Question

Forms Portal access to Active Directory

asked on March 9, 2016

Consider the following scenario:

  • Deployment:
    • Internal Forms server (primary forms server), on internal network, server within AD domain.
    • Public Forms Portal server, in DMZ, server not in the domain. 
  • Form/Business Process
    1. PUBLICLY accessible (anonymous submission via the Forms Portal server)
    2. After submission, an email is sent to a Forms user that is an AD user (has a named user license, synced from repository to Forms). 
Question...

When viewing the Forms Portal user list, it's unable to resolve domain user accounts SIDs to usernames because it doesn't have access to AD. 

My concern is when the business process reaches step 2, if it's performed by the Forms Routing Service on the Forms Portal server (where it was originally submitted from), then it won't be able to perform the AD lookup for the user's email address (since the Forms Portal server isn't in the domain). 

For Forms/Business processes submitted on the Internal Forms Server, everything will work fine. But I'm concerned about what may happen if a Form submitted through the Public Forms Portal server requires some AD lookup somewhere in the business process... or is this somehow offloaded over to the Internal Forms Server (because it's been configured as the primary forms server)?

We haven't tested this specific scenario, but we're about to deploy this implementation and I'm trying to be prepared to ensure I understand this particular aspect/functionality.  

Thanks!

0 0

Replies

replied on March 10, 2016

Hi There,

For DMZ configuration, you should only have the internal Forms Routing Service running.  The DMZ forms server's Routing Service should be disabled, and it should have its endpoints point to the internal forms server's routing engine:

1. Disable the DMZ forms server's routing engine

2. Change DMZ form server's endpoints in C:\Program Files\Laserfiche\Laserfiche Forms\Forms\Web.config

  • From localhost to InternalFormsServerName (This is to tell the DMZ Forms Server to use the Internal Forms Server's Routing Service)
  • Change the endpoints for:
    • lfrouting
    • lfautotrigger
    • lfformexport

Answer ...

If configured as suggested above, when the business process reaches step 2, it will be performed by the routing service on the internal forms server, which will have the necessary rights to perform the AD lookup for the user's email address.

1 0
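
An added example (not from this thread or from Laserfiche) that audits a DMZ Forms Portal Web.config for the three endpoints named above and repoints any that still use localhost at the internal server, changing only the host part of each address. The WCF-style `<system.serviceModel><client><endpoint>` layout and the sample addresses are assumptions, constructed here for illustration.

```python
"""Audit and repoint Forms Portal Web.config routing endpoints (DMZ to internal)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Endpoint names the reply says must point at the internal Forms server.
ROUTING_ENDPOINTS = ("lfrouting", "lfautotrigger", "lfformexport")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: the element layout and paths are assumptions, not the
# product's real Web.config. Two of the three endpoints still use localhost.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.serviceModel>
    <client>
      <endpoint name="lfrouting" address="http://localhost/Forms/routing.svc" />
      <endpoint name="lfautotrigger" address="http://InternalFormsServerName/Forms/autotrigger.svc" />
      <endpoint name="lfformexport" address="http://localhost:8080/Forms/export.svc" />
      <endpoint name="other" address="http://localhost/Forms/other.svc" />
    </client>
  </system.serviceModel>
</configuration>"""


def _routing_endpoints(root):
    """Yield only the endpoint elements whose name is one we must repoint."""
    for ep in root.iter("endpoint"):
        if ep.get("name") in ROUTING_ENDPOINTS and ep.get("address"):
            yield ep


def audit_endpoints(xml_text):
    """Return names of routing endpoints still pointing at this (DMZ) host."""
    root = ET.fromstring(xml_text)
    return sorted(ep.get("name") for ep in _routing_endpoints(root)
                  if (urlsplit(ep.get("address")).hostname or "") in LOCAL_HOSTS)


def repoint_endpoints(xml_text, internal_host):
    """Rewrite the host of local routing endpoints; keep scheme, port and path."""
    root = ET.fromstring(xml_text)
    changed = []
    for ep in _routing_endpoints(root):
        parts = urlsplit(ep.get("address"))
        if parts.hostname in LOCAL_HOSTS:
            netloc = internal_host + (f":{parts.port}" if parts.port else "")
            ep.set("address", urlunsplit(parts._replace(netloc=netloc)))
            changed.append(ep.get("name"))
    return ET.tostring(root, encoding="unicode"), changed
```

Run `audit_endpoints` again on the rewritten text to confirm nothing in the list still resolves to the DMZ host before restarting the site.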
replied on May 11, 2016

Hi Ling, 
Further to this setup (which works great based on the article that was published), if my AD Named users are on the road and want to look at a task in Forms, since the Internal Forms and External Forms Portal (in DMZ) share the same database, can my AD users use the external URL but login with their AD credentials? I know I can login to that URL with a LF User, but since it's in the DMZ environment, how can I authenticate? 
This would allow them to complete the task on the road and not have to VPN into the network each and every time. 
0 0
replied on May 11, 2016

Looks like Ege wanted to do the same, as I thought of this solution while waiting for a response. I am faced with the same frustration as Ege. 

https://answers.laserfiche.com/questions/78230/Laserfiche-trustee-accounts-take-precedence
Please let me know that in a year's time something has been done to allow this?

0 0
replied on May 12, 2016

Hi Shaun,

Assuming you have opened ports to the Laserfiche Server which is hosted on the internal network as mentioned in the white paper, and the Laserfiche Server has the list of AD Named users who are authenticated into Forms, your AD Named users should be able to log in to Forms using the external URL.

If you're having problems with the above setup, please open a support case.

Thanks.

0 0
replied on May 12, 2016

Hi Shaun,

When a user connects to Forms we need to verify that the connected user is a named user. If the user is a domain account we need to impersonate the user using your internal AD by opening a port or a replicated AD on the DMZ. After impersonating the user, Forms will log into a Laserfiche server with those credentials. There is no requirement that a DMZ machine and internal machine point to the same Laserfiche server. So you could have a replicated Laserfiche server on the DMZ that contains no files, or you can open a port so the DMZ can talk to the internal Laserfiche server.

0 0
replied on May 13, 2016

Just a note for folks, there is a whitepaper on "Hosting Laserfiche Forms 10 In A Perimeter Network (DMZ)" located at

https://support.laserfiche.com/GetFileRepositoryEntry.aspx?id=3481&mode=download

... although you might want to subscribe to "Whitepaper on Forms in DMZ config appears to be missing an item" to see if the whitepaper is missing one item.

0 0
replied on May 13, 2016

Thanks Damon, I kinda pushed for information and then that article came out. That helped me find the missing step I missed, but that doesn't explain anything about what I'm trying to do here. We would like to log into the Forms DMZ URL with Windows AD user accounts. 

0 0