Authentication Overview

Webspace provides two methods of authentication:

  • Standard Authentication (the default setting)
  • Integrated Windows Authentication

Webspace requires that at least one of Standard authentication or Integrated Windows authentication be enabled. If both are enabled, the Webspace Server attempts to log the user on in the following order:

  • Integrated Windows authentication.
  • Standard authentication, if Windows authentication fails.

Tip: For Webspace auto login to work, you must use the Integrated Windows Authentication option on the Authentication tab of the Host Options dialog box. Additionally, in iFIX, you must add the line SHOWIFIXLOGIN=0 to the WebspacePreferences section of the Fixuserpreferences.ini file in the iFIX Local folder.

Standard Authentication

Standard Windows authentication is the default method for authenticating users on a Webspace Server. Standard authentication allows users to sign in to a Webspace Server from the Logon dialog box by supplying their user name and password. Once authenticated, users are added to the server's INTERACTIVE group and given the same access rights as if they had signed in to the Webspace Server at its console.

Users logging onto a Webspace Server with standard authentication are:

  • Added to the server's INTERACTIVE group.
  • Granted the same access rights that they have when logging onto the server at its console.

Important: In a Relay Server configuration, a user logs in to the Dependent Application Server, but the user credentials must also be authenticated at the Relay Server to obtain a Webspace “license token.”

Standard authentication includes logging on with a user name and password supplied by any of the following:

  • Logon dialog box
  • HTML parameters
  • Command-line arguments

Optionally, when Standard Authentication is enabled, you can also enable Client-Side Password Caching to allow the user name and password to be saved locally on the client, if the Remember Me on this Computer check box was selected in the Logon dialog box on the previous login. With the Remember Me on this Computer option enabled, the Logon dialog box appears with the user name and password pre-populated.

Integrated Windows Authentication

Integrated Windows authentication allows users to connect to a Webspace Server and start a session without having to sign in to the server and re-enter their user name and password. When Integrated Windows authentication is the only option enabled, the user’s user name and password are never transmitted over the network. Instead, Webspace simply runs the user’s session in the same security context as the Webspace Client. Users are added to the server's INTERACTIVE group, and passwords are cached on the server by default.

Important: Integrated Windows authentication is only available to users who sign in from Windows computers that are members of the same domain as the Webspace Server.

Note: When Integrated Windows authentication is the only option enabled, the user’s user name and password are never transmitted over the network. Instead, Webspace runs the user’s session in the same security context as the client.

To avoid these conditions, when Integrated Windows Authentication is enabled, Webspace automatically caches passwords on the server. Doing so allows users to sign in from Windows computers that are members of the same domain as the Webspace Server without having to enter their user name and password every time they connect. Users are prompted for a password when first connecting to the server or following a password change. Passwords are stored within their respective profiles and can only be decrypted from within their respective security contexts. With subsequent connections to Webspace, users are automatically signed in and added to the host's INTERACTIVE group. They are granted the same access rights as if they had signed in to the host at its console.

Webspace caches passwords on the host using the industry-standard encryption algorithms provided by Microsoft’s Data Protection application programming interface (DPAPI). For more information about DPAPI, search the MSDN Library (http://msdn.microsoft.com/library/default.asp) for “Windows Data Protection.”
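
The profile-bound behaviour described above can be observed with the .NET wrapper for DPAPI. The following PowerShell is an added example, not Webspace code; it assumes Windows PowerShell 5.1 and the per-user (CurrentUser) DPAPI scope, and the function names, sample value and temp-file name are constructed for illustration.

```powershell
# Added illustration of user-scoped DPAPI protection; not part of Webspace.
Add-Type -AssemblyName System.Security

function Protect-ForCurrentUser {
    param([Parameter(Mandatory)][string]$Secret)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    try {
        # CurrentUser scope: the protecting key is derived from the caller's
        # logon credentials and is held in that user's profile.
        $blob = [System.Security.Cryptography.ProtectedData]::Protect(
            $bytes, $null,
            [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        return ,$blob          # leading comma keeps the byte[] intact
    }
    finally {
        # Do not leave the plaintext copy in memory longer than needed.
        [Array]::Clear($bytes, 0, $bytes.Length)
    }
}

function Unprotect-ForCurrentUser {
    param([Parameter(Mandatory)][byte[]]$Blob)
    try {
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $Blob, $null,
            [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        return [System.Text.Encoding]::UTF8.GetString($bytes)
    }
    catch [System.Security.Cryptography.CryptographicException] {
        # Thrown when the caller is not the account that protected the blob,
        # or when the blob has been altered.
        return $null
    }
}

# Constructed sample value and file name (assumptions for the demonstration).
$sample   = 'constructed-sample-value'
$blobPath = Join-Path $env:TEMP 'dpapi-demo.bin'

# Protect and store the opaque blob, as a cache on disk would.
[System.IO.File]::WriteAllBytes($blobPath, (Protect-ForCurrentUser -Secret $sample))

# Same account, same security context: the round trip succeeds.
$plain = Unprotect-ForCurrentUser -Blob ([System.IO.File]::ReadAllBytes($blobPath))
"Same account can decrypt: $($plain -eq $sample)"

Remove-Item $blobPath
```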

Important: If User Account Control (UAC) is enabled on the Webspace Server, be aware that if you first log in to the Webspace Server console and then try to start a Webspace session on a remote client by logging in under the same user, you may experience issues with the application not being able to start on the Webspace Server. Log out of the Webspace Server console, and then log back in to the console to resolve this issue.