Sidebar
KB0000110 Using Integrated Windows Authentication
Authentication Schemes
There are a number of authentication schemes to choose from when using PROJECT in a box, depending on the size and complexity of the implementation. This article describes two patterns, one with and one without Active Directory integration.
Note that we always recommend 'Integrated Windows Authentication' in a production environment.
'Simple' - No Active Directory
In 'Simple' authentication mode, a user must supply a PIAB-specific user and password.
The user names and hashed passwords are stored in the PIAB database, and the client sends these credentials to the server over the network in plaintext. Security can be improved by using HTTPS on the web server, which encrypts the traffic including credentials.
'Advanced' - Integrated Windows Authentication using Active Directory
In 'Advanced' authentication mode, a user who is logged into Windows is automatically logged into PIAB using their Windows login name. This is 'Single Sign-On'.
The users names are stored in the PIAB database and must match up with Active Directory login names. The user needs to be logged on as a Windows domain user. The IIS Virtual Directory or Website hosting the PIAB web service (piabws) is set to use 'Integrated Windows Authentication'. The PIAB client is also set to connect with 'Integrated Windows Authentication'. In use, the PIAB client picks up the logged-in username, authenticates to IIS, and then authenicates the user name with the PIAB database. No passwords are sent.
Summary of the Two Main Authentication Schemes
| Scheme | Description | Typical Use | Pros and Cons |
|---|---|---|---|
| Simple | -User names and passwords stored in the PROJECT in a box database -Anonymous access in IIS | Single-user installations e.g. Personal Edition on a laptop, or small implementations on a LAN with a handful of users to maintain. | -Simple to understand. -Users have to remember their PROJECT in a box user names and passwords |
| Advanced | -Single sign-on -Windows authentication in IIS -User names only stored in the PROJECT in a box database -User names sync with Active Directory using LDAP | On a larger Windows domain with many users. | -Single sign-on -Better security -Cheaper to administer for larger networks -Requires Windows Sysadmin skills to understand and set up. |
How To Setup 'Simple' Authentication
On the Server:
- Open the IIS Management Console
- Select the 'piabws' website or virtual directory, and right-click for properties
- Select the 'Directory Security Tab'
- In 'Anonymous Access and Authentication Control', click 'Edit'
- Enable 'Anonymous Access' and disable the other authentication mechanisms
- Click 'OK'
For Enterprise Hub:
- Run the 'PROJECT in a box Server' program (on the server).
- Select the 'Hub' tab
- Disable 'Use IIS Authentication'
On the Client:
- Run the PIAB Client
- Click 'Options'
- In the 'Authentication to Webserver' section, select 'Anonymous Access'
- Click 'OK' and login with your PIAB user and password
How To Setup 'Advanced' (Active Directory) Authentication
On the Server:
- Open the IIS Management Console
- Select the 'piabws' website or virtual directory, and right-click for properties
- Select the 'Directory Security Tab'
- In 'Anonymous Access and Authentication Control', click 'Edit'
- Disable 'Anonymous Access'
- Enable 'Integrated Windows Authentication'
- Click 'OK'
For Enterprise Hub:
- Run the 'PROJECT in a box Server' program (on the server).
- Select the 'Hub' tab
- Enable 'Use IIS Authentication'
On the Client:
- Run the PIAB Client
- Click 'Options'
- In the 'Authentication to Webserver' section, select 'Integarated Windows Access'
- Ensure 'Use Current Windows Credentials' is selected.
- Ensure 'Use IIS Authentication to login to the PIAB Server
- Click 'OK'
- Login - your Windows user name should be shown, and the password field disabled.
Page Tools
