Network Security

Version 11.0.0


Network Security OnBase 11.0.0

COPYRIGHT

Information in this document is subject to change without notice. The OnBase® Information Management System software described in this document is furnished only under a separate license agreement and may be used or copied only according to the terms of such agreement. It is against the law to copy the software except as specifically allowed in the license agreement, or without the expressed written consent of Hyland Software, Inc. If Hyland Software, Inc. and you have entered into a nondisclosure agreement, then this document or accompanying materials provided by Hyland Software, Inc. contains certain information which is confidential information of Hyland Software, Inc. and which may be used or copied only according to the terms of such nondisclosure agreement. All data, names, and formats used in this document’s examples are fictitious unless noted otherwise. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Hyland Software, Inc.

©2011 Hyland Software, Inc. All rights reserved.

Depending on the modules licensed, the OnBase® Information Management System software may contain portions of: Imaging technology, Copyright © Snowbound Software Corporation; CD-R technology, Copyright © Sonic Solutions; CD-R technology, Copyright © Rimage Corporation; OCR technology, Copyright © Nuance Corporation; Mail interface technology, Copyright © Intuitive Data Solutions; Electronic signature technology, Copyright © Silanis Technology, Inc.; Full text search technology, Office core assembly, ASP.NET extensions, application blocks, smart client architecture, Object Builder, and WPF controls, Copyright © Microsoft Corporation; Full Text Indexing technology, Copyright © Verity, Inc.; SYBASE Adaptive Server Anywhere Desktop Runtime, Copyright © SYBASE, Inc., portions Copyright © Rational Systems, Inc.; ISIS technology, Copyright © EMC Corporation; JLex technology, Copyright © 1996-2003 by Elliot Joel Berk and C. Scott Ananian; A2iA CheckReader, Copyright © A2iA; Terminal emulation technology, Copyright © Attachmate; User interface controls, Copyright © Infragistics; Terminal emulation technology, Copyright © NetManage; CAD document technology, Copyright © Open Text Corporation; ISIS scanning interface, Copyright © Pegasus Imaging Corporation; CD/DVD burner technology, Copyright © Prassi Software Incorporated; Code obfuscation technology, Copyright © PreEmptive Solutions; Icon library, Copyright © Professional Icons; OSA dlls, Copyright © Sharp Electronics Corp.; JAVA components, Copyright © Sun Microsystems; Signature pad technology, Copyright © Topaz Systems Incorporated; and User interface tools, Copyright © Xceed Software, Incorporated.

Portions of the OnBase® software modules may be covered by one or more of the following U.S. Patents: 7,644,091 and 7,765,271. Portions contained within OnBase® are licensed by U.S. Patent Nos. 6,094,505; 5,768,416; 5,625,465 and 5,258,855.

Hyland Software® and OnBase® are registered trademarks of Hyland Software, Inc. Application Enabler™ is an unregistered trademark of Hyland Software, Inc. EMC Centera® is a registered trademark of EMC Corporation. All other trademarks, service marks, trade names and products of other companies are the property of their respective owners.

Attribute Detail

Document Name Network Security

Department/Group Documentation

Revision Number 11.0.0

Part Number CORM-11.0.0- -OB

©2009 Hyland Software, Inc.



Table of Contents

Exposure
  OVERVIEW ..... 1

Usage
  USAGE ..... 3
    Opening Multiple Web Client Sessions ..... 3

Configuration
  CONFIGURATION ..... 6
    Source of Security Information ..... 6
      Normal System Security ..... 7
      Windows NT Security ..... 8
        NT API Authentication Settings ..... 10
      Novell Security ..... 12
      LDAP Security ..... 13
        LDAP General Server Settings ..... 15
        Server Bind Method ..... 16
        User Mapping ..... 17
        Group Mapping ..... 18
        User/Group Association ..... 19
        Configuring Multiple LDAP Servers ..... 20
        Windows Integration and Trusted Domains ..... 23
    Additional Settings for NT and LDAP Authentication ..... 24
      Interactive User Authentication ..... 25
      Active Directory Username Mapping Attribute ..... 26
        Additional Considerations for LDAP Security ..... 26
      Synchronize User Attributes on Auto-Logon ..... 27
      Authentication Only on Auto-Logon ..... 27
    Integrating OnBase User Groups with Domain User Groups ..... 28
    Adding Users to OnBase with LDAP and NT Authentication ..... 29
  ENABLING AUTOLOGON ..... 29
    OnBase Client ..... 29
    Web Client ..... 29
      Multiple Sites Configuration ..... 30
      Java Web Client ..... 30
    Desktop ..... 31
  INTEGRATION FOR SINGLE SIGN ON WITH NT OR LDAP AUTHENTICATION ..... 32
    EnableAutoLogin ..... 32
    forceSSOAutoLoginOverDomain ..... 32
  ADDITIONAL SETTINGS FOR THE ONBASE WEB SERVER ..... 33
    Setting Access to the Application Pools ..... 34
    Adding the Web Server as a Trusted Site ..... 35
    Setting Automatic Logon in Internet Explorer ..... 36

Installation
  REQUIREMENTS ..... 39
    LDAP Directory Service ..... 39
    About Virtual Environments ..... 39
    64-Bit Support Statement ..... 40
    Windows User Account Control Statement ..... 40
    Data Execution Prevention (DEP) ..... 41
      Determining DEP Settings ..... 41
      Configuring Exceptions to DEP Settings ..... 42
    INI File ..... 43
      Previous File Location/File Name ..... 44
      Location ..... 44
      INI Considerations in a Citrix and Microsoft Windows Remote Desktop Environment ..... 45
      Editing the INI File ..... 46
  TROUBLESHOOTING ..... 46
    HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials ..... 46
    (Autologin) No matching usergroups were found, access denied ..... 46
  CONTACTING SUPPORT ..... 46

EXPOSURE

OVERVIEW

The Network Security module allows for tighter security controls and a more streamlined user experience when accessing OnBase by integrating with existing NT Authentication and LDAP (Active Directory and NDS) Authentication schemes. NT and LDAP Authentication have the added security benefit that users need only remember one password, making it less likely that they will write their passwords down where someone can find them. You can also choose whether users are prompted for login credentials when accessing OnBase or are logged in to OnBase automatically based on the NT/LDAP credentials supplied when they logged on to their workstation.

This manual describes how to integrate OnBase with NT or LDAP Authentication; it is not intended to be a comprehensive overview of these authentication schemes. It is written on the assumption that the System Administrator has the necessary knowledge of the company’s network authentication schemes and understands how they work.

Caution: These options provide the ability to implement global security changes to your OnBase system and should never be made available to the non-administrative user. If configured incorrectly, your OnBase system may be made more vulnerable and users can be locked out of OnBase.

USAGE

If auto logon is enabled, users are automatically logged in to OnBase without having to provide credentials.

Note: User accounts configured as Service Accounts in OnBase cannot log in to OnBase using auto logon.

If Interactive User Authentication is also enabled, or if auto logon is not enabled, users are prompted for their network authentication credentials when logging in to OnBase.

Opening Multiple Web Client Sessions

If Internet Explorer is set to reuse windows for launching shortcuts, and you have only one window open with the OnBase Web Client, then relaunching the Web Client from a shortcut automatically disconnects you from your current session and establishes a new connection in your current window.

If you are already logged in to the OnBase Web Client and attempt to initiate another session in a new browser window, the Another OnBase session is currently active dialog is displayed.

• Select Close this session and continue using the active session to close the new session and leave the existing session open.

• Select Close the active session and continue logging in here to close the active session and continue with the new session. If auto logon is enabled, the user is logged in automatically.

CONFIGURATION

Network Security options are configured in the Network Security dialog box. In order to access the Network Security dialog, you must launch the Configuration module with the -ROMANZO switch applied.

Caution: Before using features enabled by the -ROMANZO switch, ensure that you understand the implications of any changes to your system. Contact your service provider with any questions regarding these features. Features enabled by the -ROMANZO switch should not be made available to the casual user. Remove the -ROMANZO switch after completing necessary actions.


To access the Network Security dialog, select Network Security from the Utils menu in the Configuration module. The Network Security dialog is displayed. The options available in this dialog are described in the sections below.

Source of Security Information

The options under Source of Security Information define how OnBase authenticates users.


Normal System Security

Normal System Security is the default authentication method and is enabled for all OnBase systems, unless it has been modified by accessing the Network Security dialog. With Normal System Security, users are authenticated using OnBase credentials and they are prompted for their credentials each time they log in.


Windows NT Security

To authenticate users using Windows NT Security, select Windows NT Security then click the Settings button. The NT Security dialog is displayed.

Caution: Setting your OnBase system to use NT Authentication cannot be undone.

1. For added security, select Challenge Logon Domain and enter a User and Password to authenticate against the domain the user is currently logging in from.

This feature ensures that the domain the user attempts to log in to OnBase from is a valid domain that you want accessing your system. For example, if a user creates a duplicate domain in an attempt to gain access to OnBase (a practice known as “spoofing”), the Challenge Logon Domain feature fails to authenticate against the spoofed domain because the user/password provided do not exist in the spoofed domain, thereby causing the log in to OnBase to fail.


Note: This is true even if All Domains or Specified Domains is selected for group discovery because the Challenge Logon Domain user is only authenticated against the domain the OnBase user is currently logging in from.

2. Under Find Groups in, select the domains you want to search for user records:

• Logon Domain Only searches only the current domain;

• All Domains searches all available domains;

Caution: If All Domains is selected, all available domains are searched to locate every instance of a user record. Depending on the number of domains to search, this process could be time-consuming and may result in a time-out.

• Specified Domains searches all the domains you enter in the field provided. Separate each domain with a comma.

Note: When using Windows NT Authentication in a multiple domain environment the domains must have a two-way trust between them.

Select Failover to Interactive Mode to display the interactive login dialog box if a user is attempting to authenticate via autologon from a domain that is not listed in the Specified Domains field. The Domain field in the interactive login is populated with the first domain listed in the Specified Domains field. The user must still be able to authenticate against one of the Specified Domains configured in order to log in successfully, even if they are not currently logged in to one of those domains.

Note: The Failover to Interactive Mode setting is currently only supported in the OnBase Client; it is not currently supported if OnBase is accessed via the Core. The Interactive User Authentication settings configured on the Network Security dialog are still respected even with the Failover to Interactive Mode option selected.

3. Select a Group Discovery Strategy from the drop-down select list:

• Select First-level Groups if all of your users belong to a single security group (i.e., if your top-level security group contains no subgroups);

• Select Nested Security Groups if your users belong to different security groups (i.e., if your top-level security group contains subgroups).


NT API AUTHENTICATION SETTINGS

After your system has been configured to use Windows NT Security, the NT API Authentication Settings option is available under the Utils menu. These settings allow system administrators to prevent the OnBase API (mzNTSecurityConnect) being used for brute-force password discovery attacks.

1. Configure the settings in the NT API Authentication Settings dialog:

Security Level

  Active: Incorrect login attempts are tracked and further login attempts are prevented if the failure threshold is reached.

  Inactive: Incorrect login attempts are not tracked and no failure threshold is enforced.

  Forbid NT Authentication: Any login attempt using the API NT connection method automatically fails.

Destination

  Internal Mail: The OnBase user account that receives NT API Authentication Security notifications via internal mail.

  External Mail: The external e-mail address that receives NT API Authentication Security notifications.

Notification

  Failed Login Notification: Select how to report notices of failed login attempts. They can be logged in the Event Log and sent to the Internal Mail or External Mail addresses.

  Account Lockout Notification: Select how to report notices of users locked out of their accounts. They can be logged in the Event Log and sent to the Internal Mail or External Mail addresses.

  System Lockout Notification: Select how to report a notice of the system locking out all attempted connections using the API. It can be logged in the Event Log and sent to the Internal Mail or External Mail addresses.

Lockouts

  System Lockout: If the configured threshold of failed logins is reached, all future attempts to log in using the API fail.

    • Interval: The amount of time in minutes that must elapse between failed login attempts.

    • Number of Failures: The number of failed login attempts that can occur in the Interval configured.

    • Number of Timed Lockouts: The number of System Timed Lockouts that can occur before all logins using the API are locked out.


  System Timed Lockout: If the configured threshold of failed logins is reached, the system is locked out from using the API to log in for the length of time configured.

    • Interval: The amount of time in minutes that must elapse between failed login attempts.

    • Number of Failures: The number of failed login attempts that can occur in the Interval configured before API connection attempts are locked out.

    • Duration: The amount of time in minutes that API connection attempts are locked out.

  Account Lockout: If the configured threshold of failed logins is reached, all future attempts by that user to log in using the API fail.

    • Interval: The amount of time in minutes that must elapse between failed login attempts.

    • Number of Failures: The number of failed login attempts that can occur in the Interval configured before API connection attempts are locked out.

    • Number of Timed Lockouts: The number of Account Timed Lockouts that can occur before all logins by that user using the API are locked out.

  Account Timed Lockout: If the configured threshold of failed logins is reached, that user is locked out from using the API to log in for the length of time configured.

    • Interval: The amount of time in minutes that must elapse between failed login attempts.

    • Number of Failures: The number of failed login attempts that can occur in the Interval configured before API connection attempts are locked out.

    • Duration: The amount of time in minutes that API connection attempts are locked out.

2. Click Apply.

Novell Security

Caution: Novell Security is not currently supported. Security must be configured using Normal System Security, Windows NT Security, or LDAP Security.
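The lockout escalation described in the NT API Authentication Settings table (failures counted within an Interval, a Timed Lockout of the configured Duration, then a permanent lockout once the Number of Timed Lockouts is exceeded), as an added example that is not OnBase code. It assumes that "Interval" works as a sliding window, that the Lockout and Timed Lockout rows of each scope share one set of parameters, and a constructed credential table in place of the domain.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LockoutPolicy:
    interval: float        # Interval: minutes within which failures are counted together (assumed sliding window)
    failures: int          # Number of Failures that triggers a timed lockout
    duration: float        # Duration: minutes a timed lockout lasts
    timed_lockouts: int    # Number of Timed Lockouts allowed before the lockout becomes permanent


@dataclass
class LockoutState:
    """Failure counter and lockout status for one scope: one account, or the whole system."""
    policy: LockoutPolicy
    recent: deque = field(default_factory=deque)   # timestamps (minutes) of counted failures
    locked_until: Optional[float] = None
    timed_lockout_count: int = 0
    permanent: bool = False

    def is_locked(self, now: float) -> bool:
        return self.permanent or (self.locked_until is not None and now < self.locked_until)

    def record_failure(self, now: float) -> Optional[str]:
        """Count a failure; return "timed" or "permanent" when a lockout starts, else None."""
        self.recent.append(now)
        while now - self.recent[0] > self.policy.interval:
            self.recent.popleft()                  # failures older than the Interval no longer count
        if len(self.recent) < self.policy.failures:
            return None
        self.recent.clear()
        self.timed_lockout_count += 1
        if self.timed_lockout_count > self.policy.timed_lockouts:
            self.permanent = True                  # Account Lockout / System Lockout
            return "permanent"
        self.locked_until = now + self.policy.duration   # Account Timed Lockout / System Timed Lockout
        return "timed"


class NtApiGateway:
    """Stand-in for the API NT connection path; `credentials` is a constructed user table."""

    def __init__(self, security_level, account_policy, system_policy, credentials):
        self.security_level = security_level       # "Active", "Inactive" or "Forbid NT Authentication"
        self.account_policy = account_policy
        self.system = LockoutState(system_policy)
        self.accounts = {}
        self.credentials = credentials
        self.notifications = []                    # what would go to the Event Log / mail destinations

    def _account(self, user: str) -> LockoutState:
        if user not in self.accounts:
            self.accounts[user] = LockoutState(self.account_policy)
        return self.accounts[user]

    def login(self, user: str, password: str, now: float) -> bool:
        if self.security_level == "Forbid NT Authentication":
            return False                           # every API NT login fails
        if self.security_level == "Inactive":
            return self.credentials.get(user) == password   # no tracking, no thresholds
        account = self._account(user)
        if self.system.is_locked(now) or account.is_locked(now):
            return False                           # a locked scope rejects even valid credentials
        if self.credentials.get(user) == password:
            return True
        self.notifications.append(("Failed Login", user, now))
        if account.record_failure(now):
            self.notifications.append(("Account Lockout", user, now))
        if self.system.record_failure(now):
            self.notifications.append(("System Lockout", "*", now))
        return False


def demo():
    """Constructed scenario: returns the outcome of each attempt and the notifications raised."""
    gw = NtApiGateway(
        "Active",
        LockoutPolicy(interval=5, failures=3, duration=10, timed_lockouts=1),
        LockoutPolicy(interval=10, failures=10, duration=30, timed_lockouts=2),
        {"alice": "correct horse", "bob": "battery staple"},
    )
    attempts = [("alice", "wrong", 0), ("alice", "wrong", 1), ("alice", "wrong", 2),   # -> timed lockout
                ("alice", "correct horse", 5),    # rejected: alice is locked until minute 12
                ("alice", "correct horse", 13),   # accepted
                ("alice", "wrong", 20), ("alice", "wrong", 21), ("alice", "wrong", 22),  # -> permanent
                ("alice", "correct horse", 60),   # rejected for good
                ("bob", "battery staple", 60)]    # other accounts are unaffected
    results = [gw.login(u, p, t) for u, p, t in attempts]
    return results, gw.notifications
```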


LDAP Security

To authenticate users using LDAP Authentication, select LDAP Security then click the Settings button. The LDAP Servers dialog is displayed.

Caution: Setting your OnBase system to use LDAP Authentication cannot be undone.

To delete a server, select it in the LDAP pane and click Delete.


To configure a new server to authenticate against, click Add. To edit a server’s configuration, select it in the LDAP pane and click Edit. The LDAP Server Settings dialog is displayed.

The options available in this dialog are described below. Once the LDAP Server Settings have been configured, click Save.

Tip: See also Configuring Multiple LDAP Servers on page 20 for details on configuring more than one LDAP server.


LDAP GENERAL SERVER SETTINGS

These settings are used to locate the LDAP server on the network.

Name: Assign a name to this LDAP Server configuration. Multiple configurations may be stored, so this name should be unique.

Enable: Select Enable to enable the server or deselect it to disable a server. Disabled servers are not used for authentication. Servers can also be enabled or disabled from the right-click menu options.

Host: The fully qualified domain name or IP address of the LDAP server.

Port: The port used by the LDAP server (the default value is 389). Port numbers can be up to 6 digits long.

Use SSL: Select Use SSL to use SSL between the client and the LDAP server. The server must be configured to support SSL and the correct Port assigned (the SSL port is usually 636).

Search Root Distinguished Name: Enter the name of the sub-tree directory to search for users and groups on the LDAP server. Users and groups are expected to be unique within the specified sub-tree, as identified by the OnBase Group Name Attribute and OnBase User Name Attribute.


SERVER BIND METHOD

LDAP requires some form of authentication (server bind) in order to perform searches. Some LDAP servers allow an anonymous bind, while others require user authentication. OnBase access must be configured to perform searches on the LDAP server.

Anonymous: This is the recommended setting if the server supports searches with an anonymous bind.

Current User Credentials: Authenticates against the currently logged in user. This only works with Active Directory.

Proxy User: Authenticates against a specific user account. The user need only have sufficient rights to perform searches and read entries. Enter the user’s distinguished name in the User DN field and supply the Password. Passwords up to 50 characters are supported.

Pre-6.2 version compatibility: Select this option to store the password in the database as plain text for compatibility with pre-6.2 versions. If this option is not selected, the password is encrypted when stored in the database.


USER MAPPING

Configure how a user entry is stored on the LDAP in order to allow OnBase to locate a particular user and its associated groups on the server.

LDAP Class Name: The name of the objectClass within the directory that is used to represent a user entry. This value varies, depending on how the network is set up. The suggested values are user for Active Directory and inetOrgPerson for NDS.

OnBase User Name Attribute: The name of the attribute within the user entry objectClass that corresponds to the user name within OnBase. The suggested values are samAccountname for Active Directory and uid for NDS.

Note: Many configuration settings depend on how your network and directory service are set up. For example, if a login uses first and last names, the matching LDAP attribute for the OnBase User Name Attribute field is Common Name or cn.

Fullname attribute: The name of the attribute within the user entry objectClass that corresponds to the user’s full name. This setting is optional and is used to populate the User’s Real Name field in OnBase when a user account is automatically created in OnBase using LDAP user data (see Synchronize User Attributes on Auto-Logon on page 27). The suggested values are name for Active Directory and givenname for Netware eDirectory.


E-mail Address attribute: The name of the attribute within the user entry objectClass that corresponds to the user’s e-mail address. This setting is optional and is used to populate the User’s E-mail field in OnBase when a user account is automatically created in OnBase using LDAP user data (see Synchronize User Attributes on Auto-Logon on page 27). Both Active Directory and Netware use mail for the E-mail Address attribute value.

GROUP MAPPING

Configure how a group entry is stored on the LDAP server in order to allow OnBase to locate the user groups a user belongs to.

LDAP Class Name: The name of the objectClass that corresponds to a group entry. The suggested values are group for Active Directory and groupOfNames for NDS.

OnBase Group Name Attribute: The name of the attribute within the group entry objectClass that corresponds to the group name within OnBase. The suggested values are samAccountname for Active Directory and uid for NDS. It is also possible to use dn, but not all LDAP servers have an attribute that matches dn.


USER/GROUP ASSOCIATION

Configure how users and groups are associated on the LDAP server. Either the user entry contains the list of associated user groups, or the group entry contains the list of associated users. Each attribute value within the list is expected to match the distinguished name of the related entry.

Association Type: Select the class that contains the list attribute.

Attribute: The name of the list attribute.
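How the User Mapping, Group Mapping and User/Group Association settings combine to turn an OnBase user name into a user entry and its group names, as an added example that is not OnBase code. It uses the Active Directory values suggested above, an in-memory directory constructed in place of a real LDAP search, and compares class and attribute names case-insensitively as LDAP does.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Mapping:
    search_root: str            # Search Root Distinguished Name
    user_class: str             # User Mapping: LDAP Class Name
    user_name_attr: str         # OnBase User Name Attribute
    group_class: str            # Group Mapping: LDAP Class Name
    group_name_attr: str        # OnBase Group Name Attribute
    association_type: str       # "User": user entry holds the list; "Group": group entry holds it
    association_attr: str       # the list attribute; every value is expected to be a DN
    fullname_attr: Optional[str] = None
    email_attr: Optional[str] = None


class Directory:
    """Constructed stand-in for an LDAP directory: dn -> {attribute: [values]}."""

    def __init__(self, entries):
        self.display = {dn.lower(): dn for dn in entries}
        self.entries = {dn.lower(): {k.lower(): (v if isinstance(v, list) else [v])
                                     for k, v in attrs.items()}
                        for dn, attrs in entries.items()}

    def in_subtree(self, dn: str, root: str) -> bool:
        dn, root = dn.lower(), root.lower()
        return dn == root or dn.endswith("," + root)

    def has_class(self, dn: str, object_class: str) -> bool:
        return object_class.lower() in [c.lower() for c in self.entries[dn].get("objectclass", [])]

    def values(self, dn: str, attr: str):
        return self.entries[dn].get(attr.lower(), [])

    def search(self, root, object_class, attr=None, value=None):
        """DNs under root with the given objectClass and, optionally, attr=value."""
        hits = []
        for dn in self.entries:
            if not self.in_subtree(dn, root) or not self.has_class(dn, object_class):
                continue
            if attr is not None and value.lower() not in [v.lower() for v in self.values(dn, attr)]:
                continue
            hits.append(dn)
        return hits


def resolve_user(d: Directory, m: Mapping, onbase_username: str) -> dict:
    """Locate the unique user entry under the search root and return what OnBase would read from it."""
    hits = d.search(m.search_root, m.user_class, m.user_name_attr, onbase_username)
    if len(hits) != 1:   # users must be unique within the sub-tree
        raise LookupError(f"{onbase_username!r}: expected one user entry under the search root, found {len(hits)}")
    user_dn = hits[0]
    if m.association_type.lower() == "user":
        # the user entry lists its groups (e.g. memberOf); each value is a group DN
        group_dns = [g.lower() for g in d.values(user_dn, m.association_attr) if g.lower() in d.entries]
    else:
        # the group entry lists its members (e.g. member); keep groups that contain the user DN
        group_dns = [g for g in d.search(m.search_root, m.group_class)
                     if user_dn in [v.lower() for v in d.values(g, m.association_attr)]]
    groups = []
    for g in group_dns:
        if d.in_subtree(g, m.search_root) and d.has_class(g, m.group_class):
            groups.extend(d.values(g, m.group_name_attr))

    def first_value(attr):
        vals = d.values(user_dn, attr) if attr else []
        return vals[0] if vals else None

    return {"dn": d.display[user_dn], "groups": sorted(groups),
            "real_name": first_value(m.fullname_attr), "email": first_value(m.email_attr)}


# Constructed directory content (fictitious names and addresses).
ALICE = "CN=Alice Adams,OU=Staff,DC=example,DC=com"
SCANNERS = "CN=Scanners,OU=Groups,DC=example,DC=com"
AUDITORS = "CN=Auditors,OU=Groups,DC=example,DC=com"
CONSTRUCTED_AD = {
    ALICE: {"objectClass": ["top", "person", "user"], "sAMAccountName": "aadams",
            "name": "Alice Adams", "mail": "aadams@example.com", "memberOf": [SCANNERS, AUDITORS]},
    SCANNERS: {"objectClass": ["top", "group"], "sAMAccountName": "Scanners", "member": [ALICE]},
    AUDITORS: {"objectClass": ["top", "group"], "sAMAccountName": "Auditors", "member": [ALICE]},
    # same account name outside the search root: must never be matched
    "CN=Alice Adams,OU=Staff,DC=other,DC=com": {"objectClass": ["user"], "sAMAccountName": "aadams"},
}
AD_USER_SIDE = Mapping("DC=example,DC=com", "user", "sAMAccountName", "group", "sAMAccountName",
                       "User", "memberOf", fullname_attr="name", email_attr="mail")
AD_GROUP_SIDE = Mapping("DC=example,DC=com", "user", "sAMAccountName", "group", "sAMAccountName",
                        "Group", "member", fullname_attr="name", email_attr="mail")
```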


CONFIGURING MULTIPLE LDAP SERVERS

Multiple LDAP servers can be configured for authentication. Once all the LDAP servers to authenticate against have been added, they can be further organized into server groups with Primary and Backup servers, using the options under the LDAP pane of the LDAP Servers dialog.

If more than one LDAP server is configured the first server in the list is used for authentication. If that server fails or is disabled, the next server in the list is tried and the process continues until a valid server is found or the list is exhausted.

Note: The next server in the list is only tried if the current server cannot be used. If a server is valid but the login fails due to an invalid user name or password, no further authentication attempts are made on the other servers.

Primary, Backup, and Disabled Servers

A server that is set as Primary marks the start of a new server group. Each server listed after a primary server is considered a backup to that server, until the next primary server is encountered, which marks the start of a new server group.


When organizing servers as primary or backup servers, the order of the servers in the list is important, as the list is used to define server groups. A primary server should be followed by one or more backup servers before the next primary server, such that the primary server and the backup servers that follow it are considered one server group. To move a server up or down in the list, select the server to move and click Move Up or Move Down, as appropriate.

When OnBase attempts to authenticate against the servers listed, the backup servers are only searched if a connection cannot be made to the primary server for that server group. If a user cannot be authenticated in a server group, the next server group is used to attempt authentication. If a server is disabled, it is not included in authentication attempts. Once a successful connection is made and the user is authenticated, the remainder of the server groups are not searched.

• To make a server a primary server, select it from the list and right-click it. Select Primary from the Type right-click menu options.

• To make a server a backup server, select it from the list and right-click it. Select Backup from the right-click menu options.

Note: The first server listed is always considered a primary server, even if its Type is set to Backup.

• To enable or disable a server, select it from the list and right-click it. Select Disabled from the Status right-click menu options to disable it. Select Enabled to enable it.

Exhaustive Searches

When authenticating a user, OnBase does not search the remainder of the server groups once the user is authenticated.

To override this behavior and continue searching all server groups, in order to determine a full list of the user’s user groups, select Exhaustive Search on the LDAP Servers dialog.

With this option selected, OnBase continues to search the server groups for the user even after the user has been authenticated.

Note: If a server is disabled, it is not searched for users even if Exhaustive Search is selected. Whether a server is enabled or disabled is listed under the Status column. See Primary, Backup, and Disabled Servers on page 20 to enable or disable a server.
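The server-group walk described above (primary first, backups only when the primary is unreachable, disabled servers skipped, a rejected password stopping the search, and Exhaustive Search continuing past the first success), as an added Python simulation that is not part of the OnBase product or this guide. Server names, the outcome values and the directory responses are constructed sample data.

```python
from dataclasses import dataclass

# Constructed outcome values for a single server attempt.
UNREACHABLE = "unreachable"    # no connection could be made to the server
AUTH_OK = "authenticated"      # server reachable, user name and password accepted
AUTH_FAIL = "bad_credentials"  # server reachable, user name or password rejected
NOT_FOUND = "not_found"        # server reachable, user not present in this directory


@dataclass
class Server:
    name: str
    server_type: str = "Backup"  # "Primary" or "Backup" (the Type menu)
    enabled: bool = True         # the Status column


def build_groups(servers):
    """Split the ordered server list into server groups.

    A Primary server starts a new group and the servers after it are its backups.
    The first server listed always heads a group, even if its Type is Backup, and
    disabled servers are dropped so they are never contacted. Assumption: if the
    first listed server is disabled, the first enabled one heads the group.
    """
    groups = []
    for server in servers:
        if not server.enabled:
            continue
        if not groups or server.server_type == "Primary":
            groups.append([server])
        else:
            groups[-1].append(server)
    return groups


def authenticate(servers, attempt, exhaustive=False):
    """Walk the server groups in order; return (authenticated, user_groups, log).

    attempt(server_name) -> (outcome, user_groups) stands in for the directory
    call; log records every server actually contacted, in order.
    """
    log = []
    authenticated = False
    user_groups = set()
    for group in build_groups(servers):
        for server in group:  # primary first, then its backups
            outcome, groups = attempt(server.name)
            log.append((server.name, outcome))
            if outcome == UNREACHABLE:
                continue  # only then is the next backup in the group tried
            if outcome == AUTH_FAIL:
                # a reachable server rejected the credentials: stop everywhere
                return authenticated, user_groups, log
            if outcome == AUTH_OK:
                authenticated = True
                user_groups |= set(groups)
            break  # this group has answered; its other backups are not tried
        if authenticated and not exhaustive:
            break  # default behaviour: stop at the first successful group
    # with exhaustive=True the remaining groups are still walked to collect groups
    return authenticated, user_groups, log


# Constructed server list: ldap-a1 is listed first with Type Backup, so it
# still heads the first group; ldap-b2 is disabled and must never be tried.
SAMPLE_SERVERS = [
    Server("ldap-a1", "Backup"),
    Server("ldap-a2", "Backup"),
    Server("ldap-b1", "Primary"),
    Server("ldap-b2", "Backup", enabled=False),
    Server("ldap-c1", "Primary"),
]

# Constructed directory responses for the user logging in.
SAMPLE_DIRECTORY = {
    "ldap-a1": (UNREACHABLE, []),
    "ldap-a2": (NOT_FOUND, []),
    "ldap-b1": (AUTH_OK, ["Finance"]),
    "ldap-b2": (AUTH_OK, ["MustNotAppear"]),
    "ldap-c1": (AUTH_OK, ["Scanning"]),
}


def sample_attempt(server_name):
    return SAMPLE_DIRECTORY[server_name]


def sample_attempt_bad_password(server_name):
    """Same directory, but ldap-a2 rejects the password: the search must stop there."""
    if server_name == "ldap-a2":
        return (AUTH_FAIL, [])
    return SAMPLE_DIRECTORY[server_name]


def contacted(log):
    """Server names from an authenticate() log, in the order they were tried."""
    return [name for name, _ in log]
```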

WINDOWS INTEGRATION AND TRUSTED DOMAINS

You can add trusted domains to authenticate against in the Windows Integration pane of LDAP Servers dialog.

To add a trusted domain to the list, enter the domain name in the field at the bottom of the Windows Integration pane and click Add. To delete a domain from the list, select it and click Delete.

To allow autologons only for users in domains added to the trusted domains list, select Restrict Autologon to Windows User in Trusted Domains. To allow authentication to all available domains, deselect this option.

Additional Settings for NT and LDAP Authentication

If you configure OnBase to use Windows NT Security or LDAP Security, the following options are also available:

• Interactive User Authentication

• Active Directory Username Mapping Attribute

• Synchronize User Attributes on Auto-Logon

• Authentication Only on Auto-Logon

Interactive User Authentication

Select the Interactive User Authentication option to prompt users for authentication credentials in order to log in to OnBase. This can be useful in situations where multiple OnBase users all use the same workstation under the same domain or Windows log in (for example, a generic scanning workstation).

• Select Thick Client to require a log in to the OnBase Client and Configuration modules.

• Select Core Services to require a log in to all Core-based modules.

If Interactive User Authentication is not selected, external authentication schemes are treated as autologons. This means that users are not prompted to log in to OnBase, and the domain or Windows user account currently logged in is used to authenticate the user in OnBase.

Note: Anonymous access to the OnBase Web server and application server virtual directories should be enabled when Interactive User Authentication is enabled.

Active Directory Username Mapping Attribute

The Active Directory Username Mapping Attribute option is only for use with Windows NT Security or LDAP Security when auto-logon is also being used. The default value is sAMAccountName, which is the Windows UserID attribute.

The Active Directory Username Mapping Attribute option allows administrators to specify which Active Directory attribute to use when looking for the corresponding OnBase user account of the Active Directory user currently logged in. In other words, the attribute used to perform the group lookup in Active Directory (i.e., the attribute under which the user is logged in to Windows) may be different from the attribute used to create that user’s account in OnBase.

For example, in OnBase, a user’s account user name is JSMITH, but in Windows the user logs in as ahdme001 and has the Active Directory displayName attribute set to JSMITH. In order for this user to successfully log in to OnBase using auto-logon, the Active Directory Username Mapping Attribute must be set to displayName. With this configuration, the user logs on to Windows as ahdme001 but is authenticated in OnBase under the JSMITH user account.

Caution: When specifying an Active Directory Username Mapping Attribute, you must choose an attribute that has a unique value for each user in Active Directory. If a non-unique attribute is chosen, it is possible that multiple Active Directory users will be mapped to a single user account in OnBase.

ADDITIONAL CONSIDERATIONS FOR LDAP SECURITY

In order to use the Active Directory Username Mapping Attribute option with LDAP Security, you must also edit the LDAP server settings to change the attribute for the user class that maps to the OnBase user, so that the LDAP attribute corresponds to the Active Directory attribute being used.

When using auto-logon with LDAP, OnBase determines the currently logged-in Windows user and extracts the specified Active Directory Username Mapping Attribute value (sAMAccountName by default), then uses that value to query the LDAP server for a matching user.

Synchronize User Attributes on Auto-Logon

Select the Synchronize User Attributes on Auto-Logon option to automatically update the user’s OnBase account with changes made to the logged-in user’s real name or e-mail address in NT or LDAP since the last login. The default behavior is to not update these attributes in OnBase.

Note: If the user’s real name or e-mail is deleted, that attribute is not deleted from OnBase.

To use this feature with LDAP, the LDAP configuration must include values for the Fullname and E-Mail Address attributes (see User Mapping on page 17).

Authentication Only on Auto-Logon

If this option is selected, NT and LDAP autologons do not perform any group membership synchronization with the external system. The external system is only used to perform user authentication. All group membership configuration must be completed in OnBase.

This means that OnBase no longer creates a new user account the first time a user logs in to OnBase. In order to add the user to OnBase, an administrator must manually create the user account.

Note: This setting should be selected for Institutional Databases. This setting does not affect the behavior of the Synchronize User Attributes on Auto-Logon option.

Integrating OnBase User Groups with Domain User Groups

To remove users from an OnBase User Group when they are removed from the corresponding domain user group, in order to keep a one-to-one relationship between the domain and OnBase User Groups, complete the following steps:

1. In the Configuration module, select User Groups/Rights from the Users menu. The User Groups & Rights dialog box is displayed.

2. Select a user group from the list and click the Authentication Settings button. The Authentication Settings dialog box is displayed.

3. Select Remove users from this group if no matching domain group found.

4. Click OK.

With this option enabled, the OnBase User Group is checked against the corresponding domain user group at log in if autologon is also used. If the user logging in is a member of the OnBase User Group but is not a member of the corresponding domain user group, the user is removed from that OnBase User Group.

Caution: This option will remove users from OnBase User Groups if the user groups do not exist on the domain. Make sure your OnBase User Groups have the same names as the corresponding domain user groups. The group names do not need to have matching cases (for example, AdminUsers is considered the same as adminusers or ADMINUSERS).

Adding Users to OnBase with LDAP and NT Authentication

When logging in to OnBase with a user name that doesn’t exist in OnBase, the user is automatically added to OnBase as long as:

• The user is authenticated on the LDAP server or NT domain

• and the corresponding User Groups exist in OnBase.

Note: If your system uses Institutional Databases, users must always be manually created and added to the correct Institution before the user can be authenticated using NT or LDAP. See Authentication Only on Auto-Logon on page 27.

When a user account is created in this way, the user’s e-mail address and real name values are populated in OnBase using the values from the domain. The user is also added to the OnBase User Groups that correspond to the domain user groups that the user is a member of.

Note: If a User Template has been configured in OnBase, those user settings are applied to new user accounts. See User Groups & Rights in the System Administration module reference guide for details.
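An added Python model, not OnBase code, of the auto-logon account rules described in the preceding sections: username mapping through a configurable attribute with a uniqueness pre-check, automatic account creation unless Authentication Only on Auto-Logon is set, attribute refresh that never clears a deleted value, and case-insensitive group reconciliation including the Remove users from this group if no matching domain group found option. The directory entries, account store, group names and function names are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed directory entries. "department" is shared by two users on purpose,
# to show why a non-unique mapping attribute must never be chosen.
DIRECTORY = [
    {"sAMAccountName": "ahdme001", "displayName": "JSMITH", "cn": "Jane Smith",
     "mail": "jsmith@example.test", "department": "Finance",
     "memberOf": ["finance", "ScanOps"]},
    {"sAMAccountName": "rjones", "displayName": "RJONES", "cn": "Rita Jones",
     "mail": "rjones@example.test", "department": "HR", "memberOf": ["HR"]},
    {"sAMAccountName": "tlee", "displayName": "TLEE", "cn": "Tom Lee",
     "mail": "", "department": "HR", "memberOf": ["HR", "LEGAL"]},
]


@dataclass
class OnBaseUser:
    username: str
    real_name: str = ""
    email: str = ""
    groups: set = field(default_factory=set)


def ambiguous_values(attribute, directory=DIRECTORY):
    """Pre-check for the caution above: values of attribute shared by several users."""
    seen = {}
    for entry in directory:
        seen.setdefault(entry[attribute], []).append(entry["sAMAccountName"])
    return {value: logins for value, logins in seen.items() if len(logins) > 1}


def map_directory_user(windows_login, mapping_attr="sAMAccountName", directory=DIRECTORY):
    """Return (onbase_username, entry) for the logged-in Windows user.

    The OnBase user name is the value of mapping_attr on that user's entry
    (sAMAccountName by default). A value shared with another entry is refused,
    since it would map several Active Directory users onto one OnBase account.
    """
    entry = next((e for e in directory if e["sAMAccountName"] == windows_login), None)
    if entry is None:
        raise LookupError(f"{windows_login} not found in the directory")
    value = entry[mapping_attr]
    if value in ambiguous_values(mapping_attr, directory):
        raise ValueError(f"{mapping_attr}={value!r} is not unique; refusing to map")
    return value, entry


def matching_groups(domain_groups, onbase_groups):
    """Match names regardless of case (AdminUsers == adminusers); return OnBase spellings."""
    by_fold = {g.lower(): g for g in onbase_groups}
    return {by_fold[g.lower()] for g in domain_groups if g.lower() in by_fold}


def auto_logon(windows_login, onbase_users, onbase_groups, mapping_attr="sAMAccountName",
               authentication_only=False, sync_attributes=False, remove_unmatched=()):
    """Apply the logon-time rules to onbase_users (a dict, mutated in place).

    onbase_groups: names of the OnBase User Groups that exist.
    remove_unmatched: groups with 'Remove users from this group if no matching
    domain group found' enabled.
    """
    username, entry = map_directory_user(windows_login, mapping_attr)
    user = onbase_users.get(username)
    if user is None:
        if authentication_only:
            # no account is created; an administrator must add it by hand
            raise PermissionError(f"{username} does not exist in OnBase")
        # new account: real name, e-mail and matching groups come from the domain
        user = OnBaseUser(username, entry["cn"], entry["mail"])
        user.groups = matching_groups(entry["memberOf"], onbase_groups)
        onbase_users[username] = user
        return user
    if sync_attributes:
        # a value deleted in the directory does not clear the OnBase attribute
        user.real_name = entry["cn"] or user.real_name
        user.email = entry["mail"] or user.email
    if not authentication_only:
        user.groups |= matching_groups(entry["memberOf"], onbase_groups)
        domain = {g.lower() for g in entry["memberOf"]}
        for group in list(user.groups):
            if group in remove_unmatched and group.lower() not in domain:
                user.groups.discard(group)
    return user
```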

ENABLING AUTOLOGON

The OnBase Client, Web Client, Java Web Client, and Desktop can all be configured to enable autologon.

OnBase Client

To enable autologon in the OnBase Client, append the -AL command line switch to the OnBase Client.

Web Client

To enable the Web Client for NT or LDAP Authentication, you must set the EnableAutoLogin key of the OnBase web server’s Web.Config file to true:

<add key="EnableAutoLogin" value="true"/>

This attribute is automatically set to true if you installed the OnBase web server with NT/LDAP Authentication enabled. If this value is set to false, the Web Client and any modules that access OnBase via the OnBase web server use standard OnBase authentication. User accounts must be configured in OnBase for any users who have to log in in this way.

Tip: See also Additional Settings for the OnBase Web Server on page 33.

Multiple Sites Configuration

If you need some modules to use NT or LDAP Authentication and others to use standard OnBase authentication to log in, two instances of the OnBase web server must be installed to different virtual directories (e.g., http://web-server/AppNet1 and http://web-server/AppNet2). One instance of the OnBase web server is then configured with the EnableAutoLogin value set to true, meaning the NT or LDAP method configured for the data source is used to log in, while the other has it set to false, meaning standard OnBase authentication is used to log in, regardless of the NT/LDAP configuration.

Note: If this value is set to false, user accounts must be configured in OnBase for any users who have to log in using standard OnBase authentication.

The modules are then configured to access OnBase using the appropriate OnBase web server for the desired authentication method. Both OnBase web servers can still connect to the same data source and will work together as one system.

Java Web Client

When NT authentication is used with the Java Web Client, the logon behavior varies depending on the user’s browser and platform. The following table describes the expected automatic logon behavior for each browser and platform when the user who logged on to the computer has permission to access the Web Server virtual directory.

Mac

• Internet Explorer: N/A

• Firefox: The user is prompted twice for credentials: once by the browser, and once by the Java Runtime Environment (JRE).

• Safari: The user is prompted once for credentials by the Java Runtime Environment (JRE).

Windows

• Internet Explorer: Automatic and interactive logon behave the same as they do in the OnBase Web Client.

• Firefox: The user is prompted once for credentials by the browser.

• Safari: N/A

Complete the following steps to prevent Firefox browsers from prompting users for credentials on either Mac OS X or Windows. When using Firefox on Mac OS X, users will still be prompted once for credentials by the JRE.

1. From an open Firefox window, type about:config into the address bar.

2. Locate the following settings: network.automatic-ntlm-auth.trusted-uris (for NTLM) and network.negotiate-auth.trusted-uris (for Kerberos). To quickly locate these settings, type auth in the Filter field provided.

3. Modify these settings by adding a comma-delimited list of trusted servers. When a user accesses the Java Web Client on these servers, the browser will not prompt the user for credentials.

4. Restart Firefox. If the user who logged on to the computer has permission to access the Web Server virtual directory, the browser will not prompt the user for credentials.

To allow Mac users to log on using NT authentication, additional steps may be required. If you encounter the error “HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials,” see the Microsoft KB article located at the following URL: http://support.microsoft.com/kb/871179

Desktop

When using the Desktop, authentication credentials are encrypted before they are passed over HTTP from the Desktop to the server.

NT or LDAP authentication is supported in the Desktop by selecting the Domain Security installation option in the Hyland Client Components installer when the Desktop is installed. No further configuration is needed.

Note: NT or LDAP Authentication must already be configured for the datasource before installing the Desktop with the Domain Security option selected.

When connecting to OnBase using the Desktop on a computer that is not connected to a domain, LDAP Authentication can be used to log in as long as it is configured to use Interactive Authentication and the Restrict Autologon to Windows User in Trusted Domains option is not selected. If the client machine is not connected to a domain, LDAP with autologon is not supported. NT Authentication always requires that the client machine is connected to a domain.

The Desktop also respects the Interactive User Authentication check box option for Core Services (see Interactive User Authentication on page 25). Select this option to prompt users for authentication credentials in order to log in to the Desktop.

If Interactive User Authentication is not selected, users are not prompted for authentication credentials and are automatically logged in to the Desktop, as long as the following Windows registry key exists and has the correct value:

HKEY_LOCAL_MACHINE\SOFTWARE\Hyland\DMDesktop\NTAuthenticationDatasource

Note: For 64-bit systems, this registry key is: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Hyland\DMDesktop\NTAuthenticationDatasource

This registry key must be created manually. Set the type to String (REG_SZ) and set the value to the ODBC datasource name for OnBase.

Caution: Changes to the Windows registry can damage your system if they are done incorrectly. Ensure you add or update only this registry key when enabling autologons. Contact your first line of support for further information or assistance.

See also Additional Settings for the OnBase Web Server on page 33 for additional configuration settings.

INTEGRATION FOR SINGLE SIGN ON WITH NT OR LDAP AUTHENTICATION

Integration for Single Sign On can be used with NT or LDAP authentication. To use Integration for Single Sign On with NT/LDAP, set both the EnableAutoLogin and forceSSOAutoLoginOverDomain web.config settings to true. The settings are described below.

EnableAutoLogin

EnableAutoLogin - Set this value to true to use Windows NT Security, Novell Security, or LDAP Security if one of these network security options is enabled in OnBase Configuration. Set to true also when using Integration for Single Sign-On. Set this value to false to use Normal System Security regardless of your network security option. When using Integration for Single Sign-On, set this value to false if bypassing the Single Sign-On security is required. When doing this, a user can log into OnBase using any valid username and password on any workstation.

forceSSOAutoLoginOverDomain

forceSSOAutoLoginOverDomain - works with autologon when the database is configured for NT/LDAP authentication but the desired configuration for the virtual directory is Single Sign-On autologon, not NT/LDAP. The module’s EnableAutoLogin setting must be set to true.

Set forceSSOAutoLoginOverDomain to true to ignore the database domain authentication settings and use OnBase authentication when logging in. The autologon (enabled by EnableAutoLogin), combined with the use of OnBase authentication over domain authentication, causes Single Sign-On to retrieve user credentials from the Single Sign-On provider (SAP, PeopleSoft or SiteMinder, for example). This creates an autologon using Single Sign-On.

This allows the virtual directory to ignore the NT/LDAP settings in the database and always use OnBase authentication (username/password OR Single Sign-On). If Single Sign-On is configured on the virtual directory and autologon is enabled, users will be able to automatically log on to OnBase via Single Sign-On. A separate virtual directory can be configured with forceSSOAutoLoginOverDomain set to false to log in users automatically via NT/LDAP.

Note: This setting is intended for VPN usage.

ADDITIONAL SETTINGS FOR THE ONBASE WEB SERVER

When using NT or LDAP Authentication with the OnBase web server, the AllowNTAuthenticationOnForwarding attribute in the web.config file of the OnBase web server must be set to TRUE. If NT/LDAP authentication is configured for the OnBase web server during its installation, this attribute is already set to TRUE.

When using NT/LDAP Authentication with the Desktop or the Web Client, you must make sure anonymous access to the virtual directories for the OnBase web and application servers is disabled. This is disabled by default when the servers are installed, if you select to use NT/LDAP Authentication during installation. When Anonymous Access is disabled, the servers must be added as trusted sites (see below).

Note: Anonymous access to the web server and application server virtual directories should be enabled when Interactive User Authentication is enabled.

Setting Access to the Application Pools

To use NT Authentication, it is recommended that access to the application pools is set to use the Network Service account and that the applications running in the application pool are configured to use impersonation. The impersonation account should be a member of the Account Operators group (i.e., have the Account Operator right).

Note: Depending on the network configuration, the application pools need multiple rights to get group information for a user from all relevant domains. In most situations the Account Operators group has sufficient rights to perform this task. Your network administrator can determine a viable alternative to the Account Operators group if it lacks sufficient rights.

To assign a user to the application pools:

1. Click Start, then right-click My Computer and select Manage to enter the Computer Management console.

2. Click the plus sign next to Services and Applications.

3. Click the plus sign next to Internet Information Services.

4. Click the plus sign next to Application Pools.

5. Select the Application Pool that the OnBase virtual directory you are configuring uses (AppNet is the default virtual directory for the OnBase web server; AppServer is the default virtual directory for the application server).

6. Right-click and select Properties.

7. Click the Identity tab.

8. Select the Configurable radio button.

9. Enter the User name and Password for the user you want this application pool to use.

10. Click OK.

11. Select File | Exit to exit Computer Management.

Repeat this process for both the OnBase web and application servers, if both servers are installed.

Adding the Web Server as a Trusted Site

OnBase products that rely on the Web Server work best when the Web Server is added to Internet Explorer’s Trusted Sites. To add your server as an Internet Explorer Trusted Site, perform the following steps:

1. Go to Tools | Internet Options, and click on the Security tab.

2. Click Trusted sites. Click the Sites button to display the Trusted sites dialog box.

3. Type the URL of your Web Server into the field labeled Add this Web site to the zone. Click Add, and the Web Server address will show up in the list in the Web Sites window.

Certain features of OnBase will exhibit unusual behavior if your Web Server is not listed under Trusted Sites. For example, when you create a new envelope, the header bar may display VBScript instead of Create New Envelope, due to security restrictions imposed on sites which are not in the list.

Setting Automatic Logon in Internet Explorer

1. From the Security tab in the Internet Options dialog, ensure that Trusted sites is the selected web content zone.

2. Click the Custom Level... button in the Security level for this zone box to open the Security Settings dialog.

3. Scroll down to the bottom, and under User Authentication, ensure that Automatic logon with current username and password is selected.


INSTALLATION

The Network Security module is natively available in OnBase. To access it, simply append the -ROMANZO switch to the Configuration module executable before launching it.

Caution: Before using features enabled by the -ROMANZO switch, ensure that you understand the feature and implications of any changes to your system. Contact your service provider with any questions regarding these features. Features enabled by the -ROMANZO switch should not be made available to the casual user. Remove the -ROMANZO switch after completing necessary actions.

REQUIREMENTS

LDAP Directory Service

For LDAP Authentication, the directory service software must be compatible with LDAP version 3.

About Virtual Environments

Hyland Software develops, tests, and supports the OnBase suite of products on specific Operating Systems, not specific hardware configurations. When OnBase is operated in a virtual environment (such as Citrix, VMware, Hyper-V, or Windows Remote Desktop) there may be limitations or subtle differences imposed by the environment. The customer and the virtual environment vendor are responsible for any interactions or issues that arise at the Hardware or Operating System layer as a result of their use of a virtual environment.

When it appears that an OnBase performance-related issue is either caused by (or is unique to) the virtual environment, organizations may be asked to validate that the issue occurs in a non-virtual environment. Hyland Software will make this request if there is reason to believe that the virtual environment is a contributing factor to the issue.

Each OnBase site is unique. Hyland Software depends on the customers who deploy OnBase in virtual environments to do so only after careful design and adequate planning (that takes into account the workloads of your organization), and in accordance with recommendations provided by the virtual environment’s vendor. As with any implementation, Hyland Software strongly recommends that any customer deploying an OnBase solution in a virtual environment thoroughly test the solution before putting it into production.

For information about using OnBase in a Citrix and Microsoft Windows Remote Desktop environment, please see the OnBase in a Citrix and Microsoft Windows Remote Desktop Environment reference guide, available from your solution provider.

64-Bit Support Statement

The OnBase suite of products is tested on 64-bit systems and is capable of being deployed on 64-bit systems using the Windows 32-bit on Windows 64-bit Emulator (WOW64) layer. However, OnBase modules that integrate with third-party applications may not be able to be used with the 64-bit versions of these applications. For these modules, only the 32-bit versions of these third-party applications are currently supported by the OnBase integrations. Consult the module-specific requirements section in each module reference guide for complete requirements details.

Supported database versions that are deployed on a 64-bit database server are also supported. For more information, contact your solution provider.

Windows User Account Control Statement

Hyland Software is dedicated to ensuring that OnBase is compatible with Windows User Account Control (UAC). UAC is a feature of Windows operating systems that was introduced with Windows Vista. It limits the ability of standard users to make global system changes to a workstation and prevents malicious software from making unauthorized changes to protected areas.

For details on UAC, refer to your Microsoft support information or see http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx.

You may encounter UAC in OnBase when:

• Installing or uninstalling OnBase, an OnBase module, or OnBase ActiveX controls.

• Copying, moving, or saving files to the Program Files directory, Windows directory, or another protected location.

• Modifying system-wide settings, such as the registry.

If Windows UAC is enabled, the above operations will prompt for administrator privileges, even if an administrator is currently logged on.

Data Execution Prevention (DEP)

Data Execution Prevention, or DEP, is a Windows feature that prevents execution of code from places where it should not be executed. DEP was introduced with the release of SP1 for Windows Server 2003 and SP2 for Windows XP. DEP is also included with Windows Vista, Windows Server 2008, and Windows 7. Two kinds of DEP may be present on any system running these operating systems: DEP software and hardware-based DEP. Each type of DEP prevents a different type of undesired code execution. DEP software is contained in all Windows operating systems (of the above-listed versions and later) by default. Hardware-based DEP, or computer-hardware enforced protection, requires a processor that will support hardware-based DEP. Processors that support hardware-based DEP do so through a set of instructions on the processor that implement the hardware protection. Hardware-based DEP is only used in Windows when such a processor is present.

If there is an issue with OnBase as a result of DEP, make sure an exception for OnBase has been created in your DEP settings.

Determining DEP Settings

The following instructions will help you determine whether DEP settings need to be adjusted on your system:

1. Log on to your operating system with administrator rights.

2. Click the Start button. Right-click on My Computer and select Properties. The System Properties dialog box displays.

3. Select the Advanced tab.

4. Select the Settings button in the Performance section. The Performance Options dialog box displays.

5. Select the Data Execution Prevention tab.

When configuring DEP, two options are present to choose from: Turn on DEP for essential Windows programs and services only and Turn on DEP for all programs and services except those I select. The first option is selected by default for Windows XP and Vista operating systems. The second option is selected by default in Windows Server 2003 operating systems. When DEP is only turned on for essential Windows programs and services, OnBase will perform normally. However, when Turn on DEP for all programs and services except those I select has been chosen, and hardware-based DEP is enabled, exceptions need to be configured to exempt OnBase from DEP.

Note: Text at the bottom of the Data Execution Prevention tab will indicate whether hardware-based DEP is supported on your system.

Configuring Exceptions to DEP Settings

To configure exceptions to DEP settings:

1. In the Data Execution Prevention tab, the Turn on DEP for all programs and services except those I select option should be already selected.

Caution: Do NOT select this option if it is not already selected. Selecting this option enables a higher DEP security level, which could potentially cause issues with other applications on your system.

2. Click Add...

3. Browse out to the location of your OnBase Configuration and/or Client executable files. Click Open.

Note: The location of the executables must be full paths.

4. Selected applications will display in the exceptions list.

If you continue to experience problems, consult your service provider.

INI File

INI files (initialization files) are plain-text files that contain configuration information. These files are used by Windows and Windows-based applications to save and access information about your preferences and operating environment. OnBase uses an initialization file named onbase32.ini. If a user does not have rights to access the onbase32.ini file, that user will be unable to use the Client or Configuration modules.

The onbase32.ini file is primarily used to store settings specified in the Client or Configuration module. For example, when a user selects a default data source in the OnBase Client’s Workstation Options dialog box, this selection is saved to the onbase32.ini file. The onbase32.ini file is also used to make modifications to OnBase modules that cannot be made through the module’s interface.

Previous File Location/File Name

Every version of the OnBase Client prior to 8.2.0 used an INI file named OnBase.ini. In OnBase 8.2.0 and subsequent versions, the INI file was moved to a new location to be consistent with changes Microsoft has made to Windows. Since the location has changed, the name of the file has also been changed to alleviate some confusion between the needs of OnBase 8.2.0 and installations of older executables. The new file name is onbase32.ini.

Location

The table below shows the default location of the onbase32.ini for supported operating systems.

Operating System Default Location

Windows XP C:\Documents and Settings\All Users\Application Data\Hyland Software

Windows Server 2003 C:\Documents and Settings\All Users\Application Data\Hyland Software

Windows Vista C:\ProgramData\Hyland Software

Windows Server 2008 C:\ProgramData\Hyland Software

Windows Server 2008 R2 C:\ProgramData\Hyland Software

Windows 7 C:\ProgramData\Hyland Software

Note: To maintain backwards compatibility with previous versions of OnBase, OnBase will check the workstation’s C:\Windows folder for the OnBase INI file if it is not found in the folder specified above. If the OnBase INI file is found in the C:\Windows folder, OnBase will copy the file to the new location. The previously-existing version of the OnBase INI file will remain in the C:\Windows folder, but will no longer be used by OnBase.

Your onbase32.ini file may reside in a different location, if that location is specified by the following command line switch on the OnBase Client shortcut target:

-INIFILE="full path\filename"

where full path and filename are replaced by the specific path and file name. If this command line switch is not used and you move or rename your onbase32.ini file, OnBase will recreate the file in the default folder and ignore the newly created file.

INI Considerations in a Citrix and Microsoft Windows Remote Desktop Environment

In remote desktop environments, a remote session is established in which the user is running applications that are not installed locally. This presents a challenge when an application, such as OnBase, requires a user-specific INI file to establish unique settings. In a remote desktop environment, you must ensure that each user has a single, unique INI file to make sure any user-specific settings are consistent for that user.

Note: The default location of the OnBase INI file is not unique in a remote desktop environment.

To ensure that the INI file is accessible by OnBase and unique to each user in a remote desktop environment, the -INIFILE command line switch must be applied to the OnBase Client shortcut and be set to a unique location for the INI file.
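As an added example (not Hyland's code), the following PowerShell logon-time script carries out the steps above for one user: it creates a per-user folder, seeds a private onbase32.ini, restricts the folder's ACL to that user, SYSTEM and Administrators, and writes a Client shortcut carrying -INIFILE. The Client executable path and the choice of %LOCALAPPDATA% as the unique location are assumptions; use whatever per-user folder your session-host design provides (a home drive, for example). The switch is written without the space after the equals sign shown in the template above; keep whichever form your installation documents. Locking the ACL matters because, without it, other users on the same session host could read or alter this user's settings.

```powershell
# Added example, not from the Hyland guide. Run as the user who will launch the
# Client (e.g. from a logon script) so the folder, ACL and shortcut are that user's own.
# Assumptions: the Client executable path and %LOCALAPPDATA% as the per-user location.
$ClientExe    = 'C:\Program Files (x86)\Hyland\OnBase Client\obclnt32.exe'
$IniDir       = Join-Path $env:LOCALAPPDATA 'Hyland Software'
$IniPath      = Join-Path $IniDir 'onbase32.ini'
$SharedIni    = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Hyland Software\onbase32.ini'
$ShortcutPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'OnBase Client.lnk'

# 1. Per-user folder.
if (-not (Test-Path -LiteralPath $IniDir)) { New-Item -ItemType Directory -Path $IniDir | Out-Null }

# 2. Seed from the shared default copy so workstation settings carry over (assumption:
#    the shared file holds the desired baseline). Otherwise start with an empty file.
if (-not (Test-Path -LiteralPath $IniPath)) {
    if (Test-Path -LiteralPath $SharedIni) { Copy-Item -LiteralPath $SharedIni -Destination $IniPath }
    else { New-Item -ItemType File -Path $IniPath | Out-Null }
}

# 3. Lock the folder down: this user, SYSTEM and Administrators only, nothing inherited.
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl -LiteralPath $IniDir
$acl.SetAccessRuleProtection($true, $false)            # stop inheriting, drop inherited ACEs
$acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }   # drop explicit ACEs
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
foreach ($id in @($me, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $id, 'FullControl', $inherit, 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $IniDir -AclObject $acl

# 4. Shortcut with the switch; the path is quoted because it contains spaces.
$shell = New-Object -ComObject WScript.Shell
$lnk = $shell.CreateShortcut($ShortcutPath)
$lnk.TargetPath       = $ClientExe
$lnk.Arguments        = "-INIFILE=`"$IniPath`""
$lnk.WorkingDirectory = Split-Path -Parent $ClientExe
$lnk.Save()

# 5. Verify: the shortcut carries the switch, the file exists, and this user can write it.
$lnkArgs = $shell.CreateShortcut($ShortcutPath).Arguments
if ($lnkArgs -notmatch '^-INIFILE="(.+)"$') { throw "Switch missing from shortcut: $lnkArgs" }
$target = $Matches[1]
if (-not (Test-Path -LiteralPath $target -PathType Leaf)) { throw "INI not found: $target" }
try { [IO.File]::Open($target, 'Open', 'ReadWrite', 'None').Close() }   # fails if locked or read-only
catch { throw "Current user cannot write $target : $_" }
"Per-user INI in place: $target"
```

Run the script once per user at logon rather than once per session host, since the ACL and shortcut are tied to the individual account; the same pattern applies to a published-application shortcut in Citrix, where the -INIFILE argument is set on the published command line instead of a desktop .lnk.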

Note: Additional details regarding the deployment of OnBase in a remote desktop environment are provided in the OnBase in a Citrix and Microsoft Windows Remote Desktop Environment module reference guide, available from your first line of support.


Editing the INI File

Users with the Configuration Product Right can open the onbase32.ini file from the OnBase Client by selecting Admin | Utilities | Edit INI File. When multiple onbase32.ini files exist, opening the onbase32.ini file from the OnBase Client ensures that a user is editing the correct onbase32.ini file instance. In most cases, this will be the onbase32.ini file residing in the default directory described above. If an alternate location for the onbase32.ini file is specified by the -INIFILE command line switch, the file in the specified location will be opened.

TROUBLESHOOTING

LDAP/NT authentication errors and messages are written to the LDAP/NT Authentication tab of the Diagnostics Console. See the Diagnostics Service and Diagnostics Console module reference guide for details on using the Diagnostics Console.

The following sections describe common problems and their solutions.

HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials

This is a known issue when using IIS 6.0. It typically occurs when the Web site uses Integrated Windows authentication and its application pool runs under a domain account for which no HTTP service principal name (SPN) has been registered, so Kerberos authentication fails. See Microsoft technical article 871179 at http://support.microsoft.com/kb/871179 for more information.

(Autologin) No matching usergroups were found, access denied

This error message may be displayed when attempting to automatically log on to the OnBase Client using LDAP authentication with Microsoft Active Directory. The cause is usually incorrect settings in Configuration for the User and User Group mappings. It is a best practice to use the suggested values for the mappings, as outlined in Configuration under User Mapping on page 17 and Group Mapping on page 18. If your system is already configured with the suggested values and this error is still encountered, please contact your first line of support for additional assistance.

CONTACTING SUPPORT

When contacting your solution provider, please provide the following information:

• The OnBase module where the issue was encountered.

• The OnBase version and build (Example: 11.0.0.571) and/or the Core Services version and build (Example: 11.0.0.6).


• The type and version of the connected database, such as Microsoft SQL Server 2008 or Oracle 11g, and any Service Packs that have been installed.

• The operating system that the workstation is running on, such as Windows XP or Windows Server 2008, and any Service Packs that have been installed. Check the supported operating systems for this module to ensure that the operating system is supported.

• The name and version of any application related to the issue.

• The version of Internet Explorer, and any Service Packs that have been installed, if applicable.

• A complete description of the problem, including actions leading up to the issue.

• Screenshots of any error messages.

Supplied with the above information, your solution provider can better assist you in correcting the issue.
