|
To edit a workgroup, click on the Edit icon on the Button Bar. Then, select a workgroup to edit from the pulldown menu and click the Edit button under the pulldown menu. You can also click on the Edit icon to the left of a workgroup name from the Home Page.
The following workgroup settings can be modified:
NetResults Tracker is authentication performed by the Tracker application itself using a Login web page which requests the user's Tracker User ID and Password. The Microsoft IIS web server will be configured to allow "Anonymous" access (no authentication is performed by IIS itself). All other forms of authentication use the Microsoft IIS web server and Windows operating system to authenticate the user before they are given access to any Tracker web pages. The Tracker Login Page is not displayed. However, a user's web browser may display a pop-up to request the user's credentials (Windows user name, password, and, in some cases, domain) if it needs this information (or is configured to always request this information) in order to complete authentication with the IIS web server.
Selecting "IIS Basic", "IIS Integrated Windows" or "IIS Basic and Integrated Windows" authentication enables single sign-on capability provided by the Microsoft IIS web server. If one of those authentication mechanisms is selected, the IIS web server and Windows operating system will authenticate the user and then verify that the user should be given access to the Tracker web pages (using the Windows file system permission settings on the web pages). If the Windows authentication and access control checks pass, then IIS will pass the request on to Tracker. Tracker will then search its own user account list for a matching entry (Windows User name matches Tracker User ID) to verify that the user should be given access to the workgroup before displaying the user's Home Page.
A summary of the reasons why you might select one form of authentication over another is provided below.
Generally speaking, NetResults Tracker authentication is the simplest for you to set up and has the lowest Windows Server licensing costs. However, it does require that your users maintain a separate user account for Tracker and for Windows (if they are using Windows). If they routinely change their password, they will have to change their Windows password and their Tracker password. NetResults Tracker authentication works with all supported browsers running on any operating system.
If you use one of the three forms of IIS authentication, your users will not need to maintain a separate password (authentication will be done by IIS using their Windows user account) and you can use Windows to enforce password policies. However, it is generally harder to configure and maintain (especially if you are using IIS Integrated Windows or IIS Basic and Integrated Windows). It may cost more for your Windows Server licensing to use Windows authenticated users (contact your Microsoft reseller and ask about Windows authenticated users accessing the IIS web server).
IIS Basic Authentication works with all supported web browsers on any operating system. However, it sends Windows passwords in "clear text", so it should only be used in conjunction with SSL.
IIS Integrated Windows does encrypt passwords (even without SSL), but can not be used with any browser other than Internet Explorer. Also, IIS Integrated Windows (or "IIS Basic and Integrated Windows") can not be used in an environment where there is a (hardware or software) firewall or proxy server between your end users (their web browsers) and the web server. Though it may appear to work in some cases, it will (sometimes intermittently) have situations where the browser requests the users credentials over and over. Keep in mind that software which acts as a firewall or proxy server may not label itself as such. It may be labeled as "intrusion prevention" software or "web acceleration" software. Some "pop-up blocker" software packages also use a proxy server. If you were using IIS Integrated Windows authentication and one or more of your users suddenly starts complaining that they are being repeatedly asked to enter their user name and password or are getting an "access denied" error, odds are that they are now using a firewall or proxy server (perhaps installed on their browser machine or in their network).
If you wish to use one of the IIS authentication mechanisms, we recommend using IIS Basic combined with SSL. This will allow your users to use any supported browser (including Firefox) and will work through firewalls and proxy servers. For further details on the differences between these choices, please consult the Microsoft Authentication documentation:
After modifying the fields you wish to update, click on the Continue button.
Authentication Details - If you selected an option other than "NetResults Tracker" for the Authentication field, you will be prompted to provide additional information for the authentication configuration:
Note: Tracker only adds to or modifies your existing Windows file system permissions for the selected User Groups. It does not remove or modify any existing entries for other User Groups which you do not select (or those which you specifically unselect). In other words, the file system permissions will be set to guarantee that users in the selected User Groups will pass the IIS access check. They will not be set to make sure that all other users will fail the IIS access check. If Tracker did that, it might remove access for users who may not need to browse to the web pages, but do need access to the files themselves (such as local administrators, backup operators, etc.). So, for example, if you have installed the workgroup in a Windows folder which has access for Everyone, then the IIS web server will give Everyone (who successfully authenticates with a valid Windows user account) access to the Tracker web pages. However, Tracker will still reject access for users who do not have a Tracker user account (excluding Knowledge Base and Submit via Web for Unregistered Users pages which don't require a Tracker user account). If you wish to narrow this list (so that more IIS access control is performed), then you should set the file system permissions on the folder that you selected as the Location for the workgroup. If you wish to remove permissions for some users, then do so prior to completing this Edit Workgroup operation (so that all of the settings which the Edit Workgroup operation configures will be maintained). Be careful to not remove access that may be needed by users/tools which run on the web server machine (such as for the Administrators of the server, the user accounts that are used by the backup tool(s) which you use, etc.).
After creating the workgroup, you must still add a Tracker user account with the User ID that matches the Windows user account for each user who will use the workgroup. Please note that changes made to the user profile information in the user accounts in Tracker will not be reflected in Active Directory (and vice versa).
NetResults Tracker © 1997-2017 NetResults Corporation. All rights reserved.