
KB0000110 Using Integrated Windows Authentication

Authentication Schemes

There are a number of authentication schemes to choose from when using PROJECT in a box, depending on the size and complexity of the implementation. This article describes two patterns. Note that we always recommend Windows Authentication in a production environment.

Simple: User and Password Supplied

In Simple authentication mode, a user supplies a PIAB-specific user and password. IIS is set to Anonymous Access and authentication is done by the PIAB server itself.

The user names and hashed passwords are stored in the PIAB database, and the client sends these credentials to the server over the network in plaintext. Enabling HTTPS on the web server encrypts the traffic, including the credentials, and should always be done in a production environment.

Windows Authentication: Single Sign-on

In Windows Authentication mode, a user who is logged into Windows is automatically logged into PIAB using their Windows login name. This is 'Single Sign-On'.

The user names are stored in the PIAB database and must match up with Windows login names. The user needs to be logged on as a Windows domain user. The IIS Application hosting the PIAB web service (piabws) is set to use Windows Authentication. The PIAB client is also set to connect with Windows Authentication. In use, the PIAB client picks up the logged-in user name, authenticates to IIS, and then authenticates the user name with the PIAB database. No passwords are sent.

Summary of the Two Main Authentication Schemes

| Scheme | Description | Typical Use | Pros and Cons |
|---|---|---|---|
| Simple | User names and passwords stored in the PROJECT in a box database; Anonymous access in IIS | Single-user installations e.g. on a laptop, or for an externally accessed PIAB where a VPN is not available. | Simple to understand; Users have to remember their PROJECT in a box user names and passwords |
| Windows Authentication | Single sign-on; Windows authentication in IIS; User names only stored in the PROJECT in a box database; User names match Active Directory names | Recommended as the default mode. | Single sign-on; Better security; Cheaper to administer for larger networks; Requires Windows Sysadmin skills to understand and set up. |

How To Set Up Simple Authentication

The steps are:

  1. Set IIS to use Anonymous Authentication, using the IIS management console
  2. Set the PIAB server to use Anonymous Authentication, using the PIAB Server Management Tool
  3. Set the PIAB Windows App to use Anonymous Authentication, using its Options form

1. IIS

Set IIS to use Anonymous Authentication:

  1. Open the IIS Management Console
  2. Select the piabws IIS Application
  3. Select the Authentication feature
  4. Enable Anonymous Authentication and disable the other authentication mechanisms

2. PIAB Server

Set the PIAB Server to use Anonymous Authentication:

  1. Open the PROJECT in a box Server Management Tool
  2. Select the Web App tab
  3. Disable Use IIS Authentication
  4. Click File > Save

3. Windows Desktop App

Set the Windows Desktop App to use Anonymous Access:

  1. Run the PIAB Client
  2. Click Options
  3. In the Authentication to Webserver section, select Anonymous Access
  4. Click OK


How To Set Up Windows Authentication

The steps are:

  1. Set IIS to use Windows Authentication, using the IIS management console
  2. Set the PIAB server to use Windows Authentication, using the PIAB Server Management Tool
  3. Set the PIAB Windows App to use Windows Authentication, using its Options form

1. IIS

Set IIS to Use Windows Authentication:

  1. Open the IIS Management Console
  2. Select the piabws IIS Application
  3. Select the Authentication feature
  4. Enable Windows Authentication and disable the other authentication mechanisms

2. PIAB Server

Set the PIAB server to use IIS Authentication:

  1. Open the PROJECT in a box Server Management Tool
  2. Select the Web App tab
  3. Enable Use IIS Authentication
  4. Click File > Save

3. Windows Desktop App

Set the Windows Desktop App to use IIS Authentication:

  1. Run the PIAB Client
  2. Click Options
  3. In the Authentication to Webserver section, select Integrated Windows Authentication
  4. Click OK

Note that the options Use IIS Authentication to login to the PIAB server and Use Current Windows Credentials are enabled by default when you enable Integrated Windows Authentication. It is possible to bypass this in the special case of the PIAB Admin user, which is sometimes useful for maintenance purposes.
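The IIS step of both procedures above can also be scripted and read back, which confirms that no second authentication mechanism is left enabled on piabws. This is an added example, not part of the original article or of the PROJECT in a box tooling; it uses the standard WebAdministration module, and the function name, its parameters and the "Default Web Site" site name are assumptions.

```powershell
# Added example, not vendor code. Run elevated on the IIS server.
# ASSUMPTION: piabws lives under "Default Web Site"; adjust -Site if it does not.
Import-Module WebAdministration

function Set-PiabIisAuthentication {
    param(
        [Parameter(Mandatory)][ValidateSet('Windows', 'Anonymous')][string]$Mode,
        [string]$Site = 'Default Web Site',
        [string]$App  = 'piabws'
    )
    $location = "$Site/$App"
    $authRoot = 'system.webServer/security/authentication'

    # Exactly one mechanism on, everything else off (step 4 of the IIS procedure).
    $wanted = [ordered]@{
        anonymousAuthentication = ($Mode -eq 'Anonymous')
        windowsAuthentication   = ($Mode -eq 'Windows')
        basicAuthentication     = $false
        digestAuthentication    = $false
    }
    foreach ($name in $wanted.Keys) {
        # The authentication sections are locked at server level by default, so
        # write to applicationHost.config under a <location> tag for the app.
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
            -Filter "$authRoot/$name" -Name enabled -Value $wanted[$name]
    }

    # Read the settings back and report any mechanism not in the wanted state.
    $report = foreach ($name in $wanted.Keys) {
        $actual = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
            -Filter "$authRoot/$name" -Name enabled).Value
        [pscustomobject]@{
            Mechanism = $name
            Wanted    = $wanted[$name]
            Actual    = $actual
            Ok        = ($actual -eq $wanted[$name])
        }
    }

    # Simple mode sends the PIAB user name and password in plaintext, so the
    # site needs an HTTPS binding before it is used in production.
    if ($Mode -eq 'Anonymous' -and -not (Get-WebBinding -Name $Site -Protocol https)) {
        Write-Warning "No HTTPS binding on '$Site': Simple-mode credentials would travel unencrypted."
    }
    $report
}

Set-PiabIisAuthentication -Mode Windows | Format-Table -AutoSize
```

The PIAB Server Management Tool and Desktop App steps still have to be done through their own forms as described above.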

Result

When you open the PIAB home page in the browser, the user field on the login page is greyed out and contains your Windows login name, normally including the domain. No password field is visible. To log in, there must be a corresponding user within PIAB (without the domain name).

Similarly, the PIAB Windows Desktop App login form will show your Windows login, with the user name and password fields greyed out.

5_1/kb0000110.txt · Last modified: 2018/04/26 16:26 (external edit)