Question

Windows Authentication Headache

asked on August 10, 2016

At my workplace we have two Laserfiche servers. On the first one, a server that was recently rebuilt from a clone, I have Web Access configured. All of the repositories on the first server are accessible from Web Access and can be logged into via the "Use Auto Login/Use Windows Authentication" buttons. 

The repositories on the second server, where Web Access is not installed, are visible from Web Access but are inaccessible via the "Use Auto Login/Use Windows Authentication" button combo. Typing the domain\username and password allows for access, however.

Weeks ago I had issues with licenses because of restoring the first server, which happens to also be the LFDS server. Could this be a license issue? I thought I updated everything.

Does anyone know how to solve this authentication issue?

For reference, I attempted to set up SPNs for each server and set the appropriate delegations; however, one of my Laserfiche servers is named the same thing as my Laserfiche service account. Could this be causing issues?

Additionally, Windows Auth is enabled under IIS Manager on each server.

Why does Web Access' Windows Auth work on the rebuilt server1 and not on server2?

0 0

Replies

replied on August 10, 2016

When Web Access and the Laserfiche server are running on the same machine, Windows authentication will work with no special configuration.  When the web browser, Web Access, and Laserfiche are on three separate machines (i.e. when authentication has to cross "two hops"), this is the scenario that requires additional configuration.

Having the machine name the same as an account name can complicate matters.  I believe you can indicate the machine account by appending a $ at the end, but I've never encountered this in practice.  You'll also have to trust the Web Access machine for delegation.  If you haven't read the whitepaper on configuring Kerberos I would definitely recommend it.

1 0
replied on August 15, 2016

My scenario is exactly as you describe. Everything on different hosts. I did set up the delegation stuff in addition to the SPNs and read through the Kerberos article. I'm still having issues with my second server and Windows Authentication though.

Is there any sort of log I can look at that might give me an idea of what's missing?

0 0
replied on August 15, 2016

Troubleshooting Kerberos failures can be tricky.  From the Laserfiche side, we just pass values from one machine to another and we don't get any information from Windows beyond the Access Denied error.  This article has a good overview of how to figure out what is going wrong.  You can also turn on error logging for Kerberos.

1 0
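
As an added example (not part of the thread and not Laserfiche's own tooling), the checks the replies point at can be scripted in PowerShell: the computer-versus-service-account name collision, delegation on the Web Access machine, and Kerberos error logging. The host and account names are hypothetical placeholders, and the script assumes the ActiveDirectory RSAT module and an elevated prompt on the Web Access machine.

```powershell
# Added example: read-only checks plus Kerberos event logging for a double-hop failure.
# All names are hypothetical placeholders; replace them with your own.
Import-Module ActiveDirectory

$WebAccessHost = 'WEBACCESS01'  # hypothetical: machine running Web Access under IIS
$SharedName    = 'LFSERVER02'   # hypothetical: name shared by a server and a service account

# 1. AD tells the two accounts apart by sAMAccountName (the computer's ends in '$').
#    List both to see which object actually holds the SPNs.
$filter = "(|(sAMAccountName=$SharedName)(sAMAccountName=$SharedName`$))"
Get-ADObject -LDAPFilter $filter -Properties sAMAccountName, servicePrincipalName |
    Format-List sAMAccountName, ObjectClass, servicePrincipalName

# 2. An SPN registered on two accounts leaves the KDC unable to issue a ticket for it.
#    -X searches the domain for duplicate SPNs.
setspn -X

# 3. Delegation settings on the middle hop. If the Web Access application pool runs
#    as a domain account rather than the machine identity, run the same check
#    against that account with Get-ADUser instead.
$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
Get-ADComputer $WebAccessHost -Properties $props |
    Format-List (@('Name') + $props)

# 4. Turn on Kerberos event logging on this machine (documented LogLevel value).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name LogLevel -PropertyType DWord -Value 1 -Force | Out-Null

# 5. Reproduce the failed Windows Authentication login, then read the newest
#    Kerberos events from the System log.
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, Message

# 6. Logging is noisy; remove the value once troubleshooting is done.
# Remove-ItemProperty -Path $key -Name LogLevel
```

Steps 1 to 3 only read from Active Directory; step 4 changes the local registry and should be reverted with step 6 afterwards.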