP://mydomainname", where the domain name is taken from the user's Windows credentials (e.g. AlphaBeta\Citizenj). That default may not be the quickest place to perform AD queries, however.
    • The config value can be set to an alternative path. Default is blank (uses the dynamic domain name).
  4. "keepDomain" - True/False, False by default. When set to True, accounts are created in the format "domain\username". This attribute enables (Trusted) Multi-Domain support and is required when usernames are not unique between domains.
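The following PowerShell check is an added example, not part of the Infiniti documentation: it reads a web.config and reports whether the Windows Authentication state described in the steps above is in place, flagging a provider left with logging="true". The function name, the temporary file path and the embedded sample config are assumptions constructed for the example.

```powershell
# Added example (not from the Infiniti documentation). Reads a web.config and checks
# the Windows Authentication state described above; names and paths are assumptions.
function Test-InfinitiWindowsAuth {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$cfg = Get-Content -Path $Path -Raw
    $web = $cfg.configuration.'system.web'
    $findings = [System.Collections.Generic.List[string]]::new()
    # The live (uncommented) authentication element must be mode="Windows".
    $auth = $web.authentication
    if ($null -eq $auth -or $auth.mode -ne 'Windows') {
        $findings.Add("authentication mode is '$($auth.mode)', expected 'Windows' (Forms section still active?)")
    }
    # membership must select the Windows provider, and its <add> entry must exist.
    $ms = $web.membership
    if ($ms.defaultProvider -ne 'WindowsMembershipProvider') {
        $findings.Add("membership defaultProvider is '$($ms.defaultProvider)', expected 'WindowsMembershipProvider'")
    }
    $prov = @($ms.providers.add) | Where-Object { $_.GetAttribute('name') -eq 'WindowsMembershipProvider' }
    if ($null -eq $prov) {
        $findings.Add('no <add name="WindowsMembershipProvider"> under <providers>')
    } else {
        # logging="true" is a troubleshooting setting; the article warns the log grows very large.
        if ($prov.logging -eq 'true') { $findings.Add("logging='true' left on: disable after troubleshooting") }
        if ($prov.nestedgroups -ne 'true') { $findings.Add("nestedgroups='$($prov.nestedgroups)': only direct AD group membership will match External Groups") }
    }
    [pscustomobject]@{ Path = $Path; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample mirroring the "final result" shown above, with logging left on.
$sample = @'
<configuration><system.web>
  <!--<authentication mode="Forms">
    <forms name="idoxAuth" path="/" loginUrl="WebLogin.aspx" protection="All" timeout="30" enableCrossAppRedirects="true" />
  </authentication>
  <membership defaultProvider="FormsMembershipProvider">-->
  <authentication mode="Windows" />
  <membership defaultProvider="WindowsMembershipProvider">
    <providers>
      <add name="WindowsMembershipProvider" type="Intelledox.MembershipSecurity.WindowsMembershipProvider"
           keepdomain="false" logging="true" nestedgroups="true" adpath="LDAP://AlphaBeta" />
    </providers>
  </membership>
</system.web></configuration>
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'infiniti-sample-web.config'
Set-Content -Path $tmp -Value $sample
Test-InfinitiWindowsAuth -Path $tmp | Format-List   # Compliant=False, with the logging finding
```

Run it against both the Manage and Produce web.config files, since the change is required in both. On the server itself, the IIS Authentication setting from the next step can be read with Get-WebConfigurationProperty from the WebAdministration module.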

IIS Settings Configuration

Open IIS Manager and locate the Infiniti instance;
In the right-hand panel, select "Authentication";
Ensure that only Windows Authentication is enabled, as per the diagram below:

Manage Configuration

Add one or more External Groups to Manage, with name(s) exactly matching an Active Directory group of which the desired user(s) are a member. Users who reach Infiniti without being a member of an Active Directory group that has also been set up as an External Group in Manage will be prompted for credentials.
To create an External Group for an Active Directory group:
  • In Manage, navigate to the Groups page
  • Add a new group
  • Enter the group name as an exact match of the corresponding Active Directory group
  • Check the "External Group" box underneath the name field
  • Save the changes
Note that you can't manually add a user to an External Group, as membership of the group is controlled by the Membership Provider (in this case, the Windows Authentication provider). Any user reaching Manage/Produce who is a member of a configured External Group will be allowed access to Infiniti as a member of that group.

Refresh Infiniti

Open the browser, clear the cache, and launch the Infiniti Produce instance.

Keywords

authentication, Windows Authentication, Active Directory, AD usergroup