2017 R1 Update Rollup 1

Authentication with Kerberos (Basic, Cookie)

The following chapters describe a basic authentication method using Kerberos and HTTP cookies. This authentication method authenticates using Kerberos credentials entered by the user and then stores a cookie with the authentication information, so that credentials are only required and validated during the initial request. Consequently, clients such as the Fabasoft Folio Client do not require credentials once the cookie is available.

Performance Note: This authentication method should only be used for web services that are accessed interactively via web browsers. Otherwise, HTTP requests from non-browser clients that ignore cookies set by the server (e.g. conversion service requests) may cause significant performance problems because every single HTTP request has to create a new Fabasoft Folio session in that scenario. Use the environment variable FSCVEXT_AUTHMETH to configure the authentication method for specific hosts or web services.

Configuration

The following settings are necessary for the configuration of Kerberos (basic, cookie):

  1. Open the Virtual Application Configuration, which is referenced in the Current Domain or Domain Type.
  2. Click the “Authentication” tab.

The following relevant properties are available:

  • Cookies
    • Cookie Valid in Session
      Set the value of this property to “Yes” if the authentication should only be valid during a user session.
    • Authentication Expires After Minutes
      Define after how many minutes the authentication expires for a user who is actively working with the system.
    • Authentication of an Idle Session Expires After Minutes
      Define after how many minutes the authentication expires for a user who is not actively working with the system.

The environment variable FSCVEXT_AUTHBASICDOMAIN defines a default domain for authentication, which is used when only a user name without a domain name is supplied. Additionally, on Linux, this variable is used to resolve short domain names. It is therefore possible to define several domain names, separated by ‘;’. In that case, the first domain in the list is used as the default domain.

Example: FSCVEXT_AUTHBASICDOMAIN = "default.test.com; eng.test.com; sq.test.com"