You are viewing limited content. For full access, please sign in.



Feature Request: Separate Web Client & Web Client Configuration into Separate IIS Applications

posted on May 18, 2021

Currently, if you enable SSO (LFDSSTS) for the Web Client. then reaching the Web Client Configuration page also redirects you to the LFDSSTS page. LFDS does not control who does/doesn't have access to Web Client Configuration, but you have to have SOME credentials that exist in LFDS to get past this page (testing confirmed that ANY credentials in LFDS will work; licensed/unlicensed, etc.).


This, among other reasons, prompts this request... why not separate Web Client & Web Client Configuration into separate IIS Applications? If that were the case, applying SSO to the Web Client wouldn't also apply it to Web Client Configuration.


This approach would be the same one that's currently taken for Forms, for example. Forms and FormsConfig are separate IIS Applications; though they run under the same App Pool (FormsAppPool), but the result is, when you turn on LFDSSTS Authentication for Forms, it doesn't apply to reaching the FormsConfig page (you don't redirect to LFDSSTS when trying to hit the FormsConfig page).

This is also the approach taken with LFDS and LFDSSTS; they are separate IIS Applications.

However, currently, the Web Client Configuration page is just a subdirectory of the Web Client application:

  • Web Client:   /Laserfiche
  • Web Client Configuration:   /Laserfiche/Configuration/Configuration.aspx

Why not separate them:

  • Web Client:   /Laserfiche
  • Web Client Configuration:   /LaserficheConfig

(or "/LFConfig", or "/WAConfig", or something similar)

They could both still run under the "WebAccessAppPool", but they would be separate IIS Applications, running in separate application domains.


I'm creating this as a Feature Request for future releases of Laserfiche Web Client.

5 0
replied on May 18, 2021

Can you clarify what you see as the benefit? Just that your SSO settings wouldn't apply to both?

0 0
replied on May 20, 2021


That is the first major impact I see at this time. Being that access to the Configuration page isn't controlled by LFDS at all, it doesn't make sense to challenge-for, and be required to enter, those credentials, even when the actual Web Client (repository access) is utilizing SSO.

Also, I believe that Web Client may the ONLY remaining Laserfiche web application that has a single IIS Application that contains both the client application and configuration page (Forms, WebLink, & Audit Trail all have separate IIS Applications for their respective config/designer pages).

From a pure web server administration perspective, these two pages (Client & Configuration) have two completely different functions and different access control methodologies. As such, it would make sense to run them under separate applications in IIS with their own application domain space, respectively. 

I suppose it really begs the question... what is the benefit of keeping them together under the same IIS Application?

3 0
replied on May 21, 2021

To be pedantic, any work to change the structure of the application is effort not available for other improvements in the software. So one benefit to keeping them under a single application is that maintaining the status quo lets us work on other items. Which isn't to say that the change you are proposing doesn't have benefits, it's just to emphasize that nothing is free and we need to weigh the costs of a change against benefits.

All that said, I do appreciate your real-world experience with the system that we sometimes lack. Getting back to the concrete benefits, I read you as saying that you never want to use SSO to access the configuration page and always want to use Windows authentication. Or is there more you mean by "different access control methodologies"? If that could be done within a single IIS application, do you see other reasons for separate applications?

0 0
replied on February 8, 2023

Now. I have problem like this. Because I testing to use SSO with LF web client. I enable service and config LDFDSTS site. I can access login repository by web client with SSO feature(redirect LDFDSTS site). But I can't access web client configuration page with SSO. How to fix it? or reinstall web client right?


0 0
replied on February 8, 2023 Show version history

Brian, I understand what you're saying with taking away from being able to develop other features. But I agree with Dustin that this should be updated, if for no other reason than to be consistent between the various Laserfiche web products. Having to remember the special intricacies of how something works when configuring a product vs another product hurts the brain and makes it seem like the different development teams don't communicate. I have brought this concept up in the past about how you configure services in Forms vs. Web Client vs. WebLink vs Mobile. Some require you to enter https:// and others do it for you. It is a small thing, but administrators notice these types of things and wonder "Why?". While training Laserfiche clients on these things, that question has come up multiple times.

2 0
replied on February 8, 2023

I totally agree with Blake Smith and Dustin Foster. The company I work for has recently started a partnership. My technical team and programmers are also suspicious of this paradox. Including this question from the customer.

1 0
You are not allowed to follow up in this post.

Sign in to reply to this post.