Question

LFDS/LFDSSTS: Disable default Windows Authentication while using Laserfiche MFA?

asked on November 1, 2022

Hey,

Is it possible to only allow Laserfiche logins (with Laserfiche-MFA enabled) through the username and password fields (to stop users entering their Windows credentials) in LFDSSTS?

This way we can have 2 MFA methods to sign in for internal/external users: Laserfiche username and password + MFA, and Azure AD + MFA.

We have Azure AD configured for our internal users but we would like to explore options for external users. If it's not possible we will stick to allocating Azure AD accounts for these users. I'm aware that the Login.cshtml page can be modified a bit to limit authentication options. 

 

Thanks,

Dom

Answer

SELECTED ANSWER
replied on November 1, 2022

Edit: I see that you already have the below hidden and are looking to prevent manual credential entry.

 

There is an option for "disable Windows Authentication" under each Windows Identity Provider in Laserfiche Directory Server, right below the option for TLS, which will prevent this type of login:

 

 

----

 

The LFDS STS configuration page has a checkbox to hide Windows Authentication.

 

(Documentation is here)

replied on November 3, 2022

Hi Brianna,

I did try to disable the identity provider but I received the following message when saving. I thought maybe it was due to it being tied to the Azure/SAML setup (it's listed under the Linked Identity Providers for our Azure Identity Provider). I created a second Active Directory Identity Provider and received the same message when trying to disable it.

Many thanks,

Dom

 

Edit.

For testing purposes (I know we shouldn't) we updated the Directory Server database directly (in our development environment) and we now get the expected behaviour. 

 

Edit. 

It's probably worth noting that if you disabled the Identity Provider that corresponds to the Windows Accounts that your Laserfiche Administrators are using, then they won't be able to sign in to the Directory Server to configure/manage the system... You may need to configure a local Windows Account.
