Windows Authentication - Configuration

Applies to Infiniti v8.7.1 or later
 

By default, installations are configured for Forms Authentication. To switch to Windows Authentication, which allows the use of Active Directory users and groups, make the following changes to the web.config files in both the Manage and Produce installation folders.

 

How to enable Windows Authentication

Comment out the Forms Authentication Configuration Section

Enclose the Forms Authentication section, including the opening <membership> tag for the Forms provider, in "<!--" and "-->" comment markers as per the example below:
<!--<authentication mode="Forms">
    <forms name="idoxAuth" path="/" loginUrl="WebLogin.aspx" protection="All" timeout="30" enableCrossAppRedirects="true" />
</authentication>
<membership defaultProvider="FormsMembershipProvider">-->
 

Uncomment the Windows Authentication Configuration Section

Remove any existing "<!--" and "-->" comment markers around the Windows Authentication section. If the elements are not present, add them as follows:
<authentication mode="Windows" />
<membership defaultProvider="WindowsMembershipProvider">

The final result should look like this:

<!--<authentication mode="Forms">
  <forms name="idoxAuth" path="/" loginUrl="WebLogin.aspx" protection="All" timeout="30" enableCrossAppRedirects="true" />
</authentication>
<membership defaultProvider="FormsMembershipProvider">-->

<authentication mode="Windows" />
<membership defaultProvider="WindowsMembershipProvider">
  <providers>
    [...]
  </providers>
</membership>

The Forms authentication elements are preserved to facilitate later reversal of the change, if it should become necessary.

 

Check the Windows MembershipProvider settings

Example:
<add name="WindowsMembershipProvider" type="Intelledox.MembershipSecurity.WindowsMembershipProvider" keepdomain="false" logging="false" nestedgroups="true" adpath="LDAP://AlphaBeta" />
  1. "Logging" - True/False. When enabled, the membership provider writes to the eventlog table when certain events occur. These events are:
    • Auth start,
    • No groups found,
    • User and Group match,
    • User search,
    • Group search.
    Note: This option should only be enabled for troubleshooting, as log files can grow extremely large. The default value is 'false'.
  2. "NestedGroups" - True/False. Controls whether the groups the user is a member of are themselves checked for membership of other groups. This can be slow on some domains, so when this option is off only the groups the user is directly a member of are checked against Infiniti groups. Default is 'true'.
  3. "ADPath" - This setting overrides the default directory search path of "LDAP://mydomainname". The domain name used comes from the user's Windows credentials (e.g. AlphaBeta\Citizenj). However, this might not be the quickest place to perform AD queries.
    • The config value can be set to use an alternative path. Default is blank (uses the dynamic name).
  4. "keepDomain" - True/False. Set to False by default. When set to True, accounts are created in the format "domain\username". This attribute enables (Trusted) Multi-Domain support and is required when usernames are not unique between domains.
 

IIS Settings Configuration

Open IIS and locate the Infiniti Instance;
In the right-hand panel, select "Authentication";
Ensure only Windows Authentication is enabled as per the diagram below:
 

Refresh Infiniti

Open the browser, clear the cache, and launch the Infiniti Produce instance.
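
The settings described in the steps above can be verified with a script. The following PowerShell is an added example, not part of the original article or of the vendor's tooling; the web.config paths and IIS site/application names are assumed placeholders, and it uses the WebAdministration module that ships with IIS.

```powershell
# Added example (not vendor code). The paths and IIS locations are assumed
# placeholders: point them at the real Manage and Produce installations.
$ConfigPaths  = 'C:\inetpub\wwwroot\Infiniti\Manage\web.config',
                'C:\inetpub\wwwroot\Infiniti\Produce\web.config'
$IisLocations = 'Default Web Site/Infiniti/Manage',
                'Default Web Site/Infiniti/Produce'

function Get-AttrValue($Node, [string]$Name) {
    # Case-insensitive lookup: the article writes both "logging" and "Logging".
    # A missing node or attribute yields $null.
    ($Node.Attributes | Where-Object { $_.Name -ieq $Name } |
        Select-Object -First 1).Value
}

function Test-InfinitiWebConfig([string]$Path) {
    $cfg = [xml](Get-Content -LiteralPath $Path -Raw)
    # XPath selects elements only, so the commented-out Forms block is ignored.
    $web  = "//*[local-name()='system.web']"
    $auth = $cfg.SelectSingleNode("$web/*[local-name()='authentication']")
    $mem  = $cfg.SelectSingleNode("$web/*[local-name()='membership']")
    $prov = $cfg.SelectSingleNode("//*[local-name()='add'][@name='WindowsMembershipProvider']")
    if ((Get-AttrValue $auth 'mode') -ne 'Windows') {
        "${Path}: authentication mode is not 'Windows'"
    }
    if ((Get-AttrValue $mem 'defaultProvider') -ne 'WindowsMembershipProvider') {
        "${Path}: membership defaultProvider is not 'WindowsMembershipProvider'"
    }
    if ($null -eq $prov) {
        "${Path}: no WindowsMembershipProvider entry under <providers>"
    } elseif ((Get-AttrValue $prov 'logging') -ieq 'true') {
        "${Path}: provider logging is on (intended for troubleshooting only)"
    }
}

function Test-IisAuthentication([string]$Location) {
    foreach ($scheme in 'anonymousAuthentication', 'basicAuthentication', 'windowsAuthentication') {
        $query = @{ PSPath = 'IIS:\'; Location = $Location; Name = 'enabled'
                    Filter = "system.webServer/security/authentication/$scheme" }
        # A scheme whose IIS feature is not installed reads as disabled.
        $enabled  = [bool](Get-WebConfigurationProperty @query -ErrorAction SilentlyContinue).Value
        $expected = $scheme -eq 'windowsAuthentication'
        if ($enabled -ne $expected) { "${Location}: $scheme enabled=$enabled (expected $expected)" }
    }
}

Import-Module WebAdministration
$findings = @($ConfigPaths | ForEach-Object { Test-InfinitiWebConfig $_ }) +
            @($IisLocations | ForEach-Object { Test-IisAuthentication $_ })
if ($findings) { $findings | Write-Warning } else { 'OK: Windows Authentication only' }
```

Run it from an elevated PowerShell session on the web server. A warning for anonymousAuthentication means the site still accepts unauthenticated requests alongside Windows Authentication.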
 

Keywords

authentication, Windows Authentication, Active Directory, AD usergroup