How to Configure AutoClassifier for .NET Authorization

.NET Authorization can be configured to secure access to the AutoClassifier Engine.

Use the following steps to enable .NET Authorization.

Info

  • Azure Virtual Machines may not have the Windows Authentication feature/role enabled by default, because Azure Virtual Machines are not required to be attached to a domain.

  • The server is not required to be connected to a domain.

  • Local Users and Groups are sufficient.

Procedure

  1. The server where AutoClassifier is installed must have the Windows Authentication feature/role enabled. If the feature is already enabled, skip this step.
    1. Open the Windows Server Manager application.
    2. In the middle panel select Add roles and features.
  2. In the Server Roles section, navigate to Web Server (IIS) > Security.
  3. Enable Windows Authentication.
  4. Click Next > Install.
  5. Open IIS Manager, if it is not already open.
  6. Select the AutoClassifier Engine site from within the list of sites.
  7. Enable Basic Authentication for the AutoClassifier Engine site.

Enable the AutoClassifier Engine

  1. Navigate to the file web.config from the AutoClassifier Engine site.
  2. Edit the file using a program like Notepad++.
  3. Under the <system.web> section of the web.config file, enable Windows Authentication and list accounts to enable access.

    For example:
    <system.web>
       <authentication mode="Windows"/>
       <authorization>
          <allow users="domain\account1,domain\account2" />
          <deny users="*" />
       </authorization>
    </system.web>

    For example, if your users are NOT attached to a domain:
    <system.web>
       <authentication mode="Windows"/>
       <authorization>
          <allow users="computername\account1,computername\account2" />
          <deny users="*" />
       </authorization>
    </system.web>

    The App Pool user for the AutoClassifier Engine must be added to the list of Allowed Users.

    If you are running any additional components or services, also add either of the following:

    • App Pool user
    • Windows Service(s) user(s)

    If you use an Add-In site, the App Pool user for the Add-In site is required in the list of Allowed Users.
    Note: By default, the AutoClassifier Engine installation uses a single service user to run all components.

Set AutoClassifier Engine Bindings

Use the following steps to set your AutoClassifier Engine site bindings for:

  • .NET authorization
  • Windows authentication
  • HTTP or HTTPS bindings

Configuration for HTTP Bindings

  1. Open the web.config file.
  2. Under the <bindings> section, enable the bindings (webHttpBinding and basicHttpBinding) for .NET Authorization:
<webHttpBinding>
   <binding name="httpsBinding" maxReceivedMessageSize="2147483647" openTimeout="01:00:00" sendTimeout="01:00:00">
      <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
      <security mode="None" />
   </binding>
   <binding name="httpBinding" maxReceivedMessageSize="2147483647" openTimeout="01:00:00" sendTimeout="01:00:00">
      <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
      <security mode="None" />
   </binding>
</webHttpBinding>

<basicHttpBinding>
   <binding name="httpsBinding" maxReceivedMessageSize="2147483647" openTimeout="01:00:00" sendTimeout="01:00:00" transferMode="StreamedResponse">
      <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
      <security mode="None" />
   </binding>
   <binding name="httpBinding" maxReceivedMessageSize="2147483647" openTimeout="01:00:00" sendTimeout="01:00:00" transferMode="StreamedResponse">
      <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
      <security mode="None" />
   </binding>
</basicHttpBinding>


Configuration for HTTPS Bindings

  1. Open the file web.config.
  2. Under the <bindings> section, enable the bindings (webHttpBinding and basicHttpBinding) for .NET Authorization:
<webHttpBinding>
   <binding name="httpsBinding" maxReceivedMessageSize="2147483647" openTimeout="01:00:00" sendTimeout="01:00:00">
      <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
      <security mode="Transport" />
   </binding>
   <binding name="httpBinding" maxReceivedMessageSize="2147483647" openTimeout="01:00:00" sendTimeout="01:00:00">
      <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
      <security mode="Transport" />
   </binding>
</webHttpBinding>
<basicHttpBinding>
   <binding name="httpsBinding" maxReceivedMessageSize="2147483647" openTimeout="01:00:00" sendTimeout="01:00:00" transferMode="StreamedResponse">
      <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
      <security mode="Transport" />
   </binding>
   <binding name="httpBinding" maxReceivedMessageSize="2147483647" openTimeout="01:00:00" sendTimeout="01:00:00" transferMode="StreamedResponse">
      <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
      <security mode="Transport" />
   </binding>
</basicHttpBinding>
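
The authorization rules and the binding security modes configured above can be checked offline before the browser test, which also tells you which accounts should be admitted and which refused. The following PowerShell is an added example, not part of the AutoClassifier product or its documentation; it reads rules top-down with the first match deciding, as ASP.NET does. Assumptions: the function names, SERVER01 and the account names are hypothetical, and only the users attribute is evaluated (not roles).

```powershell
# Constructed sample combining the page's fragments; SERVER01 and the account names are placeholders.
$sample = [xml]@'
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <allow users="SERVER01\svc_apppool,SERVER01\account1" />
      <deny users="*" />
    </authorization>
  </system.web>
  <system.serviceModel><bindings>
    <webHttpBinding>
      <binding name="httpsBinding"><security mode="Transport" /></binding>
      <binding name="httpBinding"><security mode="None" /></binding>
    </webHttpBinding>
  </bindings></system.serviceModel>
</configuration>
'@

function Get-AuthorizationDecision {
    # Hypothetical helper: the first rule naming the user (or "*") decides the outcome.
    param([xml]$Config, [string]$User)
    $rules = $Config.SelectNodes('/configuration/system.web/authorization/*')
    foreach ($rule in $rules) {
        $names = @($rule.GetAttribute('users') -split ',' | ForEach-Object { $_.Trim() })
        # -contains is case-insensitive, matching how Windows treats account names
        if ($names -contains '*' -or $names -contains $User) { return $rule.LocalName }
    }
    return 'allow (inherited default)'   # nothing in this file matched the user
}

function Get-BindingSecurity {
    # Hypothetical helper: one row per WCF binding with its configured security mode.
    param([xml]$Config)
    foreach ($b in $Config.SelectNodes('//bindings/*/binding')) {
        $sec = $b.SelectSingleNode('security')
        [pscustomobject]@{
            Type = $b.ParentNode.LocalName
            Name = $b.GetAttribute('name')
            Mode = if ($null -ne $sec) { $sec.GetAttribute('mode') } else { '(not set)' }
        }
    }
}

"authentication mode: " + $sample.SelectSingleNode('/configuration/system.web/authentication').GetAttribute('mode')
foreach ($user in 'SERVER01\account1', 'server01\ACCOUNT1', 'SERVER01\account9') {
    '{0,-22} {1}' -f $user, (Get-AuthorizationDecision -Config $sample -User $user)
}
Get-BindingSecurity -Config $sample | Format-Table -AutoSize
```

A binding reported with mode None has no transport protection; with Basic Authentication enabled on the site, credentials sent over that binding are only base64-encoded, not encrypted. To audit a real file, load it with `[xml](Get-Content -Raw <path to web.config>)` in place of the sample.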

Test your Configuration

Test the new security configuration using the following steps:

  1. Launch the Site in a browser.
    1. Log in as a user within the "Allowed" list. Access should be granted.
  2. Launch the Site in a browser.
    1. Attempt to log in as a user NOT within the "Allowed" list. Access should be denied.

Troubleshooting

Problem

A valid user is continually prompted for credentials when accessing the site on the installation server.

Solution

Depending upon network configuration, TCP/IP loopback can cause .NET Authorization to fail.

  1. To resolve, first identify if TCP/IP loopback is causing the issue.
  2. From a different server or laptop, attempt to open the site from a browser.
  3. If login is successfully obtained, TCP/IP loopback is blocking access on the server.
  4. Disable TCP/IP loopback on the server and re-test, accessing the site from the server.
    1. Reference: https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/configure-ipv6-in-windows
  5. If login is unsuccessful, re-check the previous configuration steps.

For Seamless Log in

To avoid logging in each time, set your web browser to seamlessly carry your credentials.

Add the site address to the Trusted sites list.

Procedure:

  1. Open Internet Explorer > Internet Options > Security > Trusted Sites.
  2. Add the address to the Trusted sites zone.
  3. In the Security tab of the dialogue, click Custom level...
  4. Scroll to User Authentication section of the Security Settings dialogue.
  5. Select Automatic logon with current username and password.
  6. Click OK.
  7. Apply the settings. Close the dialogue.
  8. Close your internet browser.
  9. Open and access the AutoClassifier Engine site.
  10. The site no longer prompts for credentials as long as the user is in the authorized configuration.

    Info

    Internet Settings are per user.

    Enabling seamless log on in the Internet Settings applies only to the user who is logged in when the browser settings are made.
    Each user who wants seamless log on must make these Security changes in their own browser.