Question about AuthenticationClient token creation

Darko_Poletto

Hello,

Currently (and for the last several years) my application has connected to the clients server using a username and password that is stored in a config file.  There is a call made to AuthenticationClient's AuthenticateUser function to get a token, and that token is then applied to the DocumentManagementClient's AuthenticationToken property. 

 

The client is now questioning whether or not it is possible to use a domain user's account within their system for the calls to ContentServer, rather than the stored user/pass.  That domain user would have access to login via the web based interface of ContentServer itself.  The flow is the user is logged into the domain and accesses a web based application.  That app sends a request to the windows service in question to retrieve a document from ContentServer.

 

Is there any method availble to take a domain user and generate a token to allow my service to access the server using domain credentials rather than the stored custom account that it currently uses?

Appu Nair

Yes it is possible but again it really depends on how your organization have your LL server look at the domain user.I will explain one use case where this has worked for me.

1. ​​The organizations users click on a livelink link,they are not challenged and make their way into livelink,in the livelink web server  IWA(NTLM) is active and anonymous is Off.Livelink authentication is set to use the passed in REMOTE_USER in this fashion userid only.If you look for a user in AD it will show that user as domain name\<user> but you look in livelink users and group it will be just user.
   
2. If the above situation is correct in your scenario here's how one does the SSO way of CWS.For your anonymous WSDL there might be an application called les-services or cws pointing to <OTHOME>\webservices\dot-net\cws make a copy of that folder lets called that myssocws
   
3. Make this into a application like the other one using IIS.In its authentication make sure it is using authentication of IWA like you livelink application.
   
4. Come back to the Web.Config inside the myssocws folder and make wherever you see thinsg like  
   <binding name="AuthenticationBinding" maxReceivedMessageSize="1024000" messageEncoding="Text" transferMode="Buffered">
             <security mode="None">
               <transport clientCredentialType="None" />
             </security>
   
           </binding>
   
   Now if you look in standard WCF programming you will know that it is for a anonymous bound application
   

 <binding name="AuthenticationBinding" maxReceivedMessageSize="1024000" messageEncoding="Text" transferMode="Buffered">

          <security mode="TransportCredentialOnly">

            <transport clientCredentialType="Windows" />

          </security>

        </binding>

You have to do this for all NON SSL bindings

Check the accuracy I am saying this from memory

At this point if the WSDL is reachable then just like the GUI user gets in the code will also get it,you provide empty strings in your code for authentication.

If your LL is serviced by OTDS then your job is easier because your call is transferred to OTDS and it will do a SP Negotiate and the token it returns is for the valid user a.k.a domain user,you just have to use that for your code.

some links https://appukili.wordpress.com/2013/06/07/content-server-cs10-single-sign-on/​ I used to do this in LAPI days even before OT had formal documentation,I bet nowadays nobody uses IWA because of the rigor it takes and patience and there may be easier OT documents

Appu Nair
Principal Architect | Alitek
Website: alitek.com

---

From: eLink Entry: Content Server Development Forum <development@elinkkc.opentext.com>
Sent: Wednesday, March 7, 2018 8:12 AM
To: eLink Recipient
Subject: Question about AuthenticationClient token creation

 

Question about AuthenticationClient token creation

Posted by dpoletto@skeinc.com (Poletto, Darko) On 03/07/2018 09:08 AM

Hello,Currently (and for the last several years) my application has connected to the clients server using a username and password that is stored in a config file.  There is a call made to AuthenticationClient's AuthenticateUser function to get a token, and that token is then applied to the DocumentManagementClient's AuthenticationToken property.  The client is now questioning whether or not it is possible to use a domain user's account within their system for the calls to ContentServer, rather than the stored user/pass.  That domain user would have access to login via the web based interface of ContentServer itself.  The flow is the user is logged into the domain and accesses a web based application.  That app sends a request to the windows service in question to retrieve a document from ContentServer. Is there any method availble to take a domain user and generate a token to allow my service to access the server using domain credentials rather than the stored custom account that it currently uses?

---

[To post a comment, use the normal reply function]
Forum:	Content Server Development Forum
Content Server:	My Support

 
Confidentiality Note: This message contains information, which may be privileged or confidential, or exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, or the employee responsible for delivering the message to the intended recipient, you are hereby NOTIFIED that any dissemination, distribution, retention, archiving, or copying of this communication is strictly prohibited. If you receive this message in error, please notify sender immediately.