Automatic Authentication

smp (34 posts)
January 7, 2009 10:22 AM

When I select Automatic Authentication, I can successfully log in. However, the job management functions are not available. When I log in with a user account which is a member of the local Administrators group, I have the Run and Hold options available.

For testing purposes, I have configured the IIS site to run under the default IIS user (IUSR_<server name>), and I have granted that account (and the local Administrators group) Full Control applied to "Server settings, all adTempus objects" in the adTempus Server Options.

J.D. Staff (46 posts)
January 8, 2009 04:03 PM
It doesn't matter what account IIS is using, or what permissions that account has. Your permissions within adTempus are based on the identity you log in under.

When you select Automatic Authentication, right next to that it tells you what user you're connecting as. Is it the identity you expect? Is that user a member of the Administrators group? If not, you won't be able to do anything unless you first log in as an Administrator using the Console and give yourself permissions.
smp (34 posts)
January 9, 2009 07:38 AM

The user specified next to the Automatic Authentication radio button on the login page is "Automatic authentication (connect as user <server name>\IUSR_<server name>)". This is expected, as the IIS web site is configured to run under this account. This user is not a member of the local Administrators group.

However, in adTempus under Tools -> Server Options -> General Options -> Security Settings tab, the <server name>\IUSR_<server name> user account has been explicitly granted "Full Control", applied to "Server settings, all adTempus objects".

I made sure to close my browser and restarted the adTempus service, but that didn't change the behavior.
J.D. Staff (46 posts)
January 9, 2009 12:35 PM
When you use Automatic Authentication what should happen is that you connect to adTempus under the identity that you're running your web browser under. If you are logged in to the network as "slick50" then the user name that appears next to Automatic Authentication should be "slick50". I can think of two reasons why it would be using the wrong identity:

1) you didn't configure the authentication settings for the web application (see step 15 of the installation instructions)

2) the web server is a different server from adTempus, and Kerberos delegation is not configured. In this case the web server can't pass your identity on to adTempus.

We could try to figure out why the permissions aren't working for the IUSR account, but that's not a good security model to be working under: it means that any user who can connect to the web application will be able to connect to adTempus, and everyone will be connecting to adTempus under the same identity.

The better solution is to figure out why automatic authentication isn't passing the right identity, or use explicit authentication.
smp (34 posts)
January 9, 2009 12:46 PM
Aha, you got it. I had Anonymous Access enabled on the web site. When I disabled it, my account was displayed on the Automatic Authentication line.
 
Thanks for laying out how this works.
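
The misconfiguration resolved in this thread (Anonymous Access left enabled, so every browser reaches the application as the IUSR account) can be checked for in configuration. The following is an added example, not part of the original thread and not adTempus code; it assumes the IIS 7+ `applicationHost.config` XML layout (the thread does not state the IIS version), and the site and application paths are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the IIS 7+ applicationHost.config layout; the site
# and application paths are hypothetical, not taken from the thread.
SAMPLE_CONFIG = """
<configuration>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="IUSR" />
    <windowsAuthentication enabled="false" />
  </authentication></security></system.webServer>
  <location path="Default Web Site/adtempus">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/adtempus-fixed">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" />
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>
"""

def auth_flags(node, inherited):
    """Return the enabled state of each authentication module under node."""
    flags = dict(inherited)
    auth = node.find("system.webServer/security/authentication")
    for module in (auth if auth is not None else []):
        if "enabled" in module.attrib:
            flags[module.tag] = module.get("enabled").lower() == "true"
    return flags

def audit(config_xml):
    """Classify each <location> by the identity the application will see."""
    root = ET.fromstring(config_xml)
    defaults = auth_flags(root, {})  # server-level settings
    findings = {}
    for loc in root.findall("location"):
        flags = auth_flags(loc, defaults)  # simplification: no nested-path inheritance
        if flags.get("anonymousAuthentication", False):
            # Browser is never challenged, so every caller is the anonymous account.
            findings[loc.get("path")] = "SHARED_IDENTITY"
        elif flags.get("windowsAuthentication", False):
            findings[loc.get("path")] = "PER_USER"
        else:
            findings[loc.get("path")] = "NO_WINDOWS_AUTH"
    return findings

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_CONFIG).items():
        print(f"{verdict:16} {path}")
```

A `SHARED_IDENTITY` result corresponds to the state smp started in: enabling Windows authentication alone is not enough while anonymous access is still on for the same path.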
