Installing the LDAP Authentication Web Service


Introduction:

All users must have a valid account to access infoRouter.

Access to document libraries, folders and documents is subject to security. By default, such access is controlled by the infoRouter authentication and security system.

In addition to this built-in authentication system, infoRouter also provides support for LDAP by integrating directly into the Active Directory system to authenticate infoRouter users.

To achieve this, you must install the LDAP Authentication Web Service to a server on your network. This server could be the infoRouter machine itself or another server.

The server on which you install this web service must be part of the domain you are trying to authenticate against.

If you use more than one LDAP server, you must install this web service on multiple machines or create multiple websites (or virtual directories), one for each LDAP server you wish to use.

Summary of events:

1) You will create a website or virtual directory to perform the authentication from LDAP.

2) You will configure this web service to point to the LDAP domain.

3) Finally, you will configure infoRouter to connect to this web service to make authentication calls.

The website or virtual directory contents are supplied in a folder called LDAP Authentication Web Service. This folder is located in the PROGRAM SETUPS folder under the infoRouter installation directory.

C:\inforouter\programsetups\LDAP Authentication Web Service


[Image: contents of the LDAP Authentication Web Service folder]

You must use the contents of this directory to create a website or a virtual directory that will be accessed by infoRouter to authenticate LDAP users.

To do this, perform the following:

1) Copy the contents shown above into a folder which will become the working directory for the website or virtual directory you are about to create.

2) Using the IIS Manager tool, create a website or virtual directory on the infoRouter server or some other server on the network.

3) Give the website or virtual directory a name like “IRAuthenticationSrv”.

4) Make the working directory of the website the folder you created in step 1.

5) Edit the file called Web.config in the working directory using Notepad.exe to enter the actual LDAP Domain Name.

The web.config file should look like the sample below:


[Image: sample Web.config for the LDAP Authentication Web Service]

In the above sample, users will be authenticated against a domain called ACME. Replace ACME with your actual domain name.

Remember:

Domain names are case-sensitive.

The expected value here is a domain name and NOT a server name or IP address.

The value for the parameter called AUTHENTICATIONMETHOD can be either “ADSI” or “SSPI”. The “ADSI” method uses .NET objects. It can be slow at times but returns descriptive error messages and can be run in X64 mode on IIS.

The “SSPI” method is the old-fashioned low-level Windows API implementation. SSPI is very fast and scalable but runs only in 32-bit IIS mode.

Unfortunately, the SSPI method does not return descriptive error messages in cases where the Primary or the Backup domain controllers are not available or operational. Other common problems are also not adequately reported using this method.

We recommend the use of the ADSI method on X64 machines.

The ADSI method is the default setting.


Configuring infoRouter to use the LDAP Authentication Web Service


Now that you have installed the infoRouter LDAP Authentication Web Service, you must configure infoRouter to use this web service for authentication.

Notice that before configuring infoRouter, the user properties window will look like the following:


[Image: user properties window before configuration]

Notice that the only option for “Authentication Type” is infoRouter.

Follow the instructions below to configure infoRouter to use the LDAP Authentication Web Service:

The way to define the existence of such a service or services to infoRouter is to create a few entries in the infoRouter Web Application Configuration (Web.config) file.

This file is located in a path such as the following (depending on which drive you installed infoRouter):

C:\inforouter\site\web.config

Or

D:\inforouter\site\web.config

Or

E:\inforouter\site\web.config

The following sample demonstrates how this declaration is done in the infoRouter web.config file.

Edit the web.config file and enter the following keys into its <appSettings> section.


[Image: sample web.config entries for the ACME domain]

In the above sample, your LDAP domain is called ACME.

If you have more than one LDAP server with different user sets, then the web.config settings should look like the following:

A separate key for each NT Domain server is required to identify the web service application that performs the authentication service.


[Image: sample web.config entries for two LDAP servers]

In the sample above you have two LDAP servers and they are called ACME and XYZ.

Accordingly, when infoRouter needs to authenticate a user from the “ACME” domain server, it will ask a server called ACMESRV if the user credentials for the user match what was entered by the user at the infoRouter login screen.

Similarly, when a user from the “XYZ” domain attempts to log in to infoRouter, infoRouter will ask a server called XYZSRV to verify the user credentials.

This web service application was developed to support authentication from multiple domains. So if you have multiple domains within the same organization but a single instance of infoRouter to support all users, install this web service in as many domains as required.

Once you make the edits to the web.config file and display the user properties of any given user, the screen will look like the following:


[Image: user properties window after configuration]

Notice that the screen now allows you to choose an “Authentication type” and infoRouter is no longer the only option. ACME appears as an alternative authentication source.

For each user you wish to authenticate from this new authentication source, you must edit their user profiles to change the authentication type to the new source.

Now that you have installed the LDAP Authentication Web Service and configured infoRouter, you should be able to authenticate a user from the defined LDAP server.

Perform the following to test the configuration:

1.	Log in to infoRouter as the “SYSADMIN”.
2.	Navigate to the infoRouter Control Panel.
3.	Click on the “Manage Users” link.
4.	Define a new user or edit the user profile of an existing user.
5.	This user must have a valid LDAP account (same user id in infoRouter and LDAP).
6.	Make sure to choose the LDAP domain name in the Authentication Type field.
7.	The password you specify at this point does not matter. The LDAP password is the one that will be used. Make up a password, which will essentially be ignored by infoRouter.
8.	Save the user profile.
9.	Log out.
10.	Navigate back to infoRouter and click on the Member Login link.
11.	Specify the user name and password (LDAP password) of the account you just edited and click OK.

			

You should be able to log in using the user id and password as defined in LDAP.

If for some reason you cannot log in, refer to the troubleshooting section in the following pages.


Troubleshooting


Try navigating to infoRouter and logging in with an LDAP user id and password.

Make sure that this user has been marked as LDAP Authenticated in infoRouter. In this case the authentication type should read “ACME” in the user properties screen.

If this user cannot be authenticated, there could be two possible reasons.

Possible Reason 1:

The LDAP authentication service has not been configured correctly.

To test this, try the following:

Launch a browser window and type the URL of the infoRouter Authentication Web Service you just installed.

The URL should be something like this:

http://<servername>/<irauthenticationserviceVirtualDir>/irAuthenticationSrv.asmx

<servername> is the name of the server where the service was installed

<irauthenticationserviceVirtualDir> is the virtual directory to which you installed the service.

You should see a screen like this.


[Image: the authentication web service page]

Click on the “AuthenticateUser” link


Enter the User Name and Password of the LDAP Authenticated user and click “Invoke”

The service may respond in two ways: TRUE and FALSE.

Both are OK.


If the server indicates that the user is unknown or that the password is bad, this means that the service is running OK. Try typing in the user id and password again, making sure to enter them both correctly.


If the server indicates “TRUE” for the success parameter and nothing for the Error parameter, then the user can be authenticated correctly using this server.

In any case, if you get one of the above responses from this service, this will mean that the service has been configured correctly.

If you can authenticate a user id and password correctly using this screen but cannot authenticate from infoRouter, try looking into possible reason 2.

Possible Reason 2:

This is the case where the infoRouter server has not been properly configured to call the correct authentication service.

To check this, navigate to the web.config file located in the c:\inforouter\site directory. Remember to do this on the infoRouter web server.

Edit the web.config file with the Notepad application.

You should see entries in the <appSettings> section such as the following:


[Image: authentication service entries in the infoRouter web.config]

Make sure that the URLs are typed in correctly.

A good way to make sure that the URL is valid is to copy the entire URL in the value field and paste it into a browser window. Make sure that you can successfully access the authentication server.
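
The URL check described above can be scripted instead of pasted into a browser one value at a time. The following PowerShell is an added example, not part of the infoRouter documentation or product: the function name Test-AuthServiceUrls and the key names in the constructed sample are placeholders (the real key names are the ones in your own web.config), and the script simply inspects every <appSettings> value that parses as an http or https URL. It also flags plain http URLs, because the user name and password submitted at login are sent to this service.

```powershell
# Constructed sample input. Key names are placeholders, NOT infoRouter's real keys.
$sample = @'
<configuration>
  <appSettings>
    <add key="PLACEHOLDER_KEY_ACME" value="http://ACMESRV/IRAuthenticationSrv/irAuthenticationSrv.asmx" />
    <add key="PLACEHOLDER_KEY_XYZ" value="https://XYZSRV/IRAuthenticationSrv/irAuthenticationSrv.asm" />
    <add key="PLACEHOLDER_OTHER" value="not a url" />
  </appSettings>
</configuration>
'@

function Test-AuthServiceUrls {
    param([xml]$Config, [switch]$Probe)
    foreach ($entry in $Config.configuration.appSettings.add) {
        $value = $entry.GetAttribute('value')
        $uri = $null
        # Skip settings whose value is not an absolute http(s) URL.
        if (-not [Uri]::TryCreate($value, [UriKind]::Absolute, [ref]$uri)) { continue }
        if ($uri.Scheme -notin 'http', 'https') { continue }

        $issues = @()
        if ($uri.Scheme -eq 'http') {
            $issues += 'cleartext HTTP: login passwords cross the network unencrypted'
        }
        if (-not $uri.AbsolutePath.EndsWith('.asmx', [StringComparison]::OrdinalIgnoreCase)) {
            $issues += 'path does not end in .asmx (typing error?)'
        }

        # Optional live check, equivalent to pasting the URL into a browser.
        $reachable = $null
        if ($Probe) {
            try {
                $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 10
                $reachable = ($resp.StatusCode -eq 200)
            } catch { $reachable = $false }
        }
        [pscustomobject]@{
            Key       = $entry.GetAttribute('key')
            Url       = $value
            Reachable = $reachable
            Issues    = $issues -join '; '
        }
    }
}

# Offline run against the constructed sample (no network access).
Test-AuthServiceUrls -Config ([xml]$sample) | Format-List
# On the infoRouter web server, against the real file and with a live probe:
# Test-AuthServiceUrls -Config ([xml](Get-Content 'C:\inforouter\site\web.config' -Raw)) -Probe | Format-List
```

Run it on the infoRouter web server itself so that name resolution and firewall rules match what infoRouter sees when it calls the service.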