Question

Download Error from Web Client with ASP.Net Impersonation, Kerberos and Load Balancer

asked on March 18, 2022

Hi everyone,

A customer, with a very complex network and set of security policies, has configured a two-hop Kerberos environment in a single domain. It *sounds* very standard but they are having a problem I’ve not encountered before.

  1. People are auto-logging into Web Client.
  2. People are unable to export/download documents.

We have found two ways to resolve this issue:

  1. Either we give the users' Windows accounts, or <Everyone>, explicit rights to C:\ProgramData\Laserfiche\WebAccess\Temp\export on the Web Client server
  2. Or we disabled ASP.Net Impersonation on the list of Authentication options for the /Laserfiche web application. This authentication option was enabled as per the Kerberos instructions.

Option 1 would require heavy review and approval by the Info Security team. Option 2 seems to work without any issues and people are being automatically logged in. Are there any options available to us? Can you foresee any issues with ASP.Net Impersonation disabled?

Any advice or experience you could share would be great!

-Ben


Answer

SELECTED ANSWER
replied on March 18, 2022

You should disable impersonation. Someone probably turned it on at some point while trying to get things to work, but it defaults to off and we don't recommend turning it on for the exact reasons you have discovered.

replied on March 18, 2022

Thanks Brian :)

Glad to hear we'll be OK with it disabled.

I presume the documentation included the setting for a reason (an edge case perhaps?) Perhaps a warning that it's not always required could be added?

https://support.laserfiche.com/resources/3899/configuring-kerberos-for-laserfiche-10-web-products-in-a-windows-server-2016-and-iis-10-environment

replied on March 18, 2022

I think that's a mistake in the documentation. Thanks for pointing it out.

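Added example, not part of the thread and not Laserfiche's own tooling: a read-only PowerShell check, run elevated on the Web Client server, that reports whether ASP.NET impersonation is on for the /Laserfiche application, which account therefore writes to the export folder, and what that folder's ACL grants. The site name `Default Web Site` is an assumption; with impersonation enabled, ASP.NET performs file access as the authenticated Windows user rather than as the application pool identity, which is why the two workarounds in the question both take effect.

```powershell
# Added example, read-only. $site is an assumption; adjust to the real site name.
Import-Module WebAdministration

$site      = 'Default Web Site'   # assumption: IIS site hosting the application
$app       = 'Laserfiche'         # the /Laserfiche web application from the thread
$exportDir = 'C:\ProgramData\Laserfiche\WebAccess\Temp\export'
$psPath    = "IIS:\Sites\$site\$app"

# 1. ASP.NET impersonation setting for the application (system.web/identity)
$impersonate = (Get-WebConfigurationProperty -PSPath $psPath `
    -Filter 'system.web/identity' -Name 'impersonate').Value

# 2. Application pool and the account its worker process runs as
$poolName = (Get-Item $psPath).applicationPool
$model    = Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel
$poolId   = "$($model.identityType)"
if ($poolId -eq 'SpecificUser') { $poolId = $model.userName }

# 3. Which security principal performs the export write
$writer = "application pool identity ($poolId)"
if ($impersonate) { $writer = 'the signed-in Windows user (impersonated)' }

# 4. Current permissions on the export folder
$acl = (Get-Acl -Path $exportDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited

"Impersonation enabled   : $impersonate"
"Application pool        : $poolName"
"Export files written as : $writer"
$acl | Format-Table -AutoSize

# To apply the fix chosen in the thread (disable impersonation), uncomment:
# Set-WebConfigurationProperty -PSPath $psPath -Filter 'system.web/identity' `
#     -Name 'impersonate' -Value $false
```

If the report shows impersonation enabled and no ACL entry covering the end users, exports fail as described in the question; with impersonation disabled only the application pool identity needs rights on the folder.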
