Before you start
The steps described below are only required if you intend to:
- Authenticate your users via SSL/https
- Disable the default Windows Account Login method and use certificate-based authentication instead (e.g. via dongle / key-file)
The steps below describe the procedure with LUCS as an example but apply to other Luware products as well.
The actions below result in updates to the Frontend Config files located in the default installation directories:
C:\Program Files\Luware\TM-FE\
C:\Program Files\Luware\LUCS-FE\
C:\Program Files\Luware\LUCS-WebConfigurator
Back up and re-merge your config files when updating your product installation to avoid having to perform the settings below again.
Configuration Windows Server 2012 R2 / 2016 / 2019
- Open Server Manager.
- In Server Manager, click the Manage menu, and then click Add Roles and Features.
- On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Security, and then select IIS Client Certificate Mapping Authentication.
- Finish the installation and close the Results page.
Configuration of Personal Certificates
This step depends on your local IT policy. The steps below showcase a test account configuration from Luware and may vary greatly on your system. If you already have a Client Authentication Certificate issued for your user, you can skip to the next step.
- Open MMC (Microsoft Management Console)
- Check in Certificates - Current User > Personal > Certificates that a personal certificate is issued to the user that is supposed to log into the TeamManager frontend later.
- If no Personal/Certificates are available, right-click on the main panel and select All Tasks/Request new Certificate.
→ Contact your system administrator / certificate authority to request a certificate.
→ After a personal certificate is rolled out and available, continue with the next step.
Internet Information Services (IIS) configuration
This configuration must be done on all server instances where IIS is running and hosting any TeamManager frontend websites.
TeamManager Server configuration
- In IIS open the root node (Server)
- Open the Authentication dialog and set Active Directory Client Certificate Authentication to "enabled".
If you have already configured SSL, you can skip steps 1 to 4.
- In IIS open Sites and select Luware-XX-FE
- Open the Site Bindings configuration and add a new binding.
- In the Site Binding dialog, select the https type and select the necessary SSL Certificate.
- Click OK to create the new binding.
To prevent logins without HTTPS, we recommend removing all existing bindings except the newly created one at this point.
- Open SSL Settings dialog of Luware-TeamManager-FE
- Check the "Require SSL" box and select the "Ignore client certification" radio button.
- Click Apply to save changes.
- Again within Luware-TeamManager-FE site, open Configuration Editor
- Go to "system.webServer/security/authentication/" and set "clientCertificateMappingAuthentication" to false.
- Click Apply to save changes.
Luware-TeamManager-WinAccount Folder configuration
- Again within Luware-TeamManager-FE open folder "WinAccount"
- Open SSL Settings dialog of WinAccount
- Check the "Require SSL" box and select the "Require client certification" radio button.
- Click Apply to save changes.
- Again within Luware-TeamManager-FE > WinAccount folder
- Locate Windows Authentication and set it to "Disabled".
- Again within Luware-TeamManager-FE, open the Configuration Editor dialog of WinAccount.
- Set system.webServer/security/authentication/clientCertificateMappingAuthentication to true.
- Set system.webServer/security/authentication/windowsAuthentication to false.
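
The following PowerShell audit is an added example, not part of the Luware documentation or product. It reads back the effective IIS settings produced by the steps above and reports any that deviate, which is useful after a product update has replaced the config files. It assumes the WebAdministration module is available and that the site and folder are named Luware-TeamManager-FE and WinAccount as in the steps above.

```powershell
# Added audit example (not vendor code). Run in an elevated PowerShell session on the IIS server.
Import-Module WebAdministration

# Assumption: site and folder names as used in the steps above; adjust to your installation.
$site   = 'Luware-TeamManager-FE'
$sitePs = "IIS:\Sites\$site"
$winPs  = "$sitePs\WinAccount"
$auth   = 'system.webServer/security/authentication'

# Effective value of one attribute of a configuration section at a given path.
function Get-Effective($psPath, $section, $attribute) {
    (Get-WebConfiguration -PSPath $psPath -Filter $section).$attribute
}

# sslFlags is a comma-separated flag list such as "Ssl,SslNegotiateCert,SslRequireCert".
function Get-SslFlags($psPath) {
    $raw = [string](Get-Effective $psPath 'system.webServer/security/access' 'sslFlags')
    @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

$bindings  = @(Get-WebBinding -Name $site)
$siteFlags = Get-SslFlags $sitePs
$winFlags  = Get-SslFlags $winPs
$certFlags = @($siteFlags | Where-Object { $_ -in 'SslNegotiateCert', 'SslRequireCert' })

$results = @(
    [pscustomobject]@{ Check = 'Site: https bindings only'
        Pass = ($bindings.Count -gt 0) -and (@($bindings | Where-Object { $_.protocol -ne 'https' }).Count -eq 0) }
    [pscustomobject]@{ Check = 'Site: Require SSL, client certificates ignored'
        Pass = ($siteFlags -contains 'Ssl') -and ($certFlags.Count -eq 0) }
    [pscustomobject]@{ Check = 'Site: clientCertificateMappingAuthentication = false'
        Pass = -not (Get-Effective $sitePs "$auth/clientCertificateMappingAuthentication" 'enabled') }
    [pscustomobject]@{ Check = 'WinAccount: Require SSL and require client certificate'
        Pass = ($winFlags -contains 'Ssl') -and ($winFlags -contains 'SslRequireCert') }
    [pscustomobject]@{ Check = 'WinAccount: clientCertificateMappingAuthentication = true'
        Pass = [bool](Get-Effective $winPs "$auth/clientCertificateMappingAuthentication" 'enabled') }
    [pscustomobject]@{ Check = 'WinAccount: windowsAuthentication = false'
        Pass = -not (Get-Effective $winPs "$auth/windowsAuthentication" 'enabled') }
)

$results | Format-Table -AutoSize
# Non-zero exit code when any check fails, so the script can gate a deployment or update.
if ($results.Pass -contains $false) { exit 1 }
```

Run it on every server instance that hosts a TeamManager frontend site, since the configuration must match on all of them.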