User Authentication
This page is about LUCS Frontend / Backend User authentication and login.
Looking for API Keys for Access Authentication? → head to API Setup and Preconditions
Methods of User Authentication
In order to authenticate users with LUCS you have the following possibilities:
- Your local AD directory: The LUCS Server and SfB server use the credentials specified in the FQDN. This is set up in your LUCS Essential Topology Settings as part of the Post-Installation Steps.
- Azure / O365 Account: Read more about how to perform Azure Application Registration of Luware Apps and Tenant Setup O365 and Exchange
Client Certificate Authentication
In case you want to authenticate your users with alternative means such as tokens / dongles using a certificate, read the chapter below. Otherwise, skip to the follow-up actions below.
The actions below result in updates to the Frontend Config files located in the default installation directories:
C:\Program Files\Luware\TM-FE\
C:\Program Files\Luware\LUCS-FE\
C:\Program Files\Luware\LUCS-WebConfigurator
In particular:
- Web.config
- \WinAccount\Web.config
- AppSettings.config
Back up and re-merge your config files when updating your product installation to avoid having to perform the settings below again.
Configuration Windows Server 2012 R2 / 2016 / 2019
- Open Server Manager.
- In Server Manager, click the Manage menu, and then click Add Roles and Features.
- On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Security, and then select IIS Client Certificate Mapping Authentication.
- Finish the installation and close the results page.
Configuration of Personal Certificates
This step depends on your local IT policy. The steps below showcase a test account configuration from Luware and may vary greatly on your system. If you already have a Client Authentication Certificate issued for your user, you can skip to the next step.
- Open MMC (Microsoft Management Console)
- Check in Certificates - Current User > Personal > Certificates that a personal certificate is issued to the user who is supposed to log into the LUCS frontend later.
If no certificates are available under Personal > Certificates, right-click in the main panel and select All Tasks > Request New Certificate. Contact your system administrator / certificate authority to request a certificate. After a personal certificate is rolled out and available, continue with the next step.
Internet Information Services (IIS) configuration
This configuration must be done on all server instances where IIS is running and hosting any LUCS frontend websites.
LUCS Server configuration
- In IIS open the root node (Server)
- Open the Authentication dialog and set Active Directory Client Certificate Authentication to "enabled".
Luware-LUCS-Site configuration
If you have already configured SSL, you can skip steps 1 to 4.
- In IIS open Sites and select Luware-XX-FE
- Open Site Bindings configuration and Add new binding.
- In the Site Binding dialog, select the https type and select the necessary SSL certificate.
- Click OK to create new binding.
To prevent logins without HTTPS, we recommend removing all existing bindings except the newly created one at this point.
- Open SSL Settings dialog of Luware-LUCS-FE
- Select the "Require SSL" check box and the "Ignore" client certification radio button, then apply the settings.
- Click Apply to save changes.
- Again within Luware-LUCS-FE site, open Configuration Editor
- Go to "system.webServer/security/authentication/" and set "clientCertificateMappingAuthentication" to false.
- Click Apply to save changes.
Luware-LUCS-WinAccount Folder configuration
- Again within Luware-LUCS-FE open folder "WinAccount"
- Open SSL Settings dialog of WinAccount
- Select the "Require SSL" check box and select the "Require client certification" radio button.
- Click Apply to save changes.
- Again within Luware-LUCS-FE > WinAccount folder
- Locate Windows Authentication and set it to "Disabled".
- Again within Luware-LUCS-FE Open Configuration Editor dialog of WinAccount
- Set webServer/security/authentication/clientCertificateMappingAuthentication to true.
- Set webServer/security/authentication/windowsAuthentication to false.
Sources: https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/iisclientcertificatemappingauthentication/
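The following read-only check is an added example, not part of the Luware documentation or product. It reads back the effective IIS settings from the steps above so that a missed step (for example WinAccount still accepting Windows Authentication, or an HTTP binding left in place) shows up as a failed row. It assumes the site is named Luware-LUCS-FE with a WinAccount folder, as in the steps; the helper function names are hypothetical.

```powershell
# Added example: read-only audit of the IIS settings described in the steps above.
# Assumptions: site name 'Luware-LUCS-FE' with a 'WinAccount' folder, as in the
# steps; change $Site if your site has a different name. Run elevated on each IIS host.
Import-Module WebAdministration

$Site   = 'Luware-LUCS-FE'
$Paths  = @{ Site = "IIS:\Sites\$Site"; WinAccount = "IIS:\Sites\$Site\WinAccount" }
$Access = 'system.webServer/security/access'
$Auth   = 'system.webServer/security/authentication'

function Get-IisValue([string]$PSPath, [string]$Filter, [string]$Name) {
    $v = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    # Assumption: flag attributes (sslFlags) come back as a string such as
    # 'Ssl,SslNegotiateCert,SslRequireCert'; other attributes expose .Value.
    if ($v -is [string]) { $v } else { $v.Value }
}

function Get-SslFlags([string]$PSPath) {
    @("$(Get-IisValue $PSPath $Access 'sslFlags')" -split '\s*,\s*')
}

function New-Check([string]$Setting, $Actual, [bool]$Ok) {
    [pscustomobject]@{ Setting = $Setting; Actual = "$Actual"; Ok = $Ok }
}

$siteFlags = Get-SslFlags $Paths.Site
$waFlags   = Get-SslFlags $Paths.WinAccount
$siteCert  = Get-IisValue $Paths.Site "$Auth/clientCertificateMappingAuthentication" 'enabled'
$waCert    = Get-IisValue $Paths.WinAccount "$Auth/clientCertificateMappingAuthentication" 'enabled'
$waWinAuth = Get-IisValue $Paths.WinAccount "$Auth/windowsAuthentication" 'enabled'
$httpBinds = @(Get-WebBinding -Name $Site | Where-Object { $_.protocol -eq 'http' })

$results = @(
    New-Check 'Site: Require SSL' ($siteFlags -join ',') ($siteFlags -contains 'Ssl')
    New-Check 'Site: client certificates ignored' ($siteFlags -join ',') (-not ($siteFlags -match 'Cert'))
    New-Check 'Site: clientCertificateMappingAuthentication = false' $siteCert ($siteCert -eq $false)
    New-Check 'Site: no plain HTTP bindings' $httpBinds.Count ($httpBinds.Count -eq 0)
    New-Check 'WinAccount: Require SSL' ($waFlags -join ',') ($waFlags -contains 'Ssl')
    New-Check 'WinAccount: client certificate required' ($waFlags -join ',') ($waFlags -contains 'SslRequireCert')
    New-Check 'WinAccount: clientCertificateMappingAuthentication = true' $waCert ($waCert -eq $true)
    New-Check 'WinAccount: windowsAuthentication = false' $waWinAuth ($waWinAuth -eq $false)
)

$results | Format-Table -AutoSize
# A non-zero exit code lets a deployment or monitoring job flag the host.
if ($results.Ok -contains $false) { exit 1 }
```

Because product updates can overwrite the config files listed earlier, re-running this check after each update confirms that the re-merged settings are still in effect.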
Follow-Up Actions
The following tasks apply regardless of your authentication method chosen for your userbase.
When your initial topology setup is done, you need to perform the following steps:
- Add new users, as described on the Agent Management section.
- Authorize users by giving them permissions to access the Configuration backend or to use the LUCS Web FrontEnd as either Agents or Supervisors.
The concept of user authorization is described on the Role Based Access - RBAC (RBAC) page.
RBAC permissions are given to individual agents when editing individual Agent Roles.
If your setup was done correctly, new users should now be able to authenticate with their credentials and log into LUCS. A restart of the