Question

Is Kerberos constrained delegation supported for LF server/LF Windows Client?

asked on January 18, 2018

Hi there,

Referring to https://answers.laserfiche.com/questions/83498/Kerberos-constrained-delegation

There is an answer which can prove that Laserfiche Server and Web Access 9.2 are compatible with Kerberos constrained delegation. Speaking of server/LF Windows Client, is it supported?

If so, how can it be configured?

We have a problem attaching the repository from LF Wins Client. Our customer requires configuration of Kerberos constrained delegation between the Netscaler service account and the Laserfiche server account.

The end-user (LF Wins Client installed) connections go to Netscaler which does pre-authentication and acts as a reverse proxy to the Laserfiche server.

Is it possible to do this?

Any help you can provide would be appreciated.

0 0

Replies

replied on January 18, 2018

I'm not aware of anyone who has deployed Laserfiche like this, and as far as I know we don't test it in-house. When you attach the repository, you enter the Laserfiche server host name, right? The client should do a reverse DNS lookup on the IP address it gets in order to construct the SPN. When it does this, will it get the lfs hostname or your reverse proxy hostname? It sounds like you need it to use your proxy's SPN.

It seems to me that a web application like Web Access would be more compatible with a setup like this.

1 0
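
The reverse-lookup behaviour described in the reply above can be checked before touching delegation settings. This is an added example, not part of the original thread or Laserfiche's own code; the DNS records, account names and the `SVC` service class are constructed placeholders, and falling back to the typed name when no PTR record exists is an assumption of the example.

```python
import socket

# Constructed sample DNS data (not from the thread): forward (A) and reverse (PTR) records.
A_RECORDS = {"laserfiche.example.test": "10.0.0.10",   # published name -> proxy VIP
             "lfs01.example.test": "10.0.0.20"}        # back-end server
PTR_RECORDS = {"10.0.0.10": "nsvip01.example.test",
               "10.0.0.20": "lfs01.example.test"}

def sample_forward(name):
    return A_RECORDS[name.lower()]

def sample_reverse(ip):
    if ip not in PTR_RECORDS:
        raise socket.herror(1, "no PTR record")
    return PTR_RECORDS[ip], [], [ip]

def spn_for(entered_name, service_class, forward=socket.gethostbyname,
            reverse=socket.gethostbyaddr):
    """Build the SPN a client would request if it resolves the entered name
    to an IP and then reverse-resolves that IP, as the reply describes."""
    ip = forward(entered_name)
    try:
        host = reverse(ip)[0]
    except (socket.herror, socket.gaierror):
        host = entered_name  # assumption: fall back to the typed name
    return f"{service_class}/{host.rstrip('.').lower()}"

def diagnose(entered_name, service_class, registered_spns, **resolvers):
    """Report which account, if any, holds the SPN the client would derive."""
    spn = spn_for(entered_name, service_class, **resolvers)
    owners = [acct for acct, spns in registered_spns.items()
              if spn.lower() in {s.lower() for s in spns}]
    return {"entered": entered_name, "derived_spn": spn, "owners": owners}

if __name__ == "__main__":
    # "SVC" is a placeholder service class; account names are hypothetical.
    registered = {"svc-lfs": ["SVC/lfs01.example.test"],
                  "svc-netscaler": ["SVC/laserfiche.example.test"]}
    for name in ("laserfiche.example.test", "lfs01.example.test"):
        print(diagnose(name, "SVC", registered,
                       forward=sample_forward, reverse=sample_reverse))
```

An empty `owners` list means the derived SPN is registered on no account, so a ticket request for it would fail; omit the `forward` and `reverse` arguments to run the same check against live DNS.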
replied on January 18, 2018

Hi McKeever, Thanks for your information, but we still need to know how to set the Kerberos configuration for the LF Desktop Client. We were successful with the configuration for LF Web Access.

0 0
replied on January 22, 2018

Hi Brian,

Thank you for your feedback. We use the Netscaler service account (SPN https://laserfiche.xxx.org), which is the published name of the Laserfiche server, to specify in the LF Windows Client attach function.

But it doesn't work.

The error message looks like it is the right server name, but the app could not connect to the Laserfiche server.

Do we have to configure anything more anywhere?

And fortunately, we can connect to Laserfiche web client using the same name.

0 0
replied on January 22, 2018

Does the connection fail if you enter the name of the repository?  And does the Web Access connection to LFS also go through your Netscaler device?  They use the same protocol, so I would expect one to work if the other does.

0 0
replied on January 22, 2018

Hi Brian,

It still doesn't work even when I enter the name of the repository. But we can connect to LFS using the same name https://laserfiche.xxx.org on Web Access through the same Netscaler.

That's why I don't understand why it doesn't work on the LF Windows client.

We would like to open a case for this, shall we?

0 0
replied on January 23, 2018

That error is not an authentication error, it's more of a network connection error, and I don't think your Kerberos settings are the immediate impediment.  Maybe there's more information in your Netscaler logs or you can see more with a network capture.  Do you know if the request gets as far as Netscaler?

When you go to https://laserfiche.xxx.org, is the Netscaler device between the browser and the Web Access server, or between the Web Access server and the LFS server?  If the former, then it's too different from the Windows client situation to really count as a success to compare/contrast against.  Do you know what I mean?  It's good that it works, but it's not relevant from a troubleshooting perspective.

I'm not sure Laserfiche support can really help you.  It's the introduction of the Netscaler device that is causing the difficulty, which means that your problems are with either Netscaler or the network configuration it requires.  In general we know that the Windows client is compatible with a reverse proxy.

0 0