...

Info: Authentication Recommendations

In Aptify 6.0, the default authentication method when Aptify is installed is Anonymous Authentication with SSL, but you can choose other authentication methods. See Choosing an Authentication Method for more details.

 


In Aptify 5.5.1, when deploying the Aptify site as an internal site, the site can be configured to use either Basic or Integrated Security (Windows Authentication). Integrated Security is an option in this mode because the client will have access to the domain controller. (Note that using Integrated Security requires the domain controller to be accessible to the client browser.) Keep in mind the following when deciding which authentication method to choose in an Aptify 5.5.1 implementation:

  • When using Windows Authentication, constrained delegation must be configured from the web server to the database server, but it can be limited to the Kerberos protocol only. See Aptify Site and Network Delegation for information on configuring constrained delegation.
  • When using Basic Authentication, the site must be secured with SSL to protect login credentials.

In Aptify 5.5.1, when deploying the Aptify site as an internal site, the site can be configured to use Anonymous Authentication (the default method), or Basic or Windows Authentication if your organization requires authentication through IIS, for example when using single sign-on. Integrated Security is an option in this mode because the interface will have access to the domain controller. (Note that using Integrated Security requires the domain controller to be accessible to the web browser.) Keep in mind the following when deciding which authentication method to choose:

  • When using the default Anonymous Authentication, the site must be secured with SSL to protect login credentials.
  • When using Windows Authentication, constrained delegation must be configured from the web server to the database server, but it can be limited to the Kerberos protocol only. See Aptify Site and Network Delegation for information on configuring constrained delegation.
  • When using Basic Authentication, the site must be secured with SSL to protect login credentials.

...

When using Windows Authentication, Aptify uses impersonation to pass a user's login credentials from the web server to the database server. When the web server and database server reside on different computers on the network, a network administrator needs to enable delegation to allow the web server to pass the impersonated credentials to the database server.

Note for Aptify 5.5.2 and Later Implementations

In Aptify 5.5.2 and later, when using Basic or Anonymous Authentication, setting up network delegation may not be required.

Note

Active Directory must be replicated after delegation is configured to propagate the changes to all domain controllers.

 

Delegation is configured by a network administrator using the Active Directory Users and Computers interface, which is available as an Administrative Tool on the domain controller. Note that Aptify requires that you configure constrained delegation, which is available for Windows 2003 domains and higher.
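As an added check (not part of the Aptify documentation or its tooling) that the web server's delegation really is constrained and limited to Kerberos, the PowerShell function below evaluates the three Active Directory attributes that control delegation. The account object, server names and SPN values are constructed; the database SPN format MSSQLSvc/host:port is the standard one registered by SQL Server.

```powershell
# Added example. Verifies that a web server computer account delegates only to the
# database server's SQL Server SPN and only with Kerberos (no protocol transition).
# $Account is any object exposing the three AD attributes; on a real domain obtain it with:
#   Get-ADComputer -Identity <WebServerName> -Properties msDS-AllowedToDelegateTo,
#       TrustedForDelegation, TrustedToAuthForDelegation
function Test-KerberosOnlyDelegation {
    param(
        [Parameter(Mandatory)] $Account,                    # object with the three attributes
        [Parameter(Mandatory)] [string] $DatabaseServerFqdn,
        [int] $SqlPort = 1433
    )
    $findings    = New-Object System.Collections.Generic.List[string]
    $expectedSpn = "MSSQLSvc/${DatabaseServerFqdn}:$SqlPort"
    $targets     = @($Account.'msDS-AllowedToDelegateTo')

    if ($Account.TrustedForDelegation) {
        $findings.Add('Unconstrained delegation is enabled; Aptify requires constrained delegation.')
    }
    if ($Account.TrustedToAuthForDelegation) {
        $findings.Add('"Use any authentication protocol" is enabled; limit delegation to Kerberos only.')
    }
    if (-not ($targets -contains $expectedSpn)) {
        $findings.Add("Delegation target list does not include $expectedSpn.")
    }
    foreach ($t in $targets) {
        if ($t -notlike 'MSSQLSvc/*') {
            $findings.Add("Unexpected delegation target: $t (only the database SPN is needed).")
        }
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample: a web server account that delegates to one extra service and
# has protocol transition (any authentication protocol) wrongly enabled.
$sample = [pscustomobject]@{
    'msDS-AllowedToDelegateTo'  = @('MSSQLSvc/sqlsrv.corp.example:1433', 'cifs/fileserver.corp.example')
    TrustedForDelegation        = $false
    TrustedToAuthForDelegation  = $true
}
$result = Test-KerberosOnlyDelegation -Account $sample -DatabaseServerFqdn 'sqlsrv.corp.example'
Write-Output "Compliant: $($result.Compliant)"
$result.Findings | ForEach-Object { Write-Output "FINDING: $_" }
```

Run it once after the administrator has configured delegation and again after Active Directory replication, since a domain controller that has not yet replicated will still report the old attribute values.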

Note

The Aptify web interface does not currently support the authentication of users from multiple domains from a single website. If your environment supports users in multiple domains, contact Aptify Technical Support for assistance.

...

When deploying the Aptify site on the local intranet, the Kerberos protocol is used for authentication. When deploying the Aptify site on the public Internet, any protocol may be used, including Kerberos. To use Kerberos authentication securely, the services on both the database server and the web server must be mapped to a service principal name (SPN) in Active Directory. This ensures that the accounts that run these services can be uniquely identified for mutual authentication with Kerberos. By default, when Microsoft SQL Server 2008 (or higher) is installed, the account specified to run the database service is mapped to an SPN automatically. However, when IIS 7 is installed on the web server, the account used to run the HTTP service is not automatically mapped to an SPN. Therefore, before configuring delegation, an account that has the proper permissions to run the HTTP service on the web server must be mapped to an SPN in Active Directory. See Configuring Service Principal Names for the Web Server for more details.

...

Note

Refer to Microsoft's documentation for more information on configuring delegation on your network. For an introduction to delegation in Windows Server environments, see the "How to Configure the Server to be Trusted for Delegation" article at:
http://technet.microsoft.com/en-us/library/ee675779.aspx

Also, for information on using constrained delegation with ASP.NET applications, such as Aptify, see "How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0" at: http://msdn2.microsoft.com/en-us/library/ms998355.aspx 

...

IMPORTANT

Check with your network administrator if you have any questions about how your network is designed. Failure to do so may result in improperly configured SPN mappings.

...

To use Kerberos authentication securely, services on both the database server and the web server must be mapped to an SPN in Active Directory. This mapping is taken care of by default on the database server. However, by default, when IIS is installed, the HTTP service is not mapped to an SPN.

Follow these steps to use the SETSPN utility to create the necessary SPNs for the Aptify web server (these steps are based on a Windows Server 2008 system):

  1. Log in to the domain controller using a domain administrator account.
    • You can run SETSPN from any Windows computer that supports the utility. However, note that the account currently logged in to the local computer must be a domain administrator.
       
  2. Launch a Command Prompt window.
  3. Run the following command, replacing WebServerName with the domain name of your web server.

    SETSPN -L [WebServerName] 
     
  4. A list of the registered SPNs for the web server is displayed. Verify whether there is a registered SPN for the HTTP service with the port you are using for your AWA site. If there is an HTTP service entry, it should look similar to the entry below. Note that there may be more than one entry if the web server's NetBIOS name and fully qualified domain name (FQDN) are not the same:
    • HTTP/[WebServerName.your.domain][:NonDefaultPort]
    • If the HTTP service uses the default port 80, the port preceded by a colon will not be displayed. Only non-default ports are appended to the SPN.
       
  5. If a registered SPN is not listed for the HTTP service, you need to map an SPN for both the web server's NetBIOS and fully qualified names (per Microsoft best practices). The web server will be used as the account to run the HTTP service. If an SPN for HTTP is displayed, go to the next step.

    • Add an SPN for the NetBIOS name of the web server using the following command. Replace :[NonDefaultPort] with a blank value (if using the default port 80) or the port you are using for your AWA site. Replace [DOMAIN\WebServerName] with the NetBIOS name of the web server (this will be the account used to run the HTTP service).

      SETSPN -A HTTP/[WebServerName][:NonDefaultPort] [DOMAIN\WebServerName or Domain User]

      • By default, the AWA site is installed under the Default website directory and uses the default port 80 (unless changed by a website administrator). In this case you do not have to specify the port; you can simply add the SPN as SETSPN -A HTTP/[WebServerName] [DOMAIN\WebServerName or DomainAdmin]
      • Note that even if you specify port 80, when displaying the list of SPNs, port 80 will not be appended to the SPN for the HTTP service.
         
    • Add an SPN for the fully qualified domain name (FQDN) of the web server using the following command. Replace :[NonDefaultPort] with a blank value (if using the default port 80) or the port you are using for your AWA site. Replace [DOMAIN\WebServerName] with the fully qualified name of the web server (this will be the account used to run the HTTP service).

      SETSPN -A HTTP/[WebServerFullyQualifiedName][:NonDefaultPort] [DOMAIN\WebServerName]
       
      • By default, the AWA site is installed under the Default website directory and uses the default port 80 (unless changed by a website administrator). In this case you do not have to specify the port; you can simply add the SPN as SETSPN -A HTTP/[WebServerFullyQualifiedName] [DOMAIN\WebServerName or DomainAdmin].
      • Note that even if you specify port 80, when displaying the list of SPNs, port 80 will not be appended to the SPN for the HTTP service.
         
  6. If a registered SPN does exist for the HTTP service, you have two options: update the existing SPN, or remove it and re-add a new SPN specifying the name of the web server as the account. Aptify recommends removing and then re-adding the SPN to ensure that duplicate SPNs are not created.

    To remove the existing SPN (or SPNs, if the NetBIOS name and fully qualified name are not the same and have been specified separately) use the following command(s):

    SETSPN -D HTTP/[WebServerNetBIOSName][:NonDefaultPort] [DOMAIN\WebServerName or Domain Admin User]

    SETSPN -D HTTP/[WebServerFullyQualifiedName][:NonDefaultPort] [DOMAIN\WebServerName or Domain Admin User]

    • Note that if the existing SPN uses the default port 80, the port will not be appended to the SPN.
       
    To add (or re-add) an SPN for the NetBIOS name of the web server, use the following command. Replace :[NonDefaultPort] with a blank value (if using the default port 80) or the port you are using for your AWA site. Replace [DOMAIN\WebServerName] with the NetBIOS name of the web server (this will be the account used to run the HTTP service).

    SETSPN -A HTTP/[WebServerNetBIOSName][:NonDefaultPort] [DOMAIN\WebServerName]

    • By default, the AWA site is installed under the Default website directory and uses the default port 80 (unless changed by a website administrator). In this case you do not have to specify the port; you can simply add the SPN as SETSPN -A HTTP/[WebServerNetBIOSName] [DOMAIN\WebServerName or DomainAdmin].
    • Note that even if you specify port 80, when displaying the list of SPNs, port 80 will not be appended to the SPN for the HTTP service.
       
    To add (or re-add) an SPN for the fully qualified name of the web server, use the following command. Replace :[NonDefaultPort] with a blank value (if using the default port 80) or the port you are using for your AWA site. Replace [DOMAIN\WebServerName] with the fully qualified name of the web server (this will be the account used to run the HTTP service).

    SETSPN -A HTTP/[WebServerFullyQualifiedName][:NonDefaultPort] [DOMAIN\WebServerName or Domain Admin User]

    • By default, the AWA site is installed under the Default website directory and uses the default port 80 (unless changed by a website administrator). In this case you do not have to specify the port; you can simply add the SPN as SETSPN -A HTTP/[WebServerFullyQualifiedName] [DOMAIN\WebServerName or DomainAdmin].
    • Note that even if you specify port 80, when displaying the list of SPNs, port 80 will not be appended to the SPN for the HTTP service.
       
  7. After the appropriate SPNs have been added or modified, run the following command again to verify that the HTTP entries were added correctly to the registered list of SPNs for the web server. Replace WebServerName with the domain name of your web server.

    SETSPN -L [WebServerName]

    Note

    For more information about how to implement Kerberos authentication in a double-hop environment, see the resource below. Note that this webcast is for Windows Server 2003; however, the principles are the same for Windows Server 2008 and Windows 7.

    http://support.microsoft.com/servicedesks/webcasts/seminar/shared/asp/view.asp?url=/servicedesks/webcasts/en/wc102704/manifest.xml
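The steps above are easy to get wrong by hand (FQDN entry forgotten, port appended when the site listens on 80). As an added example, not part of the Aptify documentation, the PowerShell below compares the output of SETSPN -L for the web server account against the HTTP SPNs the procedure expects and prints the SETSPN -A commands that are still needed; it executes nothing. The server names, port and sample SETSPN output are constructed.

```powershell
# Added example. Derives the HTTP SPNs the procedure above expects (NetBIOS name and
# FQDN, port appended only when it is not 80) and reports which are missing from
# the lines captured from "SETSPN -L <WebServerName>".
function Get-ExpectedHttpSpns {
    param([string] $NetBiosName, [string] $Fqdn, [int] $Port = 80)
    $suffix = if ($Port -eq 80) { '' } else { ":$Port" }   # SETSPN never shows :80
    @("HTTP/$NetBiosName$suffix", "HTTP/$Fqdn$suffix")
}

function Get-MissingHttpSpns {
    param(
        [string[]] $SetspnOutput,       # lines from: setspn -L <account>
        [string]   $NetBiosName,
        [string]   $Fqdn,
        [int]      $Port = 80
    )
    # SETSPN -L prints a header line, then one indented "service/host[:port]" per line.
    $registered = $SetspnOutput |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[A-Za-z]+/' }
    $expected = Get-ExpectedHttpSpns -NetBiosName $NetBiosName -Fqdn $Fqdn -Port $Port
    # -notcontains is case-insensitive, matching how Kerberos SPN lookups behave.
    $expected | Where-Object { $registered -notcontains $_ }
}

# Constructed sample output for a web server WEB01 whose FQDN entry was never added.
# The AWA site listens on 8443, so the port must be part of the SPN.
$sampleOutput = @(
    'Registered ServicePrincipalNames for CN=WEB01,CN=Computers,DC=corp,DC=example:',
    '        HTTP/WEB01:8443',
    '        HOST/WEB01',
    '        HOST/web01.corp.example'
)
$account = 'CORP\WEB01'
$missing = Get-MissingHttpSpns -SetspnOutput $sampleOutput -NetBiosName 'WEB01' `
                               -Fqdn 'web01.corp.example' -Port 8443
foreach ($spn in $missing) {
    # Before adding, "setspn -Q <spn>" shows whether another account already holds
    # the SPN; a duplicate HTTP SPN breaks Kerberos authentication for the site.
    Write-Output "setspn -A $spn $account"
}
```

On Windows Server 2008 and later, SETSPN also offers -S, which checks for an existing duplicate before adding, and -X, which lists duplicate SPNs across the domain; both are useful after the remove-and-re-add in step 6.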

...