You are viewing limited content. For full access, please sign in.

Question

Question

Authentication after Forms Timeout

Forms
Updated November 14, 2016
asked on November 14, 2016 Show version history

Hello,

We are running Forms 10.1 in a Rio system with Window authentication enabled, i.e. we authenticate exclusively through LFDS/STS. However, when Forms periodically times out, we encounter a browser authentication prompt that does not seem to accept any working credentials:

Pressing "Cancel" brings us back to the STS login, where we are able to get back into Forms again without issue.

Where is this prompt coming from, and how do we disable it?

 

Thank you,

Jesse

0 0

Answer

SELECTED ANSWER
replied on November 14, 2016

Hi Jesse,

From the screenshot that dialog is coming from the browser and is prompting directly for Windows credentials for pass-through authentication. However, if you have LFDS authentication set up, then Forms does not want these credentials directly; instead it requires a token from LFDSSTS derived from these credentials, so that's why trying to specify creds here will fail.

In IIS, can you check for the Forms application, in the Authentication feature, that Windows authentication is disabled? If LFDS authentication is configured for Forms, only Anonymous authentication should be enabled in IIS (in the web.config file, authentication mode should be "None"), and a custom process is used to enforce the LFDSSTS method.

This seems to be the most likely explanation for your behavior; when the session expires, the site thinks it should use Windows authentication directly, so prompts you. When cancelling out, it will "use" (very loosely speaking) the anonymous authentication to understand enough to kick you back to LFDSSTS signin, where you can provide credentials as normal.

Hope this helps!

0 0

Replies

replied on November 14, 2016 Show version history

Yes it seems as though Windows Authentication was enabled, although I'm not sure how that happened...

Can I assume Windows Authentication should be disabled for other sites, such as Laserfiche (Web Access), LFDS, LFDSSTS, all of which have this enabled for some reason?

Thank you for your help!

0 0
replied on November 14, 2016

Hi Jesse,

Web Access is trickier since unlike Forms, with Web Access you can configure signin so you do not have to exclusively choose between LFDSSTS and the normal LFS authentication to sign in. (The reason why Forms does require this choice is because of implementation of security within Forms...if it's something which could be changed, it won't happen anytime soon as it would require some serious overhaul; someone from the Forms team would be more appropriate to weigh in on this.)

With Web Access there is thus no hard-and-fast restriction to require disabling Windows authentication; on my own system, I have Windows authentication enabled in IIS with LFDS single sign-on configured, and at least so far I've not run into this incessant prompting after session timeout.

0 0
replied on November 14, 2016

Thank you for the information. I haven't had any issues with Web Access doing the same, so for now I'll leave it as it has been, but this is good to know about if I do start encountering problems.

 

Thanks again

0 0
replied on November 14, 2016

I also realized just now you had also asked about LFDS site. That site should have Windows authentication enabled, as using the current login is how you would configure security to the site. If for example you disable it and rely on anonymous authentication, then sessions of the LFDS site will treat the current access as that of the anonymous user, which likely hasn't had permissions set to view the site, resulting in effective lockout. (Unless you change the IIS authentication setting again.)

0 0
You are not allowed to follow up in this post.

Sign in to reply to this post.

Details
Related Posts
Loading ...