There are a number of authentication schemes to choose from when using PROJECT in a box, depending on the size and complexity of the implementation. This article describes two patterns. Note that we always recommend Windows Authentication in a production environment.
In Simple authentication mode, a user supplies a PIAB-specific user and password. IIS is set to Anonymous Access and authentication is done by the PIAB server itself.
The user names and hashed passwords are stored in the PIAB database, and the client sends these credentials to the server over the network in plaintext. Security is improved by using HTTPS on the web server, which encrypts the traffic including credentials, and should always be used in a production environment.
In Windows Authentication mode, a user who is logged into Windows is automatically logged into PIAB using their Windows login name. This is 'Single Sign-On'.
The users names are stored in the PIAB database and must match up with Windows login names. The user needs to be logged on as a Windows domain user. The IIS Application hosting the PIAB web service (piabws) is set to use Windows Authentication. The PIAB client is also set to connect with Windows Authentication. In use, the PIAB client picks up the logged-in username, authenticates to IIS, and then authenicates the user name with the PIAB database. No passwords are sent.
|Scheme||Description||Typical Use||Pros and Cons|
|Simple||-User names and passwords stored in the PROJECT in a box database|
-Anonymous access in IIS
|Single-user installations e.g. on a laptop, or for an externally accessed PIAB where a VPN is not available.||-Simple to understand.
-Users have to remember their PROJECT in a box user names and passwords
|Windows Authentication||-Single sign-on|
-Windows authentication in IIS
-User names only stored in the PROJECT in a box database
-User names match Active Directory names
|Recommended as the default mode.||-Single sign-on
-Cheaper to administer for larger networks
-Requires Windows Sysadmin skills to understand and set up.
The steps are:
Set IIS to use to Use Anonymous Authentication:
Set the PIAB Server to use Anonymous Authentication:
Set the Windows Desktop App to use Anonymous Access
The steps are:
Set IIS to Use Windows Authentication:
Set the PIAB server to use IIS Authentication:
Set the Windows Desktop App to use IIS Authentication
Note that the options Use IIS Authentication to login to the PIAB server and Use Current Windows Credentials are enabled by default when you enable Integrated Windows Authentication. It is possible to bypass this in the special case of the PIAB Admin user, which is sometimes useful for maintenance purposes.
When you open PIAB home page in the browser, the user field in the login page will be greyed-out and contain your Windows login name, normally including the domain. There is no password field visible. In order to login, there must be a corresponding user within PIAB (without the domain name):
Similarly, the PIAB Windows Desktop App login form will show your Windows login, with the user name and password fields greyed out.