Configuring Kerberos Authentication For Laserfiche Search Integration 8.2 For SharePoint White Paper



Similar documents
Laserfiche Web Access 8 and Kerberos Configuration in a Windows Server 2008 and IIS 7 Environment. White Paper

PRODUCT WHITE PAPER LABEL ARCHIVE. Adding and Configuring Active Directory Users in LABEL ARCHIVE

Protecting Juniper SA using Certificate-Based Authentication. Quick Start Guide

Security and Kerberos Authentication with K2 Servers

Microsoft Dynamics GP Release

Configuring IBM Cognos Controller 8 to use Single Sign- On

Windows SharePoint Services Installation Guide

Registering and Unregistering Laserfiche Repositories

Guide to the Laserfiche Support Site. White Paper

Optimization in a Secure Windows Environment

CA NetQoS Performance Center

Integration Package for Microsoft Office SharePoint3

YubiKey PIV Deployment Guide

Smart Policy - Web Collector. Version 1.1

Mixed Authentication Setup

Enabling Kerberos SSO in IBM Cognos Express on Windows Server 2008

How To Install Ctera Agent On A Pc Or Macbook With Acedo (Windows) On A Macbook Or Macintosh (Windows Xp) On An Ubuntu (Windows 7) On Pc Or Ipad

CA Technologies SiteMinder

SAM Context-Based Authentication Using Juniper SA Integration Guide

How-to: Single Sign-On

How to Configure Outlook Client for Exchange

CA Nimsoft Service Desk

Deploying Personal Virtual Desktops by Using RemoteApp and Desktop Connection Step-by-Step Guide

White Paper. Fabasoft Folio Cross-Domain License Check. Fabasoft Folio 2015 Update Rollup 2

Secure Agent Quick Start for Windows

Creating and Issuing the Workstation Authentication Certificate Template on the Certification Authority

Symantec Managed PKI. Integration Guide for ActiveSync

Extending Microsoft Windows Active Directory Authentication to Access HP Service Health Reporter

PingFederate. IWA Integration Kit. User Guide. Version 3.0

Setting Up a Unisphere Management Station for the VNX Series P/N Revision A01 January 5, 2010

NTP Software File Auditor for Windows Edition

User Source and Authentication Reference

HP Device Manager 4.7

Dell Recovery Manager for Active Directory 8.6. Quick Start Guide

NetWrix Password Manager. Quick Start Guide

Metalogix Replicator. Quick Start Guide. Publication Date: May 14, 2015

Installing and Configuring vcloud Connector

Security Assertion Markup Language (SAML) Site Manager Setup

Lab 00: Configuring the Microsoft Lync Ignite Environment Cloud Hosted Version

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

Building the SAP Business One Cloud Landscape Part of the SAP Business One Cloud Landscape Workshop

Using Windows Administrative Tools on VNX

Tool Tip. SyAM Management Utilities and Non-Admin Domain Users

Active Directory integration with CloudByte ElastiStor

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access

RSA Security Analytics

Improving Performance of Microsoft CRM 3.0 by Using a Dedicated Report Server

Defender Token Deployment System Quick Start Guide

Wavecrest Certificate

AD RMS Step-by-Step Guide

Lab 05: Deploying Microsoft Office Web Apps Server

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide

Installing Samsung SDS CellWe EMM cloud connectors and administrator consoles

Shared File Room Field Guide. Version 5.5

Active Directory Rights Management Service Integration Guide

Password Reset Server Installation Guide Windows 8 / 8.1 Windows Server 2012 / R2

Modular Messaging. Release 4.0 Service Pack 4. Whitepaper: Support for Active Directory and Exchange 2007 running on Windows Server 2008 platforms.

MicrosoftDynam ics GP TenantServices Installation and Adm inistration Guide

Configuring WMI on Windows Vista and Windows Server 2008 for Application Performance Monitor

Troubleshoot ViewMail for Outlook Issues

Configuring HP Integrated Lights-Out 3 with Microsoft Active Directory

How To Enable A Websphere To Communicate With Ssl On An Ipad From Aaya One X Portal On A Pc Or Macbook Or Ipad (For Acedo) On A Network With A Password Protected (

Sharp Remote Device Manager (SRDM) Server Software Setup Guide

DIGIPASS CertiID. Getting Started 3.1.0

Microsoft Corporation. Project Server 2010 Installation Guide

Outlook Profile Setup Guide Exchange 2010 Quick Start and Detailed Instructions

Dell Command Integration Suite for System Center Version 4.1. Installation Guide

Specops Command. Installation Guide

HOTPin Integration Guide: DirectAccess

Secret Server Installation Windows 8 / 8.1 and Windows Server 2012 / R2

Installing Management Applications on VNX for File

Step-by-step installation guide for monitoring untrusted servers using Operations Manager ( Part 3 of 3)

