cancel

Trim v6 Authentication

Highlighted
dw_2
Frequent Contributor.

Trim v6 Authentication

From reviewing our server logs it appears that the domain of the user's workstation is passed to the HP Trim application regardless of how they log onto the application (either double-click or by performing a 'run as').

 

Is there a configuration change that can be made to either the desktop client or the application authentication to allow it to recognize more than a single domain?

9 REPLIES
EWillsey
Acclaimed Contributor.

Re: Trim v6 Authentication

TRIM only uses the Windows Token to check the network login name against the TRIM location structure.

 

Most likely you've got the domain included in the user profile within TRIM.  You can safely remove it.

 

To do this:

 

  1. Open TRIM
  2. Click Find Locations
  3. Enter the person's name (last name first)
  4. Double-click the location
  5. Go to the profile tab (must be an administrator typically to do this)
  6. In the "login name" field, remove the domain
Let us know if this works!
Cheers,
Erik

 

dw_2
Frequent Contributor.

Re: Trim v6 Authentication

Would it make sense to put in the domain and ID that they use on their workstation?  Is that communicated to the server via port 1137?

EWillsey
Acclaimed Contributor.

Re: Trim v6 Authentication

If you want to support multiple domains then just put in the user ID (without domain).  When you launch TRIM your Windows Token is authenticated and then your username is checked against the location structure.  So if you put in  "mydomain\erik" into the TRIM location profile then I must be on the "mydomain" with NT-account "erik".  If you just put in "erik" on the profile, I can come from any authenticated domain with NT-account "erik".

dw_2
Frequent Contributor.

Re: Trim v6 Authentication

Does the server need to be a member of the same domain or 'trusted' domain as the user and their machine?

EWillsey
Acclaimed Contributor.

Re: Trim v6 Authentication

As long as you have established a trust (usually a transitive bi-directional trust, but that's not required) you should be fine.

dw_2
Frequent Contributor.

Re: Trim v6 Authentication

That is where our problem lies - we will allow these users to communicate on our network (via firewall rules) but their domain is NOT trusted to our AD.  We were hoping to use the 'run as' statement to log into HP Trim with an AD account that we have established for them - but from a machine in their own domain.

 

Does this make sense?

EWillsey
Acclaimed Contributor.

Re: Trim v6 Authentication

As I mentioned before, the TRIM Application itself authenticates your Windows Token (much like every other application).  If authorized to launch the application it will then pass your full user name from the token (domain and nt-account) to the workgroup server.  The workgroup server then compares that to the locations in TRIM.  If the nt-account exists on an active location profile then it let's you in.

 

If your domains are not trusted at all then I'm not sure how you're going to right-click and execute something from an untrusted domain.  How is the local workstation going to get a valid windows token from a domain that isn't trusted?  Does it work for other applications?

 

Either way in TRIM, just put the nt-account name (not the domain) into the login name field.

dw_2
Frequent Contributor.

Re: Trim v6 Authentication

We are going to do some additional testing today - still trying to work through the issue.  Sure hoping we can get this to work.

 

dw_2
Frequent Contributor.

Re: Trim v6 Authentication

Our testing today did not produce the results I was hoping for.  I did learn that our workgroup servers were set to authenticate to a specific domain.  As I was told, there is the option to set it to check the domain for ALL users or individually for ALL users.   Our server guy is seeing that he possibly can create a different dataset that we could set that authentication differently.

 

Our other experts would REALLY like to talk with someone from HP Trim that understands how their authentication functions.  Does anyone have a suggestion on who that might be.  I believe we have a support contract.

 

Thanks much!