Intelledox

Windows Authentication

Windows Authentication uses Windows Active Directory to authenticate and authorize users into the Infiniti platform. User credentials are automatically retrieved based on who the user has logged onto the machine as they are not prompted for a username or password.

Windows authentication automatically retrieves profile information such as their name and email address and also subscribes (and unsubscribes) to groups automatically authorizing access to particular forms and where appropriate administrative features.

End users must belong to the same domain as the Infiniti web server, or to a trusted domain.

Appropriate AD groups need to be added to Infiniti before users hit the site so that users can be authorized as needed by the business. For example

  • Give the 'Domain_Admins' group Global Administrator privileges
  • Give the 'Internal_HR' group access to the onboarding and exit forms.

How to Enable Windows Authentication

By default Infiniti Installations use Forms Authentication as the licensing and an administrator group must be configured before windows Authentication can be configured.

Step 1 - Identify and configure and Active Directory Infiniti administrator group.
When the first user (usually a server administrator) attempts access, Infiniti needs to assign them permissions so they can access appropriate functions. If this step is not completed users will not be able to actually do anything post authentication. Use the article below to configure an external group.

Step 2 Modify Produce and Manage web.Config Files

  • From the Infiniti Web server open the Produce web.config file (usually similar to c:\inetpub\wwwroot\Infiniti\Produce\web.config)
  • Find the 'authentication' element
  • Modify the mode attribute to 'Windows' as in the example below:**
    ...
    <authentication mode="Windows" />
    <membership>
      <providers>
        <clear />
      </providers>
    </membership>
    ...
  • Save changes
  • Repeat for Manage's web.config file.

Tip: Start with Produce

It is possible to isolate windows authentication to the Produce application only to test configuration settings. Thus, if any configuration needs modifying in manage it is possible to make changes under forms authenticaiton.

Step 3 Configure IIS

  • From the web server IIS, expand the connections tree until the Manage Application appears.
  • Double-click the Authentication Icon.
  • Ensure Windows Authentication is the only item enabled.

Step 4 - Optional appSettings.json setting configuration
The following optional settings can be configured to suit the environment where necessary.

  • From the Infiniti Web server open the Manage web.config file (usually similar to c:\inetpub\wwwroot\Infiniti\Manage\appSettings.json)
  • Add and configure and Authentication object as per the table and example below
Setting
Description
Example Setting

NestedGroups

Controls whether the groups, the user is a member of, are checked to see if they are a member of any other group. This can be slow on some domains so when this option is off only the groups, the user is directly a member of, will be checked against Infiniti groups. The default is 'true'.

True/False

ADPath

This is setting overrides the default directory search path of "LDAP://mydomainname". The domain name used comes from the user's Windows credentials (Eg: companyName\user123). This might not be the correct or quickest place to perform AD queries, so use this setting to specify an alternate path.

LDAP://intelledox.local

KeepDomain

When set to True, accounts will be created in the format "domain\username." This attribute enables Multi-Domain support when usernames are not unique between domains. Default is false.

True/False

Logging

A logging mode where verbose logging information is written to the Infinti database useful for troubleshooting. Default is false.

True/False

{
  "AppSettings": {
    "PortalURL": "",
    "ProduceURL": "http://server/Produce/"
  },
  "ConnectionStrings": {
    "DefaultConnection": "Password=infiniti;Persist Security Info=True;User ID=infiniti;Initial Catalog=InfinitiDev;Data Source=server123",
    "DboConnection": "Password=infiniti;Persist Security Info=True;User ID=infiniti;Initial Catalog=InfinitiDev;Data Source=server123"
  },
  "Extensions": [
    "Intelledox.Extension.DatasourceBuiltin.OleDbDatasource, Intelledox.Extension.DatasourceBuiltin",
    "Intelledox.Extension.DatasourceBuiltin.SqlServerDatasource, Intelledox.Extension.DatasourceBuiltin",
    "Intelledox.Extension.DatasourceBuiltin.CsvDatasource, Intelledox.Extension.DatasourceBuiltin",
    "Intelledox.Extension.DatasourceBuiltin.OdbcDatasource, Intelledox.Extension.DatasourceBuiltin",
    "Intelledox.Extension.DatasourceBuiltin.RSSDatasource, Intelledox.Extension.DatasourceBuiltin",
    "Intelledox.Extension.DatasourceBuiltin.WebserviceDatasource, Intelledox.Extension.DatasourceBuiltin",
    "Intelledox.Extension.DatasourceBuiltin.XmlDatasource, Intelledox.Extension.DatasourceBuiltin",
    "Intelledox.Extension.DatasourceBuiltin.InfinitiDatasource, Intelledox.Extension.DatasourceBuiltin",
    "Intelledox.Extension.DatasourceBuiltin.JsonDatasource, Intelledox.Extension.DatasourceBuiltin",
    "Intelledox.Extension.DatasourceBuiltin.RestDatasource, Intelledox.Extension.DatasourceBuiltin"
  ],
  "Authentication": {
    "Settings": {
      "CookiePrefix": "",
      "Timeout": "30"
    },
    "Windows": {
      "KeepDomain": "False",
      "Logging": "False",
      "NestedGroups": "True",
      "ADPath": "LDAP://intelledox.local"
    }
  }
}

