| Applies To | |||
| Product(s): | eB Web, eB Director | ||
| Version(s): | ALL | ||
| Environment: | N/A | ||
| Area: | Installation | ||
| Subarea: | N/A | ||
| Original Author: | Rich Thomas, Bentley Technical Support Group | ||
I am installing eB, and I want to be confident that eB is secure.
What logon options exist?
eB users are specified within eB itself, and there is a 'User Account Information' topic associated to the eB Person Object. To be able to log on you can either be assigned a username and password (eB Authentication), or be given the option to link your Windows account to the eB Person (Windows Authentication).
There is no requirement to specify the eB users as database users. eB uses service accounts ( either sql server, or windows) to authenticate to the database. This is for obvious performance reasons such as connection pooling etc. When Windows authentication is used, the identity connecting to the database is the identity set on the eB COM object, in combination with the identity running the eB Index Listener Service (typically the same user). The ability to alter content within the database will be related to eB Users permissions specified within eB Director’s system admin section.
What Authentication Methods does eB use?
eB does not talk directly to AD to validate users, eB simply trusts secure tokens issues by the Windows Infrastructure (either NTLM or Kerberos).
So, if all servers are on the domain:
(screenshot to follow)
Then Kerberos will be used. Then the (deliberately simplified) process works like this:
- The user logs on to the Client PC, by pressing CTL-ALT-DEL and logs onto windows.
- Authentication is confirmed by connecting to AD and the authentication and ticket granting services.
- An encrypted session key is created and send to the client PC.
- The user then connects to the eB web site, and send through the session key.
- eB takes the key, extracts the authenticated WindowsPrinciple (i.e. windows user) from it.
- eB trusts windows, so it matches the principle with accounts in eB and if the user exists, logs on.
(screenshot to follow)
If the client is coming in from outside of your environment, then NTLM authentication would be used.
(screenshot to follow)
- When the Client logs onto Windows, there is no AD available to validate credentials.
- But when the client connects to the web server, the server would prompt the user for their logon credentials.
- These credentials are verified with AD, and as before, as eB trusts windows, eB matches the principle with accounts in eB and if the user exists, logs on.