
Question

Laserfiche trustee accounts take precedence??

asked on June 2, 2015

One of our Rio customers has a Laserfiche Forms server hosted on their DMZ, and they need a way for their named users to log into that Forms server using a regular username and password, as opposed to their Windows account. There is no trust between the two domains, and it is not feasible to set it up. So we went ahead and configured Laserfiche trustees for them, but when we linked those to their Windows accounts, we got a message that said all authentication, attribute and audit settings on the Windows accounts would be ignored because, for whatever reason, the LF trustee takes precedence.

I find this quite vexing. I thought one of the selling points of Rio was to make user management very easy, and that was accomplished by leveraging Active Directory. So it seems to me that Laserfiche trustees should be treated as secondary in situations where a user has both. Can someone from Laserfiche explain the reasoning behind why that is not the case?

Ideally, the Windows accounts should be the primary authority (since we have AD synchronization set up at License Manager), and linking them to an LF trustee should simply provide the additional ability to log in using a username and password in situations where the AD server is not reachable (e.g. most scenarios involving a DMZ).

They have been using their Windows accounts for a while, and we don't have an easy way of copying authentication, attribute and audit settings from Windows accounts to LF trustee accounts. We also do not want to lose the benefit of AD synchronization, especially since this company has a lot of turnover.

We need a more elegant way of handling this scenario. Any assistance is appreciated.

1 0

Replies

replied on June 14, 2015

Sorry folks, but I need to bump this because the customer would really like a response.

0 0
replied on June 16, 2015

it seems to me that Laserfiche trustees should be treated as secondary in situations where a user has both

There isn't a situation where a user has both.  A user authenticates to Laserfiche using either Windows authentication or repository credentials.  If they enter correct credentials for a repository user, that's how their permissions (etc) get resolved.  If they use Windows authentication, then there are two possibilities, one of which is that the identity is mapped to a Laserfiche trustee.  Note that this mapping is one-way and that many Windows identities can be mapped to a single Laserfiche trustee.

If you need to use Windows authentication with a web application where the users are outside the domain, you can look at installing the app internally with a proxy in the DMZ.

0 0
replied on May 11, 2016

Ege, what did you end up doing? I'm in the same situation and after getting the Forms Portal all set up in the DMZ and everything working, I don't really want to break that. I want to do exactly as you stated, have them log in internally using windows authentication, and then externally through the Forms Portal URL in the DMZ with their username and password. Curious to know what you ended up doing. Thanks

0 0
replied on May 11, 2016

We ended up telling them Windows Authentication won't work in their scenario, and switched everyone to a Laserfiche user account.

Originally this was a concern since Laserfiche named licenses used to be repository-specific, but with Directory Server and version 10, that's no longer the case.

0 0
replied on May 12, 2016

What a pain this is going to be....

Thanks Ege, I appreciate your help.

0 0
replied on May 12, 2016

Laserfiche, this simply isn't a solution for my client. What Ege had to do is not something my client wishes to proceed with, nor should Ege have been forced to do this based on this improper behaviour. We would essentially be going back in time to the point where we HAD to create Laserfiche users AND groups, with access rights on them. The whole point of AD authentication is to help our clients manage Laserfiche and their users more effectively, including access rights at AD group levels.

We can live with creating Laserfiche Users, but the pop up that said all authentication, attribute and audit settings on the Windows accounts would be ignored because the LF trustee takes precedence (as Ege mentioned above) should not be the case. To work around this we would have to create Laserfiche groups, and manage everything back in Admin console as if we're using product version 6 again. We've got the full repository already set with access rights using Windows Account groups. In AD, we have AD groups with AD users in them. None of this can be utilized when the AD user is linked to an LF account? Sorry, but this does not make much sense.

We are going to be implementing this scenario with a lot of Municipal clients in the near future. If this behaviour stays, I can see a lot of unhappy clients. There is no way they want to run all of Forms in the DMZ either.

Our client rolled out this HUGE project on Monday, it includes 4 forms and 18 workflows, all built around AD users and groups. They need a resolution soon, so I look forward to a response.

Thank you

0 0
replied on May 12, 2016

Shaun,

It is extremely unlikely that Laserfiche will change this behavior. Account management and security are very complicated and there are a lot of very legitimate reasons why keeping them the way they are makes sense.

If your client wants to use their Windows accounts regardless of whether they are inside or outside the network, I think your best bet is to use a reverse proxy configuration as explained here. It's a bit of extra work (that we chose not to perform for our projects because our clients were OK with username/password authentication), but in the long run it's both more elegant and more secure.

If you aren't familiar with reverse proxies, I'd suggest using your VAR Kit to set up a test environment (either on your own network if your organization has one, or on an environment prepared for you by a managed IT services firm) and play with it. You say you'll have a lot of clients in the near future who will have a DMZ set up, so it would be a good time investment.

Just my humble opinion. ;)

-Ege

0 0
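For readers weighing the reverse-proxy route that the June 16 reply and Ege both suggest, here is an added example of that layout; it is not from the thread, from Laserfiche, or from any linked documentation. Forms stays on the internal network where it can reach the domain controllers, and a reverse proxy in the DMZ terminates TLS and forwards only the Forms application path to it. The host names, ports, certificate paths and the /Forms/ virtual directory are assumptions for illustration.

```nginx
# DMZ reverse proxy in front of an internal Laserfiche Forms server.
# Added example, not from the thread. Assumed names:
#   forms.example.com     - public name users reach from outside
#   forms-int.corp.local  - internal Forms server, reachable only from the DMZ host
#   /Forms/               - assumed virtual directory of the Forms web application

server {
    listen 443 ssl;
    server_name forms.example.com;

    ssl_certificate     /etc/nginx/certs/forms.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/forms.example.com.key;   # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Publish only the Forms application; nothing else on the internal host is reachable.
    location /Forms/ {
        proxy_pass         https://forms-int.corp.local/Forms/;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    # Any other path on the public name gets nothing, not a redirect into the internal host.
    location / {
        return 404;
    }
}

# Plain HTTP only redirects, so credentials never cross the Internet in the clear.
server {
    listen 80;
    server_name forms.example.com;
    return 301 https://$host$request_uri;
}
```

Two things to check before rolling this out. First, the DMZ host needs a firewall rule to the internal Forms server on the proxied port and nothing else; the point of the layout is that the proxy, not Forms, is what is exposed. Second, Windows-integrated authentication with NTLM authenticates the TCP connection rather than each request, so it does not survive a proxy that pools or reuses upstream connections across clients; open-source nginx does not proxy NTLM (that is a commercial NGINX Plus feature), so test logging in through the proxy end to end, and if it fails use a proxy that supports connection-oriented authentication or have the proxy present a login page and authenticate to Forms on the user's behalf.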
replied on May 13, 2016

Thanks Ege, I'll take as many opinions/ideas as I can for this one. It's looking like the reverse proxy might be the best solution for this at this point. Will do some investigating. Thanks again, I appreciate it.

0 0