Before you start

The steps described below are only required if you intend to:

  • Authenticate your users via SSL/https
  • Disable the default Windows Account Login method and use certificate-based authentication instead (e.g. via dongle / key-file)

The steps below describe the procedure with LUCS as an example, but they apply to other Luware products as well.


The actions below result in updates to the Frontend Config files located in the default installation directories:

C:\Program Files\Luware\TM-FE\
C:\Program Files\Luware\LUCS-FE\
C:\Program Files\Luware\LUCS-WebConfigurator

In particular: 

  • Web.config

  • \WinAccount\Web.config
  • AppSettings.config

Back up and re-merge your config files when updating your product installation to avoid having to perform the settings below again.

Configuration Windows Server 2012 R2 / 2016 / 2019

  1. Open Server Manager.
  2. In Server Manager, click the Manage menu, and then click Add Roles and Features.
  3. On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Security, and then select IIS Client Certificate Mapping Authentication.

  4. Finish installation and Close Results

Configuration of Personal Certificates

(info) This step depends on your local IT policy. The steps below show a test account configuration from Luware and may vary greatly on your system. If you already have a Client Authentication Certificate issued for your user, you can skip to the next step.

  1. Open MMC (Microsoft Management Console)
  2. Under Certificates - Current User > Personal > Certificates, check that a personal certificate is issued to the user who is supposed to log into the TeamManager frontend later.

    If no certificates are available under Personal/Certificates, right-click the main panel and select All Tasks/Request New Certificate → Contact your system administrator / certificate authority to request a certificate

    → After a personal certificate is rolled out and available, continue with the next step.

Internet Information Services (IIS) configuration

(tick) This configuration must be done on all server instances where IIS is running and hosting any TeamManager frontend websites.

TeamManager Server configuration

  1. In IIS open the root node (Server)
  2. Open Authentication dialog and set Active Directory Client Certificate Authentication to "enabled".

Luware-TeamManager-Site configuration

(info) If you have already configured SSL, you can skip steps 1 to 4.

  1. In IIS open Sites and select Luware-XX-FE 
  2. Open the Site Bindings configuration and add a new binding.
  3. In the Site Binding dialog, select the https type and select the required SSL certificate.


  4. Click OK to create new binding.
    (warning) To prevent logins without HTTPS, we recommend removing all existing bindings except the newly created one at this point.
  5. Open the SSL Settings dialog of Luware-TeamManager-FE
  6. Select the "Require SSL" check box and the "Ignore client certification" radio button, then apply the settings.

  7. Click Apply to save changes.
  8. Again within Luware-TeamManager-FE site, open Configuration Editor 
  9. Go to "system.webServer/security/authentication/" and set "clientCertificateMappingAuthentication" to false.


  10. Click Apply to save changes.

Luware-TeamManager-WinAccount Folder configuration

  1. Again within Luware-TeamManager-FE, open the folder "WinAccount"
  2. Open SSL Settings dialog of WinAccount
  3. Check box "Require SSL" and select "Require client certification" radio button.

  4. Click Apply to save changes.

  5. Again within Luware-TeamManager-FE WinAccount folder
  6. Locate and set Windows Authentication to "Disabled"


  7. Again within Luware-TeamManager-FE Open Configuration Editor dialog of WinAccount
  8. Set system.webServer/security/authentication/clientCertificateMappingAuthentication to true.
  9. Set system.webServer/security/authentication/windowsAuthentication to false.
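
To confirm that the settings from the three IIS sections above are in effect on a server, the following read-only audit script can be run in an elevated PowerShell session. It is an added example, not part of the Luware documentation or tooling. It assumes the WebAdministration module is available, that the site is named Luware-TeamManager-FE (change the parameter for your Luware-XX-FE site), and that the SSL Settings choices map to the sslFlags values noted in the comments.

```powershell
# Added example: read-only audit of the IIS settings described on this page.
param(
    # Assumption: site name as used on this page; replace with your Luware-XX-FE site.
    [string]$Site = 'Luware-TeamManager-FE'
)
Import-Module WebAdministration

$auth   = 'system.webServer/security/authentication'
$access = 'system.webServer/security/access'

# Get-WebConfigurationProperty returns either a plain value or an object with .Value.
function Get-Setting([string]$Path, [string]$Filter, [string]$Name) {
    $v = Get-WebConfigurationProperty -PSPath $Path -Filter $Filter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

# Normalise sslFlags so spacing and flag order do not affect the comparison.
function Get-SslFlags([string]$Path) {
    $raw = [string](Get-Setting $Path $access 'sslFlags')
    (($raw -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object) -join ','
}

$server   = 'MACHINE/WEBROOT/APPHOST'
$sitePath = "IIS:\Sites\$Site"
$winPath  = "IIS:\Sites\$Site\WinAccount"

# Each entry: description, actual value, expected value.
# Assumption: "Require SSL" + Ignore is stored as sslFlags "Ssl";
# "Require SSL" + Require is stored as "Ssl,SslNegotiateCert,SslRequireCert".
$checks = @(
    @('Server: AD client certificate authentication enabled',
      (Get-Setting $server "$auth/clientCertificateMappingAuthentication" 'enabled'), $true),
    @('Site: no plain HTTP bindings left',
      @(Get-WebBinding -Name $Site -Protocol http).Count, 0),
    @('Site: SSL required, client certificates ignored',
      (Get-SslFlags $sitePath), 'Ssl'),
    @('Site: clientCertificateMappingAuthentication disabled',
      (Get-Setting $sitePath "$auth/clientCertificateMappingAuthentication" 'enabled'), $false),
    @('WinAccount: SSL and client certificate required',
      (Get-SslFlags $winPath), 'Ssl,SslNegotiateCert,SslRequireCert'),
    @('WinAccount: clientCertificateMappingAuthentication enabled',
      (Get-Setting $winPath "$auth/clientCertificateMappingAuthentication" 'enabled'), $true),
    @('WinAccount: windowsAuthentication disabled',
      (Get-Setting $winPath "$auth/windowsAuthentication" 'enabled'), $false)
)

$checks | ForEach-Object {
    [pscustomobject]@{ Check = $_[0]; Expected = $_[2]; Actual = $_[1]
                       Pass  = ("$($_[1])" -eq "$($_[2])") }
} | Format-Table -AutoSize
```

Any row with Pass = False points to a step that was skipped or overwritten, for example after a product update replaced the config files.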


Sources: https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/iisclientcertificatemappingauthentication/