This page is about LUCS Frontend / Backend User authentication and login.

(question) Looking for API Keys for Access Authentication? → head to API Setup and Preconditions

Methods of User Authentication

In order to authenticate users with LUCS you have the following possibilities:

Client Certificate Authentication

(info) In case you want to authenticate your users with alternative means such as tokens / dongles using a certificate, read the chapter below. Otherwise, skip to the follow-up actions below.


The actions below result in updates to the Frontend Config files located in the default installation directories:

C:\Program Files\Luware\TM-FE\
C:\Program Files\Luware\LUCS-FE\
C:\Program Files\Luware\LUCS-WebConfigurator

In particular: 

  • Web.config

  • \WinAccount\Web.config
  • AppSettings.config

Back up and re-merge your config files when updating your product installation to avoid having to perform the settings below again.

Configuration Windows Server 2012 R2 / 2016 / 2019

  1. Open Server Manager.
  2. In Server Manager, click the Manage menu, and then click Add Roles and Features.
  3. On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Security, and then select IIS Client Certificate Mapping Authentication.

  4. Finish the installation and close the Results page.

Configuration of Personal Certificates

(info) This step depends on your local IT policy. The steps below showcase a test account configuration from Luware and may vary greatly on your system. If a Client Authentication Certificate has already been issued for your user, you can skip to the next step.

  1. Open MMC (Microsoft Management Console)
  2. Check in Certificates - Current User > Personal > Certificates that a personal certificate is issued to the user who is supposed to log into the LUCS frontend later

    If no Personal/Certificates are available, right-click the main panel and select All Tasks/Request new Certificate → Contact your system administrator / certificate authority to request a certificate

    → After a personal certificate is rolled out and available, continue with the next step.

Internet Information Services (IIS) configuration

(tick) This configuration must be done on all server instances where IIS is running and hosting any LUCS frontend websites.

LUCS Server configuration

  1. In IIS open the root node (Server)
  2. Open Authentication dialog and set Active Directory Client Certificate Authentication to "enabled".

Luware-LUCS-Site configuration

(info) If you have already configured SSL, you can skip steps 1 to 4.

  1. In IIS open Sites and select Luware-XX-FE 
  2. Open Site Bindings configuration and Add new binding.
  3. In Site Binding dialog select https type, and select necessary SSL Certificate.


  4. Click OK to create new binding.
    (warning) To prevent logins without HTTPS, we recommend removing all existing bindings except the newly created one at this point.
  5. Open SSL Settings dialog of Luware-LUCS-FE
  6. Check the "Require SSL" box, select the "Ignore" client certification radio button, and apply the settings.

  7. Click Apply to save changes.
  8. Again within Luware-LUCS-FE site, open Configuration Editor 
  9. Go to "system.webServer/security/authentication/" and set "clientCertificateMappingAuthentication" to false.


  10. Click Apply to save changes.

Luware-LUCS-WinAccount Folder configuration

  1. Again within Luware-LUCS-FE, open the folder "WinAccount"
  2. Open SSL Settings dialog of WinAccount
  3. Check box "Require SSL" and select "Require client certification" radio button.

  4. Click Apply to save changes.

  5. Again within Luware-LUCS-FE WinAccount folder
  6. Locate and set Windows Authentication to "Disabled"


  7. Again within Luware-LUCS-FE Open Configuration Editor dialog of WinAccount
  8. Set system.webServer/security/authentication/clientCertificateMappingAuthentication to true.
  9. Set system.webServer/security/authentication/windowsAuthentication to false.


Sources: https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/iisclientcertificatemappingauthentication/
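
The IIS steps above are easy to get partly wrong, for example by leaving an HTTP binding in place or leaving Windows Authentication enabled on WinAccount. The following read-only PowerShell audit is an added example, not part of the Luware documentation or product. It assumes the site name Luware-LUCS-FE and the folder WinAccount as used on this page; the function names Get-LucsSetting and Test-LucsCertAuth are hypothetical.

```powershell
# Added example: read-only audit of the IIS settings this page configures by hand.
# Assumptions: site 'Luware-LUCS-FE' and folder 'WinAccount' as named on this page;
# function names are hypothetical. Run elevated on each IIS server hosting the site.
Import-Module WebAdministration

function Get-LucsSetting {
    param([string]$PSPath, [string]$Section, [string]$Name)
    # Effective value at $PSPath (inherited and local configuration merged)
    $v = Get-WebConfigurationProperty -PSPath $PSPath `
            -Filter "system.webServer/security/$Section" -Name $Name
    # Booleans come back wrapped in an object with .Value, flag enums as plain text
    if ($v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

function Test-LucsCertAuth {
    param([string]$SiteName = 'Luware-LUCS-FE', [string]$Folder = 'WinAccount')

    $site     = "IIS:\Sites\$SiteName"
    $sub      = "$site\$Folder"
    $certAuth = 'authentication/clientCertificateMappingAuthentication'
    $winAuth  = 'authentication/windowsAuthentication'

    # sslFlags is a comma-separated list such as "Ssl,SslNegotiateCert,SslRequireCert"
    $siteFlags = "$(Get-LucsSetting $site 'access' 'sslFlags')" -split '\s*,\s*'
    $subFlags  = "$(Get-LucsSetting $sub  'access' 'sslFlags')" -split '\s*,\s*'
    $nonHttps  = @(Get-WebBinding -Name $SiteName | Where-Object { $_.protocol -ne 'https' })
    $siteWantsCert = ($siteFlags -contains 'SslNegotiateCert') -or
                     ($siteFlags -contains 'SslRequireCert')

    $checks = [ordered]@{
        'Site: only HTTPS bindings remain'             = ($nonHttps.Count -eq 0)
        'Site: Require SSL is set'                     = ($siteFlags -contains 'Ssl')
        'Site: client certificates are ignored'        = (-not $siteWantsCert)
        'Site: certificate mapping auth is false'      = (-not (Get-LucsSetting $site $certAuth 'enabled'))
        'WinAccount: Require SSL is set'               = ($subFlags -contains 'Ssl')
        'WinAccount: client certificate is required'   = ($subFlags -contains 'SslRequireCert')
        'WinAccount: Windows Authentication is false'  = (-not (Get-LucsSetting $sub $winAuth 'enabled'))
        'WinAccount: certificate mapping auth is true' = [bool](Get-LucsSetting $sub $certAuth 'enabled')
    }

    # One object per check so the result can be filtered or exported
    foreach ($entry in $checks.GetEnumerator()) {
        [pscustomobject]@{ Check = $entry.Key; Pass = [bool]$entry.Value }
    }
}

Test-LucsCertAuth | Format-Table -AutoSize
```

Any row with Pass = False points to the matching step above that still needs to be applied on that server.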


Follow-Up Actions

(tick) The following tasks apply regardless of your authentication method chosen for your userbase.

When your initial topology setup is done, you need to perform the following steps: 

  1. Add new users, as described in the Agent Management section.
  2. Authorize users by giving them permissions to access the Configuration backend or use the LUCS Web FrontEnd as either Agents or Supervisors.

    The concept of user authorization is described on the Role Based Access - RBAC (RBAC) page. 

    RBAC permissions are given to individual agents when editing individual Agent Roles.

    If your setup was done correctly, new users should now be able to authenticate with their credentials and log into LUCS. A restart of the