Question

Sign In with Web Client with Windows Credentials in a DMZ?

asked on November 15, 2019

We are trying to get users to be able to authenticate by typing in their domain credentials to a Web Client instance hosted in the DMZ. The DMZ server is not in the domain.

We are using a test account that is able to sign into the repository with its domain\username and password credentials from within the domain, both in the desktop client and the web client. The user can also sign into the internal Web Access server with their domain\username and password. We have tried setting the DMZ Web Access instance to authenticate with "Prompt for Laserfiche Credentials" and with "Prompt for Windows Domain Credentials". Laserfiche and Windows accounts are both allowed.

The following ports are open: 80, 443, 5048, 5049, 5051, 8085, 8161, 8168, 8188, 8268, 8732, 8736.

The firewall is rejecting packets from port 88 (Kerberos) and port 636 (LDAP). Neither of these ports is listed in the Default Network Ports whitepaper.

We should not need Kerberos to log in by typing the domain\username and password, only for SSO, according to page 4 of this whitepaper:

https://support.laserfiche.com/resources/3899/configuring-kerberos-for-laserfiche-10-web-products-in-a-windows-server-2016-and-iis-10-environment

I'm sure there is a simple setting or configuration that I'm overlooking but I couldn't find much information on how Web Access authenticates with LF Server from soup to nuts.

0 0

Answer

SELECTED ANSWER
replied on November 15, 2019

The credentials the user enters need to be valid on the web client machine. Since the server in the DMZ is not attached to the domain, this will not work. This thread has more details.

3 0
