Question

Security Assessment: Unsecure Kerberos Delegation

asked on April 28

Hello,

We have an internal Laserfiche web server that hosts Forms, Web Client, and WebLink, and it was recently discovered that the computer account for that server is set for unconstrained delegation. Please see this Laserfiche Answers post for reference.

Microsoft has an article outlining how to remediate the associated security risk, but I would need to know which services these applications may require delegation for. Is there updated documentation on this topic from Laserfiche? Everything I’ve seen recently on Laserfiche Answers suggests leaving the default setting, which is unconstrained delegation.

Thank you,

0 0

Replies

replied on April 28

For the web client and WebLink, they need to delegate their authentication to the Laserfiche server (lfs.exe) process. In general, we're encouraging admins to move to authenticating with LFDS partly to avoid the complexity of having to configure Kerberos.

0 0

replied on April 30

Seconding this. One of the big, unsung benefits of using Laserfiche Directory Server (LFDS) for centralized authentication in your system is that it eliminates the need to configure Kerberos delegation from Laserfiche web applications like Forms, Repo Web Client, and WebLink, to Laserfiche Repository Server (lfs.exe) when they're hosted on separate machines.

0 0
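
An added example, not part of the thread and not Laserfiche's own guidance: a PowerShell audit that lists computer accounts with Kerberos delegation enabled and shows whether each is unconstrained, like the web server in the question, or constrained to specific SPNs. It assumes the ActiveDirectory RSAT module is installed; `Get-DelegationAudit` is a hypothetical helper name.

```powershell
#Requires -Modules ActiveDirectory
# Added example: report the Kerberos delegation mode of computer accounts.
# Get-DelegationAudit is a hypothetical helper name, not a built-in cmdlet.

function Get-DelegationAudit {
    [CmdletBinding()]
    param(
        # Optional OU to limit the search; defaults to the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # userAccountControl bits that control delegation.
    $TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained
    $TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition

    # Bitwise-AND match on either flag, or any constrained target list.
    $ldap = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
            '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' +
            '(msDS-AllowedToDelegateTo=*))'
    $props = 'userAccountControl', 'msDS-AllowedToDelegateTo',
             'servicePrincipalName', 'PrimaryGroupID'

    Get-ADComputer -LDAPFilter $ldap -SearchBase $SearchBase -Properties $props |
        # Domain controllers (primary group 516) are unconstrained by default.
        Where-Object { $_.PrimaryGroupID -ne 516 } |
        ForEach-Object {
            $c       = $_
            $uac     = [int]$c.userAccountControl
            $targets = @($c.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

            $mode = if ($uac -band $TRUSTED_FOR_DELEGATION) {
                        'Unconstrained'
                    } elseif ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) {
                        'Constrained (any authentication protocol)'
                    } else {
                        'Constrained (Kerberos only)'
                    }

            [pscustomobject]@{
                Computer    = $c.Name
                Mode        = $mode
                DelegatesTo = $targets -join '; '   # empty when unconstrained only
                SPNs        = @($c.servicePrincipalName) -join '; '
            }
        }
}

Get-DelegationAudit | Sort-Object Mode, Computer | Format-Table -AutoSize -Wrap
```

A row whose Mode is `Unconstrained` is the condition the security assessment in the question flagged.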