Authentication


Info: Authentication Recommendations

In Aptify 5.5.1, Aptify recommends using Basic Authentication with SSL. This is the default setting when Aptify is installed.

In Aptify 5.5.2 and later, the default authentication method when Aptify is installed is Anonymous Authentication with SSL, but you can choose other authentication methods. See Choosing an Authentication Method for more details.

...

When using Windows Authentication, Aptify uses impersonation to pass a user's login credentials from the web server to the database server. When the web server and database server reside on different computers on the network, a network administrator needs to enable delegation to allow the web server to pass the impersonated credentials to the database server.


Note for Aptify 5.5.2 Implementations

In Aptify 5.5.2 and later, when using Basic or Anonymous Authentication, setting up network delegation may not be required.

...

Delegation is configured by a network administrator using the Active Directory Users and Computers interface, which is available as an Administrative Tool on the domain controller. Note that Aptify requires that you configure constrained delegation, which is available for Windows 2003 domains and higher.

Note

The Aptify web interface does not currently support the authentication of users from multiple domains from a single website. If your environment supports users in multiple domains, contact Aptify Technical Support for assistance.

 

When deploying the Aptify site on the local Intranet, the Kerberos protocol is used for authentication. When deploying the Aptify site on the public Internet, any protocol may be used, including Kerberos. In order to use Kerberos authentication securely, the services on both the database server and the web server must be mapped to a service principal name (SPN) in Active Directory. This ensures that the accounts that run these services can be uniquely identified for mutual authentication with Kerberos. By default, when Microsoft SQL Server 2008 (or higher) is installed, the account specified to run the database service is mapped to an SPN automatically. However, when IIS 7 is installed on the web server, the account used to run the HTTP service is not automatically mapped to an SPN. Therefore, prior to configuring delegation, an account that has the proper permissions to run the HTTP service on the web server must be mapped to an SPN in Active Directory. See Configuring Service Principal Names for the Web Server for more details.
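The following PowerShell script is an added example, not part of the Aptify documentation, showing how to verify the SPN prerequisite described above before touching delegation. It assumes a domain corp.example, a web server WEB01 whose HTTP service runs as CORP\svc-aptifyweb, and a SQL Server default instance on SQL01; it queries Active Directory for each required SPN and reports whether it is missing, present once, or duplicated (a duplicate SPN makes the KDC unable to issue a ticket, so clients silently fall back to NTLM and delegation fails).

```powershell
# Added example (not from the Aptify documentation). Assumed names:
# domain corp.example, web server WEB01 (HTTP service runs as CORP\svc-aptifyweb),
# SQL Server default instance on SQL01 listening on 1433.
Import-Module ActiveDirectory

function Test-Spn {
    param([Parameter(Mandatory)][string]$Spn)
    # Every object carrying this SPN. Kerberos needs exactly one owner:
    # none -> no service ticket, clients fall back to NTLM (not delegable);
    # more than one -> the KDC cannot pick a key, logons fail intermittently.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
    if ($owners.Count -eq 0)     { $status = 'MISSING' }
    elseif ($owners.Count -eq 1) { $status = 'OK' }
    else                         { $status = 'DUPLICATE' }
    [pscustomobject]@{ Spn = $Spn; Owners = ($owners.Name -join ', '); Status = $status }
}

# SPNs this deployment needs before constrained delegation can be configured.
$required = @(
    'HTTP/WEB01',                        # short host name used on the intranet
    'HTTP/WEB01.corp.example',           # FQDN used by browsers and by delegation
    'MSSQLSvc/SQL01.corp.example:1433'   # SQL Server default-instance SPN
)
$results = $required | ForEach-Object { Test-Spn -Spn $_ }
$results | Format-Table -AutoSize

# Register only the HTTP SPNs that are missing, on the account that runs the
# HTTP service. setspn -S refuses to create a duplicate (unlike the older -A).
# Requires rights to write servicePrincipalName on that account.
foreach ($r in ($results | Where-Object { $_.Status -eq 'MISSING' -and $_.Spn -like 'HTTP/*' })) {
    setspn -S $r.Spn 'CORP\svc-aptifyweb'
}

# A DUPLICATE result must be resolved by hand: find the extra owner in the
# Owners column and remove the SPN from it with setspn -D before continuing.
```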

...

Configuring Service Principal Names for the Web Server

...

IMPORTANT

Check with your Network Administrator if you have any questions about how your network is designed. Failure to do so may result in improperly configured SPN mappings.

...

Enabling Constrained Delegation

...

Note

Active Directory must be replicated after delegation is configured to propagate the changes to all domain controllers.

...

  1. Log in to the domain controller using an administrator account.
  2. Open the Active Directory Users and Computers dialog from Start > Administrative Tools.
  3. Locate the web server in the list of network computers.
  4. Right-click the web server entry and select Properties from the pop-up menu to open its Properties dialog.
  5. Click the Delegation tab.

    Configure Constrained Delegation

  6. Select the Trust this computer for delegation to specified services only option to enable constrained delegation.
  7. Select the Use any authentication protocol sub-option.
  8. Click the Add... button to open the Add Services dialog.

    Add Services Dialog

  9. Click the Users or Computers... button and enter the database server (if running under the Local System account) or the custom domain account that is running SQL Server on the database server.
    • Whether your SQL Server service is running under Local System or a custom domain account depends on how your organization installed SQL Server 2008 on your database server. See the Microsoft SQL Server 2008 Books Online for more information.
    • If your organization is using a custom domain account to run SQL Server, keep in mind that you need a service principal name. See "How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0" at http://msdn2.microsoft.com/en-us/library/ms998355.aspx for details.
  10. Select MSSQLSvc from the available service types for the database server or domain account.

    Select MSSQLSvc

  11. Click OK to close the Add Services dialog and return to the Properties dialog for the web server.

    Web Server with Constrained Delegation to Database Server

  12. Click Apply and OK to save your changes and close the Properties dialog.
  13. Close the Active Directory Users and Computers dialog.
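The same configuration performed from the Active Directory PowerShell module, as an added example that is not part of the Aptify documentation. It assumes a web server computer account WEB01 in domain corp.example and SQL Server on SQL01 exposing the MSSQLSvc SPNs shown; steps 6 and 7 of the procedure map to the msDS-AllowedToDelegateTo attribute and the TrustedToAuthForDelegation flag, and the final command forces the replication that the note above calls for.

```powershell
# Added example (not from the Aptify documentation). Assumed names:
# web server computer account WEB01 in domain corp.example; SQL Server on
# SQL01 whose service account holds the MSSQLSvc SPNs listed below.
Import-Module ActiveDirectory

function Set-AptifyConstrainedDelegation {
    param(
        [Parameter(Mandatory)][string]$WebServer,   # e.g. 'WEB01'
        [Parameter(Mandatory)][string[]]$SqlSpn     # MSSQLSvc SPNs of the database server
    )
    # Step 6: "Trust this computer for delegation to specified services only"
    # is the msDS-AllowedToDelegateTo list. Listing only the MSSQLSvc SPNs
    # means the web server can forward a user's identity to that SQL Server
    # and to nothing else; -Replace overwrites any stale entries.
    Set-ADComputer -Identity $WebServer -Replace @{ 'msDS-AllowedToDelegateTo' = $SqlSpn }

    # Step 7: "Use any authentication protocol" is protocol transition
    # (TRUSTED_TO_AUTH_FOR_DELEGATION). It lets the web server obtain a
    # Kerberos ticket for users who logged on with Basic/Anonymous rather than
    # Kerberos. Unconstrained delegation (TrustedForDelegation) stays off.
    Set-ADAccountControl -Identity ($WebServer + '$') `
        -TrustedForDelegation $false -TrustedToAuthForDelegation $true
}

function Get-AptifyDelegationState {
    param([Parameter(Mandatory)][string]$WebServer)
    # Read back the three settings a reviewer would check on the Delegation tab.
    Get-ADComputer -Identity $WebServer `
        -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation |
        Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
            @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
}

Set-AptifyConstrainedDelegation -WebServer 'WEB01' `
    -SqlSpn 'MSSQLSvc/SQL01.corp.example:1433', 'MSSQLSvc/SQL01.corp.example'
Get-AptifyDelegationState -WebServer 'WEB01'

# Expected: TrustedForDelegation False, TrustedToAuthForDelegation True,
# AllowedToDelegateTo listing only the MSSQLSvc SPNs.

# Push the change to every domain controller now rather than waiting for the
# replication interval (run from a domain controller or with RSAT installed).
repadmin /syncall /AdeP
```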

...