Windows Authentication
Windows Authentication uses Windows Active Directory to authenticate and authorize users into the Infiniti platform. User credentials are automatically retrieved based on who the user has logged onto the machine as they are not prompted for a username or password.
Windows authentication automatically retrieves profile information such as their name and email address and also subscribes (and unsubscribes) to groups automatically authorizing access to particular forms and where appropriate administrative features.
End users must belong to the same domain as the Infiniti web server, or to a trusted domain.
Appropriate AD groups need to be added to Infiniti before users hit the site so that users can be authorized as needed by the business. For example
- Give the 'Domain_Admins' group Global Administrator privileges
- Give the 'Internal_HR' group access to the onboarding and exit forms.
How to Enable Windows Authentication
By default Infiniti Installations use Forms Authentication as the licensing and an administrator group must be configured before windows Authentication can be configured.
Step 1 - Identify and configure and Active Directory Infiniti administrator group.
When the first user (usually a server administrator) attempts access, Infiniti needs to assign them permissions so they can access appropriate functions. If this step is not completed users will not be able to actually do anything post authentication. Use the article below to configure an external group.
Step 2 Modify Produce and Manage web.Config Files
- From the Infiniti Web server open the Produce web.config file (usually similar to c:\inetpub\wwwroot\Infiniti\Produce\web.config)
- Find the 'authentication' element
- Modify the mode attribute to 'Windows' as in the example below:**
...
<authentication mode="Windows" />
<membership>
<providers>
<clear />
</providers>
</membership>
...
- Save changes
- Repeat for Manage's web.config file.
Tip: Start with Produce
It is possible to isolate windows authentication to the Produce application only to test configuration settings. Thus, if any configuration needs modifying in manage it is possible to make changes under forms authenticaiton.
Step 3 Configure IIS
- From the web server IIS, expand the connections tree until the Manage Application appears.
- Double-click the Authentication Icon.
- Ensure Windows Authentication is the only item enabled.
Step 4 - Optional appSettings.json setting configuration
The following optional settings can be configured to suit the environment where necessary.
- From the Infiniti Web server open the Manage web.config file (usually similar to c:\inetpub\wwwroot\Infiniti\Manage\appSettings.json)
- Add and configure and Authentication object as per the table and example below
Setting | Description | Example Setting |
---|---|---|
NestedGroups | Controls whether the groups, the user is a member of, are checked to see if they are a member of any other group. This can be slow on some domains so when this option is off only the groups, the user is directly a member of, will be checked against Infiniti groups. The default is 'true'. | True/False |
ADPath | This is setting overrides the default directory search path of "LDAP://mydomainname". The domain name used comes from the user's Windows credentials (Eg: companyName\user123). This might not be the correct or quickest place to perform AD queries, so use this setting to specify an alternate path. | LDAP://intelledox.local |
KeepDomain | When set to True, accounts will be created in the format "domain\username." This attribute enables Multi-Domain support when usernames are not unique between domains. Default is false. | True/False |
Logging | A logging mode where verbose logging information is written to the Infinti database useful for troubleshooting. Default is false. | True/False |
{
"AppSettings": {
"PortalURL": "",
"ProduceURL": "http://server/Produce/"
},
"ConnectionStrings": {
"DefaultConnection": "Password=infiniti;Persist Security Info=True;User ID=infiniti;Initial Catalog=InfinitiDev;Data Source=server123",
"DboConnection": "Password=infiniti;Persist Security Info=True;User ID=infiniti;Initial Catalog=InfinitiDev;Data Source=server123"
},
"Extensions": [
"Intelledox.Extension.DatasourceBuiltin.OleDbDatasource, Intelledox.Extension.DatasourceBuiltin",
"Intelledox.Extension.DatasourceBuiltin.SqlServerDatasource, Intelledox.Extension.DatasourceBuiltin",
"Intelledox.Extension.DatasourceBuiltin.CsvDatasource, Intelledox.Extension.DatasourceBuiltin",
"Intelledox.Extension.DatasourceBuiltin.OdbcDatasource, Intelledox.Extension.DatasourceBuiltin",
"Intelledox.Extension.DatasourceBuiltin.RSSDatasource, Intelledox.Extension.DatasourceBuiltin",
"Intelledox.Extension.DatasourceBuiltin.WebserviceDatasource, Intelledox.Extension.DatasourceBuiltin",
"Intelledox.Extension.DatasourceBuiltin.XmlDatasource, Intelledox.Extension.DatasourceBuiltin",
"Intelledox.Extension.DatasourceBuiltin.InfinitiDatasource, Intelledox.Extension.DatasourceBuiltin",
"Intelledox.Extension.DatasourceBuiltin.JsonDatasource, Intelledox.Extension.DatasourceBuiltin",
"Intelledox.Extension.DatasourceBuiltin.RestDatasource, Intelledox.Extension.DatasourceBuiltin"
],
"Authentication": {
"Settings": {
"CookiePrefix": "",
"Timeout": "30"
},
"Windows": {
"KeepDomain": "False",
"Logging": "False",
"NestedGroups": "True",
"ADPath": "LDAP://intelledox.local"
}
}
}
Step 5 Test
User Groups
A user's group memberships can be retrieved via a net user command.
net user yourUser /domain
net user johnd /domain
- Ensure you are logged in as a user that is a member of the AD group created in step 1
- Close all browsers to ensure any existing Infiniti Sessions are removed.
- Open a new browser and navigate to Infiniti Manage or Produce.
- You should be logged into Mange or Produce Home respectively.
