Question

SSO WebLink 8 IIS 7.5

asked on February 26, 2014

Is there a similar guide to this one for WebLink 8?

Setting Up Kerberos for WebLink 7

https://support.laserfiche.com/GetFileRepositoryEntry.aspx?id=605

I have also found one for Web Access:

Laserfiche Web Access 8 and Kerberos Configuration in a Windows Server 2008 and IIS 7 Environment

My setup:

- WebLink 8.2.2
- Windows Server 2008 R2
- LFS installed on separate server
- LFS has a domain service account
- WebLink application pool identity is Network Service

I have done the following:

- Configured Web server computer account for delegation
- Created SPNs for the LFS service account
- Configured WebLink virtual directory to use Automatic Windows Auth

Not sure if I should be using Kernel-mode authentication or not in IIS (it doesn't allow selecting Negotiate:Kerberos with kernel-mode turned on).

IIS accepts the credentials and WebLink returns a Permission Denied.

If you have any hint at what I should be looking at, it would be appreciated.

0 0

Answer

SELECTED ANSWER
replied on February 27, 2014

Hi,

My VAR pointed me at KB1012580 and it solved my problem. For some reason the browser did not recognize the site as intranet and wasn't passing the credentials.

Note that the only account I have applied Kerberos delegation to was the WebLink server's computer account, as instructed by the guides. Any reason why the LFS service account and LFS computer account would need delegation?

Thanks,

JS

0 0

Replies

replied on February 26, 2014

Confirm that the HTTP and LaserficheServer SPNs for your Laserfiche Server computer have been registered against the service account. Note that you need to use the server name as well as its FQDN. Also make sure that there are no duplicate SPNs registered.

0 0
replied on February 27, 2014

Hi,

There are no duplicate SPNs for Laserfiche.

I have created the SPNs for the Service Account as follows:

setspn -L {Service_Account}
Registered ServicePrincipalNames for CN={Service_Account},OU=Service Accounts{removed}
        LaserficheServer/LASERFICHE.{domain.tld}
        LaserficheServer/LASERFICHE
        HTTP/LASERFICHE.{domain.tld}
        HTTP/LASERFICHE

Thanks,

JS

0 0
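
The SPN check discussed in the two replies above (HTTP and LaserficheServer SPNs registered for both the short server name and its FQDN), as an added example that is not part of the original thread or of Laserfiche's guides. The function name `Test-SpnCoverage`, the account `svc-lfs` and the `example.test` domain are constructed placeholders; `setspn -L` and `setspn -X` are the real commands.

```powershell
# Added example. Reports which expected SPNs appear in "setspn -L" output.
function Test-SpnCoverage {
    param(
        [string[]]$SetSpnOutput,   # lines as printed by: setspn -L <account>
        [string]$ShortName,        # server short name, e.g. LASERFICHE
        [string]$Fqdn,             # server FQDN, e.g. LASERFICHE.example.test
        [string[]]$ServiceClasses = @('HTTP', 'LaserficheServer')
    )

    # SPN entries are the indented "class/host" lines below the header line.
    $registered = @(
        $SetSpnOutput |
            Where-Object { $_ -match '^\s+\S+/\S+\s*$' } |
            ForEach-Object { $_.Trim() }
    )

    foreach ($class in $ServiceClasses) {
        foreach ($hostName in @($ShortName, $Fqdn)) {
            $spn = "$class/$hostName"
            [pscustomobject]@{
                SPN        = $spn
                # -contains compares case-insensitively
                Registered = $registered -contains $spn
            }
        }
    }
}

# Constructed sample output: the FQDN form of the HTTP SPN is missing.
$sample = @(
    'Registered ServicePrincipalNames for CN=svc-lfs,OU=Service Accounts,DC=example,DC=test:'
    '        LaserficheServer/LASERFICHE.example.test'
    '        LaserficheServer/LASERFICHE'
    '        HTTP/LASERFICHE'
)
Test-SpnCoverage -SetSpnOutput $sample -ShortName 'LASERFICHE' -Fqdn 'LASERFICHE.example.test' |
    Format-Table -AutoSize

# Against a live domain, from a domain-joined machine:
#   Test-SpnCoverage -SetSpnOutput (setspn -L svc-lfs) -ShortName LASERFICHE -Fqdn LASERFICHE.example.test
#   setspn -X    # searches the domain for duplicate SPNs
```

On the constructed sample, the row for `HTTP/LASERFICHE.example.test` shows `Registered` as `False` and the other three show `True`.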
replied on February 27, 2014

Please also make sure that the service account has been trusted for Kerberos delegation in AD. Do the same for the Laserfiche Server computer as well. You mentioned that the web server computer is already trusted for Kerberos delegation. Once that's been done, reboot the Laserfiche Server computer and the web server and see if there's still an issue.

0 0