WEBfactory 2010 Login Procedures
This article describes the three available WEBfactory 2010 login procedures.
In a WEBfactory 2010 system, the login procedure is structured in three levels: client, web services and server. Each level handles a different set of operations, thus securing the WEBfactory 2010 system and providing a simplified login procedure.
Client level
At this level, the login procedure is initiated by the user using either a Silverlight control (WFUserLogin1) or an HTML widget, component or extension.
There are three login scenarios supported by the clients:
WEBfactory 2010 login, supported by both Silverlight and HTML clients - using the username and password defined in WEBfactory 2010 User Manager and stored in the WEBfactory 2010 database.
Domain user login, supported by both Silverlight and HTML clients - using the username and password defined in Active Directory.
Windows user login, supported only by Silverlight clients - using the credentials of the user who is currently logged in to Windows.
Web services level
At this level, the login is handled by the Security Service and NTLM Service. The login is either initiated by a client, as mentioned above, or programmatically, using the methods exposed by the services mentioned earlier.
While the Security Service handles the WEBfactory 2010 and Domain user login, using either the provided username/password or security token, the NTLM Service handles the Windows user login.
To achieve this login, the NTLM Service forces IIS to use only Windows Authentication, disabling IIS Anonymous Authentication. Because IIS runs in Windows Authentication mode, the first Windows user login attempt causes IIS to ask the user for the username and password of the Windows user, which are then used in the login procedure. The IIS prompt for Windows username and password can be set to remember the credentials, so that subsequent Windows user login attempts no longer trigger the IIS request for username and password.
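To confirm that the application hosting the NTLM Service really accepts Windows Authentication only, the effective IIS settings can be read back as shown in this added example (not part of the WEBfactory documentation). The function name Test-WindowsAuthOnly and the location 'Default Web Site/<NTLM-service-application>' are assumptions; substitute the site and application path from your own installation.

```powershell
# Added example: audit the authentication modes IIS applies to one application.
# Requires the WebAdministration module (installed with the IIS management tools)
# and an elevated PowerShell session on the web server.
Import-Module WebAdministration

function Test-WindowsAuthOnly {
    param(
        # Assumption: IIS location in the form "<site>/<application>".
        [Parameter(Mandatory)][string]$Location
    )

    $base  = '/system.webServer/security/authentication'
    $state = @{}

    # Read the effective "enabled" attribute of both authentication sections.
    foreach ($mode in 'anonymousAuthentication', 'windowsAuthentication') {
        $prop = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
                    -Filter "$base/$mode" -Name 'enabled'
        $state[$mode] = [bool]$prop.Value
    }

    # Windows user login as described above needs Anonymous off and Windows on.
    [pscustomobject]@{
        Location         = $Location
        AnonymousEnabled = $state['anonymousAuthentication']
        WindowsEnabled   = $state['windowsAuthentication']
        WindowsAuthOnly  = (-not $state['anonymousAuthentication']) -and
                           $state['windowsAuthentication']
    }
}

# Placeholder path: replace with the application that hosts the NTLM Service.
Test-WindowsAuthOnly -Location 'Default Web Site/<NTLM-service-application>'
```

A result with WindowsAuthOnly set to False means the application also accepts anonymous requests or has Windows Authentication switched off, which does not match the configuration the NTLM Service expects.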
Server level
At this level the actual login is performed. The WEBfactory 2010 server handles the different login methods using different approaches:
For WEBfactory 2010 login attempts, the server validates the user's username and password against the credentials stored in the WEBfactory 2010 database. If the validation succeeds, the server applies the Authorization Groups available in the WEBfactory 2010 database for that user.
For Domain user login attempts, the server validates the username and password against Active Directory. If the validation succeeds, the user's Authorization Groups from Active Directory are matched against the user's Authorization Groups from the WEBfactory 2010 database and the matching Authorization Groups are applied.
For Windows user login attempts, the server validates the user against Active Directory by checking inside Active Directory if the user is a member of the domain specified in WEBfactory 2010 Studio. If the validation succeeds, the user's Authorization Groups from Active Directory are matched against the user's Authorization Groups from the WEBfactory 2010 database and the matching Authorization Groups are applied.
When performing a Windows user login, after the validation succeeds, the user is stored in the WEBfactory 2010 database as a valid domain user and is visible in WEBfactory 2010 User Manager as a domain user.