Deploying Remote Desktop IP Virtualization Step-by-Step Guide

Domain Controller Failover When Using Active Directory

Mashup Sites for SharePoint 2007 Authentication Guide. Version 3.1.1

Microsoft Dynamics AX 2009 Installation Guide. Microsoft Corporation Published: November 2009

Web Interface with Active Directory Federation Services Support Administrator s Guide

IBM Connections Plug-In for Microsoft Outlook Installation Help

VMware vcenter Configuration Manager Backup and Disaster Recovery Guide vcenter Configuration Manager 5.4.1

Microsoft Dynamics GP. Workflow Installation Guide Release 10.0

Windows Live Mail Setup Guide

Microsoft Dynamics GP SQL Server Reporting Services Guide

TestElite - Troubleshooting

vcenter Configuration Manager Backup and Disaster Recovery Guide VCM 5.3

Sage 300 ERP Sage CRM 7.2 Integration Guide

Shared File Room Field Guide

Installing Windows Rights Management Services with Service Pack 2 Step-by- Step Guide

OrgPublisher EChart Security

Enterprise Deployment: Failover Clustering Considerations for Laserfiche. White Paper

Master Data Services. SQL Server 2012 Books Online

Installing the BlackBerry Enterprise Server Management Software on an administrator or remote computer

Managing the SSL Certificate for the ESRS HTTPS Listener Service Technical Notes P/N REV A01 January 14, 2011

Hyper-V Server 2008 Setup and Configuration Tool Guide

HP Device Manager 4.6

Using Internet or Windows Explorer to Upload Your Site

WatchDox SharePoint Beta Guide. Application Version 1.0.0

Project management integrated into Outlook

Transcription:

Configuring Kerberos Authentication For Laserfiche Search Integration 8.2 For SharePoint 2010 White Paper October 2011

2

Table of Contents About SharePoint Search Integration 8.2... 4 SPN Registration for the Laserfiche Server service account... 5 To configure constrained delegation with protocol transition for the C2WTS service account... 5 To configure constrained delegation for the SharePoint Web Services Default Application Pool identity... 6 Troubleshooting Tips... 7 The Delegation tab may not visible in the user s properties dialog box... 7 Use the SharePoint 2010 Central Administration Web site to configure the service accounts for the SharePoint Web Services Default application pool or the Claims To Windows Token Service... 7 The custom service account for C2WTS requires special local policy user rights on the SharePoint Server... 8 Removing Duplicate SPNs... 9 Resetting C2WTS to use Local System... 9 Impersonation Workaround... 10 Additional Resources... 11 3

About SharePoint Search Integration 8.2 Laserfiche SharePoint Search Integration 8.2 for SharePoint 2010 allows SharePoint Search to periodically index the contents of your Laserfiche repository. You can then create a SharePoint Search Center for users to search for documents in a Laserfiche repository from SharePoint. When a SharePoint user submits a search request, the integration dynamically connects to the Laserfiche Server to check that user s Laserfiche security in order to exclude any Laserfiche documents or folders that the user should not be able to see. By default, the integration impersonates as the SharePoint user s Windows account when connecting to the Laserfiche Server. This method allows the integration to use an optimized method for retrieving the Laserfiche entry access rights for that user to determine what documents to display in the SharePoint search results. To preserve a single sign-on experience, the search integration does not prompt the SharePoint user to provide their Windows user account and password. Instead, the integration relies on a Windows feature called the Claims to Windows Token Service (C2WTS) to generate a Windows security token for that user. When the integration and the Laserfiche Server are on the same computer, no additional configuration is required. But, when the integration and the Laserfiche Server are on different computers in the domain, you must allow protocol transition and Kerberos constrained delegation on the following service accounts in Active Directory: The Claims to Windows Token Service s (C2WTS) service account The SharePoint Web Services Default IIS application pools identity (the integration runs within this application pool) Both service accounts must be trusted for delegation to the Laserfiche Server service account. Note: If C2WTS or the SharePoint Web Services IIS application pool are running as Local System or Network Service, you must allow protocol transition and constrained delegation on the SharePoint computer in Active Directory. 4

