
Question

What Exactly Does Enabling 'Alternate Service' Do on the STS?

asked on October 8, 2019

I have read through various white papers and online help files and I have even configured various systems following the instructions in the 'Configuring Single Sign-On for Laserfiche Web Products' white paper for 'Configuration of Directory Server and the STS when both are on different computers and you want to use certificate authentication'. I cannot find anywhere that specifically states what enabling the 'Alternate Service' does. The section above that in the same white paper talks about enabling Integrated Windows Authentication using Kerberos, but there is no description for certificate authentication. I would like an official reply from Laserfiche if possible.

0 0

Answer

SELECTED ANSWER
replied on October 9, 2019

It will allow LFDS and STS on untrusted domains to communicate, which in turn will allow SSO to function and users to login using any account type.

Enabling alternate service will indeed remove the Windows authentication button because that button uses NTLM (which will not work across untrusted domains). However, AD users will still be able to sign in using the username/password fields on the login page.

0 0

Replies

replied on October 9, 2019

Turning on alternate service changes clientCredentialType from Windows to Certificate. This feature was developed for cases when LFDS and STS are on separate untrusted domains from one another. This will cause Windows authentication to fail, and certificate authentication must be used instead for the two to communicate.

0 0
replied on October 9, 2019

So enabling Alternate Service enables the ability to use Windows Authentication (not integrated windows authentication) between two servers in untrusted domains? I believe I also read somewhere that enabling Alternate Service also removes the blue Windows Authentication button from the STS login page. Is that correct?

0 0
replied on October 9, 2019

Again Chase, greatly appreciated!

0 0
replied on October 9, 2019

Of course, it's no problem!

0 0
replied on October 16, 2019

I want to make one important clarification on Chase's earlier answer.

The Windows Authentication button on the STS login page invokes an IIS HTTP 401-Challenge response. By default, IIS uses an auth provider called "Negotiate" (Kerberos). It will preferentially use Kerberos, which is much more secure than NTLM, and only fall back on NTLM if Kerberos authentication is not possible.

I've worked with a number of customers who prohibit use of NTLM in their environments for security reasons, so please don't say "Laserfiche uses NTLM for Windows Authentication". Laserfiche leverages IIS/Windows Server's Integrated Windows Authentication modules, which use Kerberos by default.

For an excellent overview of the topic, please see:

TechNet: Windows Authentication HTTP Request Flow in IIS

Citrix: What is the difference between Negotiate and NTLM authentication?, which provides nice graphics that step through the auth flows.

If you want to remove the NTLM fallback option, you can do so within IIS by removing it as an auth provider:

1 0
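The reply above ends by pointing at the IIS provider list. The following PowerShell is an added example, not code from the thread or from Laserfiche: it lists the Windows Authentication providers configured for the STS application in IIS and removes the NTLM entry, leaving only Negotiate (Kerberos), after checking that Negotiate is actually present. It assumes the WebAdministration module is installed on the IIS host, that the script runs elevated, and that `$StsPath` is replaced with the real site/application path of your STS deployment; the path shown is a placeholder.

```powershell
# Added example (not from the original thread or from Laserfiche).
# Assumptions: WebAdministration module available (IIS 7.5+), elevated session,
# and $StsPath pointing at the STS application. The path below is a placeholder.

Import-Module WebAdministration

$StsPath = 'IIS:\Sites\Default Web Site\PLACEHOLDER-STS-APP'   # placeholder, replace
$Filter  = 'system.webServer/security/authentication/windowsAuthentication/providers'

function Get-StsAuthProviders {
    param([string]$PSPath = $StsPath)
    # Each <add value="..."/> under <providers> is one enabled provider,
    # listed in the order IIS offers them in the 401 challenge.
    Get-WebConfiguration -PSPath $PSPath -Filter "$Filter/add" |
        ForEach-Object { $_.value }
}

function Remove-NtlmFallback {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$PSPath = $StsPath)

    $providers = @(Get-StsAuthProviders -PSPath $PSPath)

    if ($providers -notcontains 'NTLM') {
        Write-Output "NTLM is not an enabled provider at $PSPath; nothing to do."
        return
    }
    if ($providers -notcontains 'Negotiate') {
        # Removing NTLM here would leave Windows Authentication with no usable provider.
        throw "Negotiate is not enabled at $PSPath; refusing to remove NTLM."
    }
    if ($PSCmdlet.ShouldProcess($PSPath, 'Remove NTLM from windowsAuthentication providers')) {
        # Writes a <remove value="NTLM"/> for this location in applicationHost.config,
        # so only the Negotiate (Kerberos) provider is offered to clients.
        Remove-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name '.' -AtElement @{ value = 'NTLM' }
    }
}

# Usage: review first with -WhatIf, then run without it to apply.
Write-Output "Providers before: $((Get-StsAuthProviders) -join ', ')"
Remove-NtlmFallback -WhatIf
Write-Output "Providers after:  $((Get-StsAuthProviders) -join ', ')"
```

Run it with `-WhatIf` first so you can see which location the change would be written to. Because the reply explains that IIS only falls back to NTLM when Kerberos is not possible, removing the provider turns every such fallback into a failed Windows Authentication button rather than a silent downgrade; confirm Kerberos works for the STS site (clients reach it by its registered hostname and the SPN for the application pool identity exists) before applying the change outside a test environment.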