How do I control how users log in to the site?

Introduction
Intranet Connections offers multiple methods of user access. The site administrator can decide whether to allow users to access the site without any authentication or with either local or AD logins. In this article we will outline the various site settings.



Logins
Intranet Connections can be configured to support anonymous access. Under an anonymous access scenario, users will be able to access the site homepage without logging in. They will be able to browse any content that is globally viewable and publish or comment anywhere that either global add or anonymous commenting is set. See the content security overview webinar for details about global rights and securing site content. To access any secure content, or to submit forms or tickets that they can subsequently review, the user will need to log in using the login link in the top navigation.

Note that anonymous access is not recommended as the preferred site security mode, since it prevents your users from utilizing the many personalization options available in the product and it eliminates significant portions of the auditing and security controls available for admins. Anonymous access is also strongly discouraged in scenarios where your site is externally available (accessible from the internet). Regardless of whether the site is anonymously accessible or not, all three authentication modes listed below are available.

To enable anonymous access, go to Admin > Security > Site Level Login and select "NO allow a mix of anonymous access and specific user logins".



Authentication Mode: Form
Forms-based authentication uses logins stored within the site itself. Form logins can be created manually through Admin > Security > Create a Login or through the CSV Import Utility. Users with form logins can be subjected to password security and expiry controls via the Admin > Security > Password Options interface, and they can have their passwords reset by an admin or reset them themselves via the user settings options in the directory.

Forms mode requires that the intranet's IIS directory security is set to Anonymous Access enabled.



Authentication Mode: Windows Authentication
Windows Authentication based logins are accounts which share the same username as a user's network (domain) credentials. Windows authenticated accounts do not have their passwords managed or stored within the intranet, and in the edit user interface the password fields will be greyed out for AD Auth logins. AD Auth logins are also not subject to the password expiry regulations and restrictions outlined in the Password Options interface (see above), as these are controlled at the domain level by network administration. Windows auth logins can be created via the Create a Login form, via CSV import or using AD Synchronization. Note that with AD Authentication enabled you cannot create new forms-based logins, and any existing forms-based logins will be unable to access the site. Users also do not explicitly log out of an AD Auth site; they simply close their browser session.

When a user connects to a site using Windows Authentication mode, they will be challenged for their network credentials by a pop-up authentication request. By altering the user's browser settings, this authentication can be made automatic, allowing for seamless sign-on without the user being prompted to log in.

Windows Auth mode requires that the intranet's IIS directory security is set to Windows Authentication enabled with Anonymous Access disabled.



Authentication Mode: Mixed
Mixed Authentication mode simply allows both login methods to operate on the same site. All users arriving at the site for the first time will receive the product login page (rather than the Windows pop-up credential request), but there will be a Windows Authentication checkbox. If the user selects this checkbox, the site will try to authenticate them using domain credentials in the exact manner noted above. Users with forms-based logins simply enter their credentials in the username and password fields.

Note: even in a mixed mode environment it is possible to achieve pass-through login for your Windows Auth users. When the user selects the Windows Authentication checkbox, a permanent cookie is stored in the user's browser that indicates they prefer this login method (note the cookie stores neither their username nor their password, simply the decision to use Windows Auth). Provided the user does not click the logout link (top navigation) but instead just closes their browser tab or session, they will be automatically signed in the next time they access the site. Clicking logout will destroy this cookie.

Mixed authentication requires that the intranet's IIS directory security is set to both Windows Authentication and Anonymous Access enabled.
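
The IIS directory security requirements stated for the three authentication modes above can be checked on the web server with a short script. This is an added example and not code supplied by Intranet Connections; the site name 'Intranet' and the function name Test-IntranetIisAuth are hypothetical, and it assumes the intranet runs at the root of its own IIS site with the WebAdministration module installed.

```powershell
# Added example, not vendor code. Run in an elevated PowerShell session on the IIS host.
Import-Module WebAdministration

# IIS directory security required per authentication mode, as stated in this article.
# $null = the article states no requirement for that setting, so it is not checked.
$RequiredIisAuth = @{
    Form    = @{ anonymousAuthentication = $true;  windowsAuthentication = $null }
    Windows = @{ anonymousAuthentication = $false; windowsAuthentication = $true }
    Mixed   = @{ anonymousAuthentication = $true;  windowsAuthentication = $true }
}

function Test-IntranetIisAuth {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Form', 'Windows', 'Mixed')]
        [string]$Mode,
        [string]$SiteName = 'Intranet'   # hypothetical IIS site name (assumption)
    )
    foreach ($section in 'anonymousAuthentication', 'windowsAuthentication') {
        # Read the effective (merged) setting for the site.
        $actual = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
            -Filter "/system.webServer/security/authentication/$section" `
            -Name 'enabled').Value
        $required = $RequiredIisAuth[$Mode][$section]
        [pscustomobject]@{
            Site     = $SiteName
            Mode     = $Mode
            Setting  = $section
            Required = if ($null -eq $required) { 'not stated' } else { $required }
            Actual   = $actual
            Matches  = ($null -eq $required) -or ($actual -eq $required)
        }
    }
}

# Report any drift between the chosen mode and what IIS is actually enforcing.
$drift = Test-IntranetIisAuth -Mode 'Windows' | Where-Object { -not $_.Matches }
if ($drift) {
    $drift | Format-Table -AutoSize
    Write-Warning 'IIS directory security does not match the selected authentication mode.'
} else {
    Write-Output 'IIS directory security matches the selected authentication mode.'
}
```

Pass the mode that is selected in the intranet's admin interface, and rerun the check after any change to the site in IIS Manager.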
