Question

Laserfiche Directory Server - Identity Providers

asked on December 10, 2014

Hi,

We upgraded from LF 9.0.2 to LF 9.2 this past weekend and, as part of this, we upgraded from License Manager 8.3.1 to the new Laserfiche Directory Server (LFDS). Once done, we successfully managed to import the existing License Database and were able to work from there.

We were able to set up 2 Organisations to segregate our License pool and assign rights accordingly for which people had access to add new Users per Organisation.

Today we had the first instance of creating a new user on the LFDS. What I found a bit strange is the Identity Providers step required for adding a user. We had set up a specific Identity Provider with a specified account that has access to that Active Directory server, but when the Admin user tried to find the User, it would prompt him for an Account Name and password to be used. If you then enter the same details, it takes them and the User details are returned. Without closing the Browser, you can then search for another user, and it would find him/her without prompting for the Windows Account details again.

Yet, if you close the browser and then go to add a user again, once again the user is prompted for the Windows Account details.

I went through the help file, but there was not too much info on this as it still indicated Beta Documentation.

What I would like to confirm is: when setting up the provider and specifying the Account details to use for searching against AD, surely it should not ask the user again when they choose that specific provider? We do not want to make the Account details known to every admin that needs to administer licenses, and therefore if it is going to ask for the credentials every time it can cause a security risk for us.

Is there something we are doing wrong? Or something we are potentially missing on the config side?

We are moving into a structure where the entire Group will be allocating licenses from the central LFDS, so we would expect, seeing as this will work with different identity providers, that we could set up and save the accounts to be used for each and then grant the relevant rights for which users can add in which Organisation unit and identity provider.


Answer

SELECTED ANSWER
replied on December 11, 2014

You only need to create an identity provider for domains other than the one the LFDS server is currently on. The current domain is automatically added as the default ID provider.

The credentials specified when the ID provider is created are used by the server when it runs the synchronization rules for active directory users. As a security measure, these credentials are not used when an administrator registers users. In other words, just because the server has rights to look for users in a given active directory, it doesn't mean that anybody with rights to register users should also be able to.

When you try to register a user, the admin console tries to open up the ID provider with the credentials of the currently logged-in user. If those don't work, then the user is prompted to enter different credentials. For example, say you have LFDS on DomainA and you also have an ID provider for DomainB. You log into LFDS as your DomainA user when you access the site. When you try to browse for users in the ID provider for DomainB, LFDS will first try your credentials from DomainA. If those can log you into DomainB, you get the list of users. If they can't, you get the prompt for different credentials.

Once LFDS logs you into that ID provider, the credentials are cached for a short period of time for convenience. That is why you can add more users. Once you close the browser or the cached data expires, you will be prompted to log in again.

When registering users, you don't need to log in as a domain admin or even as the same user you specified in the ID provider. You just need to log in as a user with rights to see the existing users in the domain specified in the ID provider.


Replies

replied on January 13, 2015

Thanks for the feedback Miruna.

replied on January 14, 2015

Hi Miruna,

We have confirmed with our IT that the relevant administrators that are tasked with Registering new users on the LFDS have sufficient rights to view AD users. What we found now is that they go through the steps of registering the User, and when they get to the point where they type in the name to search against AD, a block is returned saying Access Denied and that a Specified Windows Account can be used. They are then presented with a block to enter a User Name and Password. If they retype their own details in there (Windows User Name and Password), then it allows them to find the relevant user to be added and continue with the registration process.

Based on the info you provided, it should have recognized them in the first instance, should it not? Why would it prompt them then to re-capture the details?

replied on January 21, 2015

The error in this case is not that access was denied to the logged in user, but that the credentials for the logged in user could not be automatically passed along for authentication.

This is occurring because of how LFDS authenticates users (using the Negotiate protocol). If you are accessing LFDS from a machine where LFDS is not installed, in order to automatically pass your Windows credentials, Kerberos must be configured. This is because of the "two hop" problem, similar to setting up Web Access to use automatic Windows authentication. When Kerberos is not configured, LFDS falls back to a different protocol (NTLM) and prompts you to enter your credentials manually.

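The two answers above describe two separate checks: the admin console first tries the logged-in admin's own Windows context against the identity provider's domain and only prompts when that bind fails, and a remote browser can only hand that context to LFDS when Kerberos works for the site name being used (otherwise Negotiate drops to NTLM and the prompt appears). The PowerShell below reproduces both checks outside LFDS so they can be tested in isolation. It is an added example, not code from Laserfiche or from anyone in this thread; the host name, domain, accounts and user name are placeholders you replace with your own, and the explicit-credential bind can also be used to confirm that the account stored in an identity provider still authenticates after a password change (the synchronization problem raised later in the thread).

```powershell
# Added example (not from Laserfiche or the original thread). Placeholders below are assumptions.
$LfdsHost  = 'lfds.corp.example'       # DNS name the admins type into the browser
$IdpDomain = 'domainb.example'         # AD domain configured in the identity provider
$SyncUser  = 'DOMAINB\svc-lfds-sync'   # account stored in that identity provider for sync
$LookupSam = 'jdoe'                    # sAMAccountName of a user the admin wants to register

# Bind to a domain and look up one user, mirroring the "browse for users" step.
# Without -Credential the bind uses the caller's current security context,
# which is what the LFDS admin console tries first.
function Test-AdUserLookup {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$SamAccountName,
        [System.Management.Automation.PSCredential]$Credential
    )
    Add-Type -AssemblyName System.DirectoryServices
    try {
        $root = if ($Credential) {
            New-Object System.DirectoryServices.DirectoryEntry(
                "LDAP://$Domain", $Credential.UserName, $Credential.GetNetworkCredential().Password)
        } else {
            New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain")
        }
        $null = $root.NativeObject   # forces the bind; throws on bad credentials or no access
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
        $null = $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'distinguishedName'))
        $hit = $searcher.FindOne()
        $dn = if ($hit) { $hit.Properties['distinguishedname'][0] } else { $null }
        [pscustomobject]@{ Bound = $true; Found = [bool]$hit; DN = $dn; Error = $null }
    } catch {
        [pscustomobject]@{ Bound = $false; Found = $false; DN = $null; Error = $_.Exception.Message }
    }
}

# Check the Kerberos side: is there an HTTP SPN for the site name, and can the current
# user obtain a service ticket for it? Without both, Negotiate falls back to NTLM and the
# browser cannot silently forward the user's credentials through LFDS to the second hop.
# (HOST/<computer> also covers HTTP, but only when the site is reached by the computer's own name.)
function Test-KerberosForSite {
    param([Parameter(Mandatory)][string]$HostName)
    $spn = "HTTP/$HostName"
    $spnOut = & setspn.exe -Q $spn 2>&1
    $spnRegistered = (($spnOut -join "`n") -match 'Existing SPN found')
    $ticketOut = & klist.exe get $spn 2>&1
    $ticketObtained = (($ticketOut -join "`n") -match ('Server:\s*' + [regex]::Escape($spn)))
    [pscustomobject]@{ Spn = $spn; SpnRegistered = $spnRegistered; TicketObtained = $ticketObtained }
}

# 1) What LFDS tries first: the logged-in admin's own context against the provider's domain.
$asCurrent = Test-AdUserLookup -Domain $IdpDomain -SamAccountName $LookupSam
# 2) What the prompt does: explicit credentials. Using the sync account here also verifies
#    that the password stored in the identity provider is still valid.
$asExplicit = Test-AdUserLookup -Domain $IdpDomain -SamAccountName $LookupSam -Credential (Get-Credential $SyncUser)
# 3) Whether a remote browser can hand the current context to LFDS at all.
$kerb = Test-KerberosForSite -HostName $LfdsHost
$asCurrent, $asExplicit, $kerb | Format-List
```

Run this on the admin's workstation as the admin, not on the LFDS server: the one-hop bind in step 1 can succeed there even when the browser-to-LFDS-to-AD path fails, which is exactly the "two hop" distinction the reply above makes. If `SpnRegistered` is false for the name in the browser's address bar, an SPN must be registered on the account the LFDS service runs as (the computer account for Network Service); if it is true but `TicketObtained` is false, the client is not reaching a KDC for that realm.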
replied on January 22, 2015

Thank you for the info Brianna. Will see if we can get it configured and re-test.

replied on October 8, 2015

What happens if the password changes for the user that was used to install DS? Having an issue trying to Synchronize. Users are not showing up after a Synchronization. However, the customer indicated that the password for the account we used to install DS has changed. Based on what I read above, the Synchronize uses the account we used when installing DS? Odd thing is I do not see any Synchronize-specific errors in the log.

replied on October 8, 2015

The user installing LFDS does not matter. Synchronization uses the username and password specified in the identity provider's configuration. If that password changes, it needs to be updated (through the Settings page).

replied on October 30, 2015

However, I cannot change the user name and password for the default Identity Provider that is created as part of the DS installation?

replied on October 30, 2015

That Identity Provider will authenticate as the user the LFDS service is running as. Network Service (the default) is likely to be able to authenticate as necessary. If you have chosen to run the service as a specific Windows user, make sure they have the necessary rights to query AD.

Unless you specifically changed the service to run as the same user that installed LFDS, the installing user is not relevant.

If you want to customize the settings of an Identity Provider further, you will need to add your own.

replied on January 6, 2017

Which DC will the Default Identity Provider use? 

Can I view which one it is using in a config file?
