
Question

Weblink 9 and Full named user license in Rio

asked on September 11, 2016

 I have a customer that has upgraded from LF 8.3 Standard to LF 10.1 Rio. As part of this, they also upgraded from Weblink 8 to Weblink 9. I am having trouble with the Weblink licensing.
 The configuration should:

  1. Allocate 50 Full named user licenses who should access the Laserfiche repository using the Desktop client, scan documents and perform other Full named user functions
  2. Allow the rest of the organization (of around 3000 employees) to access these documents through Weblink. The customer has a Pilot Public Portal license with 25 concurrent connections


Configuration
 Licenses:

  • Managed by LF Directory Server 10. We are doing AD synchronization to assign full named users a group called Laserfiche Full Named Users
  • Laserfiche server 10 - There is just one Laserfiche server which is also licensed for the 25 Public Portal licenses.

 Weblink

  • Weblink 9 is installed on a separate server from the Laserfiche server and is configured to automatically log in using the accessing user's Account (Windows authentication). Windows authentication is through Kerberos

 Laserfiche Admin console

  •   There is a Laserfiche group called "All Domain users". Entry Access rights within the repository are assigned to this group - This is what most employees should see
  •   There is a Windows group in the LF Admin console called Domain Users. This group is a member of the LF group All Domain Users. This group is also marked "Only allow read-only access" to enable its members to gain access to Laserfiche through Weblink

Problem
  With the above configuration, Weblink can be accessed by everyone but the Full users cannot perform their tasks in Laserfiche as they are marked as "Read-only" when logging in to the client. Unchecking the Read-only option would allow the Full Named users to function but block Weblink for everyone else.
  How do I configure this with a reasonable maintenance requirement? It is reasonable to maintain an AD group of 50 users. Maintaining a group of 2950 is not.
 
*Additional info*
 I read a number of posts and this question https://answers.laserfiche.com/questions/54222/WebLink-Portal-Licensing-For-Entire-Organization resembles our problem the closest. However, the customer had this set up working before the upgrade. This is what has changed:

  • Went from LF 8.3 standard to LF 10.1 Rio
  • Weblink 8 to Weblink 9
  • From 1 server (using windows authentication / no kerberos) to 2 servers (Server 1 has Laserfiche. Server 2 has Web Access, Weblink and LFDS)
  • New AD group for Laserfiche Full users using AD synchronization in LF Directory Server
  • The new server(s) were built new. So, there are changes to the Windows server OS, IIS, etc. However, I don't know if those are relevant to this problem

 
  I am certain that they were not maintaining a group for users who should have just Weblink access. Would anything in the above (Weblink, LF Standard vs Rio) have caused the configuration to not work anymore? Thanks.

0 0

Replies

replied on September 13, 2016

I wanted to give an update on this after consulting with support.

First, the connection between changes in licensing and Weblink. This particular change: "Went from LF 8.3 standard to LF 10.1 Rio" also impacts Weblink.

Before: With Laserfiche Standard: You can have users be part of two groups - A Windows Domain users that includes everyone for Weblink and a smaller Laserfiche Full Named Users group for users with Read/Write access. The system would give the user who is a member of both the groups the better license.

After: With Laserfiche Rio (and likely Avante), there is a requirement to mark Weblink users as Read-only. However, marking the Domain Users group as Read-only will also prevent users of the Laserfiche Full Named Users group from using Laserfiche for Read/Write functions.

Second, the impact of Laserfiche Groups vs Windows Groups on Weblink Licensing. This is a peculiarity but between me and support, this was the only conclusion we could arrive at. When accessing Weblink using Windows authentication, Weblink users will be able to access a particular entry (folder, document, etc.) only if the Entry Access rights have been assigned directly to the Windows User / Group. If Entry Access rights are assigned to a Laserfiche group that the member is part of, they will not be able to access the folder/document. Reasoning: Laserfiche groups are retained for legacy support. The best practice / recommendation is to assign rights directly to Windows Users / Groups. This also appears to have changed in the licensing or during the product upgrade.

Solution:

In our particular case, our solution involves two steps:

  1. If everyone requires access to Public Portal and you wish to use Windows authentication, the only mechanism is to use the anonymous access account mentioned in the documentation (https://www.laserfiche.com/support/webhelp/weblink/9.0/en-US/WLA/WLAdmin.htm#Automatically_Log_In.htm). The alternative would be to create (and maintain) an AD group for all users in the organization excluding the named users, which is impractical in a large organization.
      Question 1): Is there any way to configure Weblink / IIS to at least require the accessing user to authenticate themselves when accessing Weblink using the above configuration (anonymous access account)?
  2. We will also have to migrate the existing Entry Access from a Laserfiche Group to a Windows Group (This is because there are additional Laserfiche groups defined that give some users more access than the general authenticated users). These users also access content through Weblink.
    Question 2): Could someone help me with a means to automate that? Workflow out of the box cannot do this. I need help with creating an SDK script that browses through every entry and checking if there is explicit access granted to a Laserfiche Group . If there is, replace (or add) it with a Windows Group
1 0
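The walk-and-rewrite logic asked for in Question 2, as an added example that is not part of the original post and does not use the Laserfiche SDK: it works on a constructed in-memory tree of entries and ACEs (the `Ace`, `Entry`, `sample_tree` and `MAPPING` names are hypothetical), so the traversal, the mapping from a Laserfiche group to a Windows group, and the checks a practitioner would want can be run and tested offline before the same logic is wired to real SDK calls. Two points it makes that the post does not: only explicit (non-inherited) ACEs are rewritten, because writing an inherited ACE back onto a child entry would break inheritance from the parent, and the run is idempotent, so it can be re-run safely after a partial failure.

```python
from dataclasses import dataclass, field

# Hypothetical in-memory model of a repository tree and its entry access
# control entries (ACEs). This is not the Laserfiche SDK; the rights and
# scope names are placeholders.

@dataclass(frozen=True)
class Ace:
    trustee: str
    kind: str                        # "lf_group", "windows_group" or "windows_user"
    allow: frozenset = frozenset()
    deny: frozenset = frozenset()
    scope: str = "this_folder_subfolders_documents"
    inherited: bool = False          # True when the ACE comes from a parent entry

@dataclass
class Entry:
    path: str
    aces: list = field(default_factory=list)
    children: list = field(default_factory=list)

def walk(entry):
    """Depth-first traversal of the tree rooted at entry."""
    yield entry
    for child in entry.children:
        yield from walk(child)

def migrate_entry(entry, mapping, remove_old=False):
    """Add a Windows-group ACE beside each explicit LF-group ACE on one entry.

    Returns the number of ACEs added. Inherited ACEs are skipped on purpose:
    rewriting them on the child would break inheritance from the parent.
    """
    explicit = [a for a in entry.aces if not a.inherited]
    present = {(a.trustee, a.allow, a.deny, a.scope) for a in explicit}
    added, dropped = [], []
    for ace in explicit:
        if ace.kind != "lf_group" or ace.trustee not in mapping:
            continue                 # unmapped LF groups are left alone
        target = mapping[ace.trustee]
        key = (target, ace.allow, ace.deny, ace.scope)
        if key not in present:       # idempotent: a second run adds nothing
            added.append(Ace(target, "windows_group", ace.allow, ace.deny, ace.scope))
            present.add(key)
        if remove_old:
            dropped.append(ace)
    for ace in dropped:
        entry.aces.remove(ace)
    entry.aces.extend(added)
    return len(added)

def migrate_tree(root, mapping, remove_old=False):
    """Return {entry path: number of ACEs added} for every entry that changed."""
    report = {}
    for entry in walk(root):
        n = migrate_entry(entry, mapping, remove_old)
        if n:
            report[entry.path] = n
    return report

def sample_tree():
    """Constructed sample tree mirroring the layout described in the thread."""
    root = Entry("\\", [
        Ace("All Domain Users", "lf_group", allow=frozenset({"read"})),
        Ace("Laserfiche Full Named Users", "windows_group", allow=frozenset({"read", "write"})),
    ])
    hr = Entry("\\HR", [
        # inherited from the root: must not be rewritten on this entry
        Ace("All Domain Users", "lf_group", allow=frozenset({"read"}), inherited=True),
        Ace("HR Staff", "lf_group", allow=frozenset({"read", "write"})),
    ])
    finance = Entry("\\Finance", [
        Ace("All Domain Users", "lf_group", deny=frozenset({"read"})),
    ])
    root.children = [hr, finance]
    return root

# Hypothetical LF group -> Windows (AD) group mapping for the migration.
MAPPING = {"All Domain Users": "Domain Users", "HR Staff": "AD-HR-Staff"}

if __name__ == "__main__":
    tree = sample_tree()
    print(migrate_tree(tree, MAPPING))          # first run: one ACE added per entry
    print(migrate_tree(tree, MAPPING))          # second run: {} (nothing left to do)
```

Run it once with `remove_old=False` and review the report before removing the Laserfiche-group ACEs in a second pass; denies are carried across unchanged, so a deny on the old group becomes a deny on the new one rather than silently disappearing.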
replied on September 13, 2016

The short answer to question 1 is no, if you use the anonymous access account, you can't also have WebLink users authenticate in. Setting up the public user uses that user's security and settings for everyone. 

I don't agree with this statement

When accessing Weblink using Windows authentication, Weblink users will be able to access a particular entry (folder, document, etc.) only if the Entry Access rights have been assigned directly to the Windows User / Group. If Entry Access rights are assigned to a Laserfiche group that the member is part of, they will not be able to access the folder/document. Reasoning: Laserfiche groups are retained for legacy support. The best practice / recommendation is to assign rights directly to Windows Users / Groups. This also appears to have changed in the licensing or during the product upgrade.

You should be able to use Laserfiche group security to enforce security for all users in that group. It doesn't sound like you should need question 2 because LF group security should suffice. Make sure inheritance and scope is all set up correctly and that the rights aren't explicitly denied on the individual users or any other groups. Users only need to inherit a right from one group and as long as there are no other denies, that right should be granted. 

0 0
replied on September 13, 2016

It seems like a similar issue was discussed in 

https://answers.laserfiche.com/questions/52372/weblink-readonly-

Maybe you can find some more help there

0 0
replied on September 13, 2016

Thanks Jared. I wanted to validate there was no other way to do it for Question 1.

On using Laserfiche groups for security, this is what we found:

Attempt 1 (Original configuration): AD group Domain Users is a member of the Laserfiche group  All Domain Users. Entry Access is assigned to the Laserfiche group.

Result: When attempting to access Weblink, non-named users get the message: "Log in failed because the number of sessions has reached the licensed limit or the user account has reached its session limit, or no named user license has been allocated to the user account"

Attempt 2: Add a Windows User account directly to the Laserfiche group - This works.

Attempt 3: Add an AD Group to a folder's Entry Access. This works.

Nothing else was changed between Attempts 1-3. Hence the conclusion, and we were pointed in that direction by support. I will check the inheritance and Deny as well but I would think that if those weren't correct, it wouldn't in all cases.

0 0
replied on September 13, 2016

I confirmed with another developer that if you associate a Windows group with a Laserfiche group, and you Windows authenticate as a member of that group, you should get an access token that includes both groups. Therefore if the read-only flag is set anywhere above this Full-Named Users group, they would be subjected to that read-only flag. 

0 0
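The access-token behaviour described in the reply above, worked through as an added example that is not from the original thread or from Laserfiche: a small hypothetical model (the `Trustee`, `Ace`, `Entry` and `scenario` names and the rights names are placeholders, not the Laserfiche SDK) in which a Windows login yields a token containing the user, their Windows groups, and every Laserfiche group those Windows groups are nested in; the "read-only" flag is then taken from any trustee in that token, and entry rights are the union of allows minus any deny across the token, following inheritance up to the root. It reproduces the thread's situation: a full named user who is also in Domain Users inherits the read-only flag through All Domain Users, and clearing the flag on Domain Users restores write access without touching the Full Named Users group.

```python
from dataclasses import dataclass, field

# Hypothetical model of the trustee directory and repository tree. This is
# not the Laserfiche SDK; "read", "write" and "delete" are placeholder rights.

@dataclass
class Trustee:
    name: str
    kind: str                                   # "windows_group" or "lf_group"
    read_only: bool = False                     # "Only allow read-only access" flag
    members: set = field(default_factory=set)   # direct members (trustee names)

@dataclass
class Ace:
    trustee: str
    allow: frozenset = frozenset()
    deny: frozenset = frozenset()

@dataclass
class Entry:
    path: str
    aces: list
    parent: "Entry | None" = None

WRITE_RIGHTS = frozenset({"write", "delete"})

def build_token(directory, login, windows_groups):
    """Login + Windows groups + every LF group reachable through them."""
    token = {login, *windows_groups}
    changed = True
    while changed:                  # transitive closure over nested LF groups
        changed = False
        for t in directory.values():
            if t.kind == "lf_group" and t.name not in token and t.members & token:
                token.add(t.name)
                changed = True
    return frozenset(token)

def is_read_only(directory, token):
    """The flag applies if it is set on any trustee in the token."""
    return any(directory[n].read_only for n in token if n in directory)

def effective_rights(entry, token):
    allowed, denied = set(), set()
    e = entry
    while e is not None:            # explicit ACEs first, then inherited ones
        for ace in e.aces:
            if ace.trustee in token:
                allowed |= ace.allow
                denied |= ace.deny
        e = e.parent
    return allowed - denied         # a deny on any group in the token wins

def rights_for(directory, entry, login, windows_groups):
    token = build_token(directory, login, windows_groups)
    rights = effective_rights(entry, token)
    if is_read_only(directory, token):
        rights -= WRITE_RIGHTS      # read-only strips the write-type rights
    return frozenset(rights)

def scenario(domain_users_read_only=True):
    """Constructed directory and tree mirroring the thread's configuration."""
    directory = {
        "Domain Users": Trustee("Domain Users", "windows_group", read_only=domain_users_read_only),
        "Laserfiche Full Named Users": Trustee("Laserfiche Full Named Users", "windows_group"),
        "All Domain Users": Trustee("All Domain Users", "lf_group", members={"Domain Users"}),
    }
    root = Entry("\\", [
        Ace("All Domain Users", allow=frozenset({"read"})),
        Ace("Laserfiche Full Named Users", allow=frozenset({"read", "write", "delete"})),
    ])
    confidential = Entry("\\Confidential", [
        Ace("All Domain Users", deny=frozenset({"read", "write", "delete"})),
    ], parent=root)
    alice = {"Domain Users", "Laserfiche Full Named Users"}   # a full named user
    bob = {"Domain Users"}                                     # an ordinary employee
    return {
        "alice_root": rights_for(directory, root, "alice", alice),
        "bob_root": rights_for(directory, root, "bob", bob),
        "alice_confidential": rights_for(directory, confidential, "alice", alice),
    }

if __name__ == "__main__":
    print(scenario(domain_users_read_only=True))    # alice is read-only at the root
    print(scenario(domain_users_read_only=False))   # alice gets write and delete back
```

The Confidential entry shows the second half of the same point: because the token carries All Domain Users, a deny placed on that group reaches the full named users too, whatever their own group allows, which is the check to make before concluding that group membership alone is the problem.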
replied on September 14, 2016

Hi Jared

 We tried this "associate a Windows group with a Laserfiche group" and "Windows authenticate as a member of that group" but it didn't work (same as previously).

Would this be dependent on how Weblink is configured in the Weblink Administrator's utility? Right now, the repository is configured to "Automatically sign in using the accessing user's account". Is it required to

1) uncheck Automatically log in, or

2) Use the anonymous access account

for any of the above (Windows authenticating by membership in a Laserfiche group) to work? I believe making either 1) or 2) will reconfigure IIS to use anonymous access, right?

 

0 0
replied on September 14, 2016

We are going through all the steps in the documentation to make sure we didn't miss anything. In the documentation on this page: https://www.laserfiche.com/support/webhelp/Laserfiche/10/en-US/administration/#../Subsystems/WLAdmin/Content/Using_Windows_Authentication.htm%3FTocPath%3DWebLink%2520Administration%7CConfiguration%7CAuthentication%7CWindows%2520Authentication%7C_____0

WebLink installation assigns these permissions for you, but in the case something does not work correctly, the appropriate Windows users need read and write access on the tempDirectory and cacheDirectory folders inside the WebLink installation folder. In addition, the users should have read access on the Config subfolder inside the Web Files folder of the WebLink installation folder.

We were not able to view folders named tempDirectory, cacheDirectory or Config in the locations described. Are the cacheDirectory and tempDirectory named literally? None of the default program locations were changed. So, Weblink is installed in "C:\Program Files\Laserfiche\WebLink". There is a config folder in C:\Program Files\Laserfiche\WebLink\ but none in C:\Program Files\Laserfiche\WebLink\Web Files as mentioned in the documentation. This is the same in my personal Weblink as well. The server is Windows 2012R2.

0 0