Question

Should WebAccess/Mobile be able to work with domain credentials from an IIS server that is not a member of the domain?

asked on November 21, 2013

A customer has WebAccess and Mobile installed on their server that is located in a DMZ.

The server is not a member of their Domain.

Can they use the Prompt for Windows Credentials to log into their repository via WebAccess or LFMobile?

We cannot seem to get it to work.

(LF Authentication works just fine with "ADMIN" account)

1 0

Answer

APPROVED ANSWER SELECTED ANSWER
replied on November 21, 2013

No, this shouldn't work. In the case where the user types in their domain credentials, Web Access uses those credentials to temporarily change the thread identity while it authenticates to the Laserfiche server. If the Web Access server is not on the domain, the attempt to use the identity fails.

I think the way to combine domain credentials with a server in the DMZ would be to just have an HTTP proxy in the DMZ that sends requests to a Web Access server inside the network. Since you are sending your password, you'll want to enable SSL for the site.

6 0
replied on July 16, 2015

I'm not exactly clear on how to accomplish this as I'm not a networking guy, and the company's IT guy isn't real clear either. Is there documentation of how to actually do what you're saying is the way to accomplish this?

0 0
replied on July 16, 2015

Since this is more infrastructure setup, it's outside the scope of what we cover in our documentation.  There are any number of products you can use for this: https://en.wikipedia.org/wiki/Proxy_server#Web_proxy_servers.  If the experience of setting IIS up as a load balancer is an indication, it should not be too difficult to configure it as a proxy.  I've also heard good things about Nginx.  Of course you also have to set up port forwarding at the firewall.

0 0
replied on July 16, 2015

I understand it's outside the scope of Laserfiche... I guess I was hoping another VAR would chime in with experience. The customer used the Installation Guide for WebAccess, but it's a medical facility so it has to be outside the Domain... now we're stuck.

0 0
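
One way to set up the DMZ proxy described in the approved answer, using Nginx (an added example, not from the original thread or from Laserfiche documentation). The hostnames, certificate paths and internal CA file are placeholders, and it assumes the internal, domain-joined Web Access site is reachable over HTTPS.

```nginx
# Added example: reverse proxy in the DMZ in front of an internal Web Access server.
# All hostnames and file paths below are placeholders (assumptions).

# Plain HTTP only redirects, so credentials are never submitted in clear text.
server {
    listen 80;
    server_name webaccess.example.com;            # placeholder public name
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name webaccess.example.com;            # placeholder public name

    ssl_certificate     /etc/nginx/tls/webaccess.example.com.crt;  # placeholder
    ssl_certificate_key /etc/nginx/tls/webaccess.example.com.key;  # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers to keep using HTTPS for this site.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Internal Web Access server that is a domain member (placeholder name).
        # HTTPS on this leg too, so the password stays encrypted past the DMZ.
        proxy_pass https://webaccess-internal.corp.example;

        # Check the internal server's certificate against the internal CA.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;  # placeholder
        proxy_ssl_server_name         on;

        # Pass the original host and client details to the internal site.
        # The internal IIS binding must accept the public host name.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With this layout the firewall between the DMZ and the internal network only needs to allow the proxy host to reach the internal Web Access server on TCP 443.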

Replies

replied on December 3, 2013

There is another option, though I don't have any experience actually setting it up. Sometimes there are enough machines in the DMZ to justify setting up a separate domain there. It is possible to configure a trust relationship between the DMZ domain and the internal domain, so that internal credentials are recognized in the DMZ but not vice versa. In this case, the impersonation I described can succeed and Web Access can authenticate as that user. In this case, there shouldn't be any Web Access-specific configuration required.

If you don't already have such a domain in the DMZ, the solution in the other answer is the way to go, but I wanted to mention this for completeness.

2 0