Windows Authentication
Windows Authentication uses Windows Active Directory to authenticate and authorize users into the Infiniti platform. User credentials are automatically retrieved based on who the user has logged onto the machine as they are not prompted for a username or password.
Windows authentication automatically retrieves profile information such as their name and email address and also subscribes (and unsubscribes) to groups automatically authorizing access to particular forms and where appropriate administrative features.
End users must belong to the same domain as the Infiniti web server, or to a trusted domain.
Appropriate AD groups need to be added to Infiniti before users hit the site so that users can be authorized as needed by the business. For example
- Give the 'Domain_Admins' group Global Administrator privileges
- Give the 'Internal_HR' group access to the onboarding and exit forms.
How to Enable Windows Authentication
By default Infiniti Installations use Forms Authentication as the licensing and an administrator group must be configured before windows Authentication can be configured.
Step 1 - Identify and configure and Active Directory Infiniti administrator group.
When the first user (usually a server administrator) attempts access, Infiniti needs to assign them permissions so they can access appropriate functions. If this step is not completed users will not be able to actually do anything post authentication. Use the article below to configure an external group.
Step 2 Modify Produce and Manage web.Config Files
- From the Infiniti Web server open the Produce web.config file (usually similar to c:\inetpub\wwwroot\Infiniti\Produce\web.config)
- Find the 'authentication' element
- Modify the mode attribute to 'Windows' as in the example below:**
...
<authentication mode="Windows" />
<membership>
<providers>
<clear />
</providers>
</membership>
...
- Save changes
- Repeat for Manage's web.config file.
Tip: Start with Produce
It is possible to isolate windows authentication to the Produce application only to test configuration settings. Thus, if any configuration needs modifying in manage it is possible to make changes under forms authenticaiton.
Step 3 Configure IIS
- From the web server IIS, expand the connections tree until the Manage Application appears.
- Double-click the Authentication Icon.
- Ensure Windows Authentication is the only item enabled.
Step 4 - Optional appSettings.json setting configuration
The following optional settings can be configured to suit the environment where necessary.
- From the Infiniti Web server open the Manage web.config file (usually similar to c:\inetpub\wwwroot\Infiniti\Manage\appSettings.json)
- Add and configure and Authentication object as per the table and example below
Setting | Description | Example Setting |
---|---|---|
NestedGroups | Controls whether the groups, the user is a member of, are checked to see if they are a member of any other group. This can be slow on some domains so when this option is off only the groups, the user is directly a member of, will be checked against Infiniti groups. The default is 'true'. | True/False |
ADPath | This is setting overrides the default directory search path of "LDAP://mydomainname". The domain name used comes from the user's Windows credentials (Eg: companyName\user123). This might not be the correct or quickest place to perform AD queries, so use this setting to specify an alternate path. | LDAP://intelledox.local |
KeepDomain | When set to True, accounts will be created in the format "domain\username." This attribute enables Multi-Domain support when usernames are not unique between domains. Default is false. | True/False |
