HTTPS and WCF Configuration Information for Laserfiche Directory Server 10.4.3

March 16, 2020 | KB: 1014134
Directory Server 10.4

Summary

Laserfiche Directory Server Security Token Service (STS) 10.4.3 requires HTTP communication with Laserfiche Directory Server (LFDS). STS versions prior to 10.4.3 require WCF communication. End applications still using WCF will require configuration if alternate service is to be enabled for them. For applications using HTTP, alternate service is no longer relevant.

HTTPS Configuration

Laserfiche Directory Server 10.4.3 no longer relies on WCF for encryption and communication with STS instances and end applications using HTTP to reach LFDS. HTTPS configuration is recommended in order to maintain the same security as in older versions of LFDS. It is also recommended to configure a valid SSL binding on your IIS website hosting Laserfiche Directory Server.

  1. Run the Directory Server endpoint configuration utility called XmlEndpointUtility.exe to configure endpoint binding information for the Directory Server service. By default, this utility is located in the Directory Server installation folder.
  2. Use the HTTPS configuration section to configure the HTTPS certificate binding for secure communication between Directory Server and STS (as well as any Laserfiche applications using HTTP).

    Note: To learn more about HTTPS configuration, navigate to Configuring the Directory Server and STS Endpoints.

  3. Bind an SSL certificate to your chosen secure LFDS port. By default, the HTTPS port is 5049.

    Note: On initial installation or upgrade, the selected certificate will be bound upon closing the utility. Reopening the utility will show a Configure Port Binding button. To bind a different certificate, click Delete Current Binding, select a new certificate from the list, and click Configure Port Binding to bind the new SSL certificate to the specified port.

    Note: To learn more about binding a certificate to the HTTPS port in XMLEndpointUtility, navigate to Certificate Requirements for Laserfiche Directory Server.

  4. Configure STS as follows:
    • Run the Security Token Service's endpoint configuration utility called STSEndpointUtility.exe. By default, this utility is located in the Web/WebSTS subfolder of the Directory Server installation folder.
    • Verify the fully qualified domain name for the Directory Server instance.
    • Select the Use SSL checkbox. If using custom ports in XMLEndpointUtility, make sure that the port is included in the fully qualified domain name (FQDN) field in the format: host.domain.com:PortValue, for example, machinename.sampledomain.com:5049.
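Once the certificate is bound and STS has been pointed at host.domain.com:PortValue, it is worth confirming from a client machine that the LFDS port really presents a trusted, correctly named, unexpired certificate, because a binding error in the utility shows up only as STS failing to reach LFDS. The script below is an added example, not Laserfiche code: it parses the FQDN field in the format the steps above describe (defaulting to port 5049), then performs a TLS handshake against that endpoint with the local trust store, exactly as any HTTPS client would. The host names, the `audit_endpoint` helper and the constructed sample values are assumptions for illustration.

```python
"""Check the Directory Server HTTPS endpoint that STS will be configured to use.

Added example, not part of Laserfiche's utilities. It assumes only what the
article states: LFDS listens for HTTPS on an FQDN and a port (5049 by default)
and STS is pointed at it as "host.domain.com:PortValue".
"""
import socket
import ssl
import time
from typing import Dict, Tuple

DEFAULT_HTTPS_PORT = 5049  # the article's default LFDS HTTPS port


def parse_endpoint(value: str, default_port: int = DEFAULT_HTTPS_PORT) -> Tuple[str, int]:
    """Split the STS FQDN field into (host, port).

    Accepts "host.domain.com" (default port) or "host.domain.com:5049".
    Schemes, paths, non-numeric and out-of-range ports are rejected so that a
    typo in the FQDN field is caught before STS tries to use it.
    """
    value = value.strip()
    if not value or "/" in value or "\\" in value:
        raise ValueError(f"endpoint must be host[:port], got {value!r}")
    host, sep, port_text = value.rpartition(":")
    if not sep:
        host, port = value, default_port
    else:
        if not port_text.isdigit():
            raise ValueError(f"port must be numeric, got {port_text!r}")
        port = int(port_text)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    if not host or host != host.strip() or "." not in host:
        raise ValueError(f"expected a fully qualified host name, got {host!r}")
    return host.lower(), port


def check_tls_endpoint(host: str, port: int, timeout: float = 5.0) -> Dict[str, object]:
    """Handshake with host:port as a client would and report what was presented.

    ssl.create_default_context() validates the chain against the machine's
    trust store and matches the certificate name against `host`, so a
    self-signed or wrongly named certificate is reported, not silently accepted.
    """
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                protocol = tls.version()
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": f"certificate rejected: {exc.verify_message}"}
    except (OSError, ssl.SSLError) as exc:
        return {"ok": False, "reason": f"no TLS service reachable: {exc}"}
    # notAfter is in the form "Mar 16 00:00:00 2021 GMT"; ssl knows how to parse it.
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - time.time()) // 86400)
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    return {
        "ok": days_left > 0,
        "subject": subject.get("commonName"),
        "issuer": issuer.get("commonName"),
        "san": [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"],
        "days_until_expiry": days_left,
        "protocol": protocol,
    }


def audit_endpoint(fqdn_field: str) -> Dict[str, object]:
    """Hypothetical helper: validate the STS FQDN field, then probe the endpoint."""
    host, port = parse_endpoint(fqdn_field)
    result = check_tls_endpoint(host, port)
    result.update({"host": host, "port": port})
    return result


if __name__ == "__main__":
    # Constructed sample value in the article's format; replace with your LFDS FQDN.
    for key, val in audit_endpoint("machinename.sampledomain.com:5049").items():
        print(f"{key:>20}: {val}")
```

Run it from the STS machine (or any client that must reach LFDS): a `certificate rejected` result means the bound certificate is not trusted by, or not issued for, the name STS is using, and a `no TLS service reachable` result means the binding did not take effect on that port or a firewall is in the way.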

WCF Configuration

If separating Laserfiche Directory Server and end applications using WCF across domains without trust, alternate service (certificate authentication) will be necessary for communication between them. When turning on alternate service, the configuration utility prompts for a certificate. This certificate does not have to be the same as the certificate used for IIS SSL bindings. The certificate for alternate service is used for authenticating the machines on untrusted domains.

  1. Run the Directory Server endpoint configuration utility called XmlEndpointUtility.exe. By default, this utility is located in the Directory Server installation folder.
  2. Confirm that the Laserfiche Directory Server machine's fully qualified domain name (FQDN) and the Laserfiche Directory Server service user's principal name (UPN) are correct.
  3. Select the Enable alternate service checkbox to add an alternate service certificate binding.
  4. Select the appropriate trusted certificate to use for communication between Laserfiche Directory Server and the end application.
  5. Configure each end application using WCF as follows:
    • For each client application, open the application's own endpoint utility, verify the LFDS FQDN, and enable alternate service.

      Note: To learn more about certificates used for alternate service, navigate to Certificate Requirements for Laserfiche Directory Server.

Note: To learn more about configuration, navigate to Configuration White Papers.