If the InfoWorks Workgroup Server and all the clients are using Active Directory, it is possible to configure the Workgroup Server to perform authentication and authorization checks on connecting users. Authorization checks can be done at the server and database level.
Authentication is not available when using older clients. ICM 8.0, InfoNet 18.0 or WS Pro 2.0 or later are required.
By default, Authentication is enabled. Authentication will be attempted each time the client connects to the server. The authentication will be done for the user running the client software. It is not necessary or possible for the user to enter alternative credentials. Note that some products (e.g. ICM Live) have services that access the Workgroup Server.
By default, the server requires the authentication to succeed for the connection to succeed. This must be disabled if you wish older clients (ICM 7.5, InfoNet 17.5 or WS Pro 1.5 or earlier) to connect to the Workgroup Server. To do this, use the AuthMandatory keyword.
The authorization check controls which users can connect to the server or use a database. To enable authorization, the AuthRequiredSecurityGroup keyword is used to specify an AD group to which the connecting user must belong.
The AuthRequiredSecurityGroup keyword can be set to restrict access to the whole server by placing it in snumbat.ini and/or for each individual database by placing it in the master.ini for each database.
Errors and warnings generated by the Workgroup Server will be written to the Event Log or the log file. These can help with diagnosing any problems. Additional diagnostic information is available if the LogLevel is reduced to 1 or 0 and the output is set to be a file.
The following keywords may be specified in the snumbat.ini file to control authentication and authorization:
Keyword in snumbat.ini | Description |
---|---|
AuthType | Blank – No authentication is attempted. Negotiate – Authentication will be attempted when the client connects to the server (default). |
AuthMandatory | 0 – Client can still connect even if authentication fails. 1 – Client will not be allowed to connect if authentication fails (default). Note: This will prevent older clients which do not support authentication from connecting to this Workgroup Server. |
AuthRequiredSecurityGroup | Blank – No authorization check when connecting to server. Otherwise, the name of the AD security group to which the user must belong in order to be allowed to connect to this Workgroup Server. The client will not be able to connect to the server if authentication failed, if the user account does not belong to the specified AD group or if the group cannot be found. Note: This check will only be enforced if AuthMandatory is 1 or absent. |
The following keywords may be specified in a database master.ini to enable a database specific authorization check:
Keyword in master.ini | Description |
---|---|
AuthRequiredSecurityGroup | Blank – No authorization check when opening database. Otherwise, the name of the AD security group to which the user must belong in order to be allowed to use this database. The client will not be able to use the database if authentication failed, if the user account does not belong to the specified AD group or if the group cannot be found. |

Keyword in group.ini | Description |
---|---|
AuthRequiredSecurityGroup | Blank – No authorization check when accessing the database group. Otherwise, the name of the AD security group to which the user must belong in order to be allowed to use any database in the group (note that master.ini will take priority for a database) or create databases in the group. The client will not be able to use this database group if authentication failed, if the user account does not belong to the specified AD group or if the group cannot be found. |
The most common configurations of these settings would be either to allow full access without authentication, or to restrict access to all databases at the Workgroup Server level. To restrict all databases managed by a Workgroup Server you would use the following.
snumbat.ini:
```ini
AuthType=Negotiate
AuthMandatory=1
AuthRequiredSecurityGroup=AD Security Group WDS
```
To allow a mixture of unrestricted and restricted databases, you should make the Workgroup Server authentication optional and update the master.ini file for each database with restrictions.
snumbat.ini:
```ini
AuthType=Negotiate
AuthMandatory=0
```
For each restricted database group:
group.ini:
```ini
AuthRequiredSecurityGroup=AD Security Group DBGroup
```
For each restricted database (that is not using a group.ini setting):
master.ini:
```ini
AuthRequiredSecurityGroup=AD Security Group DB
```
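
The keyword interactions above can be checked before deployment. The following is an added example, not part of the product or its documentation: a small audit helper that reports which groups are actually enforced for one database. It assumes the three files contain plain `Keyword=Value` lines with exact keyword spelling, and that a blank or missing master.ini value falls back to group.ini; the function names are hypothetical.

```python
KEY = "AuthRequiredSecurityGroup"

def parse_ini(text):
    """Parse plain Keyword=Value lines; section headers and comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[name.strip()] = value.strip()
    return settings

def effective_access(snumbat_text, group_text="", master_text=""):
    """Return the groups actually enforced for one database, plus warnings."""
    server, group, master = (parse_ini(t) for t in (snumbat_text, group_text, master_text))
    warnings = []
    # Defaults from the keyword table: AuthType=Negotiate, AuthMandatory=1.
    if server.get("AuthType", "Negotiate") == "":
        warnings.append("AuthType is blank: no authentication is attempted")
    mandatory = server.get("AuthMandatory", "1") != "0"
    server_group = server.get(KEY, "")
    if server_group and not mandatory:
        # The server-level check is only enforced if AuthMandatory is 1 or absent.
        warnings.append("server-level group is set but not enforced (AuthMandatory=0)")
        server_group = ""
    # master.ini takes priority over group.ini for a database.
    # Assumption: a blank or missing master.ini value falls back to group.ini.
    if master.get(KEY):
        db_group, source = master[KEY], "master.ini"
    elif group.get(KEY):
        db_group, source = group[KEY], "group.ini"
    else:
        db_group, source = "", "none"
    if not mandatory and not db_group:
        warnings.append("database is unrestricted: clients that fail authentication can use it")
    return {"server_group": server_group, "database_group": db_group,
            "source": source, "warnings": warnings}

if __name__ == "__main__":
    # Constructed sample: server-level group combined with optional authentication.
    snumbat = "AuthType=Negotiate\nAuthMandatory=0\nAuthRequiredSecurityGroup=AD Security Group WDS\n"
    master = "AuthRequiredSecurityGroup=AD Security Group DB\n"
    for name, result in (("restricted db", effective_access(snumbat, "", master)),
                         ("other db", effective_access(snumbat))):
        print(name, result)
```

In the constructed sample the server-level group is silently unenforced because AuthMandatory=0, so any database without its own master.ini or group.ini setting is reported as unrestricted.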