To edit a workgroup, click on the Edit icon on the Button Bar. Then, select a workgroup to edit from the pulldown menu and click the Edit button under the pulldown menu. You can also click on the Edit icon to the left of a workgroup name from the Home Page.

The following workgroup settings can be modified:

• Description - Modify the text entered to describe the workgroup

• Authentication - Modify the type of authentication that should be set for the workgroup. Do not change this setting unless you clearly understand the new authentication mechanism you are selecting. Changes in authentication can block access for some or all of your current users.

  NetResults Tracker is authentication performed by the Tracker application itself using a Login web page which requests the user's Tracker User ID and Password. The Microsoft IIS web server will be configured to allow "Anonymous" access (no authentication is performed by IIS itself). All other forms of authentication use the Microsoft IIS web server and Windows operating system to authenticate the user before they are given access to any Tracker web pages. The Tracker Login Page is not displayed. However, a user's web browser may display a pop-up to request the user's credentials (Windows user name, password, and, in some cases, domain) if it needs this information (or is configured to always request this information) in order to complete authentication with the IIS web server.

  Selecting "IIS Basic", "IIS Integrated Windows" or "IIS Basic and Integrated Windows" authentication enables single sign-on capability provided by the Microsoft IIS web server. If one of those authentication mechanisms is selected, the IIS web server and Windows operating system will authenticate the user and then verify that the user should be given access to the Tracker web pages (using the Windows file system permission settings on the web pages). If the Windows authentication and access control checks pass, then IIS will pass the request on to Tracker. Tracker will then search its own user account list for a matching entry (Windows User name matches Tracker User ID) to verify that the user should be given access to the workgroup before displaying the user's Home Page.

  A summary of the reasons why you might select one form of authentication over another is provided below.

  Generally speaking, NetResults Tracker authentication is the simplest for you to set up and has the lowest Windows Server licensing costs. However, it does require that your users maintain a separate user account for Tracker and for Windows (if they are using Windows). If they routinely change their password, they will have to change their Windows password and their Tracker password. NetResults Tracker authentication works with all supported browsers running on any operating system.

  If you use one of the three forms of IIS authentication, your users will not need to maintain a separate password (authentication will be done by IIS using their Windows user account) and you can use Windows to enforce password policies. However, it is generally harder to configure and maintain (especially if you are using IIS Integrated Windows or IIS Basic and Integrated Windows). It may cost more for your Windows Server licensing to use Windows authenticated users (contact your Microsoft reseller and ask about Windows authenticated users accessing the IIS web server).

  IIS Basic Authentication works with all supported web browsers on any operating system. However, it sends Windows passwords in "clear text", so it should only be used in conjunction with SSL.

  IIS Integrated Windows does encrypt passwords (even without SSL), but can not be used with any browser other than Internet Explorer. Also, IIS Integrated Windows (or "IIS Basic and Integrated Windows") can not be used in an environment where there is a (hardware or software) firewall or proxy server between your end users (their web browsers) and the web server. Though it may appear to work in some cases, it will (sometimes intermittently) have situations where the browser requests the users credentials over and over. Keep in mind that software which acts as a firewall or proxy server may not label itself as such. It may be labeled as "intrusion prevention" software or "web acceleration" software. Some "pop-up blocker" software packages also use a proxy server. If you were using IIS Integrated Windows authentication and one or more of your users suddenly starts complaining that they are being repeatedly asked to enter their user name and password or are getting an "access denied" error, odds are that they are now using a firewall or proxy server (perhaps installed on their browser machine or in their network).

  If you wish to use one of the IIS authentication mechanisms, we recommend using IIS Basic combined with SSL. This will allow your users to use any supported browser (including Firefox) and will work through firewalls and proxy servers. For further details on the differences between these choices, please consult the Microsoft Authentication documentation:

  • Windows Server 2016, IIS 10.0 The "Practical Applications" table has useful information.
  • Windows Server 2012, IIS 8.0 and Windows Server 2012 R2, IIS 8.5
  • Windows Server 2008, IIS 7.0 and Windows Server 2008 R2, IIS 7.5 In particular, we recommend the summary table in this section.

• Require SSL - Enable or disable the option to require SSL (Secure Socket Layer) encryption on the workgroup. Enabling this option (checking the box) requires that a valid Server Certificate has been entered on the web server to apply SSL to this workgroup.

• Host Name or IP Address - Update the Host Name or IP Address used to reach the web site where this workgroup has been created. The information stored in this field is used to configure the URL for this workgroup.

• Port Number - Update the port number used to reach the web site where this workgroup has been created. The information stored in this field is used to configure the URL for this workgroup.

• Database User Name - This option is only available for MySQL, SQL Server or Oracle workgroups. If you wish to change the Database User Name, enter the new User Name and also enter the corresponding password in the Database User Password and Confirm User Password fields.

