System Administration

Configure Authentication Settings

An Administrator can configure different authentication modes (Basic, Integrated, and Custom) to access the Stewardship Tier. A user can also be set up to log in as an anonymous user.

NOTE: Either Basic or Integrated authentication must be supported to log in to the Stewardship Tier. If both types are enabled, the Stewardship Tier attempts to authenticate the user by Integrated authentication, then by Basic authentication.

Authentication settings are configured on the Security Settings tab on the Parameters page.

This topic contains the following sections:

• Configure Anonymous Authentication
• Configure Basic Authentication
• Configure Integrated Authentication
• Configure Custom Integration

Configure Anonymous Authentication

When an anonymous user clicks a workflow link in an email, that user is logged in to the Stewardship Tier without having to enter a user name and password.

To configure a user account to use Anonymous authentication:

1. Click Admin > Configuration > Parameters in the Navigation pane.
2. Click the Security Settings tab.
3. Click the Support Anonymous check box to enable it.
4. Select Admin > Security > Users in the Navigation pane.

5. Click Edit for a user.

   View the field descriptions for the Users page

6. Click the ANONYMOUS check box to enable it.
7. Click Save.

Configure Basic Authentication

Basic Authentication is the default configuration for the Stewardship Tier, no additional configuration is required. The user must enter a valid Stewardship Tier user ID and password to log in and access a WebApp. An Administrator must grant the user permissions to WebApps and pages. Refer to Set Security for more information.

Basic Authentication does not maintain any relationship with the corporate Windows domain or any external authentication provider.

The Basic Authentication check box can be updated on the Parameters page’s Vertical View on the Security Settings tab.

NOTE: Support Basic Authentication dictates the display of the Login page. Do not disable the Support Basic Authentication check box unless configuration of Integrated Authentication is complete.

Configure Integrated Authentication

If the Support Integrated Authentication check box is enabled on the Parameters page, corporate system user IDs are permitted to log in to the Stewardship Tier. The Stewardship Tier uses the corporate ID and cross-references it with the local Stewardship Tier ID. After a user has successfully been authenticated by the corporate system and logged in to a computer, the Stewardship Tier can be started without an additional login.

Integrated Authentication is typically used in a Windows Domain environment. Integration with other authentication providers is also possible.

NOTE: If the site uses Integrated Authentication, users can be added to WebApp groups on initial log in. Refer to Use Auto Register to Add Users to WebApp Groups Automatically for more information.

Authentication methods require configuration steps in IIS, in the file system on the web server, and in the Stewardship Tier.

Enable Integrated Authentication at a High Level

To enable Integrated Authentication at a high level:

1. Disable IIS Enable Anonymous Access.
2. Enable IIS Integrated Windows Authentication.
3. Include the user’s corporate ID in the user’s account settings in the Stewardship Tier.

Enable Integrated Authentication in IIS and Windows

To enable Integrated Authentication in IIS and Windows:

1. Open IIS Manager (under Administrative Tools).
2. Expand the tree on the left and select the Stewardship Tier virtual directory.
3. Double-click the Authentication icon.
4. Right-click Anonymous Authentication and select Disable from the list menu.

5. Right-click Windows Authentication and select Enable from the list menu.

   NOTE: At this point the Stewardship Tier may not be accessible to all users.

6. Close IIS Manager.

7. Locate the Stewardship Tier Installation Directory in Windows Explorer.

8. Right-click the Stewardship Tier directory and select Properties from the list menu.
9. Click the Security tab.
10. Click Edit.

11. Enter Authenticated Users in the Enter the object names to select field.

    NOTE: To browse for the Authenticated Users group, click the Advanced and Find Now buttons.

12. Click Check Names button and verify that the name is recognized.
13. Click OK.
14. Select Modify from the Permissions for Authenticated Users option box.
15. Click OK to close the Permissions for Stewardship Tier window.
16. Click OK to close the Stewardship Tier Properties window.

17. Repeat steps #9 – 16 to grant Modify permissions to the Authenticated Users group on all folders that are used by the Stewardship Tier and the WebApps. This will depend on which WebApps are installed and what file locations were chosen during the installation process.

    NOTE: The specific folders where permissions must be modified will be different at different sites. All folder locations accessed by the Stewardship Tier must have the appropriate permissions set, or errors will be reported.

Enable Integrated Authentication in the Stewardship Tier

To enable Integrated Authentication in the Stewardship Tier:

1. Select Admin > Configuration > Parameters in the Navigation pane.
2. Click the Security Settings tab.
3. Click the Support Integrated Authentication check box.
4. Click Admin > Security > Users in the Navigation pane.
5. Click Vertical View for a user who will be accessing the Stewardship Tier using Integrated Authentication.

6. Click Edit.

   View the field descriptions for the Users page’s Vertical View.

7. Enter the Windows User Name.

   NOTE: Use the format domain\username. Do not provide a password.

   NOTE: A validation warning "User will not be able to login with basic authentication if password is NULL or empty" may appear. If users will only be logging in using Windows Integrated Authentication then accept the validation warning by clicking the Yes button; otherwise set a password.

8. Confirm that Integrated Authentication has been configured correctly by accessing the site from a client computer (not the web server). Verify that the site can be accessed without the user having to provide credentials.

   NOTE: Perform the steps below if Integrated Authentication is the only supported authentication method and Basic is not required.

9. Select Admin > Configuration > Parameters in the Navigation pane.
10. Click the Security Settings tab.
11. Click Support Basic Authentication check box to uncheck it.

Configure Custom Integration

When the parameter Support Custom Authentication is enabled on the Parameters page’s Security Settings tab, user authentication is delegated to a third party plugin to be developed on site. This is implemented through an external page that references Stewardship Tier provided assemblies and implements the expected functionality.