Discussion

Discrepancy with Forms Authentication in Enterprise environments

posted on August 29, 2019

There is a common feature we use in Forms Configuration under User Authentication called Windows Domain.

Specifying a domain allows the users to sign in without having to enter the domain with their username.

It is available in both Avante and Rio environments normally. However, we have one customer who has chosen the option Use Laserfiche Directory Server for Single-Sign On authentication.

After choosing this option, the Windows Domain feature disappeared. Now we can no longer use the feature.

Does anyone know if there is a way to bring it back? I don't know where to begin on looking for another feature like this.

0 0
replied on August 29, 2019

That feature only applies when you use repository authentication so the user doesn't have to type in the domain name. If Forms goes through LFDS for authentication, the domain the user might type in when they log in is irrelevant to Forms. LFDS does not currently support logging in as a domain user without typing the domain name.

0 0
replied on August 29, 2019

Ok, got it. The average user gets the \ confused with the / so I like to keep this out of the login requirements. It is just so much easier to pre-populate the domain since it is always going to be the same.

This customer has no way to switch back to the original forms config because the licensing department said they can't use the new non-LDAP participant licensing if they do.

0 0
replied on August 30, 2019

Chad,

Is there a reason they're not using automatic login? Unless they're accessing the site from outside of the network, they should be able to use automatic login for Windows accounts.

At the very least they should be able to click the "Windows Authentication" button in which case they wouldn't need to enter their credentials at all, assuming GPO isn't preventing the page from receiving the user identity.

One of the biggest motivations for configuring Single Sign-On is not having to enter credentials at all; otherwise it is really just Same Sign-On.

3 0
replied on August 30, 2019

It has been a while since I tried the automatic sign-in with a browser; it might help for people working in the office. I doubt it works for the app though, since their phone is not on the domain.

I don't think we are using Single-Sign On though; this is a feature so that you can log in to Forms automatically if you're already logged into web client. We have not set that up yet.

I was informed that we can check the "User Single-Sign On" in the forms config without actually configuring it, just to get access to the new licensing model for participants.

0 0
replied on August 30, 2019

Chad, if the customer is using LFDS auth, their users can enter credentials in UPN format (user@domain.com) instead of domain\user. As users' UPNs and email addresses are often the same, they generally find that format easier.

See: https://answers.laserfiche.com/questions/161996/Email-authentication#162507

As Jason suggested, automatic Windows Authentication is definitely best though. You can check the option in /LFDSSTS/configuration. If users' workstations are also configured to trust the WebSTS site (by having it in either the Local Intranet or Trusted Sites security zones), they'll seamlessly authenticate with no input. 

1 0
replied on September 1, 2019

Another issue I am running into is with a different environment where the DS server is on a separated internal server.

When you go to log in to Forms from the outside, using the outside WAN connection which routes to the Forms server, it attempts to send traffic to the DS server over port 443, which would require 2 separate WAN addresses, each with their own routing rule. It should use a different port, so that you can share the same WAN address.

0 0