
KB2410110 Using Active Directory Authentication

Authentication Schemes

There are a number of authentication schemes to choose from when using PROJECT in a box, depending on the size and complexity of the implementation. This article describes two patterns, one with and one without Active Directory integration.

'Simple' - No Active Directory

In 'Simple' authentication mode, a user must supply a PIAB-specific user name and password.

The user names and passwords are stored in the PIAB database, and the client sends these credentials to the server over the network in plaintext. Security can be improved by using HTTPS on the web server, which encrypts the traffic including credentials.

'Advanced' - Using Active Directory

In 'Advanced' authentication mode, a user who is logged into Windows is automatically logged into PIAB using their Windows login name. This is 'Single Sign-On'.

The user names are stored in the PIAB database and must match up with Active Directory login names. The user needs to be logged on as a Windows domain user. The IIS Virtual Directory or Website hosting the PIAB web service (piabws) is set to use 'Integrated Windows Authentication'. The PIAB client is also set to connect with 'Integrated Windows Authentication'. In use, the PIAB client picks up the logged-in username, authenticates to IIS, and then authenticates the user name with the PIAB database. No passwords are sent.

Summary of the Two Main Authentication Schemes

| Scheme | Description | Typical Use | Pros and Cons |
|---|---|---|---|
| Simple | User names and passwords stored in the PROJECT in a box database; Anonymous access in IIS | Single-user installations e.g. Personal Edition on a laptop, or small implementations on a LAN with a handful of users to maintain. | Simple to understand; Users have to remember their PROJECT in a box user names and passwords |
| Advanced | Single sign-on; Windows authentication in IIS; User names only stored in the PROJECT in a box database; User names sync with Active Directory using LDAP | On a larger Windows domain with many users. | Single sign-on; Better security; Cheaper to administer for larger networks; Requires Windows Sysadmin skills to understand and set up. |

How To Set Up 'Simple' Authentication

On the Server:

  1. Open the IIS Management Console
  2. Select the 'piabws' website or virtual directory, and right-click for properties
  3. Select the 'Directory Security Tab'
  4. In 'Anonymous Access and Authentication Control', click 'Edit'
  5. Enable 'Anonymous Access' and disable the other authentication mechanisms
  6. Click 'OK'

For Enterprise Hub:

  1. Run the 'PROJECT in a box Server' program (on the server).
  2. Select the 'Hub' tab
  3. Disable 'Use IIS Authentication'

On the Client:

  1. Run the PIAB Client
  2. Click 'Options'
  3. In the 'Authentication to Webserver' section, select 'Anonymous Access'
  4. Click 'OK' and login with your PIAB user and password

How To Set Up 'Advanced' (Active Directory) Authentication

On the Server:

  1. Open the IIS Management Console
  2. Select the 'piabws' website or virtual directory, and right-click for properties
  3. Select the 'Directory Security Tab'
  4. In 'Anonymous Access and Authentication Control', click 'Edit'
  5. Disable 'Anonymous Access'
  6. Enable 'Integrated Windows Authentication'
  7. Click 'OK'

For Enterprise Hub:

  1. Run the 'PROJECT in a box Server' program (on the server).
  2. Select the 'Hub' tab
  3. Enable 'Use IIS Authentication'

On the Client:

  1. Run the PIAB Client
  2. Click 'Options'
  3. In the 'Authentication to Webserver' section, select 'Integrated Windows Access'
  4. Ensure 'Use Current Windows Credentials' is selected.
  5. Ensure 'Use IIS Authentication to login to the PIAB Server' is selected.
  6. Click 'OK'
  7. Login - your Windows user name should be shown, and the password field disabled.
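
To confirm which of the two schemes the server is actually configured for, the following audit reads the IIS settings back. It is an added example, not part of the original article or the PROJECT in a box tooling. It assumes IIS 7 or later with the WebAdministration module, and the site path 'Default Web Site/piabws' is a placeholder for wherever piabws is hosted.

```powershell
# Added example: audit the IIS settings behind the 'Simple' and 'Advanced' schemes.
# Assumptions: IIS 7+ with the WebAdministration module; the default site path
# below is a placeholder for the site or virtual directory hosting 'piabws'.
Import-Module WebAdministration

function Get-PiabSecuritySetting {
    param([string]$Location, [string]$Section, [string]$Name)
    $p = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $Location -Filter "system.webServer/security/$Section" -Name $Name
    # Some attributes come back wrapped in an object with a Value property,
    # others (such as sslFlags) as a plain value; normalise both to a string.
    if ($null -ne $p -and $p.PSObject.Properties['Value']) { "$($p.Value)" } else { "$p" }
}

function Test-PiabAuthScheme {
    param([string]$Location = 'Default Web Site/piabws')   # assumed path

    $anon = (Get-PiabSecuritySetting -Location $Location `
                -Section 'authentication/anonymousAuthentication' -Name 'enabled') -eq 'True'
    $win  = (Get-PiabSecuritySetting -Location $Location `
                -Section 'authentication/windowsAuthentication' -Name 'enabled') -eq 'True'
    # sslFlags is a comma-separated list; the 'Ssl' flag means HTTPS is required.
    $ssl  = (Get-PiabSecuritySetting -Location $Location `
                -Section 'access' -Name 'sslFlags') -match '\bSsl\b'

    $scheme = if ($win -and -not $anon) { 'Advanced' }
              elseif ($anon -and -not $win) { 'Simple' }
              else { 'Matches neither scheme' }

    $findings = @()
    if ($anon -and $win) {
        $findings += 'Anonymous and Windows authentication are both enabled; each scheme enables only one.'
    }
    if (-not $anon -and -not $win) {
        $findings += 'Neither anonymous nor Windows authentication is enabled.'
    }
    if ($anon -and -not $ssl) {
        $findings += 'SSL is not required on this path, so PIAB user names and passwords may travel in plaintext.'
    }

    [pscustomobject]@{
        Location = $Location; Scheme = $scheme; AnonymousEnabled = $anon
        WindowsEnabled = $win; SslRequired = $ssl; Findings = $findings
    }
}

Test-PiabAuthScheme | Format-List
```

Run it in an elevated PowerShell session on the IIS server; an empty Findings list means the path matches one scheme cleanly.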

Using the Built-in ADMIN account with Active Directory Authentication

The ADMIN account cannot be assigned to an alternative username. When PIAB server is configured to allow Windows Integrated Access, it uses the currently logged-in username to log into PIAB server. This means you will not normally be able to log into PIAB server as ADMIN with 'Windows Authentication' enabled.

If you need to use the ADMIN account with the PIAB Server configured for Windows Authentication, it is possible to configure the client connection setting to allow the ADMIN username and password to be entered. The following assumes that the client connection options are already configured to allow 'Integrated Windows Access'.

  • From the PIAB client select 'Connection Options'
  • Deselect 'Use IIS Authentication to Login to the PIAB Server'

From the login screen you should now be able to enter the ADMIN username and password.

If you have a requirement to use the ADMIN account as an Extra 'Manager' account please contact support@projectinabox.org.uk for more information.

2_4/kb2410110.txt · Last modified: 2017/06/22 13:13 (external edit)