Step 5 Test

User Groups

A user's group memberships can be retrieved via a net user command.

net user yourUser /domain
net user johnd /domain

  • Ensure you are logged in as a user that is a member of the AD group created in step 1
  • Close all browsers to ensure any existing Infiniti Sessions are removed.
  • Open a new browser and navigate to Infiniti Manage or Produce.
  • You should be logged into Mange or Produce Home respectively.

User Profile Mapping

From V11, users will be able to setup user profile mapping in Manage >> Settings >> User Profile Mapping for Windows authenticated environments.

Infiniti’s windows identity provider will respond to the defined user profile mapping. The identity provider will try and match the field name in Infiniti to the corresponding field in the Active Directory. If the field does not exist in the AD the user property will remain empty and logging will indicate this failure when turned on.

Defined standard fields Username, First Name, Last Name and Email address are populated by default with the corresponding AD fields. These standard fields will be overwritten if a mapping field is defined.

Following is the example of error log displayed in Infiniti if the defined user mapping field is not present in the Active directory

WINDOWS AUTHENTICATION VALIDATE START
Domain: 'Domain'
Username: 'UserA'
DomainUser: 'UserA'
directoryPath: 'LDAP://Server.local'
GROUP QUERY (GroupA)
Filter: (&(ObjectClass=group)(sAMAccountName=GroupA))
Query: 14.96ms
PRIMARY GROUP SEARCH
filter '(objectSID=\01\05\00\00\00\00\00\05\15\00\00\00\46\f0\c8\3e\8e\0e\83\f8\4b\ea\4c\77\01\02\00\00)'
Query: 13.9624ms
AD user and matching Infiniti groups found
User mapping field: Phone not found. Please ensure that the User mapping corresponds to an Active Directory existing field.
User mapping field: Fax not found. Please ensure that the User mapping corresponds to an Active Directory existing field.
User mapping field: displayname found.

Logging and Troubleshooting

With the logging setting in step 4 above enabled. Logs can be retrieved from the Infiniti database using the following SQL query.

SELECT *
FROM EventLog
ORDER BY DateTime DESC

An example working log is provided below.

WINDOWS AUTHENTICATION VALIDATE START
Domain: 'INTELLEDOX'
Username: 'user123'
DomainUser: 'user123'
directoryPath: 'LDAP://intelledox.local'
USER PROFILE QUERY
Filter: (&(ObjectClass=person)(sAMAccountName=user123))
Query: 453.4937ms
GROUP QUERY (GroupX)
Filter: (&(ObjectClass=group)(sAMAccountName=Ix_GroupX))
Query: 31.2193ms
GROUP QUERY (GroupY)
Filter: (&(ObjectClass=group)(sAMAccountName=Email-GroupY))
Query: 0ms
GROUP QUERY (IxSupport)
Filter: (&(ObjectClass=group)(sAMAccountName=IxSupport))
Query: 15.6266ms
PRIMARY GROUP SEARCH
filter '(objectSID=\01\05\00\00\00\00\00\05\15\00\00\00\46\f0\c8\3e\8e\0e\83\f8\4b\ea\4c\77\01\02\00\00)'
Query: 22.1467ms
AD user and matching Infiniti groups found
WINDOWS AUTHENTICATION VALIDATE START
Domain: 'INTELLEDOX'
Username: 'user123'
DomainUser: 'user123'
directoryPath: 'LDAP://intelledox.local'
USER PROFILE QUERY
Filter: (&(ObjectClass=person)(sAMAccountName=user123))
Query: 453.4937ms
GROUP QUERY (GroupX)
Filter: (&(ObjectClass=group)(sAMAccountName=GroupX))
Query: 31.2193ms
GROUP QUERY (GroupY)
Filter: (&(ObjectClass=group)(sAMAccountName=GroupY))
Query: 0ms
GROUP QUERY (ChangedName)
Filter: (&(ObjectClass=group)(sAMAccountName=ChangedName))
Query: 15.6266ms
PRIMARY GROUP SEARCH
filter '(objectSID=\01\05\00\00\00\00\00\05\15\00\00\00\46\f0\c8\3e\8e\0e\83\f8\4b\ea\4c\77\01\02\00\00)'
Query: 12.0327ms
No matching Infiniti groups found

Windows Authentication


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.