Article No.3335User-ManagementCustom (“Other”) authentication method with Intrexx 19.03
Description :
Guide to using a custom (“Other”) authentication method in conjunction with IIS as the reverse proxy and Intrexx 19.03
Solution :
To use a custom (“Other”) authentication method in Intrexx, a new method needs to be added to LucyAuth.cfg (<portal>\internal\cfg) first.

Example:
Authentication with SSO (Windows authentication) and Intrexx authentication:

MyDemoAuth
{
de.uplanet.lucy.server.auth.module.integrated.IntegratedLoginModule sufficient
debug=false;

de.uplanet.lucy.server.auth.module.intrexx.IntrexxLoginModule sufficient
debug=false;

de.uplanet.lucy.server.auth.module.anonymous.AnonymousLoginModule sufficient
debug=false;
};

Once a method has been added, it can be selected in the Portal Manager (s. mixed.png). Please note that when switching to a custom (“Other”) authentication method, the following files need to be adjusted to use Windows authentication, if required (s. example configuration at the bottom). Our Knowledge Base also contains a corresponding article (Article No. 3259 – Troubleshooting: User authentication | Windows authentication with IIS)

- <portal>\external\htmlroot\web.config
- <portal>\external\htmlroot\WEB-INF\web.xml

Because every portal should be run with its own site in IIS (web server) as of Intrexx 19.03, a site must be created in each case for mixed authentication (e.g. internal.myportal for “SSO” and external.myportal for “intrexxauth”). The corresponding authentication method is then activated in the Authentication module of the respective site (s. iis-mixed.png).

Example:
Adjusting web.config and web.xml:

1. web.xml
Are the parameters in the XML set correctly? You should check whether the following parameters are set to “allow” (s. webxml.png):

<init-param>
<param-name>connector.security.header.allow.xuser</param-name>
<param-value>X-User</param-value>
</init-param>

<init-param>
<param-name>connector.security.header.allow.xdomain</param-name>
<param-value>X-Domain</param-value>
</init-param>

<init-param>
<param-name>connector.security.header.allow.xaccountname</param-name>
<param-value>X-AccountName</param-value>
</init-param>

<init-param>
<param-name>connector.security.header.allow.forwarded</param-name>
<param-value>Forwarded</param-value>
</init-param>

In addition, the following filter, or rather its parameter, must be set to “true” (s. webxml2.png):

<filter>
<filter-name>External Authentication Filter</filter-name>
<filter-class>de.uplanet.lucy.server.connector.servlet.ExternalAuthenticationFilter</filter-class>
<init-param>
<description>
This property is used to enable or disable the filter.
IMPORTANT: For compatibility reasons the default value of this property
is true for the External Authentication Filter.
Values: true (default) or false.
</description>
<param-name>enabled</param-name>
<param-value>true</param-value>
</init-param>

2. web.config
The “Windows” authentication mode must be enabled (by uncommenting the lines) (s. webconf.png).

<authentication mode="Windows"/>
<authorization>
<deny users="?"/>
</authorization>

Additionally, the “IntrexxWindowsAuthHttpModule” needs to be included in the list of modules (s. webconf2.png):

<modules>
<add name="IxProxyHeadersHttpModule" preCondition="managedHandler" type="UnitedPlanet.Intrexx.Web.IxProxyHeadersHttpModule"/>
<add name="IntrexxWindowsAuthHttpModule" type="UnitedPlanet.Intrexx.Web.IxWindowsAuthHttpModule" preCondition="managedHandler"/>

</modules>

3. Restart the services
If you have made changes to the configurations, you need to restart the portal service (Windows services) and IIS.

4. Activate Windows authentication in IIS
Windows authentication needs to be enabled on the corresponding site in the “Authentication” IIS module (s. iis.png).
Operationsystemunspecific
CategoryUser-Management
Databaseunspecific
Found in version:
  • 19.03
Attachments
modified09/01/2020