SECURING YOUR EMS ENVIRONMENT
EMS Live 2017 (#EMSLIVE17)

Lana Jaff, Customer Support Manager, EMS Software
October 18th, 2017

Securing EMS database & Securing EMS applications

Securing EMS Database – Best Practices

EMS and Database Authentication

• EMS employs an application-level security model. All EMS end-user accounts are provisioned within the EMS application.
• Connectivity between the EMS database and all EMS components can be managed in one of two ways:
  • SQL Server Authentication – using "EMSUser", which is created during the EMS database installation process
  • Windows Authentication mode

Connecting Through SQL Server Authentication

A fixed EMS SQL Server user account (EMSUser) is created during the EMS database installation process.

• Pre-requisite for using SQL Server Authentication:
  • This security model requires that the server authentication for the Microsoft SQL Server on which your EMS database resides be set to mixed mode (SQL Server and Windows Authentication mode). Note: If you select Windows Authentication during setup, Setup creates the sa account for SQL Server Authentication, but it is disabled.
• When selecting Mixed Mode Authentication during SQL Server setup, you must provide and then confirm a strong password for the built-in SQL Server system administrator account named sa.
• The sa account connects by using SQL Server Authentication.
• Any Windows or SQL Server account can be configured as a system administrator. Because the sa account is well known and often targeted by malicious users, do not enable the sa account unless your application requires it. Never set a blank or weak password for the sa account.

Disadvantages of SQL Server Authentication

• If a user is a Windows domain user who has a login and password for Windows, he/she must still provide another (SQL Server) login and password to connect. Keeping track of multiple names and passwords is difficult for many users. Having to provide SQL Server credentials every time one connects to the database can be annoying.
• SQL Server Authentication cannot use the Kerberos security protocol. Kerberos authentication ensures that the client can verify the SQL Server is legitimate (which you can't do with SQL Server authentication).
• Windows offers additional password policies that are not available for SQL Server logins.
• The encrypted SQL Server Authentication login password must be passed over the network at the time of the connection. Some applications that connect automatically will store the password at the client. These are additional attack points.

Disadvantages of SQL Server Authentication (continued)

• For example, consider the scenario in which a trusted database administrator leaves your organization on unfriendly terms.
• If you use Windows authentication mode, revoking that user's access takes place automatically when you disable or remove the DBA's Active Directory account.
• If you use mixed authentication mode, you not only need to disable the DBA's Windows account, but you also need to comb through the local user listings on each database server to ensure that no local accounts exist for which the DBA may know the password. That's a lot of work.

Connecting Through Windows Authentication

• When a user connects through a Windows user account, SQL Server validates the account name and password using the Windows principal token in the operating system.
• This means that the user identity is confirmed by Windows; SQL Server does not ask for the password and does not perform the identity validation.

Advantages of Windows Authentication

• Windows authentication is handled by the operating system, which passes a token to SQL Server for authentication. No password is sent across the network.
• Windows authentication can use the Kerberos security protocol if set up correctly, while SQL authentication can't. Kerberos provides password policy enforcement with regard to complexity validation for strong passwords, provides support for account lockout, and supports password expiration.
• Windows authentication can handle more complex password policies, and in SQL Authentication the DBA can actually turn off the password policies.
• Using Windows authentication allows for an easier separation of duties. A security team can handle the Active Directory users and passwords, while all the SQL Server admin has to do is grant the existing ID the necessary permissions.
• Brute-force attacks: SQL Server will accept (as per design) and try to authenticate, depending on the server, thousands or more new connection requests per second. The SQL account will not be locked out even for invalid credentials. But... AD will lock the account after a number of invalid attempts when using Windows Authentication.

Other points to Note

• Specifying Windows authentication does not disable SQL Server logins. Use the ALTER LOGIN DISABLE Transact-SQL statement to disable highly privileged SQL Server logins.
• We recommend using Windows authentication wherever possible. Windows authentication uses a series of encrypted messages to authenticate users in SQL Server.
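The following script is an added example, not part of the EMS Live deck and not EMS Software's own tooling. It turns the last two slides (sa guidance and ALTER LOGIN DISABLE) into a check a DBA can run against the EMS instance: report the server authentication mode, list every SQL Server login with its enabled and policy state, and disable sa if it is still enabled. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed and that the caller connects as a sysadmin over Windows Authentication; the instance name is a placeholder.

```powershell
# Added example (not from the EMS Live deck): audit SQL Server authentication
# settings on the EMS instance and disable the sa login if it is enabled.
# Assumes the SqlServer module and a sysadmin Windows-authenticated session.
Import-Module SqlServer

$Instance = 'SQLSERVER01\EMS'   # placeholder: your EMS database instance

# IsIntegratedSecurityOnly: 1 = Windows Authentication only, 0 = mixed mode.
$mode = Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS WindowsOnly;
"@
if ($mode.WindowsOnly -eq 1) {
    Write-Host "Server authentication: Windows Authentication mode only"
} else {
    Write-Host "Server authentication: mixed mode (SQL Server logins are accepted)"
}

# Every SQL Server login, whether it is disabled, and whether the Windows
# password policy and expiration checks are enforced for it.
$logins = Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
ORDER BY name;
"@
$logins | Format-Table -AutoSize

# Flag the configurations the deck warns about: an enabled SQL login whose
# password policy has been switched off by the DBA.
foreach ($l in $logins) {
    if ($l.is_disabled -eq 0 -and $l.is_policy_checked -eq 0) {
        Write-Warning "Login '$($l.name)' is enabled with CHECK_POLICY OFF"
    }
}

# sa cannot be dropped; disabling it is the supported control. The same
# ALTER LOGIN statement applies to EMSUser once every EMS component has been
# moved to Windows Authentication.
$sa = $logins | Where-Object { $_.name -eq 'sa' }
if ($sa -and $sa.is_disabled -eq 0) {
    Invoke-Sqlcmd -ServerInstance $Instance -Query "ALTER LOGIN [sa] DISABLE;"
    Write-Host "sa has been disabled"
}
```

Run it from an elevated SQL session after the switch to Windows Authentication; the warning loop is what you would wire into a periodic compliance check, since a login re-enabled or stripped of CHECK_POLICY later is otherwise silent.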

How to implement Windows Authentication in your EMS Environment

MS SQL Configuration for Windows Authentication

Pre-requisites

• An EMS-specific Active Directory security group that contains all of your EMS desktop client users is required. This group will be granted explicit permissions to your EMS and EMS_Master databases.
• An EMS-specific Active Directory user account that is a member of the Active Directory security group outlined above is required. This account will be used to configure this database authentication option for EMS web-based products.

Steps to configure

1. Using Microsoft SQL Server Management Studio, add a login for the EMS Active Directory security group outlined above.
2. Under the User Mapping area, map the login to your "EMS" database.
3. Add the db_datareader and db_datawriter roles.
4. Using Microsoft SQL Server Management Studio, execute the following statement against your EMS database:

   sp_addrolemember 'EMS_Role', 'securitygroup'

   Note: Replace securitygroup with the name of your EMS Active Directory security group.
5. Repeat steps 2 - 4 for the "EMS_Master" database.
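The script below is an added example, not the deck's own material, that performs steps 1 to 5 above with T-SQL rather than the SSMS dialogs, so the change is repeatable and reviewable. It assumes the SqlServer module, a sysadmin connection over Windows Authentication, and that EMS_Role already exists in both databases (the EMS installer creates it, per the deck); the instance and group names are placeholders.

```powershell
# Added example (not the EMS Live deck's script): create the Windows login for
# the EMS AD security group and map it into EMS and EMS_Master with the roles
# the deck lists. Assumes the SqlServer module and a sysadmin session.
Import-Module SqlServer

$Instance = 'SQLSERVER01\EMS'            # placeholder: EMS database instance
$Group    = 'CONTOSO\EMS-Desktop-Users'  # placeholder: EMS-specific AD security group

# Step 1: server-level login for the AD group. No password is stored in SQL
# Server; Windows vouches for group members at connection time.
Invoke-Sqlcmd -ServerInstance $Instance -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Group')
    CREATE LOGIN [$Group] FROM WINDOWS;
"@

# Steps 2-5: map the login into each EMS database and grant the three roles.
foreach ($Db in 'EMS', 'EMS_Master') {
    Invoke-Sqlcmd -ServerInstance $Instance -Database $Db -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Group')
    CREATE USER [$Group] FOR LOGIN [$Group];
IF ISNULL(IS_ROLEMEMBER('db_datareader', '$Group'), 0) = 0
    ALTER ROLE db_datareader ADD MEMBER [$Group];
IF ISNULL(IS_ROLEMEMBER('db_datawriter', '$Group'), 0) = 0
    ALTER ROLE db_datawriter ADD MEMBER [$Group];
IF ISNULL(IS_ROLEMEMBER('EMS_Role', '$Group'), 0) = 0
    EXEC sp_addrolemember 'EMS_Role', '$Group';   -- the statement from step 4
"@
    Write-Host "Mapped $Group into $Db with db_datareader, db_datawriter and EMS_Role"
}

# Verification: list the database roles the group now holds in each database.
foreach ($Db in 'EMS', 'EMS_Master') {
    Invoke-Sqlcmd -ServerInstance $Instance -Database $Db -Query @"
SELECT r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$Group'
ORDER BY r.name;
"@ | ForEach-Object { Write-Host "$Db : $($_.role_name)" }
}
```

The IS_ROLEMEMBER guards make the script safe to re-run; the final query is the evidence you keep that only the EMS group (and not individual accounts or EMSUser) holds these roles.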

EMS Desktop Client Configuration for Windows Authentication

1. Go to the EMS Desktop client user's PC and open the Registry Editor.
2. Locate and expand HKEY_CURRENT_USER.
3. Locate and expand Software.
4. Locate and expand EMS Software.
5. Highlight your EMSx product folder.
6. Right-click and add a DWORD (32-bit) Value.
7. Rename the "New Value #1" entry to UseAuthentication.
8. Modify the Value data field to 1.

EMS Web Applications Configuration for Windows Authentication

1. Access Internet Information Services (IIS) Manager on your web server.
2. Create a new Application Pool that will be used by your EMS web-based application(s) installed on this web server.
3. Change the Application Pool Identity to run under a Custom account.
4. Specify the EMS-specific Active Directory user account outlined in the Pre-requisites section.
5. Change the Application Pool in your EMS web-based application to the pool defined above.
6. Open the web.config file for the EMS web-based product and disable the EMSUser as shown below:

   <add name="deaConnection" useEmsUser="False" useDetailedLogging="true" defaultCommandTimeout="20" />

7. Launch your EMS web-based product to verify connectivity.
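As an added example (not part of the deck, not EMS Software's code), the two procedures above, the desktop-client registry value and the IIS application pool plus web.config change, scripted so they can be applied and verified consistently. It assumes the WebAdministration module on the IIS host; the product folder name, pool name, service account, site and application names and web.config path are placeholders you replace with your own values, and the web.config edit locates the deaConnection entry by name rather than assuming its parent element.

```powershell
# Added example (not from the EMS Live deck): desktop-client and web-tier
# configuration for Windows Authentication. All names are placeholders.

# ---- Desktop client: run in the EMS user's own session on their PC ----------
function Enable-EmsClientWindowsAuth {
    param([string]$ProductFolder)   # the EMSx folder under HKCU\Software\EMS Software
    $key = "HKCU:\Software\EMS Software\$ProductFolder"
    if (-not (Test-Path $key)) { throw "EMS client key not found: $key" }
    # REG_DWORD UseAuthentication = 1 switches the client to Windows Authentication.
    New-ItemProperty -Path $key -Name 'UseAuthentication' -PropertyType DWord -Value 1 -Force | Out-Null
    $v = (Get-ItemProperty -Path $key -Name 'UseAuthentication').UseAuthentication
    if ($v -ne 1) { throw "UseAuthentication was not set under $key" }
    Write-Host "$key\UseAuthentication = $v"
}

# ---- Web server: run as an administrator on the IIS host --------------------
function Enable-EmsWebWindowsAuth {
    param(
        [string]$PoolName,        # new application pool dedicated to the EMS web apps
        [string]$ServiceAccount,  # EMS-specific AD user, member of the EMS security group
        [string]$Site,            # e.g. 'Default Web Site'
        [string]$App,             # e.g. 'EMSWebApp'
        [string]$WebConfigPath    # path to that application's web.config
    )
    Import-Module WebAdministration

    # Steps 2-4: create the pool and run it under the custom AD account.
    $cred = Get-Credential -UserName $ServiceAccount -Message 'EMS service account password'
    if (-not (Test-Path "IIS:\AppPools\$PoolName")) { New-WebAppPool -Name $PoolName | Out-Null }
    Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
        identityType = 'SpecificUser'
        userName     = $ServiceAccount
        password     = $cred.GetNetworkCredential().Password
    }

    # Step 5: move the EMS web application onto the new pool.
    Set-ItemProperty "IIS:\Sites\$Site\$App" -Name applicationPool -Value $PoolName

    # Step 6: useEmsUser="False" so the app connects as the pool identity, not EMSUser.
    [xml]$cfg = Get-Content -Raw $WebConfigPath
    $conn = $cfg.SelectSingleNode("//add[@name='deaConnection']")
    if (-not $conn) { throw "deaConnection entry not found in $WebConfigPath" }
    $conn.SetAttribute('useEmsUser', 'False')
    $cfg.Save($WebConfigPath)
    Write-Host "Pool '$PoolName' runs as $ServiceAccount; $App uses it; useEmsUser=False"
}

# Example invocations with placeholder values (step 7, browsing to the site
# to verify connectivity, is done by hand afterwards):
# Enable-EmsClientWindowsAuth -ProductFolder 'EMS'
# Enable-EmsWebWindowsAuth -PoolName 'EMSAppPool' -ServiceAccount 'CONTOSO\svc-ems' `
#     -Site 'Default Web Site' -App 'EMSWebApp' `
#     -WebConfigPath 'C:\inetpub\wwwroot\EMSWebApp\web.config'
```

The service account password is prompted for rather than embedded, and the registry function checks the value back after writing it; if the client still prompts for SQL credentials afterwards, the product folder name is the first thing to re-check.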

Securing EMS Applications – Best Practice

Using HTTPS

• Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to.
• HTTPS uses the SSL or TLS protocol to establish encrypted links between a web server and a browser in an online communication.
• The usage of SSL/TLS technology ensures that all data transmitted between the web server and browser remains encrypted.
• You can set up SSL for EMS web applications the same way as you do for any other website in IIS. No configuration changes are needed within EMS applications.

How to setup an HTTPS site in IIS

• Obtain a certificate for your server.
• Create an HTTPS binding at the site level.
• The default settings for a new binding are set to HTTP on port 80. Select https in the Type drop-down list. Select the self-signed certificate you created in the previous section from the SSL Certificate drop-down list, and then click OK.
• Browse to the EMS application site using HTTPS.
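An added example, not from the deck, of the same HTTPS binding created from PowerShell, which is how you would repeat it across several EMS web servers. It assumes the WebAdministration module and a server certificate already installed in the machine's Personal store (self-signed or CA-issued, as the slide leaves open); the site name, host name and certificate subject are placeholders.

```powershell
# Added example (not from the EMS Live deck): create the site-level HTTPS
# binding for the EMS site and attach the server certificate to port 443.
Import-Module WebAdministration

function Add-EmsHttpsBinding {
    param(
        [string]$Site,        # e.g. 'Default Web Site'
        [string]$CertSubject  # e.g. 'CN=ems.contoso.com' (placeholder)
    )
    # Pick the newest unexpired certificate in LocalMachine\My with that subject.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $CertSubject -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No valid certificate with subject $CertSubject in LocalMachine\My" }

    # Site-level binding of type https on 443 (a new binding defaults to http/80).
    if (-not (Get-WebBinding -Name $Site -Protocol https -Port 443)) {
        New-WebBinding -Name $Site -Protocol https -Port 443
    }
    # Attach the certificate to 0.0.0.0:443, the SSL Certificate drop-down step.
    $sslPath = 'IIS:\SslBindings\0.0.0.0!443'
    if (-not (Test-Path $sslPath)) { $cert | New-Item $sslPath | Out-Null }

    Write-Host "HTTPS binding on '$Site' uses $($cert.Thumbprint) (expires $($cert.NotAfter))"
}

# Browse to the EMS application over HTTPS and return the status code; run this
# before you remove or redirect the plain HTTP binding.
function Test-EmsHttps {
    param([string]$Url)   # e.g. 'https://ems.contoso.com/EMSWebApp/' (placeholder)
    $r = Invoke-WebRequest -Uri $Url -UseBasicParsing
    return $r.StatusCode
}

# Add-EmsHttpsBinding -Site 'Default Web Site' -CertSubject 'CN=ems.contoso.com'
# Test-EmsHttps -Url 'https://ems.contoso.com/EMSWebApp/'
```

The expiry check matters operationally: a binding attached to an expired certificate keeps working in IIS but every browser will warn, so re-running this after renewal re-selects the newest certificate.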

Integrated Authentication

• The Integrated Authentication module provides single-sign-on capability using one of the following authentication methods:
  • Windows Authentication
  • LDAP Authentication
  • Portal Authentication (e.g. SAML)

Note: You need to obtain a separate license to use this module.

Windows Authentication

• Integrated Windows Authentication (IWA) is a built-in Microsoft Internet Information Services (IIS) authentication protocol that can be used to automatically authenticate and sign in a web user. It can be used for all EMS applications that use the web user accounts.
• Integrated Windows Authentication is best used on intranets where all clients accessing EMS are within a single domain.
• When a domain user logged onto a networked PC hits the EMS site, their Active Directory credentials (Domain\User ID) are compared against the corresponding Domain\User ID information recorded in the Network ID field of your EMS Web User records. If a match exists, the Web User will be automatically logged into the EMS site.
• In IIS, enable Windows Authentication at the application level and disable Anonymous.
• Populate the Network ID field for your web users.
• Supported EMS Applications: EMS Web application, Desktop client, Mobile Application (Platform Services).
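The IIS step on this slide (Windows Authentication on, Anonymous off, at the application level only) as an added example that is not part of the deck. It assumes the WebAdministration module and the IIS Windows Authentication feature are installed; the site and application names are placeholders.

```powershell
# Added example (not from the EMS Live deck): enable Integrated Windows
# Authentication for the EMS web application in IIS and read the state back.
Import-Module WebAdministration

$AuthBase = 'system.webServer/security/authentication'

function Set-EmsIntegratedWindowsAuth {
    param([string]$Site, [string]$App)   # e.g. 'Default Web Site', 'EMSWebApp'
    $location = "$Site/$App"
    # Scope the change to the application with -Location so other applications
    # on the same site keep their own authentication settings.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
        -Filter "$AuthBase/windowsAuthentication" -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
        -Filter "$AuthBase/anonymousAuthentication" -Name enabled -Value $false
}

# Returns the effective settings so the change can be verified (or audited later):
# the expected result for an IWA-enabled EMS app is WindowsAuth=True, Anonymous=False.
function Get-EmsAuthState {
    param([string]$Site, [string]$App)
    $location = "$Site/$App"
    $win  = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
                -Filter "$AuthBase/windowsAuthentication" -Name enabled
    $anon = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
                -Filter "$AuthBase/anonymousAuthentication" -Name enabled
    [pscustomobject]@{
        Application = $location
        WindowsAuth = [bool]$win.Value
        Anonymous   = [bool]$anon.Value
    }
}

# Set-EmsIntegratedWindowsAuth -Site 'Default Web Site' -App 'EMSWebApp'
# Get-EmsAuthState -Site 'Default Web Site' -App 'EMSWebApp'
```

Leaving Anonymous enabled alongside Windows Authentication is the common mistake: IIS then never challenges the browser, so the EMS site sees no Domain\User ID and nothing matches the Network ID field. Get-EmsAuthState makes that state visible.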

LDAP Authentication

• Lightweight Directory Access Protocol (LDAP) is an application protocol for querying directory information. The LDAP Authentication method provides single-sign-on capability using your organization's LDAP environment and can be used in both intranet and internet deployments of the EMS site.
• When a user logs into an EMS site with their User ID and Password, their credentials are authenticated against LDAP and compared against corresponding user information recorded in the Network ID and/or External Reference fields of your EMS Web User records. If a match exists, the Web User will be logged into EMS, inheriting any Web Process Template rights that their LDAP Group has been assigned.
• Log into the Web Application with a Web User that belongs to a Web Security Template containing the Web Administrator role (Configuration > Web > Web Security Templates).
• Populate your LDAP server information at http://[ServerName]/EMSWebApp/LDAPConfiguration.aspx on the web app and test the configuration using an account in your LDAP server.
• Populate the External Reference/Network ID fields for your web users.
• Supported EMS Applications: EMS Web application, Desktop client, Mobile Application (Platform services), Kiosk, Campus Planning Interface.

Portal Authentication

• The Portal Authentication method provides single sign-on capability using your organization's portal.
• When a user logs into some EMS applications, a predefined user-specific variable (e.g. email address, employee/student ID, network ID, etc.) captured by your portal/sign-on page is compared against corresponding information recorded in the Network ID and/or External Reference fields of your EMS Web User records. If a match exists, the Web User will be automatically logged into EMS.
• The "Field Used to Authenticate Web User" web app parameter (within System Administration > Settings > Parameters, Everyday User Applications tab) is used by the Web App to determine which value should be used for authentication.
• Several built-in authentication methods to pass in credentials are available, including:
  • Server Variable (Header Variable)
  • Session
  • Form
  • Cookie
  • Query String
  • Federated (SAML)
• Direct users to the default EMS Web App page (http://[ServerName]/EMSWebApp/Default.aspx).
• Supported EMS Applications: EMS Web application, Mobile Application (Platform services).

Thank You

EMSLIVE17EMSLIVE17

Securing EMS Database ndash Best Practices

EMSLIVE17

bull EMS employs an application-level security model All

EMS end-user accounts are provisioned within the EMS

application

bull Connectivity between the EMS database and all EMS

components can be managed in one of two ways

bull SQL Server Authentication ndash using ldquoEMSUserrdquo that is created

during the EMS database installation process

bull Windows Authentication mode

EMS and Database Authentication

EMSLIVE17

Fixed EMS SQL Server user account (EMSUser) is created during the EMS database

installation process

bull Pre-requisite for using SQL Server Authentication

bull This security model requires that the server authentication for the Microsoft SQL Server that your EMS database resides on

must be set to a mixed mode (SQL Server and Windows Authentication mode) Note If you select Windows Authentication during setup Setup creates the sa account for SQL Server Authentication but it is disabled

bull When selecting Mixed Mode Authentication during SQL server setup you must provide and then confirm a strong password for the built-in SQL Server system administrator account named sa

bull The sa account connects by using SQL Server Authentication

bull Any Windows or SQL Server account can be configured as a system administrator Because the sa account is well

known and often targeted by malicious users do not enable the sa account unless your application requires it

Never set a blank or weak password for the sa account

Connecting Through SQL Server Authentication

EMSLIVE17

bull If a user is a Windows domain user who has a login and password for Windows heshe must

still provide another (SQL Server) login and password to connect Keeping track of multiple

names and passwords is difficult for many users Having to provide SQL Server credentials

every time that one connects to the database can be annoying

bull SQL Server Authentication cannot use Kerberos security protocol Kerberos authentication

ensures that the client can verify the SQL Server is legitimate (which you cant do with SQL

Server authentication)

bull Windows offers additional password policies that are not available for SQL Server logins

bull The encrypted SQL Server Authentication login password must be passed over the network

at the time of the connection Some applications that connect automatically will store the

password at the client These are additional attack points

Disadvantages of SQL Server Authentication

EMSLIVE17

bull For example consider the scenario in which a trusted database

administrator leaves your organization on unfriendly terms

bull If you use Windows authentication mode revoking that userrsquos access

takes place automatically when you disable or remove the DBArsquos

Active Directory account

bull If you use mixed authentication mode you not only need to disable the

DBArsquos Windows account but you also need to comb through the local

user listings on each database server to ensure that no local accounts

exist in which the DBA may know the password Thatrsquos a lot of work

Disadvantages of SQL Server Authentication

EMSLIVE17

bull When a user connects through a Windows user

account SQL Server validates the account name and

password using the Windows principal token in the

operating system

bull This means that the user identity is confirmed by

Windows SQL Server does not ask for the password

and does not perform the identity validation

Connecting Through Windows Authentication

EMSLIVE17

bull Windows authentication is handled by the operating system and passes a token to SQL for authentication No

password is sent across the network

bull Windows authentication can use Kerberos security protocol if set up correctly while SQL authentication canrsquot

Kerberos security protocol provides password policy enforcement with regard to complexity validation for

strong passwords provides support for account lockout and supports password expiration

bull Windows authentication can handle more complex password policies and in SQL Authentication the DBA can

actually turn off the password policies

bull Using windows authentication allows for an easier separation of duties A security team can handle the Active

Directory users and passwords while all the SQL Server admin has to do is grant the existing ID necessary

permissions

bull Brute force attack SQL will accept ndashas per design- and try to authenticate -depending on the server-

thousands or more new connections request by second The SQL account will not be locked even for invalid

credentials ButhellipThe AD will lock the account after a number of invalid attempts when using Windows Auth

Advantages of Windows Authentication

EMSLIVE17

bull Specifying Windows authentication does not disable SQL Server

logins Use the ALTER LOGIN DISABLE Transact-SQL statement

to disable highly-privileged SQL Server logins

bull We recommend using Windows authentication wherever

possible Windows authentication uses a series of encrypted

messages to authenticate users in SQL Server

Other points to Note

EMSLIVE17EMSLIVE17

How to implement Windows Authentication

in your EMS Environment

EMSLIVE17

Pre-requisites

bull An EMS-specific Active Directory security group that contains all of your EMS desktop client users is required This group will be granted explicit permissions

to your EMS and EMS_Master databases

bull An EMS-specific Active Directory user account that is a member of the Active Directory security group outlined above is required This account will be used

to configure this database authentication option for EMS web based products

Steps to configure

1 Using Microsoft SQL Server Management Studio add a login for the EMS Active Directory security group outlined above

2 Under the User Mapping area map the login to your ldquoEMSrdquo database

3 Add the db_datareader and db_datawriter roles

4 Using Microsoft SQL Server Management Studio execute the following statement against your EMS database

sp_addrolemember EMS_Role securitygrouprsquo

Note Replace securitygroup with the name of your EMS Active Directory security group

5 Repeat steps 2 - 4 for ldquoEMS_Masterrdquo database

MS SQL Configuration for Windows Authentication

EMSLIVE17

1 Go to EMS Desktop client userrsquos PC and open the Registry Editor

2 Locate and expand HKEY_CURRENT_USER

3 Locate and expand Software

4 Locate and expand EMS Software

5 Highlight your EMSx product folder

6 Right-click and add a DWORD (32-bit) Value

7 Rename the New Value 1 entry to UseAuthentication

8 Modify the Value data field to 1

EMS Desktop Client Configuration for Windows Authentication

EMSLIVE17

1 Access Internet Information Services (IIS) Manager on your Web Server

2 Create a new Application Pool that will be used by your EMS web based application(s) installed on this web server

3 Change the Application Pool Identity to run under a Custom account

4 Specify the EMS-specific Active Directory user account outlined in the Pre-Installation Requirements section

5 Change the Application Pool in your EMS web based application to the pool defined above

6 Open the webconfig file for the EMS web based product and disable the EMSUser as shown below

ltadd name=deaConnection useEmsUser=False useDetailedLogging=true defaultCommandTimeout=20gt

7 Launch your EMS web based product to verify connectivity

EMS Web Applications Configuration for Windows Authentication

EMSLIVE17EMSLIVE17

Securing EMS Applications ndash Best Practice

EMSLIVE17

bull Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP the protocol over which data is sent between your browser and the website that you are connected to

bull HTTPS uses SSL or TLS protocol to establish encrypted links between a web server and a browser in an online communication

bull The usage of SSL TLS technology ensures that all data transmitted between the web server and browser remains encrypted

bull You can setup SSL for EMS web applications the same way as you do for any other website in IIS No configuration changes needed within EMS applications

Using HTTPS

EMSLIVE17

bull Obtain a certificate for your server

bull Create a HTTPS Binding on the site level

bull The default settings for a new binding are set to HTTP on port 80

Select https in the Type drop-down list Select the self-signed

certificate you created in the previous section from the SSL

Certificate drop-down list and then click OK

bull Browse to the EMS application site using HTTPS

How to setup an HTTPS site in IIS

EMSLIVE17

bull The Integrated Authentication module provides single-sign-on capability using one of the following authentication methods

bull Windows Authentication

bull LDAP Authentication

bull Portal Authentication (eg SAML)

Note You need to obtain a separate license to use this module

Integrated Authentication

EMSLIVE17

bull Integrated Windows Authentication (IWA) is a built-in Microsoft Internet Information Services (IIS)

authentication protocol that can be used to automatically authenticate and sign-in a web user It can be used

for all EMS applications that use the web user accounts

bull Integrated Windows Authentication is best used on intranets where all clients accessing EMS are within a

single domain

bull When a domain user logged onto a networked PC hits the EMS site their Active Directory credentials

(DomainUser ID) are compared against corresponding DomainUser ID information recorded in the Network

ID field of your EMS Web User records If a match exists the Web User will be automatically logged-into the

EMS site

bull In IIS enable Windows Authentication on the application level and disable Anonymous

bull Populate the NetworkID field for your web users

bull Supported EMS Applications EMS Web application Desktop client Mobile Application (Platform Services)

Windows Authentication

EMSLIVE17

bull Lightweight Directory Access Protocol (LDAP) is an application protocol for querying directory information The LDAP

Authentication method provides single-sign-on capability using your organizationrsquos LDAP environment and can be used in

both intranet and internet deployments of EMS site

bull When a user logs-into an EMS Site with their User ID and Password their credentials are authenticated against LDAP and

compared against corresponding user information recorded in the Network ID andor External Reference fields of your

EMS Web User records If a match exists the Web User will be logged-into EMS inheriting any Web Process Template

rights that their LDAP Group has been assigned to

bull Log-into Web Application with a Web User that belongs to a Web Security Template containing the Web Administrator role

(Configuration gt Web gt Web Security Templates)

bull Populate your LDAP server information in http[ServerName] EMSWebAppLDAPConfigurationaspx in this page on the

web app page and test the configuration using an account in your LDAP server

bull Populate the External referenceNetwork ID fields for your web users

bull Supported EMS Applications EMS Web application Desktop client Mobile Application (Platform services) Kiosk Campus

Planning Interface

LDAP Authentication

EMSLIVE17

bull The Portal Authentication method provides single sign-on capability using your organizationrsquos portal

bull When a user logged into some EMS applications a predefined user-specific variable (eg email address employeestudent ID network ID etc) captured by your portalsign-on page is compared against corresponding information recorded in the Network ID andor External Reference fields of your EMS Web User records If a match exists the Web User will be automatically logged-into EMS

bull The Field Used to Authenticate Web User web app Parameter (within System Administration gt Settings gt Parameters (Everyday user applications tab) is used by the Web App to determine which value should be used for authentication

bull Several built-in authentication methods to pass-in credentials are available including

bull Server Variable (Header Variable)

bull Session

bull Form

bull Cookie

bull Query String

bull Federated (SAML)

bull Direct users to the default EMS Web app page (http[ServerName]EMSWebAppDefaultaspx )

bull Supported EMS Applications EMS Web application Mobile Application (Platform services)

Portal Authentication

EMSLIVE17EMSLIVE17

Thank You

EMSLIVE17

bull EMS employs an application-level security model All

EMS end-user accounts are provisioned within the EMS

application

bull Connectivity between the EMS database and all EMS

components can be managed in one of two ways

bull SQL Server Authentication ndash using ldquoEMSUserrdquo that is created

during the EMS database installation process

bull Windows Authentication mode

EMS and Database Authentication

EMSLIVE17

Fixed EMS SQL Server user account (EMSUser) is created during the EMS database

installation process

bull Pre-requisite for using SQL Server Authentication

bull This security model requires that the server authentication for the Microsoft SQL Server that your EMS database resides on

must be set to a mixed mode (SQL Server and Windows Authentication mode) Note If you select Windows Authentication during setup Setup creates the sa account for SQL Server Authentication but it is disabled

bull When selecting Mixed Mode Authentication during SQL server setup you must provide and then confirm a strong password for the built-in SQL Server system administrator account named sa

bull The sa account connects by using SQL Server Authentication

bull Any Windows or SQL Server account can be configured as a system administrator Because the sa account is well

known and often targeted by malicious users do not enable the sa account unless your application requires it

Never set a blank or weak password for the sa account

Connecting Through SQL Server Authentication

EMSLIVE17

bull If a user is a Windows domain user who has a login and password for Windows heshe must

still provide another (SQL Server) login and password to connect Keeping track of multiple

names and passwords is difficult for many users Having to provide SQL Server credentials

every time that one connects to the database can be annoying

bull SQL Server Authentication cannot use Kerberos security protocol Kerberos authentication

ensures that the client can verify the SQL Server is legitimate (which you cant do with SQL

Server authentication)

bull Windows offers additional password policies that are not available for SQL Server logins

bull The encrypted SQL Server Authentication login password must be passed over the network

at the time of the connection Some applications that connect automatically will store the

password at the client These are additional attack points

Disadvantages of SQL Server Authentication

EMSLIVE17

bull For example consider the scenario in which a trusted database

administrator leaves your organization on unfriendly terms

bull If you use Windows authentication mode revoking that userrsquos access

takes place automatically when you disable or remove the DBArsquos

Active Directory account

bull If you use mixed authentication mode you not only need to disable the

DBArsquos Windows account but you also need to comb through the local

user listings on each database server to ensure that no local accounts

exist in which the DBA may know the password Thatrsquos a lot of work

Disadvantages of SQL Server Authentication

EMSLIVE17

bull When a user connects through a Windows user

account SQL Server validates the account name and

password using the Windows principal token in the

operating system

bull This means that the user identity is confirmed by

Windows SQL Server does not ask for the password

and does not perform the identity validation

Connecting Through Windows Authentication

EMSLIVE17

bull Windows authentication is handled by the operating system and passes a token to SQL for authentication No

password is sent across the network

bull Windows authentication can use Kerberos security protocol if set up correctly while SQL authentication canrsquot

Kerberos security protocol provides password policy enforcement with regard to complexity validation for

strong passwords provides support for account lockout and supports password expiration

bull Windows authentication can handle more complex password policies and in SQL Authentication the DBA can

actually turn off the password policies

bull Using windows authentication allows for an easier separation of duties A security team can handle the Active

Directory users and passwords while all the SQL Server admin has to do is grant the existing ID necessary

permissions

bull Brute force attack SQL will accept ndashas per design- and try to authenticate -depending on the server-

thousands or more new connections request by second The SQL account will not be locked even for invalid

credentials ButhellipThe AD will lock the account after a number of invalid attempts when using Windows Auth

Advantages of Windows Authentication

EMSLIVE17

bull Specifying Windows authentication does not disable SQL Server

logins Use the ALTER LOGIN DISABLE Transact-SQL statement

to disable highly-privileged SQL Server logins

bull We recommend using Windows authentication wherever

possible Windows authentication uses a series of encrypted

messages to authenticate users in SQL Server

Other points to Note

EMSLIVE17EMSLIVE17

How to implement Windows Authentication

in your EMS Environment

EMSLIVE17

Pre-requisites

bull An EMS-specific Active Directory security group that contains all of your EMS desktop client users is required This group will be granted explicit permissions

to your EMS and EMS_Master databases

bull An EMS-specific Active Directory user account that is a member of the Active Directory security group outlined above is required This account will be used

to configure this database authentication option for EMS web based products

Steps to configure

1 Using Microsoft SQL Server Management Studio add a login for the EMS Active Directory security group outlined above

2 Under the User Mapping area map the login to your ldquoEMSrdquo database

3 Add the db_datareader and db_datawriter roles

4 Using Microsoft SQL Server Management Studio execute the following statement against your EMS database

sp_addrolemember EMS_Role securitygrouprsquo

Note Replace securitygroup with the name of your EMS Active Directory security group

5 Repeat steps 2 - 4 for ldquoEMS_Masterrdquo database

MS SQL Configuration for Windows Authentication

EMSLIVE17

1. Go to the EMS Desktop client user's PC and open the Registry Editor.

2. Locate and expand HKEY_CURRENT_USER.

3. Locate and expand Software.

4. Locate and expand EMS Software.

5. Highlight your EMSx product folder.

6. Right-click and add a DWORD (32-bit) Value.

7. Rename the New Value #1 entry to UseAuthentication.

8. Modify the Value data field to 1.

EMS Desktop Client Configuration for Windows Authentication

1. Access Internet Information Services (IIS) Manager on your Web Server.

2. Create a new Application Pool that will be used by your EMS web based application(s) installed on this web server.

3. Change the Application Pool Identity to run under a Custom account.

4. Specify the EMS-specific Active Directory user account outlined in the Pre-Installation Requirements section.

5. Change the Application Pool in your EMS web based application to the pool defined above.

6. Open the web.config file for the EMS web based product and disable the EMSUser as shown below:

<add name="deaConnection" useEmsUser="False" useDetailedLogging="true" defaultCommandTimeout="20" />

7. Launch your EMS web based product to verify connectivity.

EMS Web Applications Configuration for Windows Authentication
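Steps 2 to 7 of the IIS procedure above as an added PowerShell example (not EMS Software's own script), using the WebAdministration module: it creates the pool under the AD service account, moves the application onto it, flips useEmsUser on the deaConnection element, and confirms the identity and the response. Pool, site, account, file and URL names are assumptions.

```powershell
#Requires -Modules WebAdministration
#Requires -RunAsAdministrator
# Added example, not from the EMS deck: "EMS Web Applications Configuration for
# Windows Authentication" done from PowerShell instead of IIS Manager.
param(
    [string]$PoolName    = 'EMSWebAppPool',                           # assumption
    [string]$AppPath     = 'IIS:\Sites\Default Web Site\EMSWebApp',   # assumption: the EMS web app
    [string]$ServiceUser = 'CONTOSO\svc-ems-web',                     # the EMS-specific AD account
    [string]$WebConfig   = 'C:\inetpub\wwwroot\EMSWebApp\web.config', # assumption
    [string]$TestUrl     = 'http://localhost/EMSWebApp/Default.aspx'  # assumption
)
Import-Module WebAdministration

# Steps 2-4: a dedicated pool whose identity is the AD account (identityType 3 = SpecificUser).
# That account, through its AD group membership, is what carries the database rights now.
if (-not (Test-Path "IIS:\AppPools\$PoolName")) {
    New-WebAppPool -Name $PoolName | Out-Null
}
$cred = Get-Credential -UserName $ServiceUser -Message "Password for $ServiceUser"
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 3
    userName     = $ServiceUser
    password     = $cred.GetNetworkCredential().Password
}

# Step 5: move the EMS web application onto that pool.
Set-ItemProperty $AppPath -Name applicationPool -Value $PoolName

# Step 6: set useEmsUser="False" on the deaConnection element, keeping a backup of the file.
Copy-Item $WebConfig "$WebConfig.bak" -Force
[xml]$cfg = Get-Content -Path $WebConfig -Raw
$conn = $cfg.SelectSingleNode("//add[@name='deaConnection']")
if ($null -eq $conn) { throw "No <add name=""deaConnection""> element found in $WebConfig" }
$conn.SetAttribute('useEmsUser', 'False')
$cfg.Save($WebConfig)

# Step 7: recycle so the new identity is used, then verify the pool identity and the app.
Restart-WebAppPool -Name $PoolName
$identity = (Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel).userName
"$PoolName runs as $identity; useEmsUser is now $($conn.GetAttribute('useEmsUser'))"
$resp = Invoke-WebRequest -Uri $TestUrl -UseBasicParsing -UseDefaultCredentials
"HTTP $($resp.StatusCode) from $TestUrl"
```

If the final request fails after the identity change, the usual cause is that the service account is not yet a member of the EMS AD security group from the Pre-requisites.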

Securing EMS Applications – Best Practice

• Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to.

• HTTPS uses the SSL or TLS protocol to establish encrypted links between a web server and a browser in an online communication.

• The usage of SSL/TLS technology ensures that all data transmitted between the web server and browser remains encrypted.

• You can set up SSL for EMS web applications the same way as you do for any other website in IIS. No configuration changes are needed within EMS applications.

Using HTTPS

• Obtain a certificate for your server.

• Create an HTTPS Binding on the site level.

• The default settings for a new binding are set to HTTP on port 80. Select https in the Type drop-down list. Select the self-signed certificate you created in the previous section from the SSL Certificate drop-down list, and then click OK.

• Browse to the EMS application site using HTTPS.

How to set up an HTTPS site in IIS
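The same HTTPS binding steps as an added PowerShell example (not EMS Software's own script): it locates the server certificate, creates the https/443 binding the IIS Manager dialog would, attaches the certificate, and checks the result. Site name, host name and certificate lookup are assumptions.

```powershell
#Requires -Modules WebAdministration
#Requires -RunAsAdministrator
# Added example, not from the EMS deck: "How to set up an HTTPS site in IIS" from PowerShell.
param(
    [string]$SiteName   = 'Default Web Site',     # assumption: the IIS site hosting EMS
    [string]$HostHeader = 'ems.contoso.example',  # assumption: the name on the certificate
    [string]$Thumbprint                           # optional: thumbprint of the cert you obtained
)
Import-Module WebAdministration

# Step 1: find the server certificate in the machine store, by thumbprint if given,
# otherwise the newest certificate whose subject matches the host name.
$cert = if ($Thumbprint) {
    Get-Item "Cert:\LocalMachine\My\$Thumbprint"
} else {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$HostHeader*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}
if (-not $cert)                    { throw "No certificate for $HostHeader in LocalMachine\My" }
if (-not $cert.HasPrivateKey)      { throw 'Certificate has no private key; IIS cannot use it' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
if ($cert.Subject -eq $cert.Issuer) {
    Write-Warning 'Self-signed certificate: usable for a test site, but browsers will not trust it'
}

# Step 2: the https binding. A new binding defaults to http on port 80, so type and
# port are set explicitly, as in the Type drop-down of the Add Site Binding dialog.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostHeader
}

# Attach the certificate to the binding (the "SSL Certificate" drop-down in IIS Manager).
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
New-Item $sslBinding -Value $cert | Out-Null

# Step 3: confirm the binding and certificate before browsing to the site over HTTPS.
Get-WebBinding -Name $SiteName -Protocol https | Select-Object protocol, bindingInformation
"Bound $($cert.Thumbprint) (expires $($cert.NotAfter.ToShortDateString())) to https://$HostHeader/"
```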

• The Integrated Authentication module provides single-sign-on capability using one of the following authentication methods:

  • Windows Authentication

  • LDAP Authentication

  • Portal Authentication (e.g. SAML)

Note: You need to obtain a separate license to use this module.

Integrated Authentication

• Integrated Windows Authentication (IWA) is a built-in Microsoft Internet Information Services (IIS) authentication protocol that can be used to automatically authenticate and sign in a web user. It can be used for all EMS applications that use the web user accounts.

• Integrated Windows Authentication is best used on intranets where all clients accessing EMS are within a single domain.

• When a domain user logged onto a networked PC hits the EMS site, their Active Directory credentials (Domain\User ID) are compared against the corresponding Domain\User ID information recorded in the Network ID field of your EMS Web User records. If a match exists, the Web User will be automatically logged into the EMS site.

• In IIS, enable Windows Authentication on the application level and disable Anonymous.

• Populate the Network ID field for your web users.

• Supported EMS Applications: EMS Web application, Desktop client, Mobile Application (Platform Services).

Windows Authentication
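The IIS part of the Windows Authentication setup above, as an added example (not EMS Software's own script): it enables Windows Authentication and disables Anonymous for one application, then reads the effective values back, because IWA with Anonymous still enabled lets browsers skip the Windows logon entirely. The application path is an assumption.

```powershell
#Requires -Modules WebAdministration
#Requires -RunAsAdministrator
# Added example, not from the EMS deck: "enable Windows Authentication on the
# application level and disable Anonymous", with a read-back check.
param(
    [string]$AppPath = 'IIS:\Sites\Default Web Site\EMSWebApp'   # assumption: the EMS web app
)
Import-Module WebAdministration

$authBase = 'system.webServer/security/authentication'

# Writing through the IIS: provider with -PSPath stores the setting in the
# application's <location> in applicationHost.config, so the server-level lock
# on these sections does not get in the way.
Set-WebConfigurationProperty -PSPath $AppPath -Filter "$authBase/windowsAuthentication"   -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $AppPath -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false

# Check: read the effective values rather than trusting that the writes took effect.
$win  = (Get-WebConfigurationProperty -PSPath $AppPath -Filter "$authBase/windowsAuthentication"   -Name enabled).Value
$anon = (Get-WebConfigurationProperty -PSPath $AppPath -Filter "$authBase/anonymousAuthentication" -Name enabled).Value
if (-not $win -or $anon) {
    throw "Unexpected authentication state on $AppPath : windows=$win anonymous=$anon"
}
"$AppPath : Windows Authentication enabled, Anonymous disabled"
```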

• Lightweight Directory Access Protocol (LDAP) is an application protocol for querying directory information. The LDAP Authentication method provides single-sign-on capability using your organization's LDAP environment and can be used in both intranet and internet deployments of the EMS site.

• When a user logs into an EMS Site with their User ID and Password, their credentials are authenticated against LDAP and compared against corresponding user information recorded in the Network ID and/or External Reference fields of your EMS Web User records. If a match exists, the Web User will be logged into EMS, inheriting any Web Process Template rights that their LDAP Group has been assigned.

• Log into the Web Application with a Web User that belongs to a Web Security Template containing the Web Administrator role (Configuration > Web > Web Security Templates).

• Populate your LDAP server information on the http://[ServerName]/EMSWebApp/LDAPConfiguration.aspx page of the web app and test the configuration using an account in your LDAP server.

• Populate the External Reference/Network ID fields for your web users.

• Supported EMS Applications: EMS Web application, Desktop client, Mobile Application (Platform services), Kiosk, Campus Planning Interface.

LDAP Authentication

• The Portal Authentication method provides single sign-on capability using your organization's portal.

• When a user logs into some EMS applications, a predefined user-specific variable (e.g. email address, employee/student ID, network ID, etc.) captured by your portal/sign-on page is compared against corresponding information recorded in the Network ID and/or External Reference fields of your EMS Web User records. If a match exists, the Web User will be automatically logged into EMS.

• The "Field Used to Authenticate Web User" web app Parameter (within System Administration > Settings > Parameters, Everyday user applications tab) is used by the Web App to determine which value should be used for authentication.

• Several built-in authentication methods to pass in credentials are available, including:

  • Server Variable (Header Variable)

  • Session

  • Form

  • Cookie

  • Query String

  • Federated (SAML)

• Direct users to the default EMS Web app page (http://[ServerName]/EMSWebApp/Default.aspx).

• Supported EMS Applications: EMS Web application, Mobile Application (Platform services).

Portal Authentication

Thank You

Fixed EMS SQL Server user account (EMSUser) is created during the EMS database

installation process

bull Pre-requisite for using SQL Server Authentication

bull This security model requires that the server authentication for the Microsoft SQL Server that your EMS database resides on

must be set to a mixed mode (SQL Server and Windows Authentication mode) Note If you select Windows Authentication during setup Setup creates the sa account for SQL Server Authentication but it is disabled

bull When selecting Mixed Mode Authentication during SQL server setup you must provide and then confirm a strong password for the built-in SQL Server system administrator account named sa

bull The sa account connects by using SQL Server Authentication

bull Any Windows or SQL Server account can be configured as a system administrator Because the sa account is well

known and often targeted by malicious users do not enable the sa account unless your application requires it

Never set a blank or weak password for the sa account

Connecting Through SQL Server Authentication

EMSLIVE17

bull If a user is a Windows domain user who has a login and password for Windows heshe must

still provide another (SQL Server) login and password to connect Keeping track of multiple

names and passwords is difficult for many users Having to provide SQL Server credentials

every time that one connects to the database can be annoying

bull SQL Server Authentication cannot use Kerberos security protocol Kerberos authentication

ensures that the client can verify the SQL Server is legitimate (which you cant do with SQL

Server authentication)

bull Windows offers additional password policies that are not available for SQL Server logins

bull The encrypted SQL Server Authentication login password must be passed over the network

at the time of the connection Some applications that connect automatically will store the

password at the client These are additional attack points

Disadvantages of SQL Server Authentication

EMSLIVE17

bull For example consider the scenario in which a trusted database

administrator leaves your organization on unfriendly terms

bull If you use Windows authentication mode revoking that userrsquos access

takes place automatically when you disable or remove the DBArsquos

Active Directory account

bull If you use mixed authentication mode you not only need to disable the

DBArsquos Windows account but you also need to comb through the local

user listings on each database server to ensure that no local accounts

exist in which the DBA may know the password Thatrsquos a lot of work

Disadvantages of SQL Server Authentication

EMSLIVE17

bull When a user connects through a Windows user

account SQL Server validates the account name and

password using the Windows principal token in the

operating system

bull This means that the user identity is confirmed by

Windows SQL Server does not ask for the password

and does not perform the identity validation

Connecting Through Windows Authentication

EMSLIVE17

bull Windows authentication is handled by the operating system and passes a token to SQL for authentication No

password is sent across the network

bull Windows authentication can use Kerberos security protocol if set up correctly while SQL authentication canrsquot

Kerberos security protocol provides password policy enforcement with regard to complexity validation for

strong passwords provides support for account lockout and supports password expiration

bull Windows authentication can handle more complex password policies and in SQL Authentication the DBA can

actually turn off the password policies

bull Using windows authentication allows for an easier separation of duties A security team can handle the Active

Directory users and passwords while all the SQL Server admin has to do is grant the existing ID necessary

permissions

bull Brute force attack SQL will accept ndashas per design- and try to authenticate -depending on the server-

thousands or more new connections request by second The SQL account will not be locked even for invalid

credentials ButhellipThe AD will lock the account after a number of invalid attempts when using Windows Auth

Advantages of Windows Authentication

EMSLIVE17

bull Specifying Windows authentication does not disable SQL Server

logins Use the ALTER LOGIN DISABLE Transact-SQL statement

to disable highly-privileged SQL Server logins

bull We recommend using Windows authentication wherever

possible Windows authentication uses a series of encrypted

messages to authenticate users in SQL Server

Other points to Note

EMSLIVE17EMSLIVE17

How to implement Windows Authentication

in your EMS Environment

EMSLIVE17

Pre-requisites

bull An EMS-specific Active Directory security group that contains all of your EMS desktop client users is required This group will be granted explicit permissions

to your EMS and EMS_Master databases

bull An EMS-specific Active Directory user account that is a member of the Active Directory security group outlined above is required This account will be used

to configure this database authentication option for EMS web based products

Steps to configure

1 Using Microsoft SQL Server Management Studio add a login for the EMS Active Directory security group outlined above

2 Under the User Mapping area map the login to your ldquoEMSrdquo database

3 Add the db_datareader and db_datawriter roles

4 Using Microsoft SQL Server Management Studio execute the following statement against your EMS database

sp_addrolemember EMS_Role securitygrouprsquo

Note Replace securitygroup with the name of your EMS Active Directory security group

5 Repeat steps 2 - 4 for ldquoEMS_Masterrdquo database

MS SQL Configuration for Windows Authentication

EMSLIVE17

1 Go to EMS Desktop client userrsquos PC and open the Registry Editor

2 Locate and expand HKEY_CURRENT_USER

3 Locate and expand Software

4 Locate and expand EMS Software

5 Highlight your EMSx product folder

6 Right-click and add a DWORD (32-bit) Value

7 Rename the New Value 1 entry to UseAuthentication

8 Modify the Value data field to 1

EMS Desktop Client Configuration for Windows Authentication

EMSLIVE17

1 Access Internet Information Services (IIS) Manager on your Web Server

2 Create a new Application Pool that will be used by your EMS web based application(s) installed on this web server

3 Change the Application Pool Identity to run under a Custom account

4 Specify the EMS-specific Active Directory user account outlined in the Pre-Installation Requirements section

5 Change the Application Pool in your EMS web based application to the pool defined above

6 Open the webconfig file for the EMS web based product and disable the EMSUser as shown below

ltadd name=deaConnection useEmsUser=False useDetailedLogging=true defaultCommandTimeout=20gt

7 Launch your EMS web based product to verify connectivity

EMS Web Applications Configuration for Windows Authentication

EMSLIVE17EMSLIVE17

Securing EMS Applications ndash Best Practice

EMSLIVE17

bull Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP the protocol over which data is sent between your browser and the website that you are connected to

bull HTTPS uses SSL or TLS protocol to establish encrypted links between a web server and a browser in an online communication

bull The usage of SSL TLS technology ensures that all data transmitted between the web server and browser remains encrypted

bull You can setup SSL for EMS web applications the same way as you do for any other website in IIS No configuration changes needed within EMS applications

Using HTTPS

EMSLIVE17

bull Obtain a certificate for your server

bull Create a HTTPS Binding on the site level

bull The default settings for a new binding are set to HTTP on port 80

Select https in the Type drop-down list Select the self-signed

certificate you created in the previous section from the SSL

Certificate drop-down list and then click OK

bull Browse to the EMS application site using HTTPS

How to setup an HTTPS site in IIS

EMSLIVE17

bull The Integrated Authentication module provides single-sign-on capability using one of the following authentication methods

bull Windows Authentication

bull LDAP Authentication

bull Portal Authentication (eg SAML)

Note You need to obtain a separate license to use this module

Integrated Authentication

EMSLIVE17

bull Integrated Windows Authentication (IWA) is a built-in Microsoft Internet Information Services (IIS)

authentication protocol that can be used to automatically authenticate and sign-in a web user It can be used

for all EMS applications that use the web user accounts

bull Integrated Windows Authentication is best used on intranets where all clients accessing EMS are within a

single domain

bull When a domain user logged onto a networked PC hits the EMS site their Active Directory credentials

(DomainUser ID) are compared against corresponding DomainUser ID information recorded in the Network

ID field of your EMS Web User records If a match exists the Web User will be automatically logged-into the

EMS site

bull In IIS enable Windows Authentication on the application level and disable Anonymous

bull Populate the NetworkID field for your web users

bull Supported EMS Applications EMS Web application Desktop client Mobile Application (Platform Services)

Windows Authentication

EMSLIVE17

bull Lightweight Directory Access Protocol (LDAP) is an application protocol for querying directory information The LDAP

Authentication method provides single-sign-on capability using your organizationrsquos LDAP environment and can be used in

both intranet and internet deployments of EMS site

bull When a user logs-into an EMS Site with their User ID and Password their credentials are authenticated against LDAP and

compared against corresponding user information recorded in the Network ID andor External Reference fields of your

EMS Web User records If a match exists the Web User will be logged-into EMS inheriting any Web Process Template

rights that their LDAP Group has been assigned to

bull Log-into Web Application with a Web User that belongs to a Web Security Template containing the Web Administrator role

(Configuration gt Web gt Web Security Templates)

bull Populate your LDAP server information in http[ServerName] EMSWebAppLDAPConfigurationaspx in this page on the

web app page and test the configuration using an account in your LDAP server

bull Populate the External referenceNetwork ID fields for your web users

bull Supported EMS Applications EMS Web application Desktop client Mobile Application (Platform services) Kiosk Campus

Planning Interface

LDAP Authentication

EMSLIVE17

bull The Portal Authentication method provides single sign-on capability using your organizationrsquos portal

bull When a user logged into some EMS applications a predefined user-specific variable (eg email address employeestudent ID network ID etc) captured by your portalsign-on page is compared against corresponding information recorded in the Network ID andor External Reference fields of your EMS Web User records If a match exists the Web User will be automatically logged-into EMS

bull The Field Used to Authenticate Web User web app Parameter (within System Administration gt Settings gt Parameters (Everyday user applications tab) is used by the Web App to determine which value should be used for authentication

bull Several built-in authentication methods to pass-in credentials are available including

bull Server Variable (Header Variable)

bull Session

bull Form

bull Cookie

bull Query String

bull Federated (SAML)

bull Direct users to the default EMS Web app page (http[ServerName]EMSWebAppDefaultaspx )

bull Supported EMS Applications EMS Web application Mobile Application (Platform services)

Portal Authentication

EMSLIVE17EMSLIVE17

Thank You

EMSLIVE17

bull If a user is a Windows domain user who has a login and password for Windows heshe must

still provide another (SQL Server) login and password to connect Keeping track of multiple

names and passwords is difficult for many users Having to provide SQL Server credentials

every time that one connects to the database can be annoying

bull SQL Server Authentication cannot use Kerberos security protocol Kerberos authentication

ensures that the client can verify the SQL Server is legitimate (which you cant do with SQL

Server authentication)

bull Windows offers additional password policies that are not available for SQL Server logins

bull The encrypted SQL Server Authentication login password must be passed over the network

at the time of the connection Some applications that connect automatically will store the

password at the client These are additional attack points

Disadvantages of SQL Server Authentication

EMSLIVE17

bull For example consider the scenario in which a trusted database

administrator leaves your organization on unfriendly terms

bull If you use Windows authentication mode revoking that userrsquos access

takes place automatically when you disable or remove the DBArsquos

Active Directory account

bull If you use mixed authentication mode you not only need to disable the

DBArsquos Windows account but you also need to comb through the local

user listings on each database server to ensure that no local accounts

exist in which the DBA may know the password Thatrsquos a lot of work

Disadvantages of SQL Server Authentication

EMSLIVE17

bull When a user connects through a Windows user

account SQL Server validates the account name and

password using the Windows principal token in the

operating system

bull This means that the user identity is confirmed by

Windows SQL Server does not ask for the password

and does not perform the identity validation

Connecting Through Windows Authentication

EMSLIVE17

bull Windows authentication is handled by the operating system and passes a token to SQL for authentication No

password is sent across the network

bull Windows authentication can use Kerberos security protocol if set up correctly while SQL authentication canrsquot

Kerberos security protocol provides password policy enforcement with regard to complexity validation for

strong passwords provides support for account lockout and supports password expiration

bull Windows authentication can handle more complex password policies and in SQL Authentication the DBA can

actually turn off the password policies

bull Using windows authentication allows for an easier separation of duties A security team can handle the Active

Directory users and passwords while all the SQL Server admin has to do is grant the existing ID necessary

permissions

bull Brute force attack SQL will accept ndashas per design- and try to authenticate -depending on the server-

thousands or more new connections request by second The SQL account will not be locked even for invalid

credentials ButhellipThe AD will lock the account after a number of invalid attempts when using Windows Auth

Advantages of Windows Authentication

EMSLIVE17

bull Specifying Windows authentication does not disable SQL Server

logins Use the ALTER LOGIN DISABLE Transact-SQL statement

to disable highly-privileged SQL Server logins

bull We recommend using Windows authentication wherever

possible Windows authentication uses a series of encrypted

messages to authenticate users in SQL Server

Other points to Note

EMSLIVE17EMSLIVE17

How to implement Windows Authentication

in your EMS Environment

EMSLIVE17

Pre-requisites

bull An EMS-specific Active Directory security group that contains all of your EMS desktop client users is required This group will be granted explicit permissions

to your EMS and EMS_Master databases

bull An EMS-specific Active Directory user account that is a member of the Active Directory security group outlined above is required This account will be used

to configure this database authentication option for EMS web based products

Steps to configure

1 Using Microsoft SQL Server Management Studio add a login for the EMS Active Directory security group outlined above

2 Under the User Mapping area map the login to your ldquoEMSrdquo database

3 Add the db_datareader and db_datawriter roles

4 Using Microsoft SQL Server Management Studio execute the following statement against your EMS database

sp_addrolemember EMS_Role securitygrouprsquo

Note Replace securitygroup with the name of your EMS Active Directory security group

5 Repeat steps 2 - 4 for ldquoEMS_Masterrdquo database

MS SQL Configuration for Windows Authentication

EMSLIVE17

1 Go to EMS Desktop client userrsquos PC and open the Registry Editor

2 Locate and expand HKEY_CURRENT_USER

3 Locate and expand Software

4 Locate and expand EMS Software

5 Highlight your EMSx product folder

6 Right-click and add a DWORD (32-bit) Value

7 Rename the New Value 1 entry to UseAuthentication

8 Modify the Value data field to 1

EMS Desktop Client Configuration for Windows Authentication

EMSLIVE17

1 Access Internet Information Services (IIS) Manager on your Web Server

2 Create a new Application Pool that will be used by your EMS web based application(s) installed on this web server

3 Change the Application Pool Identity to run under a Custom account

4 Specify the EMS-specific Active Directory user account outlined in the Pre-Installation Requirements section

5 Change the Application Pool in your EMS web based application to the pool defined above

6 Open the webconfig file for the EMS web based product and disable the EMSUser as shown below

ltadd name=deaConnection useEmsUser=False useDetailedLogging=true defaultCommandTimeout=20gt

7 Launch your EMS web based product to verify connectivity

EMS Web Applications Configuration for Windows Authentication

EMSLIVE17EMSLIVE17

Securing EMS Applications ndash Best Practice

EMSLIVE17

bull Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP the protocol over which data is sent between your browser and the website that you are connected to

bull HTTPS uses SSL or TLS protocol to establish encrypted links between a web server and a browser in an online communication

bull The usage of SSL TLS technology ensures that all data transmitted between the web server and browser remains encrypted

bull You can setup SSL for EMS web applications the same way as you do for any other website in IIS No configuration changes needed within EMS applications

Using HTTPS

EMSLIVE17

bull Obtain a certificate for your server

bull Create a HTTPS Binding on the site level

bull The default settings for a new binding are set to HTTP on port 80

Select https in the Type drop-down list Select the self-signed

certificate you created in the previous section from the SSL

Certificate drop-down list and then click OK

bull Browse to the EMS application site using HTTPS

How to setup an HTTPS site in IIS

EMSLIVE17

bull The Integrated Authentication module provides single-sign-on capability using one of the following authentication methods

bull Windows Authentication

bull LDAP Authentication

bull Portal Authentication (eg SAML)

Note You need to obtain a separate license to use this module

Integrated Authentication

EMSLIVE17

bull Integrated Windows Authentication (IWA) is a built-in Microsoft Internet Information Services (IIS)

authentication protocol that can be used to automatically authenticate and sign-in a web user It can be used

for all EMS applications that use the web user accounts

bull Integrated Windows Authentication is best used on intranets where all clients accessing EMS are within a

single domain

bull When a domain user logged onto a networked PC hits the EMS site their Active Directory credentials

(DomainUser ID) are compared against corresponding DomainUser ID information recorded in the Network

ID field of your EMS Web User records If a match exists the Web User will be automatically logged-into the

EMS site

bull In IIS enable Windows Authentication on the application level and disable Anonymous

bull Populate the NetworkID field for your web users

bull Supported EMS Applications EMS Web application Desktop client Mobile Application (Platform Services)

Windows Authentication

EMSLIVE17

bull Lightweight Directory Access Protocol (LDAP) is an application protocol for querying directory information The LDAP

Authentication method provides single-sign-on capability using your organizationrsquos LDAP environment and can be used in

both intranet and internet deployments of EMS site

bull When a user logs-into an EMS Site with their User ID and Password their credentials are authenticated against LDAP and

compared against corresponding user information recorded in the Network ID andor External Reference fields of your

EMS Web User records If a match exists the Web User will be logged-into EMS inheriting any Web Process Template

rights that their LDAP Group has been assigned to

bull Log-into Web Application with a Web User that belongs to a Web Security Template containing the Web Administrator role

(Configuration gt Web gt Web Security Templates)

bull Populate your LDAP server information in http[ServerName] EMSWebAppLDAPConfigurationaspx in this page on the

web app page and test the configuration using an account in your LDAP server

bull Populate the External referenceNetwork ID fields for your web users

bull Supported EMS Applications EMS Web application Desktop client Mobile Application (Platform services) Kiosk Campus

Planning Interface

LDAP Authentication

EMSLIVE17

bull The Portal Authentication method provides single sign-on capability using your organizationrsquos portal

bull When a user logged into some EMS applications a predefined user-specific variable (eg email address employeestudent ID network ID etc) captured by your portalsign-on page is compared against corresponding information recorded in the Network ID andor External Reference fields of your EMS Web User records If a match exists the Web User will be automatically logged-into EMS

bull The Field Used to Authenticate Web User web app Parameter (within System Administration gt Settings gt Parameters (Everyday user applications tab) is used by the Web App to determine which value should be used for authentication

bull Several built-in authentication methods to pass-in credentials are available including

bull Server Variable (Header Variable)

bull Session

bull Form

bull Cookie

bull Query String

bull Federated (SAML)

bull Direct users to the default EMS Web app page (http[ServerName]EMSWebAppDefaultaspx )

bull Supported EMS Applications EMS Web application Mobile Application (Platform services)

Portal Authentication

EMSLIVE17EMSLIVE17

Thank You

EMSLIVE17

bull For example consider the scenario in which a trusted database

administrator leaves your organization on unfriendly terms

bull If you use Windows authentication mode revoking that userrsquos access

takes place automatically when you disable or remove the DBArsquos

Active Directory account

bull If you use mixed authentication mode you not only need to disable the

DBArsquos Windows account but you also need to comb through the local

user listings on each database server to ensure that no local accounts

exist in which the DBA may know the password Thatrsquos a lot of work

Disadvantages of SQL Server Authentication

EMSLIVE17

bull When a user connects through a Windows user

account SQL Server validates the account name and

password using the Windows principal token in the

operating system

bull This means that the user identity is confirmed by

Windows SQL Server does not ask for the password

and does not perform the identity validation

Connecting Through Windows Authentication

EMSLIVE17

bull Windows authentication is handled by the operating system and passes a token to SQL for authentication No

password is sent across the network

bull Windows authentication can use Kerberos security protocol if set up correctly while SQL authentication canrsquot

Kerberos security protocol provides password policy enforcement with regard to complexity validation for

strong passwords provides support for account lockout and supports password expiration

bull Windows authentication can handle more complex password policies and in SQL Authentication the DBA can

actually turn off the password policies

bull Using windows authentication allows for an easier separation of duties A security team can handle the Active

Directory users and passwords while all the SQL Server admin has to do is grant the existing ID necessary

permissions

bull Brute force attack SQL will accept ndashas per design- and try to authenticate -depending on the server-

thousands or more new connections request by second The SQL account will not be locked even for invalid

credentials ButhellipThe AD will lock the account after a number of invalid attempts when using Windows Auth

Advantages of Windows Authentication

EMSLIVE17

bull Specifying Windows authentication does not disable SQL Server

logins Use the ALTER LOGIN DISABLE Transact-SQL statement

to disable highly-privileged SQL Server logins

bull We recommend using Windows authentication wherever

possible Windows authentication uses a series of encrypted

messages to authenticate users in SQL Server

Other points to Note

EMSLIVE17EMSLIVE17

How to implement Windows Authentication

in your EMS Environment

EMSLIVE17

MS SQL Configuration for Windows Authentication

Pre-requisites

• An EMS-specific Active Directory security group that contains all of your EMS desktop client users is required. This group will be granted explicit permissions to your EMS and EMS_Master databases.

• An EMS-specific Active Directory user account that is a member of the Active Directory security group outlined above is required. This account will be used to configure this database authentication option for EMS web-based products.

Steps to configure

1. Using Microsoft SQL Server Management Studio, add a login for the EMS Active Directory security group outlined above.

2. Under the User Mapping area, map the login to your "EMS" database.

3. Add the db_datareader and db_datawriter roles.

4. Using Microsoft SQL Server Management Studio, execute the following statement against your EMS database:

   sp_addrolemember 'EMS_Role', 'securitygroup'

   Note: Replace securitygroup with the name of your EMS Active Directory security group.

5. Repeat steps 2 - 4 for the "EMS_Master" database.
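The SSMS steps above, scripted as T-SQL run through PowerShell. This is an added example and not EMS Software's own script; the instance name and the group name CONTOSO\EMS-DesktopUsers are placeholders, and it assumes the SqlServer PowerShell module and a connection that is sysadmin on the instance.

```powershell
# Added example (not from the EMS Software deck): grants an AD security group
# access to the EMS and EMS_Master databases as steps 1-5 describe, using
# T-SQL instead of the SSMS dialogs. Requires the SqlServer module
# (Install-Module SqlServer) and a sysadmin connection to the instance.
$Instance = 'SQLHOST\EMS'                 # placeholder instance name
$Group    = 'CONTOSO\EMS-DesktopUsers'    # placeholder EMS-specific AD group

# Step 1: one server-level login for the whole AD group. No password is
# stored in SQL Server; Windows/Kerberos does the authentication.
Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Group')
    CREATE LOGIN [$Group] FROM WINDOWS;
"@

# Steps 2-5: map the login into each database and add the roles the deck
# lists (db_datareader, db_datawriter and the application's EMS_Role).
foreach ($Db in 'EMS', 'EMS_Master') {
    Invoke-Sqlcmd -ServerInstance $Instance -Database $Db -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Group')
    CREATE USER [$Group] FOR LOGIN [$Group];
ALTER ROLE db_datareader ADD MEMBER [$Group];
ALTER ROLE db_datawriter ADD MEMBER [$Group];
EXEC sp_addrolemember N'EMS_Role', N'$Group';
"@
}

# Verification: list the roles the group now holds in each database.
foreach ($Db in 'EMS', 'EMS_Master') {
    Invoke-Sqlcmd -ServerInstance $Instance -Database $Db -Query @"
SELECT r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$Group';
"@ | ForEach-Object { '{0}: {1}' -f $Db, $_.role_name }
}

# Once every EMS component connects through Windows authentication, the
# SQL login it used to share can be disabled rather than dropped (see
# "Other points to note"). Check the current state first:
Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query @"
SELECT name, is_disabled FROM sys.sql_logins WHERE name IN (N'EMSUser', N'sa');
"@
# Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query 'ALTER LOGIN [EMSUser] DISABLE;'
```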

EMS Desktop Client Configuration for Windows Authentication

1. Go to the EMS Desktop Client user's PC and open the Registry Editor.

2. Locate and expand HKEY_CURRENT_USER.

3. Locate and expand Software.

4. Locate and expand EMS Software.

5. Highlight your EMSx product folder.

6. Right-click and add a DWORD (32-bit) Value.

7. Rename the "New Value #1" entry to UseAuthentication.

8. Modify the Value data field to 1.

EMS Web Applications Configuration for Windows Authentication

1. Access Internet Information Services (IIS) Manager on your web server.

2. Create a new Application Pool that will be used by your EMS web-based application(s) installed on this web server.

3. Change the Application Pool Identity to run under a Custom account.

4. Specify the EMS-specific Active Directory user account outlined in the Pre-Installation Requirements section.

5. Change the Application Pool in your EMS web-based application to the pool defined above.

6. Open the web.config file for the EMS web-based product and disable the EMSUser as shown below:

   <add name="deaConnection" useEmsUser="False" useDetailedLogging="true" defaultCommandTimeout="20" />

7. Launch your EMS web-based product to verify connectivity.
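The desktop client registry flag and the IIS application pool / web.config changes from the two procedures above, scripted in PowerShell. This is an added example, not EMS Software's own tooling; the product folder name, site and application names, pool name and the service account CONTOSO\svc-ems-web are placeholders, and the IIS part assumes an elevated session with the WebAdministration module.

```powershell
# Added example (not from the EMS Software deck). Two parts:
#  - Enable-EmsClientWindowsAuth: run on each desktop client user's PC (HKCU
#    is per profile), implements registry steps 2-8.
#  - the IIS section: run on the web server, implements web app steps 2-6.
Import-Module WebAdministration

# --- EMS Desktop Client ---
# "EMSx" in the deck is the product-specific folder; placeholder name here.
$ClientKey = 'HKCU:\Software\EMS Software\EMS'   # placeholder product folder
function Enable-EmsClientWindowsAuth {
    param([string]$Key = $ClientKey)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # DWORD (32-bit) UseAuthentication = 1, as in steps 6-8
    New-ItemProperty -Path $Key -Name 'UseAuthentication' -PropertyType DWord `
        -Value 1 -Force | Out-Null
    # returns $true when the value reads back as 1
    (Get-ItemProperty -Path $Key -Name 'UseAuthentication').UseAuthentication -eq 1
}

# --- EMS web application (IIS) ---
$PoolName   = 'EmsWebAppPool'                           # placeholder
$SitePath   = 'IIS:\Sites\Default Web Site\EMSWebApp'   # placeholder app path
$SvcAccount = 'CONTOSO\svc-ems-web'                     # placeholder AD account
# Prompt for the password instead of embedding it in the script.
$SvcCred = Get-Credential -UserName $SvcAccount -Message 'EMS app pool identity'

# Steps 2-4: dedicated pool running as the EMS-specific AD account
if (-not (Test-Path "IIS:\AppPools\$PoolName")) { New-WebAppPool -Name $PoolName | Out-Null }
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $SvcCred.UserName
    password     = $SvcCred.GetNetworkCredential().Password
}

# Step 5: point the EMS application at that pool
Set-ItemProperty $SitePath -Name applicationPool -Value $PoolName

# Step 6: switch the deaConnection entry off EMSUser in web.config
function Disable-EmsUserInWebConfig {
    param([string]$Path)
    [xml]$cfg = Get-Content -Path $Path -Raw
    $node = $cfg.SelectSingleNode("//add[@name='deaConnection']")
    if ($null -eq $node) { throw "deaConnection entry not found in $Path" }
    $node.SetAttribute('useEmsUser', 'False')
    $cfg.Save($Path)
    # read back the attribute from disk; expected 'False'
    (Select-Xml -Path $Path -XPath "//add[@name='deaConnection']").Node.useEmsUser
}
$physical = [Environment]::ExpandEnvironmentVariables(
    (Get-ItemProperty -Path $SitePath).physicalPath)
Disable-EmsUserInWebConfig -Path (Join-Path $physical 'web.config')
```

After the pool recycles, step 7 (launching the web product) is the connectivity check; a failed SQL login at that point usually means the service account is not in the AD group granted in the MS SQL configuration.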

Securing EMS Applications – Best Practice

Using HTTPS

• Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to.

• HTTPS uses the SSL or TLS protocol to establish encrypted links between a web server and a browser in an online communication.

• The usage of SSL/TLS technology ensures that all data transmitted between the web server and browser remains encrypted.

• You can set up SSL for EMS web applications the same way as you do for any other website in IIS. No configuration changes are needed within EMS applications.

How to set up an HTTPS site in IIS

• Obtain a certificate for your server.

• Create an HTTPS binding at the site level.

• The default settings for a new binding are set to HTTP on port 80. Select https in the Type drop-down list. Select the self-signed certificate you created in the previous section from the SSL Certificate drop-down list, and then click OK.

• Browse to the EMS application site using HTTPS.
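The same site-level HTTPS binding created from PowerShell rather than IIS Manager, with a check that the certificate is actually attached. This is an added example, not from the deck; the site name and host name are placeholders, the self-signed certificate stands in for the one "created in the previous section", and it assumes an elevated session with the WebAdministration module.

```powershell
# Added example (not from the EMS Software deck): HTTPS binding for the
# IIS site hosting EMS, as in the four bullets above.
Import-Module WebAdministration
$SiteName = 'Default Web Site'        # placeholder
$HostName = 'ems.contoso.example'     # placeholder

# Step 1: obtain a certificate. The deck uses a self-signed one; a test
# certificate is generated here. In production, import the CA-issued
# certificate into Cert:\LocalMachine\My and point $Cert at it instead.
$Cert = New-SelfSignedCertificate -DnsName $HostName `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# Step 2: the default new binding is http/80; add https on 443 instead.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
}

# Step 3: attach the certificate (the "SSL Certificate" drop-down in IIS Manager).
$SslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $SslPath) { Remove-Item $SslPath }
New-Item -Path $SslPath -Value $Cert | Out-Null

# Verification: binding exists and the bound thumbprint is the one we chose.
function Test-EmsHttpsBinding {
    param([string]$Site, [string]$Thumbprint)
    $binding = Get-WebBinding -Name $Site -Protocol https -Port 443
    $ssl     = Get-Item 'IIS:\SslBindings\0.0.0.0!443' -ErrorAction SilentlyContinue
    ($null -ne $binding) -and ($null -ne $ssl) -and ($ssl.Thumbprint -eq $Thumbprint)
}
Test-EmsHttpsBinding -Site $SiteName -Thumbprint $Cert.Thumbprint   # expected: True

# Step 4: browse to https://$HostName/EMSWebApp/ to confirm the site answers
# over HTTPS; a browser warning is expected with the self-signed test cert.
```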

Integrated Authentication

• The Integrated Authentication module provides single-sign-on capability using one of the following authentication methods:

  • Windows Authentication

  • LDAP Authentication

  • Portal Authentication (e.g. SAML)

Note: You need to obtain a separate license to use this module.

Windows Authentication

• Integrated Windows Authentication (IWA) is a built-in Microsoft Internet Information Services (IIS) authentication protocol that can be used to automatically authenticate and sign in a web user. It can be used for all EMS applications that use the web user accounts.

• Integrated Windows Authentication is best used on intranets where all clients accessing EMS are within a single domain.

• When a domain user logged onto a networked PC hits the EMS site, their Active Directory credentials (Domain\User ID) are compared against the corresponding Domain\User ID information recorded in the Network ID field of your EMS Web User records. If a match exists, the Web User will be automatically logged into the EMS site.

• In IIS, enable Windows Authentication at the application level and disable Anonymous Authentication.

• Populate the Network ID field for your web users.

• Supported EMS applications: EMS Web application, Desktop Client, Mobile Application (Platform Services).
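The IIS part of the setup above (Windows Authentication on, Anonymous off, scoped to the EMS application rather than the whole site), scripted and read back. This is an added example, not from the deck; the site and application names are placeholders, and it assumes an elevated session with the WebAdministration module.

```powershell
# Added example (not from the EMS Software deck): application-level IWA
# settings for the EMS web app, plus a read-back of the resulting state.
Import-Module WebAdministration
$Site     = 'Default Web Site'   # placeholder
$App      = 'EMSWebApp'          # placeholder
$Location = "$Site/$App"
$AuthBase = 'system.webServer/security/authentication'

# Both authentication sections are locked at server level by default, so an
# application-level override is rejected until they are unlocked.
foreach ($section in 'windowsAuthentication', 'anonymousAuthentication') {
    Set-WebConfiguration -Filter "$AuthBase/$section" -PSPath 'IIS:\' `
        -Metadata overrideMode -Value Allow
}

# Enable Windows Authentication and disable Anonymous for the EMS app only;
# -Location keeps other applications on the site untouched.
Set-WebConfigurationProperty -Filter "$AuthBase/windowsAuthentication" `
    -Name enabled -Value $true  -PSPath 'IIS:\' -Location $Location
Set-WebConfigurationProperty -Filter "$AuthBase/anonymousAuthentication" `
    -Name enabled -Value $false -PSPath 'IIS:\' -Location $Location

# Read the effective settings back; with anonymous left enabled IIS would
# never challenge the browser and the Network ID match could not happen.
function Get-EmsAuthState {
    param([string]$Loc)
    $win  = Get-WebConfigurationProperty -Filter "$AuthBase/windowsAuthentication" `
        -Name enabled -PSPath 'IIS:\' -Location $Loc
    $anon = Get-WebConfigurationProperty -Filter "$AuthBase/anonymousAuthentication" `
        -Name enabled -PSPath 'IIS:\' -Location $Loc
    [pscustomobject]@{
        Location    = $Loc
        WindowsAuth = [bool]$win.Value    # expected True
        Anonymous   = [bool]$anon.Value   # expected False
    }
}
Get-EmsAuthState -Loc $Location
```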

LDAP Authentication

• Lightweight Directory Access Protocol (LDAP) is an application protocol for querying directory information. The LDAP Authentication method provides single-sign-on capability using your organization's LDAP environment and can be used in both intranet and internet deployments of the EMS site.

• When a user logs into an EMS site with their User ID and Password, their credentials are authenticated against LDAP and compared against the corresponding user information recorded in the Network ID and/or External Reference fields of your EMS Web User records. If a match exists, the Web User will be logged into EMS, inheriting any Web Process Template rights that their LDAP group has been assigned.

• Log into the Web Application with a Web User that belongs to a Web Security Template containing the Web Administrator role (Configuration > Web > Web Security Templates).

• Populate your LDAP server information on the http://[ServerName]/EMSWebApp/LDAPConfiguration.aspx page of the web app, and test the configuration using an account in your LDAP server.

• Populate the External Reference/Network ID fields for your web users.

• Supported EMS applications: EMS Web application, Desktop Client, Mobile Application (Platform Services), Kiosk, Campus Planning Interface.

Portal Authentication

• The Portal Authentication method provides single-sign-on capability using your organization's portal.

• When a user logs into some EMS applications, a predefined user-specific variable (e.g. email address, employee/student ID, network ID, etc.) captured by your portal/sign-on page is compared against the corresponding information recorded in the Network ID and/or External Reference fields of your EMS Web User records. If a match exists, the Web User will be automatically logged into EMS.

• The "Field Used to Authenticate Web User" web app parameter (within System Administration > Settings > Parameters, Everyday User Applications tab) is used by the Web App to determine which value should be used for authentication.

• Several built-in authentication methods to pass in credentials are available, including:

  • Server Variable (Header Variable)

  • Session

  • Form

  • Cookie

  • Query String

  • Federated (SAML)

• Direct users to the default EMS Web App page (http://[ServerName]/EMSWebApp/Default.aspx).

• Supported EMS applications: EMS Web application, Mobile Application (Platform Services).

Thank You

EMSLIVE17

bull When a user connects through a Windows user

account SQL Server validates the account name and

password using the Windows principal token in the

operating system

bull This means that the user identity is confirmed by

Windows SQL Server does not ask for the password

and does not perform the identity validation

Connecting Through Windows Authentication

EMSLIVE17

bull Windows authentication is handled by the operating system and passes a token to SQL for authentication No

password is sent across the network

bull Windows authentication can use Kerberos security protocol if set up correctly while SQL authentication canrsquot

Kerberos security protocol provides password policy enforcement with regard to complexity validation for

strong passwords provides support for account lockout and supports password expiration

bull Windows authentication can handle more complex password policies and in SQL Authentication the DBA can

actually turn off the password policies

bull Using windows authentication allows for an easier separation of duties A security team can handle the Active

Directory users and passwords while all the SQL Server admin has to do is grant the existing ID necessary

permissions

bull Brute force attack SQL will accept ndashas per design- and try to authenticate -depending on the server-

thousands or more new connections request by second The SQL account will not be locked even for invalid

credentials ButhellipThe AD will lock the account after a number of invalid attempts when using Windows Auth

Advantages of Windows Authentication

EMSLIVE17

bull Specifying Windows authentication does not disable SQL Server

logins Use the ALTER LOGIN DISABLE Transact-SQL statement

to disable highly-privileged SQL Server logins

bull We recommend using Windows authentication wherever

possible Windows authentication uses a series of encrypted

messages to authenticate users in SQL Server

Other points to Note

EMSLIVE17EMSLIVE17

How to implement Windows Authentication

in your EMS Environment

EMSLIVE17

Pre-requisites

bull An EMS-specific Active Directory security group that contains all of your EMS desktop client users is required This group will be granted explicit permissions

to your EMS and EMS_Master databases

bull An EMS-specific Active Directory user account that is a member of the Active Directory security group outlined above is required This account will be used

to configure this database authentication option for EMS web based products

Steps to configure

1 Using Microsoft SQL Server Management Studio add a login for the EMS Active Directory security group outlined above

2 Under the User Mapping area map the login to your ldquoEMSrdquo database

3 Add the db_datareader and db_datawriter roles

4 Using Microsoft SQL Server Management Studio execute the following statement against your EMS database

sp_addrolemember EMS_Role securitygrouprsquo

Note Replace securitygroup with the name of your EMS Active Directory security group

5 Repeat steps 2 - 4 for ldquoEMS_Masterrdquo database

MS SQL Configuration for Windows Authentication

EMSLIVE17

1 Go to EMS Desktop client userrsquos PC and open the Registry Editor

2 Locate and expand HKEY_CURRENT_USER

3 Locate and expand Software

4 Locate and expand EMS Software

5 Highlight your EMSx product folder

6 Right-click and add a DWORD (32-bit) Value

7 Rename the New Value 1 entry to UseAuthentication

8 Modify the Value data field to 1

EMS Desktop Client Configuration for Windows Authentication

EMSLIVE17

1 Access Internet Information Services (IIS) Manager on your Web Server

2 Create a new Application Pool that will be used by your EMS web based application(s) installed on this web server

3 Change the Application Pool Identity to run under a Custom account

4 Specify the EMS-specific Active Directory user account outlined in the Pre-Installation Requirements section

5 Change the Application Pool in your EMS web based application to the pool defined above

6 Open the webconfig file for the EMS web based product and disable the EMSUser as shown below

ltadd name=deaConnection useEmsUser=False useDetailedLogging=true defaultCommandTimeout=20gt

7 Launch your EMS web based product to verify connectivity

EMS Web Applications Configuration for Windows Authentication

EMSLIVE17EMSLIVE17

Securing EMS Applications ndash Best Practice

EMSLIVE17

bull Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP the protocol over which data is sent between your browser and the website that you are connected to

bull HTTPS uses SSL or TLS protocol to establish encrypted links between a web server and a browser in an online communication

bull The usage of SSL TLS technology ensures that all data transmitted between the web server and browser remains encrypted

bull You can setup SSL for EMS web applications the same way as you do for any other website in IIS No configuration changes needed within EMS applications

Using HTTPS

EMSLIVE17

bull Obtain a certificate for your server

bull Create a HTTPS Binding on the site level

bull The default settings for a new binding are set to HTTP on port 80

Select https in the Type drop-down list Select the self-signed

certificate you created in the previous section from the SSL

Certificate drop-down list and then click OK

bull Browse to the EMS application site using HTTPS

How to setup an HTTPS site in IIS

EMSLIVE17

bull The Integrated Authentication module provides single-sign-on capability using one of the following authentication methods

bull Windows Authentication

bull LDAP Authentication

bull Portal Authentication (eg SAML)

Note You need to obtain a separate license to use this module

Integrated Authentication

EMSLIVE17

bull Integrated Windows Authentication (IWA) is a built-in Microsoft Internet Information Services (IIS)

authentication protocol that can be used to automatically authenticate and sign-in a web user It can be used

for all EMS applications that use the web user accounts

bull Integrated Windows Authentication is best used on intranets where all clients accessing EMS are within a

single domain

bull When a domain user logged onto a networked PC hits the EMS site their Active Directory credentials

(DomainUser ID) are compared against corresponding DomainUser ID information recorded in the Network

ID field of your EMS Web User records If a match exists the Web User will be automatically logged-into the

EMS site

bull In IIS enable Windows Authentication on the application level and disable Anonymous

bull Populate the NetworkID field for your web users

bull Supported EMS Applications EMS Web application Desktop client Mobile Application (Platform Services)

Windows Authentication

EMSLIVE17

bull Lightweight Directory Access Protocol (LDAP) is an application protocol for querying directory information The LDAP

Authentication method provides single-sign-on capability using your organizationrsquos LDAP environment and can be used in

both intranet and internet deployments of EMS site

bull When a user logs-into an EMS Site with their User ID and Password their credentials are authenticated against LDAP and

compared against corresponding user information recorded in the Network ID andor External Reference fields of your

EMS Web User records If a match exists the Web User will be logged-into EMS inheriting any Web Process Template

rights that their LDAP Group has been assigned to

bull Log-into Web Application with a Web User that belongs to a Web Security Template containing the Web Administrator role

(Configuration gt Web gt Web Security Templates)

bull Populate your LDAP server information in http[ServerName] EMSWebAppLDAPConfigurationaspx in this page on the

web app page and test the configuration using an account in your LDAP server

bull Populate the External referenceNetwork ID fields for your web users

bull Supported EMS Applications EMS Web application Desktop client Mobile Application (Platform services) Kiosk Campus

Planning Interface

LDAP Authentication

EMSLIVE17

bull The Portal Authentication method provides single sign-on capability using your organizationrsquos portal

bull When a user logged into some EMS applications a predefined user-specific variable (eg email address employeestudent ID network ID etc) captured by your portalsign-on page is compared against corresponding information recorded in the Network ID andor External Reference fields of your EMS Web User records If a match exists the Web User will be automatically logged-into EMS

bull The Field Used to Authenticate Web User web app Parameter (within System Administration gt Settings gt Parameters (Everyday user applications tab) is used by the Web App to determine which value should be used for authentication

bull Several built-in authentication methods to pass-in credentials are available including

bull Server Variable (Header Variable)

bull Session

bull Form

bull Cookie

bull Query String

bull Federated (SAML)

bull Direct users to the default EMS Web app page (http[ServerName]EMSWebAppDefaultaspx )

bull Supported EMS Applications EMS Web application Mobile Application (Platform services)

Portal Authentication

EMSLIVE17EMSLIVE17

Thank You

EMSLIVE17

bull Windows authentication is handled by the operating system and passes a token to SQL for authentication No

password is sent across the network

bull Windows authentication can use Kerberos security protocol if set up correctly while SQL authentication canrsquot

Kerberos security protocol provides password policy enforcement with regard to complexity validation for

strong passwords provides support for account lockout and supports password expiration

bull Windows authentication can handle more complex password policies and in SQL Authentication the DBA can

actually turn off the password policies

bull Using windows authentication allows for an easier separation of duties A security team can handle the Active

Directory users and passwords while all the SQL Server admin has to do is grant the existing ID necessary

permissions

bull Brute force attack SQL will accept ndashas per design- and try to authenticate -depending on the server-

thousands or more new connections request by second The SQL account will not be locked even for invalid

credentials ButhellipThe AD will lock the account after a number of invalid attempts when using Windows Auth

Advantages of Windows Authentication

EMSLIVE17

bull Specifying Windows authentication does not disable SQL Server

logins Use the ALTER LOGIN DISABLE Transact-SQL statement

to disable highly-privileged SQL Server logins

bull We recommend using Windows authentication wherever

possible Windows authentication uses a series of encrypted

messages to authenticate users in SQL Server

Other points to Note

EMSLIVE17EMSLIVE17

How to implement Windows Authentication

in your EMS Environment

EMSLIVE17

Pre-requisites

bull An EMS-specific Active Directory security group that contains all of your EMS desktop client users is required This group will be granted explicit permissions

to your EMS and EMS_Master databases

bull An EMS-specific Active Directory user account that is a member of the Active Directory security group outlined above is required This account will be used

to configure this database authentication option for EMS web based products

Steps to configure

1 Using Microsoft SQL Server Management Studio add a login for the EMS Active Directory security group outlined above

2 Under the User Mapping area map the login to your ldquoEMSrdquo database

3 Add the db_datareader and db_datawriter roles

4 Using Microsoft SQL Server Management Studio execute the following statement against your EMS database

sp_addrolemember EMS_Role securitygrouprsquo

Note Replace securitygroup with the name of your EMS Active Directory security group

5 Repeat steps 2 - 4 for ldquoEMS_Masterrdquo database

MS SQL Configuration for Windows Authentication

EMSLIVE17

1 Go to EMS Desktop client userrsquos PC and open the Registry Editor

2 Locate and expand HKEY_CURRENT_USER

3 Locate and expand Software

4 Locate and expand EMS Software

5 Highlight your EMSx product folder

6 Right-click and add a DWORD (32-bit) Value

7 Rename the New Value 1 entry to UseAuthentication

8 Modify the Value data field to 1

EMS Desktop Client Configuration for Windows Authentication

EMSLIVE17

1 Access Internet Information Services (IIS) Manager on your Web Server

2 Create a new Application Pool that will be used by your EMS web based application(s) installed on this web server

3 Change the Application Pool Identity to run under a Custom account

4 Specify the EMS-specific Active Directory user account outlined in the Pre-Installation Requirements section

5 Change the Application Pool in your EMS web based application to the pool defined above

6 Open the webconfig file for the EMS web based product and disable the EMSUser as shown below

ltadd name=deaConnection useEmsUser=False useDetailedLogging=true defaultCommandTimeout=20gt

7 Launch your EMS web based product to verify connectivity

EMS Web Applications Configuration for Windows Authentication

EMSLIVE17EMSLIVE17

Securing EMS Applications ndash Best Practice

EMSLIVE17

bull Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP the protocol over which data is sent between your browser and the website that you are connected to

bull HTTPS uses SSL or TLS protocol to establish encrypted links between a web server and a browser in an online communication

bull The usage of SSL TLS technology ensures that all data transmitted between the web server and browser remains encrypted

bull You can setup SSL for EMS web applications the same way as you do for any other website in IIS No configuration changes needed within EMS applications

Using HTTPS

EMSLIVE17

bull Obtain a certificate for your server

bull Create a HTTPS Binding on the site level

bull The default settings for a new binding are set to HTTP on port 80

Select https in the Type drop-down list Select the self-signed

certificate you created in the previous section from the SSL

Certificate drop-down list and then click OK

bull Browse to the EMS application site using HTTPS

How to setup an HTTPS site in IIS

EMSLIVE17

bull The Integrated Authentication module provides single-sign-on capability using one of the following authentication methods

bull Windows Authentication

bull LDAP Authentication

bull Portal Authentication (eg SAML)

Note You need to obtain a separate license to use this module

Integrated Authentication

EMSLIVE17

bull Integrated Windows Authentication (IWA) is a built-in Microsoft Internet Information Services (IIS)

authentication protocol that can be used to automatically authenticate and sign-in a web user It can be used

for all EMS applications that use the web user accounts

bull Integrated Windows Authentication is best used on intranets where all clients accessing EMS are within a

single domain

bull When a domain user logged onto a networked PC hits the EMS site their Active Directory credentials

(DomainUser ID) are compared against corresponding DomainUser ID information recorded in the Network

ID field of your EMS Web User records If a match exists the Web User will be automatically logged-into the

EMS site

bull In IIS enable Windows Authentication on the application level and disable Anonymous

bull Populate the NetworkID field for your web users

bull Supported EMS Applications EMS Web application Desktop client Mobile Application (Platform Services)

Windows Authentication

EMSLIVE17

bull Lightweight Directory Access Protocol (LDAP) is an application protocol for querying directory information The LDAP

Authentication method provides single-sign-on capability using your organizationrsquos LDAP environment and can be used in

both intranet and internet deployments of EMS site

bull When a user logs-into an EMS Site with their User ID and Password their credentials are authenticated against LDAP and

compared against corresponding user information recorded in the Network ID andor External Reference fields of your

EMS Web User records If a match exists the Web User will be logged-into EMS inheriting any Web Process Template

rights that their LDAP Group has been assigned to

bull Log-into Web Application with a Web User that belongs to a Web Security Template containing the Web Administrator role

(Configuration gt Web gt Web Security Templates)

bull Populate your LDAP server information in http[ServerName] EMSWebAppLDAPConfigurationaspx in this page on the

web app page and test the configuration using an account in your LDAP server

bull Populate the External referenceNetwork ID fields for your web users

bull Supported EMS Applications EMS Web application Desktop client Mobile Application (Platform services) Kiosk Campus

Planning Interface

LDAP Authentication

EMSLIVE17

bull The Portal Authentication method provides single sign-on capability using your organizationrsquos portal

bull When a user logged into some EMS applications a predefined user-specific variable (eg email address employeestudent ID network ID etc) captured by your portalsign-on page is compared against corresponding information recorded in the Network ID andor External Reference fields of your EMS Web User records If a match exists the Web User will be automatically logged-into EMS

bull The Field Used to Authenticate Web User web app Parameter (within System Administration gt Settings gt Parameters (Everyday user applications tab) is used by the Web App to determine which value should be used for authentication

bull Several built-in authentication methods to pass-in credentials are available including

bull Server Variable (Header Variable)

bull Session

bull Form

bull Cookie

bull Query String

bull Federated (SAML)

bull Direct users to the default EMS Web app page (http[ServerName]EMSWebAppDefaultaspx )

bull Supported EMS Applications EMS Web application Mobile Application (Platform services)

Portal Authentication

EMSLIVE17EMSLIVE17

Thank You

EMSLIVE17

bull Specifying Windows authentication does not disable SQL Server

logins Use the ALTER LOGIN DISABLE Transact-SQL statement

to disable highly-privileged SQL Server logins

bull We recommend using Windows authentication wherever

possible Windows authentication uses a series of encrypted

messages to authenticate users in SQL Server

Other points to Note

EMSLIVE17EMSLIVE17

How to implement Windows Authentication

in your EMS Environment

EMSLIVE17

Pre-requisites

bull An EMS-specific Active Directory security group that contains all of your EMS desktop client users is required This group will be granted explicit permissions

to your EMS and EMS_Master databases

bull An EMS-specific Active Directory user account that is a member of the Active Directory security group outlined above is required This account will be used

to configure this database authentication option for EMS web based products

Steps to configure

1 Using Microsoft SQL Server Management Studio add a login for the EMS Active Directory security group outlined above

2 Under the User Mapping area map the login to your ldquoEMSrdquo database

3 Add the db_datareader and db_datawriter roles

4 Using Microsoft SQL Server Management Studio execute the following statement against your EMS database

sp_addrolemember EMS_Role securitygrouprsquo

Note Replace securitygroup with the name of your EMS Active Directory security group

5 Repeat steps 2 - 4 for ldquoEMS_Masterrdquo database

MS SQL Configuration for Windows Authentication

EMSLIVE17

1 Go to EMS Desktop client userrsquos PC and open the Registry Editor

2 Locate and expand HKEY_CURRENT_USER

3 Locate and expand Software

4 Locate and expand EMS Software

5 Highlight your EMSx product folder

6 Right-click and add a DWORD (32-bit) Value

7 Rename the New Value 1 entry to UseAuthentication

8 Modify the Value data field to 1

EMS Desktop Client Configuration for Windows Authentication

EMSLIVE17

1 Access Internet Information Services (IIS) Manager on your Web Server

2 Create a new Application Pool that will be used by your EMS web based application(s) installed on this web server

3 Change the Application Pool Identity to run under a Custom account

4 Specify the EMS-specific Active Directory user account outlined in the Pre-Installation Requirements section

5 Change the Application Pool in your EMS web based application to the pool defined above

6 Open the webconfig file for the EMS web based product and disable the EMSUser as shown below

ltadd name=deaConnection useEmsUser=False useDetailedLogging=true defaultCommandTimeout=20gt

7 Launch your EMS web based product to verify connectivity

EMS Web Applications Configuration for Windows Authentication

EMSLIVE17EMSLIVE17

Securing EMS Applications ndash Best Practice

EMSLIVE17

bull Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP the protocol over which data is sent between your browser and the website that you are connected to

bull HTTPS uses SSL or TLS protocol to establish encrypted links between a web server and a browser in an online communication

bull The usage of SSL TLS technology ensures that all data transmitted between the web server and browser remains encrypted

bull You can setup SSL for EMS web applications the same way as you do for any other website in IIS No configuration changes needed within EMS applications

Using HTTPS

EMSLIVE17

bull Obtain a certificate for your server

bull Create a HTTPS Binding on the site level

bull The default settings for a new binding are set to HTTP on port 80

Select https in the Type drop-down list Select the self-signed

certificate you created in the previous section from the SSL

Certificate drop-down list and then click OK

bull Browse to the EMS application site using HTTPS

How to setup an HTTPS site in IIS

EMSLIVE17

bull The Integrated Authentication module provides single-sign-on capability using one of the following authentication methods

bull Windows Authentication

bull LDAP Authentication

bull Portal Authentication (eg SAML)

Note You need to obtain a separate license to use this module

Integrated Authentication

EMSLIVE17

bull Integrated Windows Authentication (IWA) is a built-in Microsoft Internet Information Services (IIS)

authentication protocol that can be used to automatically authenticate and sign-in a web user It can be used

for all EMS applications that use the web user accounts

bull Integrated Windows Authentication is best used on intranets where all clients accessing EMS are within a

single domain

bull When a domain user logged onto a networked PC hits the EMS site their Active Directory credentials

(DomainUser ID) are compared against corresponding DomainUser ID information recorded in the Network

ID field of your EMS Web User records If a match exists the Web User will be automatically logged-into the

EMS site

bull In IIS enable Windows Authentication on the application level and disable Anonymous

bull Populate the NetworkID field for your web users

bull Supported EMS Applications EMS Web application Desktop client Mobile Application (Platform Services)

Windows Authentication

EMSLIVE17

bull Lightweight Directory Access Protocol (LDAP) is an application protocol for querying directory information The LDAP

Authentication method provides single-sign-on capability using your organizationrsquos LDAP environment and can be used in

both intranet and internet deployments of EMS site

bull When a user logs-into an EMS Site with their User ID and Password their credentials are authenticated against LDAP and

compared against corresponding user information recorded in the Network ID andor External Reference fields of your

EMS Web User records If a match exists the Web User will be logged-into EMS inheriting any Web Process Template

rights that their LDAP Group has been assigned to

bull Log-into Web Application with a Web User that belongs to a Web Security Template containing the Web Administrator role

(Configuration gt Web gt Web Security Templates)

bull Populate your LDAP server information in http[ServerName] EMSWebAppLDAPConfigurationaspx in this page on the

web app page and test the configuration using an account in your LDAP server

bull Populate the External referenceNetwork ID fields for your web users

bull Supported EMS Applications EMS Web application Desktop client Mobile Application (Platform services) Kiosk Campus

Planning Interface

LDAP Authentication

EMSLIVE17

• The Portal Authentication method provides single sign-on capability using your organization's portal.

• When a user logs into some EMS applications, a predefined user-specific variable (e.g. email address, employee/student ID, network ID, etc.) captured by your portal/sign-on page is compared against the corresponding information recorded in the Network ID and/or External Reference fields of your EMS Web User records. If a match exists, the Web User is automatically logged into EMS.

• The "Field Used to Authenticate Web User" web app parameter (within System Administration > Settings > Parameters, Everyday User Applications tab) is used by the Web App to determine which value should be used for authentication.

• Several built-in authentication methods to pass in credentials are available, including:
  • Server Variable (Header Variable)
  • Session
  • Form
  • Cookie
  • Query String
  • Federated (SAML)

• Direct users to the default EMS Web App page (http://[ServerName]/EMSWebApp/Default.aspx).

• Supported EMS Applications: EMS Web application, Mobile Application (Platform services).

Portal Authentication


Thank You


How to implement Windows Authentication in your EMS Environment


Pre-requisites

• An EMS-specific Active Directory security group that contains all of your EMS desktop client users is required. This group will be granted explicit permissions to your EMS and EMS_Master databases.

• An EMS-specific Active Directory user account that is a member of the Active Directory security group outlined above is required. This account will be used to configure this database authentication option for EMS web-based products.

Steps to configure

1. Using Microsoft SQL Server Management Studio, add a login for the EMS Active Directory security group outlined above.

2. Under the User Mapping area, map the login to your "EMS" database.

3. Add the db_datareader and db_datawriter roles.

4. Using Microsoft SQL Server Management Studio, execute the following statement against your EMS database:

   sp_addrolemember 'EMS_Role', 'securitygroup'

   Note: Replace securitygroup with the name of your EMS Active Directory security group.

5. Repeat steps 2 - 4 for the "EMS_Master" database.

MS SQL Configuration for Windows Authentication
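The five steps above scripted against both databases with the SqlServer module's Invoke-Sqlcmd, as an added example that is not part of the EMS Live deck; the instance name SQLHOST\EMS and the group CORP\EMS-DesktopUsers are placeholders for your own names, and EMS_Role is the role named in step 4.

```powershell
#Requires -Modules SqlServer
# Added example (not from the deck): performs steps 1-5 above for both databases.
# Run from a session that is a SQL Server sysadmin. All names below are placeholders.
param(
    [string]   $ServerInstance = 'SQLHOST\EMS',            # placeholder SQL Server instance
    [string]   $SecurityGroup  = 'CORP\EMS-DesktopUsers',  # placeholder AD group (DOMAIN\Group)
    [string[]] $Databases      = @('EMS', 'EMS_Master')
)

# Step 1: a server-level Windows login for the group. Guarded so re-running is harmless.
# The group name is interpolated into T-SQL, so it must come from the administrator
# running this script, never from user input.
$loginSql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$SecurityGroup')
    CREATE LOGIN [$SecurityGroup] FROM WINDOWS;
"@
Invoke-Sqlcmd -ServerInstance $ServerInstance -Database 'master' -Query $loginSql

foreach ($db in $Databases) {
    # Steps 2-4 per database (step 5 is simply the second loop iteration): map the login,
    # then grant db_datareader, db_datawriter and EMS_Role. Nothing broader (db_owner,
    # sysadmin) is granted; desktop users need read/write plus the application role only.
    # sp_addrolemember matches the deck; ALTER ROLE ... ADD MEMBER is the newer equivalent.
    $grantSql = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$SecurityGroup')
    CREATE USER [$SecurityGroup] FOR LOGIN [$SecurityGroup];
EXEC sp_addrolemember N'db_datareader', N'$SecurityGroup';
EXEC sp_addrolemember N'db_datawriter', N'$SecurityGroup';
EXEC sp_addrolemember N'EMS_Role',      N'$SecurityGroup';
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $db -Query $grantSql

    # Check: list the roles the group now holds in this database; expect exactly the
    # three granted above and nothing else.
    $checkSql = @"
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$SecurityGroup'
ORDER BY r.name;
"@
    $roles = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $db -Query $checkSql
    '{0}: {1} is a member of {2}' -f $db, $SecurityGroup, (($roles.role_name) -join ', ')
}
```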


1. Go to the EMS Desktop client user's PC and open the Registry Editor.

2. Locate and expand HKEY_CURRENT_USER.

3. Locate and expand Software.

4. Locate and expand EMS Software.

5. Highlight your EMSx product folder.

6. Right-click and add a DWORD (32-bit) Value.

7. Rename the New Value #1 entry to UseAuthentication.

8. Modify the Value data field to 1.

EMS Desktop Client Configuration for Windows Authentication


1. Access Internet Information Services (IIS) Manager on your Web Server.

2. Create a new Application Pool that will be used by your EMS web-based application(s) installed on this web server.

3. Change the Application Pool Identity to run under a Custom account.

4. Specify the EMS-specific Active Directory user account outlined in the Pre-Installation Requirements section.

5. Change the Application Pool in your EMS web-based application to the pool defined above.

6. Open the web.config file for the EMS web-based product and disable the EMSUser as shown below:

   <add name="deaConnection" useEmsUser="False" useDetailedLogging="true" defaultCommandTimeout="20">

7. Launch your EMS web-based product to verify connectivity.

EMS Web Applications Configuration for Windows Authentication
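The desktop-client registry change (the previous slide) and the IIS application pool and web.config changes (this slide), scripted as two PowerShell functions, one per machine; this is an added example, not EMS Software's own tooling, and the product folder, site, application, pool, account and web.config path it takes are placeholders.

```powershell
# Added example (not from the deck). Set-EmsDesktopClientWindowsAuth runs on a desktop-client
# PC as the EMS user; Set-EmsWebAppWindowsAuth runs on the web server as an administrator.
# Every name passed to them is a placeholder for your own environment.
Set-StrictMode -Version Latest

function Set-EmsDesktopClientWindowsAuth {
    # Steps 1-8 of the desktop-client slide: HKCU\Software\EMS Software\<product>\UseAuthentication = 1
    param([Parameter(Mandatory)][string]$ProductFolder)   # the folder you would highlight in step 5
    $key = "HKCU:\Software\EMS Software\$ProductFolder"
    if (-not (Test-Path -Path $key)) {
        throw "Registry key $key not found; is the EMS desktop client installed for this user?"
    }
    # -Force overwrites an existing value, so re-running is safe.
    New-ItemProperty -Path $key -Name 'UseAuthentication' -PropertyType DWord -Value 1 -Force | Out-Null
    # Return the stored value so the caller can verify it is 1.
    return (Get-ItemProperty -Path $key -Name 'UseAuthentication').UseAuthentication
}

function Set-EmsWebAppWindowsAuth {
    # Steps 1-6 of the web-application slide: dedicated pool, custom identity, pool assignment, web.config.
    param(
        [Parameter(Mandatory)][string]$SiteName,              # e.g. 'Default Web Site'
        [Parameter(Mandatory)][string]$AppName,               # e.g. 'EMSWebApp'
        [Parameter(Mandatory)][string]$PoolName,              # e.g. 'EMSWindowsAuthPool'
        [Parameter(Mandatory)][pscredential]$ServiceAccount,  # the EMS-specific AD user from the pre-requisites
        [Parameter(Mandatory)][string]$WebConfigPath          # web.config of the EMS web product
    )
    Import-Module WebAdministration

    # Step 2: one pool for the EMS apps only, so the AD account's token is not shared with other sites.
    if (-not (Test-Path -Path "IIS:\AppPools\$PoolName")) { New-WebAppPool -Name $PoolName | Out-Null }

    # Steps 3-4: identityType 3 = SpecificUser. The password is read from the PSCredential
    # here and is not written anywhere by this script.
    Set-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel -Value @{
        identityType = 3
        userName     = $ServiceAccount.UserName
        password     = $ServiceAccount.GetNetworkCredential().Password
    }

    # Step 5: move the application onto the new pool.
    Set-ItemProperty -Path "IIS:\Sites\$SiteName\$AppName" -Name applicationPool -Value $PoolName

    # Step 6: set useEmsUser="False" on the deaConnection element, keeping a backup first.
    Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak" -Force
    [xml]$cfg = Get-Content -Path $WebConfigPath -Raw
    $conn = $cfg.SelectSingleNode("//add[@name='deaConnection']")
    if ($null -eq $conn) { throw "No <add name='deaConnection'> element in $WebConfigPath" }
    $conn.SetAttribute('useEmsUser', 'False')
    $cfg.Save($WebConfigPath)

    # Check (step 7 before launching the product): expect identityType SpecificUser with the
    # service account, the pool you passed in, and useEmsUser False.
    $pm = Get-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel
    [pscustomobject]@{
        PoolIdentity = "$($pm.identityType) ($($pm.userName))"
        AppPool      = (Get-ItemProperty -Path "IIS:\Sites\$SiteName\$AppName" -Name applicationPool)
        UseEmsUser   = $conn.GetAttribute('useEmsUser')
    }
}
```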


Securing EMS Applications – Best Practice


• Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to.

• HTTPS uses the SSL or TLS protocol to establish encrypted links between a web server and a browser in an online communication.

• The usage of SSL/TLS technology ensures that all data transmitted between the web server and browser remains encrypted.

• You can set up SSL for EMS web applications the same way as you do for any other website in IIS. No configuration changes are needed within EMS applications.

Using HTTPS


• Obtain a certificate for your server.

• Create an HTTPS binding at the site level.
  • The default settings for a new binding are set to HTTP on port 80. Select https in the Type drop-down list. Select the self-signed certificate you created in the previous section from the SSL Certificate drop-down list, and then click OK.

• Browse to the EMS application site using HTTPS.

How to set up an HTTPS site in IIS
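The same binding created with the WebAdministration module, plus a Require-SSL setting on the EMS application that goes one step beyond the slide; this is an added example, not from the deck, and the site, application and certificate thumbprint it takes are placeholders.

```powershell
# Added example (not from the deck): the HTTPS binding from the slide, created with the
# WebAdministration module, plus Require SSL on the EMS application. Site, application
# and thumbprint are placeholders for your own values. Run on the web server as admin.
Import-Module WebAdministration

function Set-EmsHttpsBinding {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,   # certificate already in Cert:\LocalMachine\My
        [string]$SiteName = 'Default Web Site',
        [string]$AppName  = 'EMSWebApp'
    )
    # Step 1 (obtain a certificate) is assumed done; find it in the machine store.
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if ($null -eq $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }
    # The slide's self-signed certificate is fine for a lab, but browsers warn on it; use a
    # certificate from a CA your clients trust before users are pointed at the site.
    if ($cert.Subject -eq $cert.Issuer) { Write-Warning 'Certificate is self-signed' }

    # Step 2: add an https:443 binding beside the default http:80 one, then attach the
    # certificate to it (IIS keys the SSL binding by IP!port; 0.0.0.0 = all addresses).
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443 | Out-Null
    }
    $sslPath = 'IIS:\SslBindings\0.0.0.0!443'
    if (-not (Test-Path -Path $sslPath)) { New-Item -Path $sslPath -Value $cert | Out-Null }

    # Beyond the slide: require HTTPS on the EMS application so log-ins never travel over port 80.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$SiteName/$AppName" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

    # Step 3 (browse over HTTPS) in script form: report the binding, the bound certificate
    # and the Require-SSL flag; expect '*:443:', the thumbprint you passed in, and Ssl.
    [pscustomobject]@{
        Binding   = (Get-WebBinding -Name $SiteName -Protocol https -Port 443).bindingInformation
        BoundCert = (Get-Item -Path $sslPath).Thumbprint
        SslFlags  = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location "$SiteName/$AppName" `
                        -Filter 'system.webServer/security/access' -Name sslFlags).Value
    }
}
```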


• The Integrated Authentication module provides single-sign-on capability using one of the following authentication methods:
  • Windows Authentication
  • LDAP Authentication
  • Portal Authentication (e.g. SAML)

Note: You need to obtain a separate license to use this module.

Integrated Authentication


• Integrated Windows Authentication (IWA) is a built-in Microsoft Internet Information Services (IIS) authentication protocol that can be used to automatically authenticate and sign in a web user. It can be used for all EMS applications that use the web user accounts.

• Integrated Windows Authentication is best used on intranets where all clients accessing EMS are within a single domain.

• When a domain user logged onto a networked PC hits the EMS site, their Active Directory credentials (Domain\User ID) are compared against the corresponding Domain\User ID information recorded in the Network ID field of your EMS Web User records. If a match exists, the Web User is automatically logged into the EMS site.

• In IIS, enable Windows Authentication at the application level and disable Anonymous Authentication.

• Populate the Network ID field for your web users.

• Supported EMS Applications: EMS Web application, Desktop client, Mobile Application (Platform Services).

Windows Authentication
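The IIS step above (enable Windows Authentication, disable Anonymous) scripted and then verified with an anonymous and an authenticated request; this is an added example that is not part of the deck, and the site, application and URL it uses are placeholders.

```powershell
# Added example (not from the deck): enables Windows Authentication and disables Anonymous
# Authentication for one EMS application, then checks the result the way a client sees it.
# Site, application and URL are placeholders. Run on the web server as an administrator.
Import-Module WebAdministration

function Enable-EmsWindowsAuthentication {
    param(
        [string]$SiteName = 'Default Web Site',
        [string]$AppName  = 'EMSWebApp'
    )
    $auth = 'system.webServer/security/authentication'
    # Written with -Location into applicationHost.config, which is where IIS Manager puts it
    # too; these sections are locked against the app's web.config by default.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$SiteName/$AppName" `
        -Filter "$auth/windowsAuthentication" -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$SiteName/$AppName" `
        -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false

    # Read both settings back from the same location; expect True and False.
    $win  = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location "$SiteName/$AppName" `
                -Filter "$auth/windowsAuthentication" -Name enabled).Value
    $anon = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location "$SiteName/$AppName" `
                -Filter "$auth/anonymousAuthentication" -Name enabled).Value
    [pscustomobject]@{ WindowsAuthEnabled = $win; AnonymousEnabled = $anon }
}

function Test-EmsWindowsAuthentication {
    # Behavioural check from a domain-joined client: a request with no credentials must be
    # refused (401) and one carrying the logged-on user's token must succeed (200); the
    # Network ID match described on the slide then happens inside EMS. Assumes the site's
    # certificate is trusted by the client, otherwise the HTTPS request fails before auth.
    param([string]$Url = 'https://ems.example.org/EMSWebApp/Default.aspx')   # placeholder
    try {
        $anonStatus = (Invoke-WebRequest -Uri $Url -UseBasicParsing).StatusCode
    } catch {
        $anonStatus = [int]$_.Exception.Response.StatusCode
    }
    $userStatus = (Invoke-WebRequest -Uri $Url -UseBasicParsing -UseDefaultCredentials).StatusCode
    [pscustomobject]@{ Anonymous = $anonStatus; DomainUser = $userStatus }   # expect 401 and 200
}
```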

EMSLIVE17

bull Lightweight Directory Access Protocol (LDAP) is an application protocol for querying directory information The LDAP

Authentication method provides single-sign-on capability using your organizationrsquos LDAP environment and can be used in

both intranet and internet deployments of EMS site

bull When a user logs-into an EMS Site with their User ID and Password their credentials are authenticated against LDAP and

compared against corresponding user information recorded in the Network ID andor External Reference fields of your

EMS Web User records If a match exists the Web User will be logged-into EMS inheriting any Web Process Template

rights that their LDAP Group has been assigned to

bull Log-into Web Application with a Web User that belongs to a Web Security Template containing the Web Administrator role

(Configuration gt Web gt Web Security Templates)

bull Populate your LDAP server information in http[ServerName] EMSWebAppLDAPConfigurationaspx in this page on the

web app page and test the configuration using an account in your LDAP server

bull Populate the External referenceNetwork ID fields for your web users

bull Supported EMS Applications EMS Web application Desktop client Mobile Application (Platform services) Kiosk Campus

Planning Interface

LDAP Authentication

EMSLIVE17

bull The Portal Authentication method provides single sign-on capability using your organizationrsquos portal

bull When a user logged into some EMS applications a predefined user-specific variable (eg email address employeestudent ID network ID etc) captured by your portalsign-on page is compared against corresponding information recorded in the Network ID andor External Reference fields of your EMS Web User records If a match exists the Web User will be automatically logged-into EMS

bull The Field Used to Authenticate Web User web app Parameter (within System Administration gt Settings gt Parameters (Everyday user applications tab) is used by the Web App to determine which value should be used for authentication

bull Several built-in authentication methods to pass-in credentials are available including

bull Server Variable (Header Variable)

bull Session

bull Form

bull Cookie

bull Query String

bull Federated (SAML)

bull Direct users to the default EMS Web app page (http[ServerName]EMSWebAppDefaultaspx )

bull Supported EMS Applications EMS Web application Mobile Application (Platform services)

Portal Authentication

EMSLIVE17EMSLIVE17

Thank You

EMSLIVE17

Pre-requisites

bull An EMS-specific Active Directory security group that contains all of your EMS desktop client users is required This group will be granted explicit permissions

to your EMS and EMS_Master databases

bull An EMS-specific Active Directory user account that is a member of the Active Directory security group outlined above is required This account will be used

to configure this database authentication option for EMS web based products

Steps to configure

1 Using Microsoft SQL Server Management Studio add a login for the EMS Active Directory security group outlined above

2 Under the User Mapping area map the login to your ldquoEMSrdquo database

3 Add the db_datareader and db_datawriter roles

4 Using Microsoft SQL Server Management Studio execute the following statement against your EMS database

sp_addrolemember EMS_Role securitygrouprsquo

Note Replace securitygroup with the name of your EMS Active Directory security group

5 Repeat steps 2 - 4 for ldquoEMS_Masterrdquo database

MS SQL Configuration for Windows Authentication

EMSLIVE17

1 Go to EMS Desktop client userrsquos PC and open the Registry Editor

2 Locate and expand HKEY_CURRENT_USER

3 Locate and expand Software

4 Locate and expand EMS Software

5 Highlight your EMSx product folder

6 Right-click and add a DWORD (32-bit) Value

7 Rename the New Value 1 entry to UseAuthentication

8 Modify the Value data field to 1

EMS Desktop Client Configuration for Windows Authentication

EMSLIVE17

1 Access Internet Information Services (IIS) Manager on your Web Server

2 Create a new Application Pool that will be used by your EMS web based application(s) installed on this web server

3 Change the Application Pool Identity to run under a Custom account

4 Specify the EMS-specific Active Directory user account outlined in the Pre-Installation Requirements section

5 Change the Application Pool in your EMS web based application to the pool defined above

6 Open the webconfig file for the EMS web based product and disable the EMSUser as shown below

ltadd name=deaConnection useEmsUser=False useDetailedLogging=true defaultCommandTimeout=20gt

7 Launch your EMS web based product to verify connectivity

EMS Web Applications Configuration for Windows Authentication

EMSLIVE17EMSLIVE17

Securing EMS Applications ndash Best Practice

EMSLIVE17

bull Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP the protocol over which data is sent between your browser and the website that you are connected to

bull HTTPS uses SSL or TLS protocol to establish encrypted links between a web server and a browser in an online communication

bull The usage of SSL TLS technology ensures that all data transmitted between the web server and browser remains encrypted

bull You can setup SSL for EMS web applications the same way as you do for any other website in IIS No configuration changes needed within EMS applications

Using HTTPS

EMSLIVE17

bull Obtain a certificate for your server

bull Create a HTTPS Binding on the site level

bull The default settings for a new binding are set to HTTP on port 80

Select https in the Type drop-down list Select the self-signed

certificate you created in the previous section from the SSL

Certificate drop-down list and then click OK

bull Browse to the EMS application site using HTTPS

How to setup an HTTPS site in IIS

EMSLIVE17

bull The Integrated Authentication module provides single-sign-on capability using one of the following authentication methods

bull Windows Authentication

bull LDAP Authentication

bull Portal Authentication (eg SAML)

Note You need to obtain a separate license to use this module

Integrated Authentication

EMSLIVE17

bull Integrated Windows Authentication (IWA) is a built-in Microsoft Internet Information Services (IIS)

authentication protocol that can be used to automatically authenticate and sign-in a web user It can be used

for all EMS applications that use the web user accounts

bull Integrated Windows Authentication is best used on intranets where all clients accessing EMS are within a

single domain

bull When a domain user logged onto a networked PC hits the EMS site their Active Directory credentials

(DomainUser ID) are compared against corresponding DomainUser ID information recorded in the Network

ID field of your EMS Web User records If a match exists the Web User will be automatically logged-into the

EMS site

bull In IIS enable Windows Authentication on the application level and disable Anonymous

bull Populate the NetworkID field for your web users

bull Supported EMS Applications EMS Web application Desktop client Mobile Application (Platform Services)

Windows Authentication

EMSLIVE17

bull Lightweight Directory Access Protocol (LDAP) is an application protocol for querying directory information The LDAP

Authentication method provides single-sign-on capability using your organizationrsquos LDAP environment and can be used in

both intranet and internet deployments of EMS site

bull When a user logs-into an EMS Site with their User ID and Password their credentials are authenticated against LDAP and

compared against corresponding user information recorded in the Network ID andor External Reference fields of your

EMS Web User records If a match exists the Web User will be logged-into EMS inheriting any Web Process Template

rights that their LDAP Group has been assigned to

bull Log-into Web Application with a Web User that belongs to a Web Security Template containing the Web Administrator role

(Configuration gt Web gt Web Security Templates)

bull Populate your LDAP server information in http[ServerName] EMSWebAppLDAPConfigurationaspx in this page on the

web app page and test the configuration using an account in your LDAP server

bull Populate the External referenceNetwork ID fields for your web users

bull Supported EMS Applications EMS Web application Desktop client Mobile Application (Platform services) Kiosk Campus

Planning Interface

LDAP Authentication

EMSLIVE17

bull The Portal Authentication method provides single sign-on capability using your organizationrsquos portal

bull When a user logged into some EMS applications a predefined user-specific variable (eg email address employeestudent ID network ID etc) captured by your portalsign-on page is compared against corresponding information recorded in the Network ID andor External Reference fields of your EMS Web User records If a match exists the Web User will be automatically logged-into EMS

bull The Field Used to Authenticate Web User web app Parameter (within System Administration gt Settings gt Parameters (Everyday user applications tab) is used by the Web App to determine which value should be used for authentication

bull Several built-in authentication methods to pass-in credentials are available including

bull Server Variable (Header Variable)

bull Session

bull Form

bull Cookie

bull Query String

bull Federated (SAML)

bull Direct users to the default EMS Web app page (http[ServerName]EMSWebAppDefaultaspx )

bull Supported EMS Applications EMS Web application Mobile Application (Platform services)

Portal Authentication

EMSLIVE17EMSLIVE17

Thank You

EMSLIVE17

1 Go to EMS Desktop client userrsquos PC and open the Registry Editor

2 Locate and expand HKEY_CURRENT_USER

3 Locate and expand Software

4 Locate and expand EMS Software

5 Highlight your EMSx product folder

6 Right-click and add a DWORD (32-bit) Value

7 Rename the New Value 1 entry to UseAuthentication

8 Modify the Value data field to 1

EMS Desktop Client Configuration for Windows Authentication

EMSLIVE17

1 Access Internet Information Services (IIS) Manager on your Web Server

2 Create a new Application Pool that will be used by your EMS web based application(s) installed on this web server

3 Change the Application Pool Identity to run under a Custom account

4 Specify the EMS-specific Active Directory user account outlined in the Pre-Installation Requirements section

5 Change the Application Pool in your EMS web based application to the pool defined above

6 Open the webconfig file for the EMS web based product and disable the EMSUser as shown below

ltadd name=deaConnection useEmsUser=False useDetailedLogging=true defaultCommandTimeout=20gt

7 Launch your EMS web based product to verify connectivity

EMS Web Applications Configuration for Windows Authentication

EMSLIVE17EMSLIVE17

Securing EMS Applications ndash Best Practice

EMSLIVE17

bull Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP the protocol over which data is sent between your browser and the website that you are connected to

bull HTTPS uses SSL or TLS protocol to establish encrypted links between a web server and a browser in an online communication

bull The usage of SSL TLS technology ensures that all data transmitted between the web server and browser remains encrypted

bull You can setup SSL for EMS web applications the same way as you do for any other website in IIS No configuration changes needed within EMS applications

Using HTTPS

EMSLIVE17

bull Obtain a certificate for your server

bull Create a HTTPS Binding on the site level

bull The default settings for a new binding are set to HTTP on port 80

Select https in the Type drop-down list Select the self-signed

certificate you created in the previous section from the SSL

Certificate drop-down list and then click OK

bull Browse to the EMS application site using HTTPS

How to setup an HTTPS site in IIS

EMSLIVE17

bull The Integrated Authentication module provides single-sign-on capability using one of the following authentication methods

bull Windows Authentication

bull LDAP Authentication

bull Portal Authentication (eg SAML)

Note You need to obtain a separate license to use this module

Integrated Authentication

EMSLIVE17

bull Integrated Windows Authentication (IWA) is a built-in Microsoft Internet Information Services (IIS)

authentication protocol that can be used to automatically authenticate and sign-in a web user It can be used

for all EMS applications that use the web user accounts

bull Integrated Windows Authentication is best used on intranets where all clients accessing EMS are within a

single domain

bull When a domain user logged onto a networked PC hits the EMS site their Active Directory credentials

(DomainUser ID) are compared against corresponding DomainUser ID information recorded in the Network

ID field of your EMS Web User records If a match exists the Web User will be automatically logged-into the

EMS site

bull In IIS enable Windows Authentication on the application level and disable Anonymous

bull Populate the NetworkID field for your web users

bull Supported EMS Applications EMS Web application Desktop client Mobile Application (Platform Services)

Windows Authentication

EMSLIVE17

bull Lightweight Directory Access Protocol (LDAP) is an application protocol for querying directory information The LDAP

Authentication method provides single-sign-on capability using your organizationrsquos LDAP environment and can be used in

both intranet and internet deployments of EMS site

bull When a user logs-into an EMS Site with their User ID and Password their credentials are authenticated against LDAP and

compared against corresponding user information recorded in the Network ID andor External Reference fields of your

EMS Web User records If a match exists the Web User will be logged-into EMS inheriting any Web Process Template

rights that their LDAP Group has been assigned to

bull Log-into Web Application with a Web User that belongs to a Web Security Template containing the Web Administrator role

(Configuration gt Web gt Web Security Templates)

bull Populate your LDAP server information in http[ServerName] EMSWebAppLDAPConfigurationaspx in this page on the

web app page and test the configuration using an account in your LDAP server

bull Populate the External referenceNetwork ID fields for your web users

bull Supported EMS Applications EMS Web application Desktop client Mobile Application (Platform services) Kiosk Campus

Planning Interface

LDAP Authentication

EMSLIVE17

bull The Portal Authentication method provides single sign-on capability using your organizationrsquos portal

bull When a user logged into some EMS applications a predefined user-specific variable (eg email address employeestudent ID network ID etc) captured by your portalsign-on page is compared against corresponding information recorded in the Network ID andor External Reference fields of your EMS Web User records If a match exists the Web User will be automatically logged-into EMS

bull The Field Used to Authenticate Web User web app Parameter (within System Administration gt Settings gt Parameters (Everyday user applications tab) is used by the Web App to determine which value should be used for authentication

bull Several built-in authentication methods to pass-in credentials are available including

bull Server Variable (Header Variable)

bull Session

bull Form

bull Cookie

bull Query String

bull Federated (SAML)

bull Direct users to the default EMS Web app page (http[ServerName]EMSWebAppDefaultaspx )

bull Supported EMS Applications EMS Web application Mobile Application (Platform services)

Portal Authentication

EMSLIVE17EMSLIVE17

Thank You

EMSLIVE17

1 Access Internet Information Services (IIS) Manager on your Web Server

2 Create a new Application Pool that will be used by your EMS web based application(s) installed on this web server

3 Change the Application Pool Identity to run under a Custom account

4 Specify the EMS-specific Active Directory user account outlined in the Pre-Installation Requirements section

5 Change the Application Pool in your EMS web based application to the pool defined above

6 Open the webconfig file for the EMS web based product and disable the EMSUser as shown below

ltadd name=deaConnection useEmsUser=False useDetailedLogging=true defaultCommandTimeout=20gt

7 Launch your EMS web based product to verify connectivity

EMS Web Applications Configuration for Windows Authentication

EMSLIVE17EMSLIVE17

Securing EMS Applications ndash Best Practice

EMSLIVE17

bull Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP the protocol over which data is sent between your browser and the website that you are connected to

bull HTTPS uses SSL or TLS protocol to establish encrypted links between a web server and a browser in an online communication

bull The usage of SSL TLS technology ensures that all data transmitted between the web server and browser remains encrypted

bull You can setup SSL for EMS web applications the same way as you do for any other website in IIS No configuration changes needed within EMS applications

Using HTTPS

EMSLIVE17

bull Obtain a certificate for your server

bull Create a HTTPS Binding on the site level

bull The default settings for a new binding are set to HTTP on port 80

Select https in the Type drop-down list Select the self-signed

certificate you created in the previous section from the SSL

Certificate drop-down list and then click OK

bull Browse to the EMS application site using HTTPS

How to setup an HTTPS site in IIS

EMSLIVE17

bull The Integrated Authentication module provides single-sign-on capability using one of the following authentication methods

bull Windows Authentication

bull LDAP Authentication

bull Portal Authentication (eg SAML)

Note You need to obtain a separate license to use this module

Integrated Authentication

EMSLIVE17

bull Integrated Windows Authentication (IWA) is a built-in Microsoft Internet Information Services (IIS)

authentication protocol that can be used to automatically authenticate and sign-in a web user It can be used

for all EMS applications that use the web user accounts

bull Integrated Windows Authentication is best used on intranets where all clients accessing EMS are within a

single domain

bull When a domain user logged onto a networked PC hits the EMS site their Active Directory credentials

(DomainUser ID) are compared against corresponding DomainUser ID information recorded in the Network

ID field of your EMS Web User records If a match exists the Web User will be automatically logged-into the

EMS site

bull In IIS enable Windows Authentication on the application level and disable Anonymous

bull Populate the NetworkID field for your web users

bull Supported EMS Applications EMS Web application Desktop client Mobile Application (Platform Services)

Windows Authentication

EMSLIVE17

bull Lightweight Directory Access Protocol (LDAP) is an application protocol for querying directory information The LDAP

Authentication method provides single-sign-on capability using your organizationrsquos LDAP environment and can be used in

both intranet and internet deployments of EMS site

bull When a user logs-into an EMS Site with their User ID and Password their credentials are authenticated against LDAP and

compared against corresponding user information recorded in the Network ID andor External Reference fields of your

EMS Web User records If a match exists the Web User will be logged-into EMS inheriting any Web Process Template

rights that their LDAP Group has been assigned to

bull Log-into Web Application with a Web User that belongs to a Web Security Template containing the Web Administrator role

(Configuration gt Web gt Web Security Templates)

bull Populate your LDAP server information in http[ServerName] EMSWebAppLDAPConfigurationaspx in this page on the

web app page and test the configuration using an account in your LDAP server

bull Populate the External referenceNetwork ID fields for your web users

bull Supported EMS Applications EMS Web application Desktop client Mobile Application (Platform services) Kiosk Campus

Planning Interface

LDAP Authentication

EMSLIVE17

bull The Portal Authentication method provides single sign-on capability using your organizationrsquos portal

bull When a user logged into some EMS applications a predefined user-specific variable (eg email address employeestudent ID network ID etc) captured by your portalsign-on page is compared against corresponding information recorded in the Network ID andor External Reference fields of your EMS Web User records If a match exists the Web User will be automatically logged-into EMS

bull The Field Used to Authenticate Web User web app Parameter (within System Administration gt Settings gt Parameters (Everyday user applications tab) is used by the Web App to determine which value should be used for authentication

bull Several built-in authentication methods to pass-in credentials are available including

bull Server Variable (Header Variable)

bull Session

bull Form

bull Cookie

bull Query String

bull Federated (SAML)

bull Direct users to the default EMS Web app page (http[ServerName]EMSWebAppDefaultaspx )

bull Supported EMS Applications EMS Web application Mobile Application (Platform services)

Portal Authentication

EMSLIVE17EMSLIVE17

Thank You

EMSLIVE17EMSLIVE17

Securing EMS Applications ndash Best Practice

EMSLIVE17

bull Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP the protocol over which data is sent between your browser and the website that you are connected to

bull HTTPS uses SSL or TLS protocol to establish encrypted links between a web server and a browser in an online communication

bull The usage of SSL TLS technology ensures that all data transmitted between the web server and browser remains encrypted

bull You can setup SSL for EMS web applications the same way as you do for any other website in IIS No configuration changes needed within EMS applications

Using HTTPS

EMSLIVE17

bull Obtain a certificate for your server

bull Create a HTTPS Binding on the site level

bull The default settings for a new binding are set to HTTP on port 80

Select https in the Type drop-down list Select the self-signed

certificate you created in the previous section from the SSL

Certificate drop-down list and then click OK

bull Browse to the EMS application site using HTTPS

How to setup an HTTPS site in IIS

EMSLIVE17

bull The Integrated Authentication module provides single-sign-on capability using one of the following authentication methods

bull Windows Authentication

bull LDAP Authentication

bull Portal Authentication (eg SAML)

Note You need to obtain a separate license to use this module

Integrated Authentication

EMSLIVE17

bull Integrated Windows Authentication (IWA) is a built-in Microsoft Internet Information Services (IIS)

authentication protocol that can be used to automatically authenticate and sign-in a web user It can be used

for all EMS applications that use the web user accounts

bull Integrated Windows Authentication is best used on intranets where all clients accessing EMS are within a

single domain

bull When a domain user logged onto a networked PC hits the EMS site their Active Directory credentials

(DomainUser ID) are compared against corresponding DomainUser ID information recorded in the Network

ID field of your EMS Web User records If a match exists the Web User will be automatically logged-into the

EMS site

bull In IIS enable Windows Authentication on the application level and disable Anonymous

bull Populate the NetworkID field for your web users

bull Supported EMS Applications EMS Web application Desktop client Mobile Application (Platform Services)

Windows Authentication

EMSLIVE17

bull Lightweight Directory Access Protocol (LDAP) is an application protocol for querying directory information The LDAP

Authentication method provides single-sign-on capability using your organizationrsquos LDAP environment and can be used in

both intranet and internet deployments of EMS site

bull When a user logs-into an EMS Site with their User ID and Password their credentials are authenticated against LDAP and

compared against corresponding user information recorded in the Network ID andor External Reference fields of your

EMS Web User records If a match exists the Web User will be logged-into EMS inheriting any Web Process Template

rights that their LDAP Group has been assigned to

bull Log-into Web Application with a Web User that belongs to a Web Security Template containing the Web Administrator role

(Configuration gt Web gt Web Security Templates)

bull Populate your LDAP server information in http[ServerName] EMSWebAppLDAPConfigurationaspx in this page on the

web app page and test the configuration using an account in your LDAP server

bull Populate the External referenceNetwork ID fields for your web users

bull Supported EMS Applications EMS Web application Desktop client Mobile Application (Platform services) Kiosk Campus

Planning Interface

LDAP Authentication

EMSLIVE17

bull The Portal Authentication method provides single sign-on capability using your organizationrsquos portal

bull When a user logged into some EMS applications a predefined user-specific variable (eg email address employeestudent ID network ID etc) captured by your portalsign-on page is compared against corresponding information recorded in the Network ID andor External Reference fields of your EMS Web User records If a match exists the Web User will be automatically logged-into EMS

bull The Field Used to Authenticate Web User web app Parameter (within System Administration gt Settings gt Parameters (Everyday user applications tab) is used by the Web App to determine which value should be used for authentication

bull Several built-in authentication methods to pass-in credentials are available including

bull Server Variable (Header Variable)

bull Session

bull Form

bull Cookie

bull Query String

bull Federated (SAML)

bull Direct users to the default EMS Web app page (http[ServerName]EMSWebAppDefaultaspx )

bull Supported EMS Applications EMS Web application Mobile Application (Platform services)

Portal Authentication

EMSLIVE17EMSLIVE17

Thank You

Using HTTPS

• Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to.

• HTTPS uses the TLS protocol (or its now-deprecated predecessor, SSL) to establish encrypted links between a web server and a browser in an online communication.

• The use of SSL/TLS ensures that all data transmitted between the web server and the browser remains encrypted.

• You can set up SSL for EMS web applications the same way as you do for any other website in IIS. No configuration changes are needed within the EMS applications.

How to set up an HTTPS site in IIS

• Obtain a certificate for your server.

• Create an HTTPS binding at the site level. The default settings for a new binding are HTTP on port 80. Select https in the Type drop-down list, select the self-signed certificate you created in the previous section from the SSL Certificate drop-down list, and then click OK.

• Browse to the EMS application site using HTTPS.
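The three steps above as one PowerShell session, added here as an example; it is not taken from EMS Software's documentation. It assumes a Windows Server IIS host with the WebAdministration and PKI modules, a site named 'Default Web Site', the EMS Web App installed as the application EMSWebApp, and the host name ems.example.org. The self-signed certificate matches the slide's walkthrough and is for a lab only; the "require SSL" setting at the end is an addition the slide does not mention.

```powershell
# Added example, not EMS Software's code. Site name, application name and host
# name are assumptions for the illustration.
Import-Module WebAdministration

$siteName = 'Default Web Site'
$appName  = 'EMSWebApp'
$hostName = 'ems.example.org'

# 1. Obtain a certificate for the server. Self-signed here, as on the slide; a
#    production site uses one issued by a CA the clients already trust.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$hostName" } | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -DnsName $hostName -CertStoreLocation 'Cert:\LocalMachine\My'
    # Lab only: trust the self-signed certificate on this machine so the browse
    # test in step 3 does not fail certificate validation.
    $cerPath = Join-Path $env:TEMP 'ems-lab.cer'
    Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
    Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}

# 2. Create the HTTPS binding at the site level (a new binding defaults to HTTP on 80)
#    and attach the certificate to it. 'My' is the LocalMachine personal store.
if (-not (Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostName)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
}
$binding = Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostName
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Addition not on the slide: require SSL on the EMS application so that a plain
# HTTP request to it is refused instead of served. This is an IIS setting only;
# nothing inside EMS changes.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName\$appName" `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# 3. Browse to the EMS application site using HTTPS.
$response = Invoke-WebRequest -Uri "https://$hostName/$appName/Default.aspx" -UseBasicParsing
"HTTPS status for $hostName/$appName : $($response.StatusCode)"
```

The certificate lookup makes the script safe to re-run: it reuses an existing certificate and binding rather than creating duplicates, which matters when the same script is kept as the documented build step for the EMS host.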

Integrated Authentication

• The Integrated Authentication module provides single-sign-on capability using one of the following authentication methods:

  • Windows Authentication
  • LDAP Authentication
  • Portal Authentication (e.g. SAML)

Note: You need to obtain a separate license to use this module.

Windows Authentication

• Integrated Windows Authentication (IWA) is a built-in Microsoft Internet Information Services (IIS) authentication protocol that can be used to automatically authenticate and sign in a web user. It can be used for all EMS applications that use the web user accounts.

• Integrated Windows Authentication is best used on intranets where all clients accessing EMS are within a single domain.

• When a domain user logged onto a networked PC hits the EMS site, their Active Directory credentials (Domain\User ID) are compared against the corresponding Domain\User ID information recorded in the Network ID field of your EMS Web User records. If a match exists, the Web User will be automatically logged into the EMS site.

• In IIS, enable Windows Authentication at the application level and disable Anonymous Authentication.

• Populate the Network ID field for your web users.

• Supported EMS applications: EMS Web application, Desktop client, Mobile Application (Platform Services)
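The IIS step on this slide (Windows Authentication on, Anonymous Authentication off, at the application level) scripted in PowerShell, added as an example that is not EMS Software's own. It assumes the site 'Default Web Site', the application 'EMSWebApp', and the WebAdministration and ServerManager modules of a Windows Server IIS host. The verification at the end is the check a practitioner wants before pointing users at the site, because with Anonymous still enabled IIS never challenges the browser and every visitor arrives without a Domain\User ID to match.

```powershell
# Added example, not EMS Software's code. Site and application names are assumptions.
Import-Module WebAdministration

$siteName = 'Default Web Site'
$appName  = 'EMSWebApp'
$location = "$siteName/$appName"
$authBase = 'system.webServer/security/authentication'

# Windows Authentication is an optional IIS role service and must be installed first.
if ((Get-WindowsFeature Web-Windows-Auth).InstallState -ne 'Installed') {
    Install-WindowsFeature Web-Windows-Auth | Out-Null
}

# Both authentication sections are locked in applicationHost.config by default, so
# writing them into the application's web.config would be rejected. Writing with
# -Location scopes the setting to the application while keeping it in
# applicationHost.config, where the change is permitted.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false

# Verify the slide's requirement at the application level: Windows on, Anonymous off.
$win  = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authBase/windowsAuthentication"   -Name enabled
$anon = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authBase/anonymousAuthentication" -Name enabled
if (-not $win.Value -or $anon.Value) {
    throw "Authentication settings for $location are not as intended (Windows=$($win.Value), Anonymous=$($anon.Value))"
}
"$location : Windows Authentication enabled = $($win.Value); Anonymous enabled = $($anon.Value)"
```

Because the setting is made per application, other applications under the same site keep their own authentication configuration; the EMS site is the only place where anonymous access is removed.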

LDAP Authentication

• Lightweight Directory Access Protocol (LDAP) is an application protocol for querying directory information. The LDAP Authentication method provides single-sign-on capability using your organization's LDAP environment and can be used in both intranet and internet deployments of the EMS site.

• When a user logs into an EMS site with their User ID and Password, their credentials are authenticated against LDAP and compared against the corresponding user information recorded in the Network ID and/or External Reference fields of your EMS Web User records. If a match exists, the Web User will be logged into EMS, inheriting any Web Process Template rights assigned to their LDAP group.

• Log into the Web Application with a Web User that belongs to a Web Security Template containing the Web Administrator role (Configuration > Web > Web Security Templates).

• Populate your LDAP server information in http://[ServerName]/EMSWebApp/LDAPConfiguration.aspx on the web app and test the configuration using an account in your LDAP server.

• Populate the External Reference/Network ID fields for your web users.

• Supported EMS applications: EMS Web application, Desktop client, Mobile Application (Platform services), Kiosk, Campus Planning Interface
