FH Web Authentication Options


Standard Authentication

Standard authentication is the default method for authenticating users on an FH Web Edition Host. Standard authentication allows users to sign in to FH Web Edition via the Sign In dialog by supplying their user name and password. Once authenticated, users are added to the host's INTERACTIVE group and given the same access rights as if they had signed in to the host at its console.

To Enable Standard Authentication

 

Client-Side Password Caching

Client-side password caching allows users who are not members of the FH Web Edition Host's domain to sign in to FH Web Edition without having to enter their user name and password every time they connect to the server. When Cache password on the client is enabled, the Sign In dialog includes a Remember me on this computer checkbox. If the user enables this, after the first manual authentication, the user's logon credentials are encrypted on the host using the SYSTEM account context, transmitted over the network, and stored on client computers in user-private directories. When the user makes subsequent connections to the server, the cached password is transmitted back to the host, where it is decrypted using the SYSTEM account context. The Sign In dialog is displayed with the user name and password and with Remember me on this computer checked. If the user disables the Remember me on this computer option, the user's credentials will be deleted from the client computer.

To Enable Client-Side Password Caching (Standard Authentication Only)

On most platforms, the cached password is stored in the user's home directory in a .dat file named for the FH Web Edition Host.

 

Integrated Windows Authentication

Integrated Windows authentication allows users to connect to an FH Web Edition Host and start a session without having to sign in to the host and re-enter their user name and password. When Integrated Windows authentication is the only option enabled, the user's user name and password are never transmitted over the network. Instead, FH Web Edition simply runs the user's session in the same security context as the FH Web Edition Client.

Users are added to the host's NETWORK group instead of its INTERACTIVE group. As a result, they may be denied access to some resources. When users connect to an FH Web Edition Host using Integrated Windows authentication, they are able to access most of the same resources on the host that they would be able to access if they signed in to the host interactively. However, depending on the authentication protocols supported by the client's and host's operating systems and the network, when users access resources that reside on other computers on the network they might be required to re-enter their user name and password. If network resources are unable to request a user name and password, access might be denied.

In order to access other computers on the network, the Active Directory must be configured to allow authentication credentials to be passed to other computers. Microsoft refers to the right to pass authentication credentials to a third or more computers as "delegation." Delegation is supported by Windows 2000 or later on Active Directory networks with the proper settings. Please refer to your Microsoft Windows operating system documentation for instructions on properly configuring an Active Directory Domain Controller.

Windows NT Domains do not support delegation. When Integrated Windows authentication is enabled in this environment, users might not have access to resources that reside on other computers on the network.

To Enable Integrated Windows Authentication

 

Host Password Caching

A user who signs in to an FH Web Edition Host using Integrated Windows authentication is added to the host's NETWORK group. By default, members of the INTERACTIVE group have greater access to the host's resources than members of the NETWORK group. As a result, a user who signs in via Integrated Windows authentication may encounter "access denied" errors under a number of conditions.

Note: Areas restricted from members of the NETWORK group include DCOM (also known as OLE and COM/COM+) security limitations, file security limitations, and application-specific security checking. Administrators should verify that all resources (files, services, etc.) that Integrated Windows authenticated users need to access have the proper security settings to allow that access.
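When troubleshooting "access denied" errors, it helps to confirm which of the two groups a session's token actually carries. The following PowerShell is an added example, not part of the FH Web Edition documentation or product. It relies on the Windows well-known SIDs S-1-5-4 (INTERACTIVE) and S-1-5-2 (NETWORK); the function name and the sample SID lists are constructed for illustration.

```powershell
# Added example: classify a session by the logon-type group in its token.
# S-1-5-4 = NT AUTHORITY\INTERACTIVE, S-1-5-2 = NT AUTHORITY\NETWORK.
function Get-SessionLogonClass {
    param(
        # Group SIDs to inspect. Defaults to the current process token,
        # so run it without arguments from inside the user's session.
        [string[]]$GroupSids = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
                                ForEach-Object { $_.Value })
    )

    $interactive = $GroupSids -contains 'S-1-5-4'
    $network     = $GroupSids -contains 'S-1-5-2'

    $class = if ($interactive) { 'INTERACTIVE' } elseif ($network) { 'NETWORK' } else { 'OTHER' }

    # Areas the page lists as restricted for NETWORK group members.
    $review = if ($class -eq 'NETWORK') {
        'Check DCOM, file and application-specific permissions for this user'
    } else {
        'None'
    }

    [pscustomobject]@{
        LogonClass = $class
        Review     = $review
    }
}

# Constructed sample SID lists (not captured from a real host).
$standardAuthToken   = 'S-1-5-32-545', 'S-1-5-4', 'S-1-5-11'   # Users, INTERACTIVE, Authenticated Users
$integratedAuthToken = 'S-1-5-32-545', 'S-1-5-2', 'S-1-5-11'   # Users, NETWORK, Authenticated Users

Get-SessionLogonClass -GroupSids $standardAuthToken     # LogonClass: INTERACTIVE
Get-SessionLogonClass -GroupSids $integratedAuthToken   # LogonClass: NETWORK
Get-SessionLogonClass                                   # classifies the current session
```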

To avoid these errors, administrators can enable the Cache passwords on the host option. Doing so allows users to sign in from Windows computers that are members of the same domain as the FH Web Edition Host without having to enter their user name and password every time they connect. Users are prompted for a password when first connecting to the host or following a password change. Passwords are stored within their respective profiles and can only be decrypted from within their respective security contexts. With subsequent connections to FH Web Edition, users are automatically signed in and added to the host's INTERACTIVE group. They are granted the same access rights as if they had signed in to the host at its console.

Caching passwords on the host requires delegation, which is supported by Windows 2000 or later on Active Directory networks with the proper settings. Please refer to your Microsoft Windows operating system documentation for instructions on properly configuring an Active Directory Domain Controller.
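Before enabling this option, an administrator can check how delegation is currently configured for the host and for a given user. The following PowerShell is an added example, not part of the FH Web Edition documentation. It assumes the ActiveDirectory module (RSAT) is installed; the function name and the host and user names are placeholders, and the page does not state which delegation mode the product needs.

```powershell
# Added example: report delegation-related settings from Active Directory.
Import-Module ActiveDirectory

function Get-DelegationStatus {
    param(
        [Parameter(Mandatory)][string]$HostComputer,   # placeholder: the FH Web Edition Host
        [Parameter(Mandatory)][string]$UserName        # placeholder: a user who connects to it
    )

    $computer = Get-ADComputer -Identity $HostComputer -Properties `
        TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
    $user = Get-ADUser -Identity $UserName -Properties AccountNotDelegated

    [pscustomobject]@{
        Host                      = $computer.Name
        # Unconstrained delegation: the host may pass the user's credentials
        # to any service, so grant it only where required.
        UnconstrainedDelegation   = $computer.TrustedForDelegation
        # Constrained delegation: only the services listed here are reachable.
        ConstrainedTargets        = @($computer.'msDS-AllowedToDelegateTo')
        ProtocolTransition        = $computer.TrustedToAuthForDelegation
        User                      = $user.SamAccountName
        # "Account is sensitive and cannot be delegated" blocks delegation
        # for this user regardless of the host's settings.
        UserBlockedFromDelegation = $user.AccountNotDelegated
    }
}

# Placeholder names; replace with values from your own domain.
Get-DelegationStatus -HostComputer 'FHWEB-HOST-PLACEHOLDER' -UserName 'user-placeholder'
```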

To Enable Host Password Caching (Integrated Windows Authentication Only)
