LiquidFiles Documentation

LiquidFiles Windows Authentication Proxy

The Windows Authentication Proxy enables users of a Windows domain to log in to LiquidFiles automatically, without entering a username and password. Note that LiquidFiles must be pre-configured for this, with all relevant users already configured.

The Proxy must be installed on IIS, configured for Windows Integrated Authentication. The Proxy is an ASP.NET 4 application, configured to run in Impersonation mode (you might need to configure your domain to support the Impersonation capability). Once the user is impersonated, the Proxy queries LDAP or a mapping file for the email address of the current user, and then queries the LiquidFiles server for the API key of that user (matched by email). The user must already have been created in LiquidFiles.

Authentication mechanism

Without the Windows Authentication Proxy, a user authenticates at the LiquidFiles appliance with email and password and obtains a permanent API key. The API key is valid until it is reset at the server.

The Windows Authentication Proxy relies on Windows authentication in the corporate network to authenticate incoming requests from the Windows Agent/Outlook plugin. This happens in the background: no UI is shown and no password is asked for. To do this, the ASP.NET application uses the Windows Integrated Authentication mechanism.

Once the Windows Authentication Proxy knows the identity behind an incoming request, it looks up the email address corresponding to that Windows user. You can configure an LDAP lookup, or you can populate a file on the Windows Authentication Proxy that maps NetBIOS user names to their email addresses.

After that, the Windows Authentication Proxy queries the LiquidFiles server with this username, asking it to return the permanent API key.
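
A sketch of the mapping-file lookup step described above, as an added example that is not LiquidFiles code. The `DOMAIN\user=email` line format and the names `IdentityMap`, `Parse` and `Resolve` are assumptions, since the page does not document the file format. It rejects malformed or duplicate entries and returns no email for an unmapped identity, so the request can be refused instead of being matched to the wrong account.

```csharp
using System;
using System.Collections.Generic;

// Added example. The "DOMAIN\user=email" line format is an assumption, not the product's format.
static class IdentityMap
{
    // Load the whole file or fail; keys are case-insensitive, like Windows account names.
    public static Dictionary<string, string> Parse(IEnumerable<string> lines)
    {
        var map = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        int n = 0;
        foreach (var raw in lines)
        {
            n++;
            var line = raw.Trim();
            if (line.Length == 0 || line[0] == '#') continue;   // blank line or comment
            int eq = line.IndexOf('=');
            if (eq <= 0) throw new FormatException("line " + n + ": expected DOMAIN\\user=email");
            string user = line.Substring(0, eq).Trim(), email = line.Substring(eq + 1).Trim();
            if (!HasOne(user, '\\')) throw new FormatException("line " + n + ": user must be DOMAIN\\user");
            if (!HasOne(email, '@')) throw new FormatException("line " + n + ": bad email address");
            if (map.ContainsKey(user)) throw new FormatException("line " + n + ": duplicate user");
            map.Add(user, email);
        }
        return map;
    }
    // True when s contains exactly one sep, with text on both sides of it.
    static bool HasOne(string s, char sep)
    {
        int i = s.IndexOf(sep);
        return i > 0 && i < s.Length - 1 && i == s.LastIndexOf(sep);
    }
    // Returns the mapped email, or null for an unmapped identity (the caller must deny).
    public static string Resolve(Dictionary<string, string> map, string identity)
    {
        string email = null;
        return identity != null && map.TryGetValue(identity, out email) ? email : null;
    }
}
static class Program
{
    static void Main()
    {
        // Constructed sample mapping lines and identities.
        var map = IdentityMap.Parse(new[] { "# sample", "EXAMPLE\\alice=alice@example.com" });
        foreach (var id in new[] { "example\\ALICE", "OTHER\\alice", "alice" })
            Console.WriteLine(id + " -> " + (IdentityMap.Resolve(map, id) ?? "DENY"));
    }
}
```

Only the fully qualified `EXAMPLE\alice` resolves; the same short name in another domain and the unqualified name are both denied.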

Once the permanent API key has been obtained through the LiquidFiles authentication proxy, the plugin/agent will not attempt to re-authenticate until the API key is reset at the LiquidFiles server (and by default this is never done automatically). Therefore, the user does not have to be in the Intranet zone (connected to the IIS module and domain controller) all the time. The user only needs to be connected to the LiquidFiles authentication proxy to obtain the API key.

Therefore, if you make LiquidFiles available both inside and outside the corporate network, and users have laptop computers, they only need to authenticate from within the corporate network the first time. After the API key has been obtained and stored on the laptop, it can be used without a connection to the LiquidFiles authentication proxy.

Requirements

  • LiquidFiles virtual appliance v2.3.13 or later.
  • Windows Domain environment
  • Windows Server 2003 or later with .NET 4 or later and IIS 7 or later on the server
  • Windows XP or later on the client computers.
  • IIS server must be in Intranet zone for client computers, and Intranet zone must allow automatic integrated authentication.
  • LiquidFiles Windows Agent version 2.0.28 or later is required

Configuration

Please check the Windows Auth Proxy Install Guide for instructions on how to configure the server. You do not need to use Kerberos; with Kerberos, initial authentication is a little faster, but the effect is marginal. The LiquidFiles Windows Authentication Proxy does not use Kerberos to talk to the LiquidFiles Appliance. Kerberos and/or NTLM are only used between client machines and IIS/LiquidFiles Windows Authentication Proxy.

You may use GPOs to configure client computers.

Latest version: 0.7 by 2019-03-14

Previous version: 0.6 by 2014-12-18

Upgrades

There are no automated upgrades between versions. You are not likely to need to upgrade this application. If you do, you need to manually merge the new and old web.config files, re-applying the options that you changed.

Known issues

At this moment the product is in beta, and we do not offer an automatic installer or configuration tool, only detailed step-by-step instructions. Please contact us with any concerns about the product.

AD forests where multiple domains exist are not explicitly supported, though support is possible. If you experience problems querying AD forests, please file a support request.

Release Notes

Version 0.7 (Released 2019-04-14)

  • NEW: support for JSON API with LiquidFiles servers 3.0.*
  • NEW: support for JSON client requests from Outlook plugins 2.0.106 and 3.*

Version 0.6 (Released 2013-12-18, updated 2014-12-18)

  • FIX: crashing while trying to detect if current user has admin permissions
  • FIX: crashing while trying to query list of users in Admin mode
  • NEW: options to detect whether current user is administrator (use lookup file, configure LDAP lookup)

Version 0.5 (Released 2013-11-26)

  • FIX: crashing while trying to detect if current user has admin permissions
  • FIX: incorrect HTTP state management resulting in "Object reference not set" error while querying for API key
  • FIX: Considerable delay on querying WinAuthProxy due to trying to detect if current user has admin permissions.

Version 0.4 (Released 2013-11-20)

  • NEW: support for searches in Global Catalog.
  • NEW: administrator can test how AuthProxy works for other users by entering their name in NetBIOS domain format (e.g. MYDOMAIN\username).

Version 0.3 (Released 2013-11-17)

Beta: This is NOT a stable version.

  • NEW: support for querying against Global Catalog, which allows use in environments with multiple domains organized into an AD forest. This is a preview version; if you have such an environment, please contact us to get help installing and configuring it.

Version 0.2 (Released 2013-11-15)

  • FIXED: "Cannot create path" problem.

Version 0.1 (Released 2013-10-06)

  • Initial Release.