
Can TRIM "thin client" be configured to prompt for LOGON for the anonymous user?

JOHN ADAMS_9
Collector

Can TRIM "thin client" be configured to prompt for LOGON for the anonymous user?

The TRIM thin client appears to be a browser-based interface to TRIM that relies on Windows Authentication like an intranet app (similar to the way the TRIM desktop "thick client" relies on credentials of the logged on user).

 

Can the web client for TRIM 7.1 be configured to support remote (anonymous) users by requiring a prompt for Logon (sometimes called "Forms authentication")?

 

NOTE: My boss asked me to post this question because our TRIM administrator is currently on vacation leave and we'd like to know this for our planning (I don't have access to the documentation now).

 

Thanks for your time.

 

12 REPLIES
TRIMGuru
Honored Contributor
Solution

Re: Can TRIM "thin client" be configured to prompt for LOGON for the anonymous user?

TRIM v7 web client can be configured to require a login name and password. Hope this helps.

JOHN ADAMS_9
Collector

Re: Can TRIM "thin client" be configured to prompt for LOGON for the anonymous user?

Thanks. 

JOHN ADAMS_9
Collector

Re: Can TRIM "thin client" be configured to prompt for LOGON for the anonymous user?

Sorry for this followup question (I cannot get to the documentation myself)...

 

My boss needs to know a bit more about this config setup to support remote/internet/anonymous users coming at TRIM content via the thin client using a browser:

 

  1. When prompted for LOGON with Username and Password, where are these credentials stored for authentication? Somewhere in TRIM itself? Or does the anonymous user need a Windows account on the machine hosting the TRIM webclient?
  2. Our question assumes the IIS machine that hosts the TRIM web client app must be configured so an anonymous user can access the site (i.e. "public-facing" and not blocked by corporate firewall). Can the TRIM server itself be a different machine protected by our firewall - or does the TRIM server need to be on the same machine as the IIS host of the TRIM web client site?

Thanks for your help.

JOHN ADAMS_9
Collector

Re: Can TRIM "thin client" be configured to prompt for LOGON for the anonymous user?

Please see followup post which seeks a bit more on this setup....

Grundy
Honored Contributor

Re: Can TRIM "thin client" be configured to prompt for LOGON for the anonymous user?


jjamjatra wrote:
  1. When prompted for LOGON with Username and Password, where are these credentials stored for authentication? Somewhere in TRIM itself? Or does the anonymous user need a Windows account on the machine hosting the TRIM webclient?


Each 'Location' in TRIM has a Username value stored against it.

TRIM will authenticate a user against the domain credentials, e.g. Windows network username and password.

 

An anonymous user would need to be entering a Username and Password for a specific Active Directory user, which authenticates in the Windows domain.

The Username would then need to match up with the Username value on a Location in TRIM.

In this scenario, you should make a 'WebClient Anonymous' Location. (Name it whatever you want)

 


jjamjatra wrote:
2. Our question assumes the IIS machine that hosts the TRIM web client app must be configured so an anonymous user can access the site (i.e. "public-facing" and not blocked by corporate firewall). Can the TRIM server itself be a different machine protected by our firewall - or does the TRIM server need to be on the same machine as the IIS host of the TRIM web client site?


The WebClient/IIS connection to TRIM is a Client-Server connection just as if you were using a full TRIM Client.

So the client-server PORT needs to be open from the IIS server to the TRIM Workgroup Server that it is using.

By default this is 1137, but can be configured in the TES.

If you had a TRIM Workgroup Service installed locally on the IIS machine, then you would need to open the required ports for the WG Service to connect to the database.

 



::::::::::::::::::::::
NOT A HP EMPLOYEE
::::::::::::::::::::::

INFORMOTION.com.au
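
Added example, not part of the post above and not vendor configuration: one way to scope the client-server port on the Workgroup Server so that only the IIS/WebClient host can reach it, with an audit for wider rules that would defeat the restriction. It assumes the default port 1137 over TCP, Windows Server 2012 or later, and placeholder names and addresses (`192.0.2.10`, `trim-wgs.example.internal`).

```powershell
# Added example. Run in an elevated PowerShell session on the TRIM Workgroup Server.
# Assumptions: default client-server port 1137 over TCP (change it here if it was
# changed in TES); 192.0.2.10 is a placeholder for the IIS/WebClient host address.
$TrimPort  = 1137
$IisHostIp = '192.0.2.10'
$RuleName  = 'TRIM Workgroup Server - WebClient IIS host only'

# Recreate the rule idempotently so repeated runs do not stack duplicates.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort $TrimPort -RemoteAddress $IisHostIp | Out-Null

# Windows Firewall allow rules are additive: any other enabled allow rule on the
# same port with RemoteAddress 'Any' still exposes it. List those for review.
# This audit covers port-scoped rules only, not program-scoped rules.
$tooWide = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $port.Protocol -eq 'TCP' -and
        $port.LocalPort -contains "$TrimPort" -and
        $addr.RemoteAddress -contains 'Any'
    }

if ($tooWide) {
    Write-Warning "Port $TrimPort is also allowed from any address by:"
    $tooWide | Select-Object DisplayName, Profile | Format-Table -AutoSize
} else {
    Write-Output "Port $TrimPort is only allowed from $IisHostIp by port-scoped rules."
}

# Verification, run from the IIS host (placeholder server name):
#   Test-NetConnection -ComputerName trim-wgs.example.internal -Port 1137
# TcpTestSucceeded should be True from the IIS host and False from other hosts.
```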
samd_1
Senior Member

Re: Can TRIM "thin client" be configured to prompt for LOGON for the anonymous user?

Grundy or anyone else..

 

So therefore what if you have the Web Components installed on an IIS server, thereby having to install the workgroup server there as it's a requirement, but the Web Components connect to a remote Trim Workgroup Server where the Document Store is. Meaning the Trim workgroup server installed on the same "box" where the Web Components live does nothing in terms of providing access to a dataset.

 

Now in this scenario let's say you run the Web Components using Basic Authentication with SSL as Windows Authentication ain't happening over the Internet correct? Now where do you need to have users created for Trim to be able to work? Would you need to create local operating system users (Trim works with local operating system users, it doesn't need Active Directory from what I've seen) on the Web Components/IIS server or on the remote Trim server? I would think the remote Trim server. If so will the Web Components just pass the username/password on to the remote Trim server's operating system to be authenticated?

 

How does this work? Will it work?

Grundy
Honored Contributor

Re: Can TRIM "thin client" be configured to prompt for LOGON for the anonymous user?

 


samd wrote:

Grundy or anyone else..

 

So therefore what if you have the Web Components installed on an IIS server, thereby having to install the workgroup server there as it's a requirement, but the Web Components connect to a remote Trim Workgroup Server where the Document Store is. Meaning the Trim workgroup server installed on the same "box" where the Web Components live does nothing in terms of providing access to a dataset.

 

Now in this scenario let's say you run the Web Components using Basic Authentication with SSL as Windows Authentication ain't happening over the Internet correct? Now where do you need to have users created for Trim to be able to work? Would you need to create local operating system users (Trim works with local operating system users, it doesn't need Active Directory from what I've seen) on the Web Components/IIS server or on the remote Trim server? I would think the remote Trim server. If so will the Web Components just pass the username/password on to the remote Trim server's operating system to be authenticated?

 

How does this work? Will it work?


For the Workgroup Server side, the WG components need to be installed locally simply so that the web application has the correct TRIM components to run the app.

During the configuration of the WebClient, you can point it to any Workgroup Server you want.

 

For authentication, there is no 'Basic' authentication method available with the WebClient.

If an un-authenticated user connected to the site outside of the domain where TRIM is running, it will pop-up with a Windows login box, where the DOMAIN\USERNAME and PASSWORD will be required.

The usernames/passwords are still authenticated against AD credentials in the domain where the webclient is running and these then still link up with the Locations stored in TRIM which have a 'network login' configured in their properties.

 

Since TRIM will require authentication from a network login that matches a Location, you will need either a domain user account or a local machine account that also has a matching username/password account on the WG server it is connected to. (I don't think having the local account on just the WebClient server will work, but you could test this)

 

 

 



::::::::::::::::::::::
NOT A HP EMPLOYEE
::::::::::::::::::::::

INFORMOTION.com.au
samd_1
Senior Member

Re: Can TRIM "thin client" be configured to prompt for LOGON for the anonymous user?

I have to look more into the documentation but just to verify what you are saying. Is the Trim Webclient meant to be used for even Internet access to Trim and not just intranets? Meaning the Trim team made it so that in a simple setup Internet users can enter a username and password because they are prompted for them, and once entered, as long as they have a local operating system account even, on the Trim server(s) then Trim will let them in? This is going to get into delegation if I want a multiple server environment as IIS doesn't support double hops. The note in the installation about Webdrawer not supporting Kerberos. What does that exactly mean? I know, I think, what Kerberos is. But what does that mean Webdrawer can't do?
Grundy
Honored Contributor

Re: Can TRIM "thin client" be configured to prompt for LOGON for the anonymous user?

The WebClient isn't designed to be an externally facing, anonymous or basic portal to TRIM.

Ideally you would always have the user logged in and authenticated on the company domain where they can then access the WebClient.

 

It is designed as a thin client for existing TRIM users who already have valid AD credentials and a matching TRIM location and makes it easier to deploy TRIM to users over a national/global company network.

 

If you want an externally facing portal with basic/anonymous authentication then WebDrawer would be the best way to go.



::::::::::::::::::::::
NOT A HP EMPLOYEE
::::::::::::::::::::::

INFORMOTION.com.au
samd_1
Senior Member

Re: Can TRIM "thin client" be configured to prompt for LOGON for the anonymous user?

Even though the Webclient wasn't designed to be externally facing what would prevent it from working in an externally facing environment? Wouldn't the user get prompted for a login by IIS and that would work as long as you created a bunch of local users on the IIS machine? And what if IIS was connecting to the Trim server via that new trusted user you set up in Trim using the Network Service account and you created a bunch of locations in Trim mapped to operating system users that had the same name as the local users on the IIS server? Even if you had to create the local users again on the Trim server, wouldn't that work?

 

Webdrawer is read only and we're looking for read/write access and were thinking of the web interface.

Grundy
Honored Contributor

Re: Can TRIM "thin client" be configured to prompt for LOGON for the anonymous user?

If you set it up as you've described, it should work.

 

Really the only thing stopping an externally connected user working in the WebClient would be the authentication.

If that person has valid credentials for a Windows account it should work.

 

Also understand that this isn't tested and therefore isn't an officially supported configuration by HP.



::::::::::::::::::::::
NOT A HP EMPLOYEE
::::::::::::::::::::::

INFORMOTION.com.au
samd_1
Senior Member

Re: Can TRIM "thin client" be configured to prompt for LOGON for the anonymous user?

Thanks. I'll give it a shot.