• Database User Password and Confirm User Password - This option is only available for MySQL, SQL Server and Oracle workgroups. If you entered a new value for Database User Name, enter and confirm the password for this user. Or, enter and confirm the password, if you simply want to update the password for the user.

• Use SQL Native Client Provider - This option is only available for SQL Server workgroups. When enabling this option by checking the box, Tracker will use SQL Native Client Provider to connect to SQL Server. By default this property is unchecked so that Tracker will use SQL OLE DB Provider to connect. This property is optional and can be used if you want to take advantage of SQL Server features such as database mirroring. Use of this feature is only recommended in cases where you have an expert SQL Server administrator with detailed knowledge of SQL Server client configuration. Enabling this property may require you to download and install the SQL Native Client on the web server.

• Fail Over Location (Server) - This option is only available for SQL Server workgroups and will only be displayed when Use SQL Native Client Provider is enabled. Specify the name of the "mirror" server that should be used in the event that the principal server fails. This property is optional and can be used if you want to take advantage of SQL Server features such as database mirroring in a version of SQL Server where it is supported. Use of this feature is only recommended in cases where you have an expert SQL Server administrator with detailed knowledge of SQL Server client configuration. Please leave this property blank if you are not using database mirroring or are not familiar with database mirroring. Click here for more information about database mirroring.

• Comment - Update the additional information listed for this workgroup

• History Comment - Enter a description of the changes being made to the workgroup settings

After modifying the fields you wish to update, click on the Continue button.

Authentication Details - If you selected an option other than "NetResults Tracker" for the Authentication field, you will be prompted to provide additional information for the authentication configuration:

• Windows Domain Name or Computer Name - The Windows domain or computer name selected on the Edit Workgroup page will be displayed. When you use one of the Microsoft IIS authentication schemes, user authentication and access control will be performed as follows. First, the Microsoft IIS web server in conjunction with the web browser and (in most cases) your Windows domain server will authenticate the user which is trying to access a web page in the workgroup. That authentication may be implicit (user will not see it happen) or it may be explicit (user may see a pop-up displayed by their browser requesting Windows user name, password, and, in some cases, domain) depending on the browser configuration, web server configuration, and your domain configuration. If the end user successfully authenticates to Windows/IIS, the IIS web server will then perform access control by comparing the Windows user account to the Windows file system permission on the web page being accessed. If that access control check passes, the web page request will then be passed on to Tracker. Tracker will then check its user account information to see if that user account exists in Tracker and has access to the workgroup. If so, the Home Page for that user will be displayed and the user's login session will be started. If the user was browsing to the Knowledge Base page or the Submit via Web for Unregistered Users page, then the last check will not be performed because those pages do not require that the user has a Tracker user account.

• Windows User Groups - The Windows user groups available in the selected domain or computer will be listed. If you were using one of the IIS authentication mechanisms prior to performing this Edit operation, the user groups that were selected on the Add Workgroup or the most recent Edit Workgroup operation will be displayed. Select the Windows user group(s) that should be allowed to access this workgroup. To select multiple user groups, hold down the Ctrl button on your keyboard as you select the user groups. The Windows file system permissions on the Tracker web pages for this workgroup will be modified to allow access by each User Group which you select.

  Note: Tracker only adds to or modifies your existing Windows file system permissions for the selected User Groups. It does not remove or modify any existing entries for other User Groups which you do not select (or those which you specifically unselect). In other words, the file system permissions will be set to guarantee that users in the selected User Groups will pass the IIS access check. They will not be set to make sure that all other users will fail the IIS access check. If Tracker did that, it might remove access for users who may not need to browse to the web pages, but do need access to the files themselves (such as local administrators, backup operators, etc.). So, for example, if you have installed the workgroup in a Windows folder which has access for Everyone, then the IIS web server will give Everyone (who successfully authenticates with a valid Windows user account) access to the Tracker web pages. However, Tracker will still reject access for users who do not have a Tracker user account (excluding Knowledge Base and Submit via Web for Unregistered Users pages which don't require a Tracker user account). If you wish to narrow this list (so that more IIS access control is performed), then you should set the file system permissions on the folder that you selected as the Location for the workgroup. If you wish to remove permissions for some users, then do so prior to completing this Edit Workgroup operation (so that all of the settings which the Edit Workgroup operation configures will be maintained). Be careful to not remove access that may be needed by users/tools which run on the web server machine (such as for the Administrators of the server, the user accounts that are used by the backup tool(s) which you use, etc.).

  After creating the workgroup, you must still add a Tracker user account with the User ID that matches the Windows user account for each user who will use the workgroup. Please note that changes made to the user profile information in the user accounts in Tracker will not be reflected in Active Directory (and vice versa).

• Windows User for Admin - Enter the Username of the Windows user account that will be authenticated as the Tracker Admin user account for the workgroup. The user selected must be a member of one of the groups selected for Windows User Groups above and in the Windows Domain or Host Name selected above. This allows you to associate any Windows user with the Tracker Admin user account (so that you do not have to create a Windows user account with the user name Admin).