Question

Connect Full Laserfiche Client not on Domain to Externally Exposed Laserfiche Server

asked on October 25, 2017

We have a Laserfiche Rio Server (10.2.1) that is hosted, has an external IP, has an SSL cert, and has port 443 opened.  The goal is to have users who are on the domain locally, on the domain at remote sites, and not on the domain be able to connect to the server directly via the external IP as their AD accounts using the full Laserfiche Client (10.2.1). 

  • The computers that are on the domain locally are able to connect without issue. 
  • The computers who are at the remote sites but on the domain are able to connect by choosing Password Authentication and then typing their full AD account (domain\account) and password. 
  • The computers that are not on the domain are:
    • Not able to connect using Password Authentication and then typing their full AD account (domain\account) and password.  They get an error saying Invalid account or password.
    • Able to connect using Password Authentication and then typing their AD account in LDAP format (account@domain.com) and password but do not inherit any of their AD group security.

 

I need to find a way to get those AD users whose computers are not on the domain to be able to connect using their AD account (entered in either AD or LDAP format) and inherit their associated AD group permissions.  I know I could switch these users over to LF accounts/groups and get it to work or attempt rebuilding with LDAP authentication instead of AD but we need it to work as is.  Has anyone been able to get AD authentication with AD group inheritance to work for Laserfiche clients who are not on the domain with the Laserfiche server?

0 0

Answer

SELECTED ANSWER
replied on November 3, 2017

A case was opened for this issue and things are resolved now. The proper configuration steps were implemented and now users can log in using LDAP and Windows group inheritance works as expected.

  1. In LFDS, register a new LDAP identity provider
  2. Add a new LDAP user in LFDS
  3. In the Laserfiche Administration Console, grant the user access to the repository (under the Windows Accounts node)
  4. Have users log in using username@LDAP IdP name
3 0

Replies

replied on October 31, 2017

I was hoping that someone had found a solution or that Laserfiche would be able to advise on the configuration that would allow this.  We've now attempted to install their VPN client and connect but are encountering the same issues.  It appears that since the PC is not on the same domain, there is no way to get the full client to work.  Has anyone been able to get the full client to work when not on the domain with Laserfiche (on a local workgroup) but connected to the domain via a VPN client?

0 0
replied on October 31, 2017

I think the LDAP method is the right direction - you configure your LDAP server profile to point to your domain controller, then each user is given an LDAP account that is associated with their domain account. The upside is that the account authentication happens in the LF server so the user's machine does not need to be on the domain. There are a couple downsides:

  1. the LDAP account known to Laserfiche is a different account than their domain account (different SIDs), which causes the issue of the user not inheriting their domain account's groups. To remedy this, you can use LF groups that are linked to domain accounts through LDAP. For example, domain\group1 and group1@domain are both members of the group1 group in the LF repository, and the group1 group is what is assigned in the LF entry/field/etc security.
    1. Note: in LF Rio you can configure LFDS to use LDAP authentication with a "use real SID" option that removes this limitation.
  2. The login credentials are sent over the network, so you should have SSL configured and required (as it appears you do already).

 

See this help page for more information on configuring LDAP in Laserfiche.

2 0
replied on November 1, 2017

I agree that LDAP is probably the best answer but still no luck.  

In LFDS I:

  1. Added LDAP & checked the use real SID option
  2. Removed the license for the AD test account
  3. Added LDAP test account manually and granted it a license

In the Admin Console I:

  1. Added LDAP (same settings as those for LFDS)
  2. Added the same test account as trusted with all Feature Rights

In the client I:

  1. Added the test account with View permissions to the top folder & immediate documents

 

While on the network I was able to connect successfully with the LDAP account by:

  • Doing a Run As a Different User on the client and then logging onto the repository via Windows Authentication
  • It saw all folders/documents that its AD account is associated with.

While not on the network it failed to login with the LDAP account when:

  • Choosing Password Authentication and entering the LDAP credentials
  • Gave a "Permission denied. Access denied. [9013]" error

 

While not on the network I cannot do the Run As option and received the same results when using Password Authentication.  It appears that via Password Authentication it is unable to verify it has a license in LFDS.  Unfortunately the LDAP accounts do not have the column "Named User" like we have in Windows Accounts, so we cannot see if it is pulling a license at the repository level, and since it is Rio it can't be directly allocated there.

In looking at the error logs on the LF server:

  • When I connect successfully using the Run As a Different User it connects and logs say: Logon Type=2, Impersonation Level=Impersonation, Process Name=C:\Windows\System32\svchost.exe, Logon Process=seclogo, and Authentication Package=Negotiate.
  • When I try the Password Authentication and it fails to connect the logs say:  Logon Type=3, Impersonation Level=Identification, Process Name=C:\Program Files\Laserfiche\Directory Server\LFDS.exe, Logon Process=C, and Authentication Package=Kerberos.

 

Any suggestions on what to try next?

0 0
replied on November 2, 2017

When you log in with the LDAP credentials method, make sure you use the format username@ldapprofile, for example if your ldap account in lfadmin is "test user" and the ldap profile is named "mydomain" it would be test user@mydomain. If that doesn't work, please open a support case so we can troubleshoot the issue.

0 0
replied on November 3, 2017

We did try that.  I'll open the case.  I do appreciate the assistance.

0 0
replied on November 6, 2017

I appreciate the assistance on this.  We had hoped to find an answer that used their Windows credentials since their accounts are on the domain instead of having to set up a separate LDAP configuration to manage, but this will function as a work-around.  Thanks again.

0 0