12-09-2013 01:12 PM
I'm looking for some help understanding how Webdrawer authentication and authorization work. I've looked in the documentation and the forums, and I don't find much. Has anybody seen a good explanation, and especially for version 7? I have two issues I'm trying to address where a better understanding would help me; one is determining which records the Webdrawer will display, and the other is a performance issue where I suspect that the authentication may be taking too long.
Thanks for any help you can provide.
12-09-2013 08:15 PM
My direct knowledge is a little limited - Webdrawer will use Integrated Windows Authentication from browser to IIS and then pass that on to the TRIM Workgroup server.
I can get more details from our developers if required.
12-09-2013 08:21 PM - edited 12-09-2013 08:24 PM
Webdrawer is an ISAPI application installed into an IIS site. The method of authentication really depends on how you've configured that site/application. Most people use it as a public facing interface into TRIM. If that's what you're after, then you would set authentication to anonymous and specify an account used as credentials. When a user then loads the site, that credential is sent into TRIM and controls what they can see.
You can either create a user within TRIM or use the guest gateway. Either way, it's the security profile of that TRIM user which drives what gets displayed via webdrawer. Normally you'd set the security level to the lowest possible (for instance either "[No Security Level]" or "Public"), no security caveats, and no associations. Then the user would only get records back where there is no explicit security.
Pass-through authentication can also be enabled within IIS. Any user within your organization could visit the site and then be searching TRIM based on their existing TRIM security profile. This is a rare configuration though.
As for loading times, there are several posts in this forum which address slow loading for Webdrawer and WebClient. IIS has, by default, recycling of resources enabled so that it doesn't hold memory it doesn't need. The default is 20 minutes or something. You can increase load time by adjusting these settings. If you hit the site once when it's slow, try again in 5 minutes and it's faster, then you know it's something you can fix. Otherwise you'd need to dig further into what is actually happening (is it the TRIM connection, application pool, site configuration, etc.)
I hope this helps.
12-10-2013 04:20 PM
Thanks Erik. That's helpful, but I do have a couple of follow-ups:
'set authentication to anonymous and specify an account used as credentials' I see how to set authentication to anonymous, but where do I specify the account to be used?
What is the guest gateway, and is it documented anywhere?
12-10-2013 04:24 PM
For the anonymous authentication you'd set the identity of the application pool to the account which is configured within TRIM. You would also need to configure the file system credentials within the application/site configuration itself.
As for the guest gateway, it is configured from within the database properties in TES. The helpfile documentation has been pasted below for your review.
- Guest Login - optional - a HP TRIM user that will be used by anyone attempting to connect to this dataset who does not have an identified login of their own.
Type a guest login in this field to allow users with no login of their own to access HP TRIM with default Inquiry permissions.
Leave it blank to have no guest login facility.
HP TRIM logs events by the guest login under GUEST ACCOUNT.
Note: It is recommended that you do not use your own or another login that exists on the network. Instead, create a new login.
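Added example, not part of the original posts or of the product documentation: one way to apply the anonymous setup described in this thread with the IIS WebAdministration PowerShell module, then read the settings back to confirm which account anonymous visitors run as. The site, application, pool and account names are placeholders, and the file system credentials step mentioned above is not covered.

```powershell
# Added example. All names below are assumed placeholders, not values from the thread.
Import-Module WebAdministration

$site    = 'Default Web Site'        # assumed IIS site hosting Webdrawer
$app     = 'webdrawer'               # assumed application name
$pool    = 'WebdrawerPool'           # assumed application pool used by that application
$account = 'EXAMPLE\svc-webdrawer'   # dedicated low-privilege account that is also the TRIM login

# 1. Run the application pool as the dedicated account (identityType 3 = SpecificUser).
#    Prompt for the password so it never appears in the script or shell history.
$cred = Get-Credential -UserName $account -Message 'Webdrawer application pool identity'
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel -Value @{
    identityType = 3
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# 2. Allow anonymous access only. An empty anonymous userName makes IIS serve
#    anonymous requests under the application pool identity set in step 1.
$root = 'MACHINE/WEBROOT/APPHOST'
$loc  = "$site/$app"
$auth = '/system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath $root -Location $loc `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $root -Location $loc `
    -Filter "$auth/anonymousAuthentication" -Name userName -Value ''
Set-WebConfigurationProperty -PSPath $root -Location $loc `
    -Filter "$auth/windowsAuthentication" -Name enabled -Value $false

# 3. Read the effective settings back. PoolIdentity is the account whose TRIM
#    security profile decides which records visitors see; IdleTimeout is the
#    pool setting behind the slow first request discussed earlier in the thread.
$pm = Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel
[pscustomobject]@{
    PoolIdentity     = $pm.userName
    IdleTimeout      = $pm.idleTimeout
    AnonymousEnabled = (Get-WebConfigurationProperty -PSPath $root -Location $loc `
                            -Filter "$auth/anonymousAuthentication" -Name enabled).Value
    AnonymousUser    = (Get-WebConfigurationProperty -PSPath $root -Location $loc `
                            -Filter "$auth/anonymousAuthentication" -Name userName).Value
    WindowsEnabled   = (Get-WebConfigurationProperty -PSPath $root -Location $loc `
                            -Filter "$auth/windowsAuthentication" -Name enabled).Value
}
```

If PoolIdentity shows a personal or administrative network login, every anonymous visitor is searching TRIM with that login's security profile.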
02-03-2014 03:38 PM
Thanks Erik. From experimenting around with these options, it looks like if I use the Guest Gateway, I can run the Webdrawer without using up a license, but then I'm limited to the default Security Level of [no security level]. Whereas if I want to select an actual security level, or otherwise change the profile from the default, I will need to use a licensed account to achieve that.
Is that your understanding?
02-03-2014 05:56 PM
A guest account maps to a Location.
The Location that is used for 'Guest' access can have any security/access applied and configured.
NOT A HP EMPLOYEE