LDAP Authentication for Enterprise
• Internet Information Services (IIS) Settings
When EQuIS Enterprise is installed, it uses Application Level Security (ALS), meaning EQuIS authenticates user accounts in the ST_USER table. For some organizations, it makes more sense to use Windows Active Directory (or any Lightweight Directory Access Protocol [LDAP] provider) to manage user authentication.
EQuIS Enterprise may be configured to use LDAP authentication with the following considerations.
IIS relies on the file and folder Access Control List (ACL) entries to determine whether an individual user has permission to view a page. EarthSoft recommends creating a Domain Group to manage access to EQuIS Enterprise. Alter the folder security for the .\Enterprise7 folder and add an ACL entry for this new Domain Group. Grant the group the Read & execute, List folder contents, and Read permissions.
Windows Authentication is an IIS component that will identify a user by their Windows domain account when visiting an IIS website. Windows Authentication is not installed by default starting with Windows Server 2008 R2 (aka IIS 7.5). Go through Add Roles and Features for the "Web Service" role to add Windows Authentication as an available feature.
Warning: The authentication settings for the EQuIS Enterprise virtual directory (e.g. Default Website/equis) must be changed such that Windows Authentication is the only authentication enabled!
Disable Anonymous authentication and Forms authentication, and enable Windows Authentication. To support both internal users (using LDAP) and external users (using EQuIS Enterprise application-level security), an administrator can create two separate instances of the virtual/physical directory with different authentication modes.
Depending on your browser configuration, your browser may work with Windows Authentication without any additional configuration. However, in some cases, additional configuration may be necessary. The following links may be useful in troubleshooting Windows Authentication with various browsers.
In order to use Windows Authentication, modify your .\Enterprise7\web.config file. Open web.config in an XML editor and, around line 19, change the authentication mode from "None" to "Windows" as seen below:
Change from: <authentication mode="None" />
Change to: <authentication mode="Windows" />
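The three IIS-side settings described above (the folder ACL, the authentication modes on the virtual directory, and the web.config authentication mode) can be audited in one pass. The following PowerShell script is an added example, not part of this documentation or of EarthSoft's product; the folder path, site and application names, and the domain group name are placeholders to adjust for your environment.

```powershell
# Added audit example (not EarthSoft's code). Reports any of the three settings
# this page requires that are not in the documented state. The default values
# below are placeholders; pass your own folder, site, application and group.
param(
    [string]$Folder      = 'C:\inetpub\wwwroot\Enterprise7',
    [string]$Site        = 'Default Web Site',
    [string]$Application = 'equis',
    [string]$DomainGroup = 'DOMAIN\EQuIS Enterprise Users'
)

Import-Module WebAdministration
$findings = New-Object System.Collections.Generic.List[string]

# 1. web.config must contain <authentication mode="Windows" /> (not "None" or "Forms").
$webConfig = [xml](Get-Content -Path (Join-Path $Folder 'web.config') -Raw)
$mode = $webConfig.configuration.'system.web'.authentication.mode
if ($mode -ne 'Windows') {
    $findings.Add("web.config authentication mode is '$mode'; expected 'Windows'")
}

# 2. IIS authentication on the virtual directory: Windows on, Anonymous off.
$psPath     = "IIS:\Sites\$Site\$Application"
$authFilter = 'system.webServer/security/authentication'
$anonymous = (Get-WebConfigurationProperty -PSPath $psPath -Filter "$authFilter/anonymousAuthentication" -Name enabled).Value
$windows   = (Get-WebConfigurationProperty -PSPath $psPath -Filter "$authFilter/windowsAuthentication"   -Name enabled).Value
if ($anonymous)    { $findings.Add('Anonymous Authentication is enabled on the virtual directory; disable it') }
if (-not $windows) { $findings.Add('Windows Authentication is disabled on the virtual directory; enable it') }

# 3. NTFS ACL on the Enterprise7 folder: the domain group needs an Allow entry
#    that includes Read & execute (which implies List folder contents and Read).
$required = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$aces = (Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $DomainGroup -and $_.AccessControlType -eq 'Allow' }
$hasReadExecute = $false
foreach ($ace in $aces) {
    if (($ace.FileSystemRights -band $required) -eq $required) { $hasReadExecute = $true }
}
if (-not $aces) {
    $findings.Add("No Allow ACL entry for '$DomainGroup' on $Folder")
} elseif (-not $hasReadExecute) {
    $findings.Add("ACL entry for '$DomainGroup' on $Folder lacks Read & execute")
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $Site/$Application is configured for Windows Authentication as documented."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from an elevated PowerShell session on the web server after completing the steps above; it only reads configuration and changes nothing.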
When a user tries to access the EQuIS Enterprise virtual directory using LDAP, EQuIS compares their LDAP user name (i.e. "DOMAIN\user") to the valid users in the ST_USER table. If there is no matching record in the ST_USER table (e.g. user_name = 'DOMAIN\user'), they will not be able to use the application (it will appear as if they are not logged in). They first need to be added as a user, then activated, assigned roles (including the Enterprise License Role), and granted permissions. The error log will contain a note recording who tried to log in and was denied, and a similar notification is sent to the administrator for the User Validate service. It is strongly recommended that the person implementing LDAP authentication add their own domain account and assign it to the Admin role before starting this procedure.
LDAP authentication may be used for EQuIS Professional in conjunction with EQuIS Enterprise and ALS.
Copyright © 2023 EarthSoft, Inc • Modified: 04 Jul 2022