Active Directory Authentication

Does FileVista support authentication off of Active Directory or an LDAP database?
Karl 2/14/2006 9:40 AM
If anonymous authentication is disabled in IIS, then FileVista will not prompt for credentials with the default login screen. You will be prompted with your browser's logon screen instead and Windows will handle the authentication depending on your IIS settings. So authentication against Active Directory or an LDAP database would be possible. FileVista will use the logged on user's information.
Cem Alacayir 2/14/2006 5:37 PM
I've defined a user with domain\username and username and neither seems to tie back to the Active Directory account. I enter the AD username and password in the browser login screen and am then passed to the FileVista login screen where the AD credentials do not work.

Suggestions?
lorennerol 9/7/2007 5:03 PM
Please open web.config and change the line 

<authentication mode="None" /> 

to 

<authentication mode="Windows" /> 

Authentication mode is set to "None" by default. This is to ensure that FileVista's own authentication is used by default. Since you need to use domain authentication and bypass FileVista's authentication, you need to set the mode to "Windows".
Cem Alacayir 9/7/2007 5:25 PM
Hi Cem-

This fixed a portion of the problem. Unfortunately, the app seems to be trying to parse the root directory structure using the service account rather than the user account, so I'm getting permission errors. What I need is for each FileVista session to retrieve the data in the context of the logged in user. Is this possible? The specific error I'm seeing is "An Error Occurred: Access to the path '\\server\root' is denied"

Thanks!
lorennerol 9/21/2007 2:26 PM
You need to enable impersonation so that ASP.NET runs the application in the context of the authenticated user.

You can do this by changing the line in web.config:

<identity impersonate="false" />

to 

<identity impersonate="true" />

Cem Alacayir 9/23/2007 7:51 AM
PERFECT!! Thank you.
lorennerol 9/23/2007 10:24 AM
Setting <identity impersonate="true" /> AND <authentication mode="Windows" /> works perfectly. This allows for ACL's to be defined on files/folders to control access. 

Using this method, would it be possible for you to relay an "access denied" message when a user attempts to access a file under their own context where they do not have permission to that file/folder?
bpo 9/25/2007 9:08 AM
Yes, the application will already relay "access denied" messages in those situations.

Although you can define permissions for users in FileVista, users are first limited by Windows ACLs, i.e. even if you give a user full permissions in FileVista, he will still receive an "access denied" message whenever he is limited by an ACL on that folder or file.



Cem Alacayir 10/1/2007 10:13 AM
I know it's possible to use AD using the browser's login prompt, but I want to use the web form for the user to log in with, only using AD to authenticate with. Is this possible?
Adam 8/5/2008 9:54 AM
Sorry, as of the current version this is not available.
Cem Alacayir 8/8/2008 3:03 PM
AWAKENING AN OLD POST



Where has the 

<identity impersonate="true" />

setting gone from the config in the latest version???

I need to run the app under the user account, not the NETWORK SERVICE account.

HELP

Dan
Dan 7/19/2009 1:38 AM
You can add this setting after the <system.web> tag in FileVista\web.config.
Cem Alacayir 7/21/2009 6:11 AM
I don't want to pass the user to the login screen when they come from a particular site (that is, when httprequest.urlreferrer="test.aspx"; in this case I don't want the user to go to the login screen).

So I went to Login.aspx, created a dummy label, and in the label's onload method I check whether this page comes from the particular site. If so, I tried to post the login page programmatically, but I am unsuccessful with this effort. Can you provide any help on this? This is very urgent, and thanks in advance for your help.

code sample is given below

<script runat="server">

    protected void LabelLoad(object sender, EventArgs e)
    {
        Uri URLReferrer = Request.UrlReferrer;
        if (URLReferrer != null)
        {
            string s = URLReferrer.ToString();
            if (s == "http://localhost/TestFileVistaWebSite/Default.aspx")
            {
                System.Net.HttpWebRequest httpRequest =
        (System.Net.HttpWebRequest)System.Net.WebRequest.Create("http://localhost/library.craftershome2.com/filevista/Login.aspx");

                httpRequest.Method = "POST";
                httpRequest.ContentType = "application/x-www-form-urlencoded";

                string poststring = String.Format("username={0}&password={1}&remember={2}&submitButton=clicked", "admin", "ganesh", "checked");
                byte[] bytedata = Encoding.UTF8.GetBytes(poststring);
                httpRequest.ContentLength = bytedata.Length;
                //httpRequest.Proxy = new Sy
                httpRequest.CookieContainer = new System.Net.CookieContainer();
                System.IO.Stream requestStream = httpRequest.GetRequestStream();
                requestStream.Write(bytedata, 0, bytedata.Length);
                requestStream.Close();
                

                System.Net.HttpWebResponse httpWebResponse =
                (System.Net.HttpWebResponse)httpRequest.GetResponse();

                Response.Redirect("http://localhost/library.craftershome2.com/filevista/Default.aspx");
            }
        }
    }
</script>
palani 1/18/2010 11:21 AM
Your code will not work because you are trying to post username and password in a different context. The session and cookies in that context will not be the same as your current ASP.NET request. So your code is simply acting such that a second user is connected and tries to log into FileVista.

Please see the below topic for a way to bypass the login page:
Pass-through login
Cem Alacayir 1/21/2010 6:49 PM
Above I see that Active Directory authentication is available. You said that for this to work you would define a user with the same name in the FileVista application. However, you said "FileVista will use the logged on user's information".

I am very interested in your product. I would like to use Active Directory authentication. However, my site uses group logins in some instances. Would it be possible to be logged in as one Active Directory user, access FileVista via Internet Explorer, and still be prompted for an Active Directory username and password?

Basically I would be logged in as USER_A.
I would access FileVista.  Then instead of FileVista using the logged in user's information I would then like to authenticate to FileVista using another Active Directory account, USER_B.

Would this work?
Adam Smith 6/21/2010 10:37 AM
I am using Windows 2008 R2 64-bit, IIS 7.0. If anonymous authentication is disabled in IIS, I get an internal server error when I browse to http://servername/filevista.
Also, I changed the settings below in web.config:
<identity impersonate="true" />
<authentication mode="Windows" /> 
Windows authentication is still not working.
My questions:
1. Even if using Windows authentication, do I still need to create the same user account name in FileVista? With or without the domain in front of the account? Say my domain is "mydomain": should the user account format be mydomain\user01 or just user01? How about the password, with or without a password?

2. I don't need to point to an AD or LDAP server? I did not see such settings.

3. In IIS 7, under Authentication, what are the settings for Windows basic and Windows? Enable or disable?
Jason 6/26/2010 3:42 PM
Adam,
Sorry, as of the current version this is not possible.

Jason,
You don't need to point to an AD or LDAP server. Basically you only need to configure IIS to handle the authentication.
Please follow these steps to configure FileVista for Active Directory Authentication.

1. Create a corresponding user in FileVista with the fully qualified name, i.e. in the format "domain\user", and make him an administrator by adding him to the Administrators group. The password is irrelevant as it is only used with FileVista's login page, so you can set an arbitrary password. I recommend creating this administrator in step 1 so that after you change the authentication mode, you can access the administration page with the defined credentials.

2. Open the Authentication section for the FileVista application in IIS 7 and disable "Anonymous Authentication". Choose and enable one of the three authentication options: Basic Authentication, Digest Authentication and Windows Authentication.

Basic Authentication: This is not secure unless used along with SSL (HTTPS) because the user name and password are transmitted as plain text.

Digest Authentication: This is more secure as it protects the password by hashing it.

Windows Authentication: This is also secure and the best authentication scheme in an intranet environment where users have Windows domain accounts.

3. Open FileVista\web.config and add this setting:

<authentication mode="Windows" /> 

If you want FileVista to run under the context of the authenticated user (impersonation), then also add this line:

<identity impersonate="true" />

Adding this setting is the same as enabling the "ASP.NET Impersonation" option in the Authentication section for the FileVista application in IIS 7. If impersonation is not enabled, FileVista will run under the context of the application pool identity, which is generally the NETWORK SERVICE account.

4. From now on you should be able to run FileVista and see the browser login dialog instead of the FileVista login page. Authenticate with the administrator account you created in step 1 to access the administration page. Create corresponding FileVista users for each domain user who is expected to log into FileVista. Always use the fully qualified user names, i.e. in the format "domain\user". You can set arbitrary passwords.
Cem Alacayir 7/23/2010 3:56 AM
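Added example (not part of the thread and not FileVista code): a small Python check that reads the two web.config settings discussed above and reports who handles the login and which identity touches the files. The sample configs are constructed from the values quoted in the thread, and `describe_auth` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed web.config samples built from the settings quoted in the thread;
# these are not FileVista's shipped configuration files.
DEFAULT_SETTINGS = """<configuration><system.web>
  <authentication mode="None" />
  <identity impersonate="false" />
</system.web></configuration>"""

WINDOWS_NO_IMPERSONATION = """<configuration><system.web>
  <authentication mode="Windows" />
</system.web></configuration>"""

WINDOWS_IMPERSONATION = """<configuration><system.web>
  <authentication mode="Windows" />
  <identity impersonate="true" />
</system.web></configuration>"""


def describe_auth(web_config_xml):
    """Report who authenticates the user and whose identity touches the files."""
    system_web = ET.fromstring(web_config_xml).find("system.web")
    if system_web is None:
        raise ValueError("no <system.web> section found")

    auth = system_web.find("authentication")
    mode = auth.get("mode", "").strip() if auth is not None else ""

    # A missing <identity> element means impersonation is off (ASP.NET default).
    identity = system_web.find("identity")
    impersonate = (identity is not None and
                   identity.get("impersonate", "false").strip().lower() == "true")

    if mode == "Windows":
        login = "IIS / Windows (browser logon prompt)"
    elif mode == "None":
        login = "FileVista login page"
    else:
        login = "unrecognised or unset mode: %r" % mode

    file_access = ("user authenticated by IIS" if impersonate
                   else "application pool identity")
    # Per-user NTFS ACLs only take effect when both settings are in place.
    return {"login": login, "file_access": file_access,
            "acls_per_user": mode == "Windows" and impersonate}


if __name__ == "__main__":
    for name in ("DEFAULT_SETTINGS", "WINDOWS_NO_IMPERSONATION", "WINDOWS_IMPERSONATION"):
        print(name, describe_auth(globals()[name]))
```

The middle case is the one reported earlier in the thread: Windows logon succeeds, but file access still runs as the application pool identity, so per-user ACLs on the share are not applied.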
Cem,

We are looking into an unlimited license purchase; however, there is one question still. We would prefer to not have to create user accounts in FileVista for each AD Domain user and instead let the NTFS/NTLM permissions prevail. Is it possible to not have to create both an AD account for new users AND a FileVista account for the AD domain users? Alternatively, can we assign a particular security group as what is looked at versus individual accounts in FileVista?

Looking for alternatives so that with a large number of users, we can maintain user accounts in Active Directory only and not propagate more administrative overhead.

Thanks!
Tom Lucas 11/18/2010 6:02 AM