KB0000110 Using Active Directory Authentication

Authentication Schemes

There are a number of authentication schemes to choose from when using PROJECT in a box, depending on the size and complexity of the implementation. This article describes two patterns, one with and one without Active Directory integration.

'Simple' - No Active Directory

In 'Simple' authentication mode, a user must supply a PIAB-specific user and password.

The user names and passwords are stored in the PIAB database, and the client sends these credentials to the server over the network in plaintext. Security can be improved by using HTTPS on the web server, which encrypts the traffic including credentials.

'Advanced' - Using Active Directory

In 'Advanced' authentication mode, a user who is logged into Windows is automatically logged into PIAB using their Windows login name. This is 'Single Sign-On'.

The user names are stored in the PIAB database and must match up with Active Directory login names. The user needs to be logged on as a Windows domain user. The IIS Virtual Directory or Website hosting the PIAB web service (piabws) is set to use 'Integrated Windows Authentication'. The PIAB client is also set to connect with 'Integrated Windows Authentication'. In use, the PIAB client picks up the logged-in username, authenticates to IIS, and then authenticates the user name with the PIAB database. No passwords are sent.

Summary of the Two Main Authentication Schemes

Scheme: Simple

  Description:
    - User names and passwords stored in the PROJECT in a box database
    - Anonymous access in IIS
  Typical Use:
    Single-user installations e.g. Personal Edition on a laptop, or small implementations on a LAN with a handful of users to maintain.
  Pros and Cons:
    - Simple to understand.
    - Users have to remember their PROJECT in a box user names and passwords

Scheme: Advanced

  Description:
    - Single sign-on
    - Windows authentication in IIS
    - User names only stored in the PROJECT in a box database
    - User names sync with Active Directory using LDAP
  Typical Use:
    On a larger Windows domain with many users.
  Pros and Cons:
    - Single sign-on
    - Better security
    - Cheaper to administer for larger networks
    - Requires Windows Sysadmin skills to understand and set up.

How To Set Up 'Simple' Authentication

On the Server:

  1. Open the IIS Management Console
  2. Select the 'piabws' website or virtual directory, and right-click for properties
  3. Select the 'Directory Security Tab'
  4. In 'Anonymous Access and Authentication Control', click 'Edit'
  5. Enable 'Anonymous Access' and disable the other authentication mechanisms
  6. Click 'OK'

For Enterprise Hub:

  1. Run the 'PROJECT in a box Server' program (on the server).
  2. Select the 'Hub' tab
  3. Disable 'Use IIS Authentication'

On the Client:

  1. Run the PIAB Client
  2. Click 'Options'
  3. In the 'Authentication to Webserver' section, select 'Anonymous Access'
  4. Click 'OK' and log in with your PIAB user and password

How To Set Up 'Advanced' (Active Directory) Authentication

On the Server:

  1. Open the IIS Management Console
  2. Select the 'piabws' website or virtual directory, and right-click for properties
  3. Select the 'Directory Security Tab'
  4. In 'Anonymous Access and Authentication Control', click 'Edit'
  5. Disable 'Anonymous Access'
  6. Enable 'Integrated Windows Authentication'
  7. Click 'OK'

For Enterprise Hub:

  1. Run the 'PROJECT in a box Server' program (on the server).
  2. Select the 'Hub' tab
  3. Enable 'Use IIS Authentication'

On the Client:

  1. Run the PIAB Client
  2. Click 'Options'
  3. In the 'Authentication to Webserver' section, select 'Integrated Windows Access'
  4. Ensure 'Use Current Windows Credentials' is selected.
  5. Ensure 'Use IIS Authentication to login to the PIAB Server' is selected.
  6. Click 'OK'
  7. Log in - your Windows user name should be shown, and the password field disabled.
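
After either setup, the IIS side can be checked by looking at how the piabws directory answers a request that carries no credentials. The following is an added example, not part of the original article or of PROJECT in a box; the host name and URL are hypothetical, and it assumes IIS challenges with 401 and WWW-Authenticate: Negotiate / NTLM when 'Integrated Windows Authentication' is enabled and 'Anonymous Access' is disabled.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

WINDOWS_AUTH = {"negotiate", "ntlm"}  # challenges IIS sends for Integrated Windows Authentication


def fetch_unauthenticated(url, timeout=5):
    """Request url with no credentials; return (status, WWW-Authenticate values)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get_all("WWW-Authenticate") or []
    except urllib.error.HTTPError as err:  # a 401 challenge arrives here
        return err.code, err.headers.get_all("WWW-Authenticate") or []


def classify(url, status, challenges):
    """Map an unauthenticated response onto the article's two schemes."""
    offered = {c.split()[0].lower() for c in challenges if c.strip()}
    findings = []
    if status == 401 and offered & WINDOWS_AUTH:
        mode = "advanced"
        extra = sorted(offered - WINDOWS_AUTH)
        if extra:  # e.g. Basic, which would put a password on the wire
            findings.append("other mechanisms still enabled: " + ", ".join(extra))
    elif 200 <= status < 400:
        mode = "simple"  # IIS let an anonymous request through
        if urlsplit(url).scheme.lower() != "https":
            findings.append("PIAB credentials cross the network in plaintext; use HTTPS")
    else:
        mode = "unknown"
        findings.append(f"unexpected status {status}, challenges {sorted(offered)}")
    return mode, findings


# Constructed sample responses (hypothetical host name), so this runs offline.
SAMPLES = [
    ("http://piab.example.internal/piabws/", 200, []),
    ("https://piab.example.internal/piabws/", 200, []),
    ("http://piab.example.internal/piabws/", 401, ["Negotiate", "NTLM"]),
    ("http://piab.example.internal/piabws/", 401, ["NTLM", 'Basic realm="piab"']),
]

if __name__ == "__main__":
    for url, status, challenges in SAMPLES:
        print(url, status, classify(url, status, challenges))
    # Against a live server: classify(url, *fetch_unauthenticated(url))
```

A result of "simple" on a server that was meant to be 'Advanced' means 'Anonymous Access' is still enabled on piabws.
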
3_2/kb0000110.txt · Last modified: 2017/06/22 13:13 (external edit)