There are two IIS authentication scenarios for which the software can be configured:
-
Anonymous Authentication - can be used for running all server-side processes, in which case these are the only SDx/IIS users. This is the default configuration.
-
Integrated Windows Authentication - passes client user credentials to the server to be used by IIS to run server-side processes, making all domain users SDx/IIS users.
The Windows Authentication server feature must be installed on the application server in order to enable IWA.
Enabling Integrated Windows Authentication (IWA) as the authentication method for a server site would use domain user accounts to authenticate internal services, such as Business Intelligence reports or other components, such as the License Service.
If you want to use integrated Windows Authentication on a license server, you must set the type of security to use for your license server site. For more information, see Configure integrated Windows Authentication (IWA) for the license server.
Enable Integrated Windows authentication (IWA)
-
Select a site in the tree view, and click Tools > Enable Integrated Windows Authentication.
-
Set the application pool identity to a domain user or a local user.
This user will be added to the SPFUsers group so that it will have permissions to run the SDx Server application pools.
To enable Windows Authentication, your HxGN SDx application pool identity must be set to a domain user or a local user account that is a member of the SPFUsers group on that server.
Disable Integrated Windows authentication (IWA)
-
Select a site in the tree view, and click Tools > Disable Integrated Windows Authentication.
-
Select the option required to set the application pool identity:
-
Set the application pool identity back to the default Server Manager user settings.
For example, when you create a site, Server Manager creates an application pool with a local user as the application pool identify. So, if you name the server SPF2019, by default Server Manager creates an application pool named SPF2019 with a default local user named SPF2019. The default application pool identity in this example is the local user SPF2019.
-
Keep the existing domain user as the application pool identity, but the user must be in the SPFUsers group.
-
Set the application pool identity to the local user you specify.
-
Manually enable Integrated Windows authentication (IWA)
You need to perform the following actions on your SDx Server virtual directory in IIS:
The Tools > Enable Integrated Windows Authentication command automates this procedure.
-
Manually set the application pool identity to a domain user or local user in the SPFUsers group.
-
Set Anonymous Authentication setting to Enabled (all others disabled).
-
Set the ServerRequest.asmx setting to IWA Enabled (all others disabled).
-
Set the Ping.html setting to IWA Enabled (all others disabled).
-
Set the SPFBaseService.asmx setting to IWA Enabled (all others disabled).
-
Set the SPFGeneralService.asmx setting to IWA Enabled (all others disabled).
-
Set the SPFService.asmx setting to IWA Enabled (all others disabled).
-
Set NTLM as the top provider in Windows Authentication.
If you are using the Intergraph Authorization Server (which was discontinued as of Update 23), you must also edit the Authentication web.config file and set the EnableCookieAuthentication setting to False. This does not need to be performed if you are using any other authorization server.