Enabling Kerberos Support for Windows Authentication.

July 26, 2006 | KB: 1001045
Web Access 7, WebLink 7, Laserfiche Server - Team (MSDE) 7, Laserfiche Server - United (MSSQL) 7, Laserfiche Server - United (Oracle) 7

Summary

Laserfiche Server can take advantage of the Kerberos authentication mechanism. This allows users to log in to Web Access and WebLink using Windows authentication even when Web Access or WebLink are installed on a different computer from the Laserfiche Server.

Resolution

This feature is included by default in Laserfiche Server 7.1.2 and later and Web Access 7.1 and later. Hotfix files are provided if you want to add support for this feature to Laserfiche Server 7.1.1, Web Access 7.0.x, or WebLink 7.0.x. Laserfiche Server must have version 7.1.1.410 or later of LFEng.dll. Laserfiche Web Access or WebLink must have version 7.0.0.401 or later of LaserficheServerObjects.dll.

To update Laserfiche Server 7.1.1

  1. Download the zip file containing LaserficheServerObjects.dll (version 7.0.0.401) and LFEng.dll (version 7.1.1.410).
  2. Replace the LFEng.dll found in the Laserfiche Server installation folder with the one included in the zip file.
  3. Restart the Laserfiche Server service.
    1. Click Start and then click Control Panel.
    2. Double-click Administrative Tools.
    3. Double-click Services.
    4. Scroll down and select Laserfiche Server 7.x.
    5. From the Action menu, click Restart.

To update Web Access or WebLink

  1. Download the zip file containing LaserficheServerObjects.dll (version 7.0.0.401) and LFEng.dll (version 7.1.1.410).
  2. On the computer where Web Access or WebLink is installed, replace the LaserficheServerObjects.dll located at C:\Program Files\Common Files\Laserfiche\LFObjects with the one included in the zip file.
  3. Register LaserficheServerObjects.dll.
    1. Click Start and then click Run.
    2. In the Run dialog box, type the following and then click OK to register LaserficheServerObjects.dll:

      regsvr32 "C:\Program Files\Common Files\Laserfiche\LFObjects\LaserficheServerObjects.dll"

More Information

By default, a Kerberos ticket that a client presents to one server cannot be forwarded by that server to a second server (the "double hop" problem). When Web Access/WebLink runs on a separate computer from Laserfiche Server, the IIS server must re-authenticate the user to Laserfiche Server, so you must enable delegation for the IIS server's account in Active Directory (on the domain controller). Where the domain functional level allows it (Windows Server 2003 or later), prefer constrained delegation limited to the Laserfiche Server SPN over unconstrained delegation, which lets the IIS server obtain tickets to any service on the user's behalf.

Requirements for delegation from the Web Access Server to the Laserfiche Server

  • Service Principal Names (SPNs) must be registered for two services:
    • World Wide Web Publishing (W3SVC)
    • Laserfiche Server 7.1 (LFS71)

    Note: If the service runs as a domain user account, a domain administrator must register the SPN on that account. If the service runs as the computer's account (for example, Local System or Network Service), the service can register its SPN itself, or the local administrator can register it with the Setspn.exe utility. An SPN registered on more than one account breaks Kerberos authentication for that service, so check for duplicates.

  • Any domain account used to authenticate to Web Access must be permitted to be impersonated; in particular, the "Account is sensitive and cannot be delegated" option must not be set on it, or the domain controller will not issue a forwardable ticket for that user.
  • The computer hosting IIS and Web Access must be trusted for delegation.
  • The service account used by the World Wide Web Publishing service must be trusted for delegation.
  • Domain security must be configured such that the service account used by the World Wide Web Publishing service is able to impersonate another account.
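The following is an added example, not part of the original article or Laserfiche's own tooling. It registers the two SPNs listed above with Setspn.exe, reads them back, and then checks the delegation-related flags on the accounts involved through ADSI, so that the requirements in this list can be verified from a command prompt rather than by clicking through Active Directory Users and Computers. The host names (WEBSRV, LFSRV), domain (corp.example), account names and the host form of the LFS71 SPN are assumptions; only the service classes HTTP (for W3SVC) and LFS71 come from the article.

```powershell
# Added example (not from the original Laserfiche article). Assumed topology:
#   WEBSRV.corp.example  - IIS / Web Access, W3SVC running as CORP\svc_webaccess
#   LFSRV.corp.example   - Laserfiche Server 7.1, service running as CORP\svc_lfs
# The LFS71 service class is from the article; the "LFS71/host" form is an assumption.

# 1. Register SPNs (run as a domain administrator, since both services use domain
#    accounts). Register short and FQDN forms; clients may build either.
setspn -A HTTP/WEBSRV              CORP\svc_webaccess
setspn -A HTTP/WEBSRV.corp.example CORP\svc_webaccess
setspn -A LFS71/LFSRV              CORP\svc_lfs
setspn -A LFS71/LFSRV.corp.example CORP\svc_lfs

# 2. Read back what is registered. The same SPN on two accounts breaks Kerberos
#    (the KDC cannot choose a key), so inspect both lists for overlap.
setspn -L CORP\svc_webaccess
setspn -L CORP\svc_lfs

# 3. Check delegation flags directly in AD (no AD PowerShell module needed).
#    userAccountControl bits: 0x80000 = TRUSTED_FOR_DELEGATION (unconstrained),
#    0x100000 = NOT_DELEGATED ("Account is sensitive and cannot be delegated").
#    msDS-AllowedToDelegateTo lists constrained-delegation targets (W2K3+ domains).
function Get-DelegationState {
    param([string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    [void]$searcher.PropertiesToLoad.AddRange(
        @('userAccountControl', 'msDS-AllowedToDelegateTo', 'servicePrincipalName'))
    $r = $searcher.FindOne()
    if ($r -eq $null) { throw "Account $SamAccountName not found in the domain" }
    $uac = [int]$r.Properties['useraccountcontrol'][0]
    New-Object PSObject -Property @{
        Account              = $SamAccountName
        TrustedForDelegation = [bool]($uac -band 0x80000)
        SensitiveNoDelegate  = [bool]($uac -band 0x100000)
        ConstrainedTargets   = @($r.Properties['msds-allowedtodelegateto'] | Where-Object { $_ })
        SPNs                 = @($r.Properties['serviceprincipalname'] | Where-Object { $_ })
    }
}

# The W3SVC service account must be trusted for delegation (TrustedForDelegation,
# or ConstrainedTargets containing the LFS71 SPN). If W3SVC runs as Network
# Service, check the IIS computer account (WEBSRV$) instead.
Get-DelegationState 'svc_webaccess'
Get-DelegationState 'WEBSRV$'

# A user who logs in to Web Access must NOT have SensitiveNoDelegate set.
Get-DelegationState 'jdoe'
```

With constrained delegation, ConstrainedTargets on the W3SVC account should list the LFS71 SPN of the Laserfiche Server and nothing else; an empty list together with TrustedForDelegation set means unconstrained delegation is in effect, which is the configuration the "Important" warning below is about.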

For detailed information on performing the procedures necessary to satisfy the listed requirements, please see the following Microsoft TechNet article. Please become familiar with the information documented in the TechNet article as any troubleshooting procedure will include going through the checklists provided in the article.

Troubleshooting Kerberos Delegation

See the white paper, Setting Up Kerberos for WebLink7, for detailed instructions on implementing delegation with WebLink7.

Important: An incorrect configuration can seriously compromise network security. Please become familiar with the underlying mechanisms described in the listed TechNet article before implementing this type of installation.

Note: The IIS server caches the Kerberos tickets it already holds, and delegation is only possible with tickets issued after delegation was enabled on the domain controller. After enabling delegation, make sure the IIS server obtains fresh tickets, by purging its ticket cache (for example, with klist purge where klist.exe is available) or by restarting the IIS server; until it does, it will not delegate.

Note: If you are using Internet Explorer, make sure that the Enable Integrated Windows Authentication (requires restart) option is enabled. This option is available on the Advanced tab of the Internet Options dialog box. The Web Access site must also be in a security zone in which Internet Explorer is allowed to send the user's credentials automatically (by default, only the Local intranet zone); otherwise the browser will prompt for credentials or fall back to NTLM, which cannot be delegated.

Related Links

1012024 Enabling Kerberos Support for Windows Authentication in Laserfiche 8.