SPN Registration for the Laserfiche Server service account Before we configure constrained delegation to the Laserfiche server, first make sure that there are valid SPNs registered for the Laserfiche Server. SPN registration requires domain administrator privileges. Use the setspn.exe command-line utility. 1. As a domain administrator, click Start and click Command Prompt. 2. Type the following and press ENTER Setspn s HTTP/LFServerName LFServerServiceAccount Where LFServerName is the name of your Laserfiche Server and LFServerServiceAccount (e.g., mydomain\jdoe) is the domain name of the user for the Laserfiche Server service. 3. Repeat the above step with: Setspn s HTTP/FQDNLFServerName LFServerServiceAccount Where FQDNLFServerName is the fully-qualified domain name to your Laserfiche Server (e.g., myserver.domain.com). To configure constrained delegation with protocol transition for the C2WTS service account 1. Click Start, point to Administrative Tools, and click Active Directory Users and Computers. 2. Do one of the following: By default, C2WTS runs under Local System. If C2WTS is running as Local System, expand the item for your domain and select the Computers item. Locate the SharePoint server and view its properties. If C2WTS is running under a custom service account, expand the item for your domain and select the Users item. Locate the appropriate user and view its properties.. 3. On the Delegation tab, select the Trust this computer/user for delegation to specified services only option. 4. Select the Use any authentication protocol option. 5. Click Add to open the Add Services dialog box. 5

6. In the Add Services dialog box, click Users and Computers. 7. In the Select Users or Computers dialog box, type the name of the service account for the Laserfiche Server service. If the Laserfiche Server is running under Local System, type the name of the computer hosting the Laserfiche Server. Click OK. 8. Back in the Add Services dialog box, select the Laserfiche Server SPN you would like to delegate to and click OK. The Service Type is HTTP. To configure constrained delegation for the SharePoint Web Services Default Application Pool identity 1. Click Start, point to Administrative Tools, and click Active Directory Users and Computers 2. Do one of the following: By default, the SharePoint Web Services Default application pool runs under Network Service. If the application pool is running as Network Service, expand the item for your domain and select the Computers item. Locate the SharePoint server and view its properties. If the SharePoint Web Services Default application pool is running under a custom service account, expand the item for your domain and select the Users item. Locate the appropriate user and view its properties. 3. On the Delegation tab, select the Trust this computer/user for delegation to specified services only option. 4. Select the Use any authentication protocol option. 5. Click Add to open the Add Services dialog box. 6. In the Add Services dialog box, click Users and Computers. 7. In the Select Users or Computers dialog box, type the name of the service account for the Laserfiche Server service. If the Laserfiche Server is running under Local System, type the name of the computer hosting the Laserfiche Server. Click OK. 8. Back in the Add Services dialog box, select the Laserfiche Server SPN you would like to delegate to and click OK. The Service Type is HTTP. 6

Troubleshooting Tips When using the default user accounts for the SharePoint Web Services application pool identity (Network Service) and the Claims to Windows Token Service (Local System), the entire Kerberos configuration process is reduced to using the Active Directory Users and Computers snap-in to enable Kerberos constrained delegation on the SharePoint computer. When you use custom service accounts, additional prerequisites and best practices are required. The following section highlights common scenarios, best practices, and pitfalls. The Delegation tab may not visible in the user s properties dialog box By default, the Active Directory Users and Computers MMC snap-in does not automatically display the Delegation tab for all users. As a workaround, register a placeholder SPN for the user. For example: Setspn s FakeProtocol/AnyServerName UserAccount Once registered, you can now view the Delegation tab to configure constrained delegation. Note: It is possible to manually edit a user s attributes to configure constrained delegation. For more information, see Microsoft documentation on the msds-allowedtodelegateto attribute and the UserAccountControl attribute s TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION bit. Use the SharePoint 2010 Central Administration Web site to configure the service accounts for the SharePoint Web Services Default application pool or the Claims To Windows Token Service Instead of using IIS Manager or the Services snap-in to change the process identities for the SharePoint Web Services Default application pool or C2WTS, use the SharePoint 2010 Central Administration site to streamline the configuration process. For example, C2WTS only accepts requests from domain accounts explicitly listed in its configuration file. By default, SharePoint adds the WSS_WPG local group to the configuration file. When you use Central Administration to modify the identity of the SharePoint Web Services Default IIS application pool, SharePoint will automatically add that account to the WSS_WPG group. To register a managed account 7

