Article No.3259User-ManagementTroubleshooting - User authentication | Windows authentication with IIS
Description :
If Windows authentication now longer functions correctly as of Intrexx 19.03, you need to check the following configurations.

1. Portal service
2. web.xml
3. web.config
4. Restart the services
5. Activate Windows authentication in IIS
Solution :
Requirements:
Please note that the interaction between Intrexx an IIS as a reverse proxy has changed as of Intrexx 19.03, therefore the following points need to be taken into account when using IIS.

- IIS installation
So that Intrexx and IIS can work together correctly, IIS must be prepared accordingly (ARR module, ASP.net, etc.). You can find a detailed guide for installing IIS in our Online Help at:
https://onlinehelp.unitedplanet.com/intrexx/9200/en/index.html?p=helpfiles/help.2.vorbereitung.html#Multiple-portals-under-one-address

- Switching from integrated authentication to a custom authentication method
Please note that when you switch from or to integrated authentication, Intrexx automatically adjusts the web.config and web.xml files. Therefore, this means that when you switch from integrated authentication to a custom authentication method, these files need to be readjusted.

Troubleshooting:
1. Portal service
Is the portal service (Windows services) executed by a user who has permission for the domain?

2. web.xml
Are the parameters in the XML set correctly? You should check whether the following parameters are set to “allow” (s. webxml.png):

<init-param>
<param-name>connector.security.header.allow.xuser</param-name>
<param-value>X-User</param-value>
</init-param>

<init-param>
<param-name>connector.security.header.allow.xdomain</param-name>
<param-value>X-Domain</param-value>
</init-param>

<init-param>
<param-name>connector.security.header.allow.xaccountname</param-name>
<param-value>X-AccountName</param-value>
</init-param>

<init-param>
<param-name>connector.security.header.allow.forwarded</param-name>
<param-value>Forwarded</param-value>
</init-param>

In addition, the following filter, or rather its parameter, must be set to “true” (s. webxml2.png):

<filter>
<filter-name>External Authentication Filter</filter-name>
<filter-class>de.uplanet.lucy.server.connector.servlet.ExternalAuthenticationFilter</filter-class>
<init-param>
<description>
This property is used to enable or disable the filter.
IMPORTANT: For compatibility reasons the default value of this property
is true for the External Authentication Filter.
Values: true (default) or false.
</description>
<param-name>enabled</param-name>
<param-value>true</param-value>
</init-param>

3. web.config
The “Windows” authentication mode must be enabled (by uncommenting the lines) (s. webconf.png):

<authentication mode="Windows"/>
<authorization>
<deny users="?"/>
</authorization>

Additionally, the “IntrexxWindowsAuthHttpModule” needs to be included in the list of modules (s. webconf2.png):

<modules>
<add name="IxProxyHeadersHttpModule" preCondition="managedHandler" type="UnitedPlanet.Intrexx.Web.IxProxyHeadersHttpModule"/>
<add name="IntrexxWindowsAuthHttpModule" type="UnitedPlanet.Intrexx.Web.IxWindowsAuthHttpModule" preCondition="managedHandler"/>

</modules>

4. Restart the services
If you have made changes to the configurations, you need to restart the portal service (Windows services) and IIS.

5. Activate Windows authentication in IIS
Windows authentication needs to be enabled on the corresponding site in the “Authentication” IIS module (s. iis.png).
Operationsystemunspecific
CategoryUser-Management
Databaseunspecific
Found in version:
  • 19.03
Attachments
modified09/01/2020