Optional FE Access Scenarios
Good to know
At this point the FrontEnd installation is complete. The steps below cover optional / exotic configuration scenarios. They are required only if one of the following cases applies to you:
- You want to allow for anonymous access to your frontend dashboards.
- You want to configure Client Certificate Authentication (e.g. for use of HTTPS or to allow users to log in via alternate means)
Configure Frontend (Dashboards) for Anonymous Access
Open Services and start the installed FE Core service.
- Check that the service started successfully without any errors in Event Viewer or in the log file → C:\Program Files\Luware AG\LUCS-FE\FeCore\Log\regularLog.txt
- Open Internet Information Services (IIS) Manager and make sure that the AnonymousAuthentication and FormsAuthentication values are enabled for the web application:
Click ‘LUCS – Frontend’ -> ‘Authentication’ item
Enable the AnonymousAuthentication and FormsAuthentication values if necessary:
Open Configuration Editor for the web application and unlock the anonymousAuthentication and windowsAuthentication sections if necessary.
These sections should be unlocked by default after installation by the Front End setup.
Select ‘anonymousAuthentication’ value from the ‘Section’ dropdown:
system.webServer -> security -> authentication
Unlock ‘anonymousAuthentication’ section if necessary (unlocked by default):
Click the ‘WinAccount’ folder -> Authentication and make sure that the ‘AnonymousAuthentication’ value is enabled and the ‘WindowsAuthentication’ value is disabled.
Click Application Pools -> DefaultAppPool -> Advanced Settings
Click the browse icon for the ‘Identity’ value in the ‘Process Model’ section
Set the ‘Built-in account’ value to ‘NetworkService’.
- Ensure that the binding settings are set to appropriate values in IIS under the created web site ‘LUCSFrontend’.
- If the LUCS Frontend application was moved to a different machine, the database must be defragmented.
To defragment the database, run the command below from the App_Data\DataStorage folder of the installed application:
esentutl /d DataCODE
Client Certificate Authentication
This chapter applies when you want to disable the standard Windows Authentication and switch to certificate-based authentication in the frontend.
The actions below result in updates to the Frontend Config files located in the default installation directories:
C:\Program Files\Luware\TM-FE\
C:\Program Files\Luware\LUCS-FE\
C:\Program Files\Luware\LUCS-WebConfigurator
Back up and re-merge your config files when updating your product installation to avoid having to perform the settings below again.
Configuration Windows Server 2012 R2 / 2016 / 2019
- Open Server Manager.
- In Server Manager, click the Manage menu, and then click Add Roles and Features.
On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Security, and then select IIS Client Certificate Mapping Authentication.
- Finish the installation and close the Results page.
Configuration of Personal Certificates
This step depends on your local IT policy. The steps below showcase a test account configuration from Luware and may vary greatly on your system. If you already have a Client Authentication Certificate issued for your user, you can skip to the next step.
- Open MMC (Microsoft Management Console)
Check in Certificates - Current User > Personal > Certificates that a personal certificate is issued to the user that is supposed to log into the LUCS frontend later.
If no Personal/Certificates are available, right-click the main panel and select All Tasks/Request new Certificate → Contact your system administrator / certificate authority to request a certificate
→ After a personal certificate is rolled out and available, continue with the next step.
Internet Information Services (IIS) configuration
This configuration must be done on all server instances where IIS is running and hosting any LUCS frontend websites.
LUCS Server configuration
- In IIS open the root node (Server)
Open the Authentication dialog and set Active Directory Client Certificate Authentication to "enabled".
If you have already configured SSL, you can skip steps 1 to 4.
- In IIS open Sites and select Luware-XX-FE
- Open the Site Bindings configuration and add a new binding.
In the Site Binding dialog, select the https type and select the necessary SSL certificate.
- Click OK to create new binding.
To prevent logins without HTTPS, we recommend removing all existing bindings except the newly created one at this point.
- Open the SSL Settings dialog of Luware-LUCS-FE
Select the "Require SSL" check box and the "Ignore" radio button under Client certificates.
- Click Apply to save changes.
- Again within the Luware-LUCS-FE site, open Configuration Editor
Go to "system.webServer/security/authentication/" and set "clientCertificateMappingAuthentication" to false.
- Click Apply to save changes.
Luware-LUCS-WinAccount Folder configuration
- Again within Luware-LUCS-FE, open the folder "WinAccount"
- Open the SSL Settings dialog of WinAccount
Select the "Require SSL" check box and the "Require" radio button under Client certificates.
Click Apply to save changes.
- Again within the Luware-LUCS-FE > WinAccount folder
Locate Windows Authentication and set it to "Disabled"
- Again within Luware-LUCS-FE, open the Configuration Editor dialog of WinAccount
- Set system.webServer/security/authentication/clientCertificateMappingAuthentication to true.
Set system.webServer/security/authentication/windowsAuthentication to false.
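
To confirm the IIS steps above took effect, the end state can be read back with the WebAdministration module. The script below is an added example, not part of the Luware documentation or product; it only reads configuration and assumes the site name Luware-LUCS-FE and the folder WinAccount as used on this page (pass other names via the parameters).

```powershell
# Added example: read-only audit of the end state the steps above describe.
# Assumptions: site 'Luware-LUCS-FE' and folder 'WinAccount' as named on this page;
# run elevated on the IIS server with the WebAdministration module available.
param([string]$Site = 'Luware-LUCS-FE', [string]$Folder = 'WinAccount')
Import-Module WebAdministration

function Get-IisValue([string]$Path, [string]$Filter, [string]$Name) {
    $v = Get-WebConfigurationProperty -PSPath $Path -Filter $Filter -Name $Name
    # Boolean attributes come back wrapped in an object; flag lists as a string.
    if ($v -isnot [string] -and $null -ne $v.Value) { $v.Value } else { $v }
}
function Get-SslFlags([string]$Path) {
    # sslFlags is a comma-separated list, e.g. "Ssl,SslNegotiateCert,SslRequireCert".
    $raw = Get-IisValue $Path 'system.webServer/security/access' 'sslFlags'
    "$raw" -split '\s*,\s*'
}
function Test-AuthEnabled([string]$Path, [string]$Section) {
    $f = "system.webServer/security/authentication/$Section"
    "$(Get-IisValue $Path $f 'enabled')" -eq 'True'
}

$sitePath = "IIS:\Sites\$Site"
$dirPath  = "$sitePath\$Folder"
$siteSsl  = @(Get-SslFlags $sitePath)
$dirSsl   = @(Get-SslFlags $dirPath)
$nonHttps = @(Get-WebBinding -Name $Site | Where-Object { $_.protocol -ne 'https' })

$results = @(
    [pscustomobject]@{ Check = 'Site: HTTPS bindings only'
        Pass = ($nonHttps.Count -eq 0) }
    [pscustomobject]@{ Check = 'Site: Require SSL'
        Pass = ($siteSsl -contains 'Ssl') }
    [pscustomobject]@{ Check = 'Site: client certificates ignored'
        Pass = (@($siteSsl -like '*Cert').Count -eq 0) }
    [pscustomobject]@{ Check = 'Site: clientCertificateMappingAuthentication = false'
        Pass = (-not (Test-AuthEnabled $sitePath 'clientCertificateMappingAuthentication')) }
    [pscustomobject]@{ Check = 'WinAccount: Require SSL + require client certificate'
        Pass = (($dirSsl -contains 'Ssl') -and ($dirSsl -contains 'SslRequireCert')) }
    [pscustomobject]@{ Check = 'WinAccount: clientCertificateMappingAuthentication = true'
        Pass = (Test-AuthEnabled $dirPath 'clientCertificateMappingAuthentication') }
    [pscustomobject]@{ Check = 'WinAccount: windowsAuthentication = false'
        Pass = (-not (Test-AuthEnabled $dirPath 'windowsAuthentication')) }
)
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }
```

A failing "HTTPS bindings only" row means a plain HTTP binding is still present on the site, which is the case the binding recommendation above is meant to rule out.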