User Profile Mapping
From V11, users will be able to setup user profile mapping in Manage >> Settings >> User Profile Mapping for Windows authenticated environments.
The identity provider will attempt to match the field name in Infiniti to the corresponding field in the Active Directory (AD). If the field does not exist in the AD the user property will remain empty.
Defined standard fields Username, First Name, Last Name and Email address are populated by default with the corresponding AD fields. These standard fields will be overwritten if a mapping field is defined.
Troubleshooting with logging:
The following is an example of an error log if the defined user mapping field is not present.
WINDOWS AUTHENTICATION VALIDATE START
Domain: 'Domain'
Username: 'UserA'
DomainUser: 'UserA'
directoryPath: 'LDAP://Server.local'
GROUP QUERY (GroupA)
Filter: (&(ObjectClass=group)(sAMAccountName=GroupA))
Query: 14.96ms
PRIMARY GROUP SEARCH
filter '(objectSID=\01\05\00\00\00\00\00\05\15\00\00\00\46\f0\c8\3e\8e\0e\83\f8\4b\ea\4c\77\01\02\00\00)'
Query: 13.9624ms
AD user and matching Infiniti groups found
User mapping field: Phone not found. Please ensure that the User mapping corresponds to an Active Directory existing field.
User mapping field: Fax not found. Please ensure that the User mapping corresponds to an Active Directory existing field.
User mapping field: displayname found.
Synchronising Users
Manual sync
To manually synchronise all users in the AD groups you have created, use the Manage -> Users -> Sync
button. This button will only appear if Windows Authentication is enabled.
Manual sync uses the Windows account of the user logged into Manage. This user must have permissions to read all the relevant AD groups to correctly sync all users.
Automating sync
The sync process can be automated to run once daily using the Scheduler.
To configure this, open the appsettings.json
file in in the Scheduler folder, find the Extensions
section of the file and add the following to the end of that section:
,
"Intelledox.Extension.IdentityBuiltin.WindowsIdentity, Intelledox.Extension.IdentityBuiltin"
Then you need to copy the Windows settings you created in Step 4 above into the Authentication section of the Scheduler appsettings.json
as well. You may need to create the Authentication section. It will look something like this:
,
"Intelledox.Extension.IdentityBuiltin.WindowsIdentity, Intelledox.Extension.IdentityBuiltin"
],
"Authentication": {
"Settings": {
"CookiePrefix": "",
"Timeout": "30"
},
"Windows": {
"KeepDomain": "False",
"Logging": "False",
"NestedGroups": "True",
"ADPath": "LDAP://myservername.local".
"ADName": "myservershortname"
}
}
Note that an additional attribute "ADName" has been added to the Windows section. You need to set this to the server short internal domain name. This is the left (domain) part of the domain\myusername
that users login to your Windows AD with.
Once configured the sync will run once daily at the first run of the Scheduler after midnight each day. You can also run this manually from the Scheduler by executing the scheduler from the console (if the process has not already run that day).
See here for more information about configuring and running the Scheduler.
Manual sync uses the Windows account that the Scheduler process if running under. This user must have permissions to read all the relevant AD groups to correctly sync all users.
Warning
The synchronisation process will not work for trusted domains and only for the main AD domain.
Logging and Troubleshooting
With the logging setting in step 4 above enabled. Logs can be retrieved from the Infiniti database using the following SQL query.
SELECT *
FROM EventLog
ORDER BY DateTime DESC
An example working log is provided below.
WINDOWS AUTHENTICATION VALIDATE START
Domain: 'INTELLEDOX'
Username: 'user123'
DomainUser: 'user123'
directoryPath: 'LDAP://intelledox.local'
USER PROFILE QUERY
Filter: (&(ObjectClass=person)(sAMAccountName=user123))
Query: 453.4937ms
GROUP QUERY (GroupX)
Filter: (&(ObjectClass=group)(sAMAccountName=Ix_GroupX))
Query: 31.2193ms
GROUP QUERY (GroupY)
Filter: (&(ObjectClass=group)(sAMAccountName=Email-GroupY))
Query: 0ms
GROUP QUERY (IxSupport)
Filter: (&(ObjectClass=group)(sAMAccountName=IxSupport))
Query: 15.6266ms
PRIMARY GROUP SEARCH
filter '(objectSID=\01\05\00\00\00\00\00\05\15\00\00\00\46\f0\c8\3e\8e\0e\83\f8\4b\ea\4c\77\01\02\00\00)'
Query: 22.1467ms
AD user and matching Infiniti groups found
WINDOWS AUTHENTICATION VALIDATE START
Domain: 'INTELLEDOX'
Username: 'user123'
DomainUser: 'user123'
directoryPath: 'LDAP://intelledox.local'
USER PROFILE QUERY
Filter: (&(ObjectClass=person)(sAMAccountName=user123))
Query: 453.4937ms
GROUP QUERY (GroupX)
Filter: (&(ObjectClass=group)(sAMAccountName=GroupX))
Query: 31.2193ms
GROUP QUERY (GroupY)
Filter: (&(ObjectClass=group)(sAMAccountName=GroupY))
Query: 0ms
GROUP QUERY (ChangedName)
Filter: (&(ObjectClass=group)(sAMAccountName=ChangedName))
Query: 15.6266ms
PRIMARY GROUP SEARCH
filter '(objectSID=\01\05\00\00\00\00\00\05\15\00\00\00\46\f0\c8\3e\8e\0e\83\f8\4b\ea\4c\77\01\02\00\00)'
Query: 12.0327ms
No matching Infiniti groups found
Updated about 1 year ago