1. Open the SharePoint 2010 Central Administration site. 2. Click Security. 3. Under General Security, click Configure managed accounts. 4. On the Managed Accounts page, click Register Managed Account. 5. Specify the desired Windows domain name and password and click OK. To change the application pool identity 1. Open the SharePoint 2010 Central Administration site. 2. Under Security, click Configure service accounts. 3. In the top drop-down list, select the Service Application Pool SharePoint Web Services Default option. 4. In the Select an account for the component drop-down list, select the desired account and click OK. To change the Claims to Windows Token Service identity 1. Open the SharePoint 2010 Central Administration site. 2. Under Security, click Configure service accounts. 3. In the top drop-down list, select the Windows Service Claims to Windows Token Service option. 4. In the Select an account for the component drop-down list, select the desired account and click OK. The custom service account for C2WTS requires special local policy user rights on the SharePoint Server By default, C2WTS runs under the Local System account. If you want C2WTS to run as a custom user account, be aware that the service account for C2WTS must have the following local policy user rights on the SharePoint Server: Act as part of the operating system Impersonate a client after authentication Log on as a service Use the Local Security Policy MMC snap-in to add the account to listed rights. 1. Click Start, point to Administrative Tools, and click Local Security Policy. 2. Expand Local Policies and select User Rights Assignment. 3. Double-click Act as part of the operating system. 8

4. Click Add User or Group and specify the custom C2WTS service account. 5. Repeat the above steps with the Impersonate a client after authentication right and the Log on as a service right. Removing Duplicate SPNs A Service Principal Name (SPN) must be unique. Duplicate SPNs prevent Kerberos authentication from functioning. Use the setspn.exe command-line utility to identify and remove duplicate SPNs. To identify duplicate SPNs 1. As a domain administrator, click Start and click Command Prompt. 2. Type the following and press ENTER to display duplicate SPNs: Setspn x To remove an SPN 1. As a domain administrator, click Start and click Command Prompt. 2. Type the following and press ENTER to remove the specified SPN: Setspn d spn ServiceAccount Resetting C2WTS to use Local System The SharePoint Central Administration does not allow you to reset C2WTS to run as Local System. Please see the following Microsoft TechNet article for details on using Windows PowerShell to reset the Claims to Windows Token Service back to using Local System. http://technet.microsoft.com/en-us/library/gg502596.aspx 9

Impersonation Workaround The Laserfiche SharePoint Search Integration includes a different method for connecting to the Laserfiche Server when checking Laserfiche entry access rights. You can configure the integration to log in to Laserfiche with the same Windows account that you specified in the Laserfiche SharePoint Search Configuration utility. In this scenario, the integration no longer attempts to impersonate the user running the search when connecting to the Laserfiche Server and Kerberos authentication is not necessary. However, be aware that the benefit of no longer needing to configure Kerberos comes at the expense of search performance. To switch to this alternate login method, create a UseC2WTS DWORD value in the HKEY_LOCAL_MACHINE\SOFTWARE\Laserfiche\SharePoint Integration\8.2 registry key. To create the UseC2WTS registry value 1. Click Start and type the following into the search box: Regedit 2. Expand KEY_LOCAL_MACHINE. 3. Expand SOFTWARE. 4. Expand Laserfiche. 5. Expand SharePoint Integration 6. Expand 8.2. 7. Create a new DWORD value named: UseC2WTS 8. Set the value to 0 to configure the Search Integration to connect to the Laserfiche Server using a static account. Note: Configuring the Search Integration in this manner removes the need to configure Kerberos authentication, but introduces performance slowdowns. SharePoint searches of Laserfiche documents will take longer to return results and there is a greater chance of searches timing out. 10

Additional Resources See the following Microsoft TechNet articles on Kerberos authentication for SharePoint 2010. http://technet.microsoft.com/en-us/library/gg502594.aspx The same set of articles is also available as a Microsoft Word document: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=231 76 11

Configuring Kerberos Authentication For Laserfiche Search Integration 8.2 For SharePoint 2010 October 2011 Author: Roger Wu Technical Editor: Zhiyu Chen, Brian McKeever Compulink Management Center, Inc. Global Headquarters 3545 Long Beach Blvd. Long Beach, CA 90807 U.S.A Phone: +1.562.988.1688 www.laserfiche.com Laserfiche is a trademark of Compulink Management Center, Inc. Various product and service names references herein may be trademarks of Compulink Management Center, Inc. All other products and service names mentioned may be trademarks of their respective owners. Laserfiche makes every effort to ensure the accuracy of these contents at the time of publication. They are for information purposes only and Laserfiche makes no warranties, express or implied, as to the information herein. Copyright 2011 Laserfiche All rights reserved 12

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information