Select Auto-login using integrated Windows authentication from the drop-down list and click Save

4. Ensure IIS is configured for integrated Windows authentication.

Using Windows Authentication

When Windows Authentication is configured as the login method for a repository, users with valid Windows credentials will either be prompted to enter their Windows credentials or automatically be logged in using these

credentials when they visit the Web Access page. You can configure login methods on the Web Access Configuration Page.

Configuring Web Access for Windows authentication

1. Configure your Laserfiche repository to accept Windows users for authentication.

In order for a Windows user to be able to log in using Windows Authentication, that user must be allowed access to the repository.

The Windows account can be granted access in a few different ways:

• The Windows account can be added directly.

• The Windows user can be associated with a Laserfiche user.

• The Windows group has been added to the Trusted Accounts list.

Laserfiche administrators can do this through the Laserfiche

Administration Console. The administrator must also configure Web Access to accept Windows credentials and pass them to the

Laserfiche server.

2. Ensure IIS is configured so users can automatically be logged in using Window authentication.

By default, IIS is configured to allow users to log in using their Windows credentials without any additional configuration.

However, if you are updating to a newer version of Web Access or have previously modified your IIS settings, follow the steps below to configure IIS for Windows authentication.

Note: Ensure the Windows Authentication feature is installed under Security on IIS 7 or IIS 8 to allow Windows users to automatically log in.

Tip: In IIS 7, IIS 8, or IIS 8.5, you will need to have Windows Authentication first installed under IIS, Security before you can enable it.

1. Open Internet Information Services (IIS) Manager. You can find it under Administrative Tools in the Start Menu in Windows 7 or machines with server operating systems like Windows Server 2003 or Windows Server 2008.

2. Select the Web Access virtual directory. By default, this will be namedLaserfiche and located under Default Web Site in the Web Sites folder.

3. If you are using IIS 7, IIS 7.5, IIS 8, or IIS 8.5:

• Double-click on Authentication in the center pane.

• In the Authentication Configuration Pane, enable Windows Authentication. If you do not see a Windows Authentication option, check to see whether the Windows Authentication feature is installed on your copy of IIS.

Note: The Web Access application runs as the application pool user. This user requires read and write access to the tempDirectory and

cacheDirectory and read access to the Config subfolder inside the Web Files folder of the Web Access installation folder. Access to these specific files is configured for you during the Web Access installation.

3. If the Laserfiche Server and Web Access are installed on different machines, and you want to log in using Windows Authentication, you have three options:

• Option 1: You can configure Kerberos to enable users to log in using Integrated Windows authentication. Users will never be prompted to provide credentials, as the browser will

automatically authenticate and log them in. This method requires knowledge and setup of Kerberos.

• Option 2: You can configure Basic Authentication to enable users to log in by providing Windows credentials to the browser.

If the user's first login attempt is successful, all future login attempts will not prompt for credentials until the session times out. This method requires knowledge and setup of Basic

Authentication.

• Option 3: You can configure Web Access to enable users to log in by providing Windows credentials to the Web Access Login Page. Users must manually provide credentials each time they want to log in. Since this method requires no knowledge or setup of Kerberos or Basic Authentication, it is the method we

recommend.

Tip: When using Option 2 or 3, credentials are passed in plaintext. As a result, these methods should never be used without also using SSL.

Configuring Kerberos

Kerberos support enables Windows authentication to fully function when Web Access and the Laserfiche Server are installed on different computers.

Kerberos allows authentication information to be delegated from the computer hosting Web Access to the computer hosting Laserfiche Server. For more information on enabling Kerberos for Windows authentication, see the

Enabling Kerberos Support for Windows Authentication Knowledge Base article and/or the Setting Up Kerberos for Web Access 8 on IIS 7 white paper.

Configuring SSL and Basic Authentication

Basic authentication can be used as an alternative to Kerberos to allow information to be delegated from the computer hosting Web Access to the computer hosting the Laserfiche Server. This authentication method allows the application to run as the browser user, provided the browser user provides correct Windows authentication.

These Windows credentials are transmitted in plain text, which means the web server does not need to use Kerberos to authenticate into a separate machine. Because the credentials are sent from IIS to Web Access in plain text, this method should never be used without also using SSL to protect the password.

Configuring Basic Authentication

To configure Basic Authentication on the machine hosting the Web Access server (IIS):

IIS 6 (Windows Server 2003)