Logging | A logging mode where verbose logging information is written to the Infinti database useful for troubleshooting. Default is false. | True/False |
{
"AppSettings": {
"PortalURL": "",
"ProduceURL": "http://server/Produce/"
},
"ConnectionStrings": {
"DefaultConnection": "Password=infiniti;Persist Security Info=True;User ID=infiniti;Initial Catalog=InfinitiDev;Data Source=server123",
"DboConnection": "Password=infiniti;Persist Security Info=True;User ID=infiniti;Initial Catalog=InfinitiDev;Data Source=server123"
},
"Extensions": [
"Intelledox.Extension.DatasourceBuiltin.OleDbDatasource, Intelledox.Extension.DatasourceBuiltin",
"Intelledox.Extension.DatasourceBuiltin.SqlServerDatasource, Intelledox.Extension.DatasourceBuiltin",
"Intelledox.Extension.DatasourceBuiltin.CsvDatasource, Intelledox.Extension.DatasourceBuiltin",
"Intelledox.Extension.DatasourceBuiltin.OdbcDatasource, Intelledox.Extension.DatasourceBuiltin",
"Intelledox.Extension.DatasourceBuiltin.RSSDatasource, Intelledox.Extension.DatasourceBuiltin",
"Intelledox.Extension.DatasourceBuiltin.WebserviceDatasource, Intelledox.Extension.DatasourceBuiltin",
"Intelledox.Extension.DatasourceBuiltin.XmlDatasource, Intelledox.Extension.DatasourceBuiltin",
"Intelledox.Extension.DatasourceBuiltin.InfinitiDatasource, Intelledox.Extension.DatasourceBuiltin",
"Intelledox.Extension.DatasourceBuiltin.JsonDatasource, Intelledox.Extension.DatasourceBuiltin",
"Intelledox.Extension.DatasourceBuiltin.RestDatasource, Intelledox.Extension.DatasourceBuiltin"
],
"Authentication": {
"Settings": {
"CookiePrefix": "",
"Timeout": "30"
},
"Windows": {
"KeepDomain": "False",
"Logging": "False",
"NestedGroups": "True",
"ADPath": "LDAP://intelledox.local",
}
}
}
Step 5 Test
User Groups
A user's group memberships can be retrieved via a net user command.
net user yourUser /domain
net user johnd /domain
- Ensure you are logged in as a user that is a member of the AD group created in step 1
- Close all browsers to ensure any existing Infiniti Sessions are removed.
- Open a new browser and navigate to Infiniti Manage or Produce.
- You should be logged into Mange or Produce Home respectively.
Logging and Troubleshooting
With the logging setting in step 4 above enabled. Logs can be retrieved from the Infiniti database using the following SQL query.
SELECT *
FROM EventLog
ORDER BY DateTime DESC
An example working log is provided below.
WINDOWS AUTHENTICATION VALIDATE START
Domain: 'INTELLEDOX'
Username: 'user123'
DomainUser: 'user123'
directoryPath: 'LDAP://intelledox.local'
USER PROFILE QUERY
Filter: (&(ObjectClass=person)(sAMAccountName=user123))
Query: 453.4937ms
GROUP QUERY (GroupX)
Filter: (&(ObjectClass=group)(sAMAccountName=Ix_GroupX))
Query: 31.2193ms
GROUP QUERY (GroupY)
Filter: (&(ObjectClass=group)(sAMAccountName=Email-GroupY))
Query: 0ms
GROUP QUERY (IxSupport)
Filter: (&(ObjectClass=group)(sAMAccountName=IxSupport))
Query: 15.6266ms
PRIMARY GROUP SEARCH
filter '(objectSID=\01\05\00\00\00\00\00\05\15\00\00\00\46\f0\c8\3e\8e\0e\83\f8\4b\ea\4c\77\01\02\00\00)'
Query: 22.1467ms
AD user and matching Infiniti groups found
WINDOWS AUTHENTICATION VALIDATE START
Domain: 'INTELLEDOX'
Username: 'user123'
DomainUser: 'user123'
directoryPath: 'LDAP://intelledox.local'
USER PROFILE QUERY
Filter: (&(ObjectClass=person)(sAMAccountName=user123))
Query: 453.4937ms
GROUP QUERY (GroupX)
Filter: (&(ObjectClass=group)(sAMAccountName=GroupX))
Query: 31.2193ms
GROUP QUERY (GroupY)
Filter: (&(ObjectClass=group)(sAMAccountName=GroupY))
Query: 0ms
GROUP QUERY (ChangedName)
Filter: (&(ObjectClass=group)(sAMAccountName=ChangedName))
Query: 15.6266ms
PRIMARY GROUP SEARCH
filter '(objectSID=\01\05\00\00\00\00\00\05\15\00\00\00\46\f0\c8\3e\8e\0e\83\f8\4b\ea\4c\77\01\02\00\00)'
Query: 12.0327ms
No matching Infiniti groups found
Updated about 1 year ago