Authentication Methods

User authentication settings control the process of verifying an identity claimed by a user for accessing Archer.

A new installation of Archer is secure by default (HTTPS protocol enabled) with anonymous authentication. Anonymous authentication is sufficient for most environments; where it is not, more sophisticated authentication methods are necessary. Configuring those methods requires changes to multiple server-side components, some of which are outside the scope of Archer.

Important: Before making any of the authentication configuration changes below, be sure to back up the Archer web.config file, the Configuration database, and the IIS settings.

Note: An incorrectly configured authentication method can make the entire Archer installation inaccessible.

The following protocols and authentication methods are supported.

HTTPS/SSL protocol

The SSL certificate must be available in the Server Certificates component (Machine Name > Server Certificates) within IIS. When the certificate is available, an HTTPS binding that uses the SSL certificate must be added for the RSA web site.

Use the following tasks to configure IIS, the web.config files, and the Archer Control Panel for HTTPS/SSL.

Note: If you need to restore HTTP after configuring for HTTPS/SSL protocol, implement the process by undoing all the HTTPS/SSL steps.

Configure IIS for HTTPS/SSL protocol

  1. Select the Platform web site in the Connections pane.
  2. In the Actions pane, click Bindings.
  3. Click Add.
  4. In the Type list, select the https option.
  5. In the SSL certificate list, select the applicable certificate.
  6. Click OK.
  7. Do one of the following:
    • To continue without removing the HTTP Site Binding, go to the next step.
    • To remove the HTTP Site Binding, do the following:
      1. Select the HTTP Site Binding.
      2. Click Remove.
      3. Click Yes.
  8. Click Close.
  9. Perform an IIS reset.

Configure Platform web.config file for HTTPS/SSL protocol

Archer must be configured to run either in HTTP or HTTPS, not both. Edit the Archer web.config in the base Archer web site directory.

  1. Find the expression <!-- for HTTPS, and then do each of the following:
    • Replace httpGetEnabled with httpsGetEnabled="false".
    • Uncomment the line <security mode="Transport" />.
    • Replace the httpTransport attribute with httpsTransport.
  2. Find the expression <customHeaders>, and then add each of the following configurations in a separate new line within the custom headers section:
    • <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
    • <add name="X-Content-Security-Policy" value="default-src 'self';" />
    • <add name="X-XSS-Protection" value="1; mode=block"/>
  3. Click Save.
  4. Perform an IIS reset.

Configure REST API web.config file for HTTPS/SSL protocol

The REST API child IIS application inherits properties from the parent Archer application. As with the Platform web.config, Archer must be configured to run in either HTTP or HTTPS, not both. Edit the REST API web.config in the api directory within the base Archer web site directory.

  1. Find the expression <!-- for HTTPS.
  2. Replace httpGetEnabled with httpsGetEnabled="false".
  3. Uncomment the line <security mode="Transport" />.
  4. Replace the httpTransport attribute with httpsTransport.
  5. Click Save.
  6. Perform an IIS reset.

Configure Archer Control Panel for HTTPS/SSL

All URLs in the Archer Control Panel must include HTTPS.

  1. Open the Archer Control Panel.
  2. In Instance Management, double-click the instance you want to configure.
  3. Click the Web tab.
  4. Change all applicable Platform Web site URLs to include HTTPS.
  5. Repeat steps 2 – 4 for all other instances.
  6. Click Save All.

Windows Authentication

The authentication mode must be set to Windows Authentication in IIS; if Windows Authentication is not available for selection, it must be installed. All other authentication modes must be disabled.

Important: The REST API does not support Windows Authentication. Windows Authentication must be disabled for the child API IIS application, and Anonymous Authentication enabled again.

Use the following tasks to configure IIS and the web.config file for Windows Authentication over HTTP or HTTPS.

Configure IIS for Windows Authentication

  1. Select the Platform Web site in the Connections pane.
  2. Select the Authentication feature.
  3. Set Windows Authentication to Enabled.
  4. Disable all other authentication modes, for example, Anonymous.
  5. Perform an IIS reset.

Configure Platform web.config file for Windows Authentication - HTTP

Edit the Archer web.config file in the base Archer web site directory.

  1. Find the expression <!-- For Windows Authentication, change mode to 'Windows'.
  2. Replace <authentication mode="None" /> with <authentication mode="Windows" />.
  3. Find the expression <!-- For Windows Authentication, and uncomment the lines.
  4. Uncomment the lines related to <authorization><allow users="*" /></authorization>.
  5. Find the expression <!-- For Basic Authentication (without SSL), and uncomment the lines.
  6. Uncomment the lines related to security mode.
  7. Find the expression <!-- for Windows Integrated Authentication, and add authenticationScheme="Negotiate".
  8. As that comment instructs, add the authenticationScheme="Negotiate" attribute to the httpTransport or httpsTransport element.
  9. Click Save.
  10. Perform an IIS reset.

Configure Platform web.config file for Windows Authentication - HTTPS

Edit the Archer web.config in the base Archer web site directory.

  1. Open the web.config file in a text editor.
  2. Locate the <authentication mode> tag and change the authentication mode from None to Windows.
  3. Locate the <authorization> and <allow users> tags and remove the comments.
  4. Locate the <serviceMetadata> tag and change the HTTP identifier to HTTPS.
  5. Locate the <webHttpBinding> section.
  6. Remove the comments from the <security mode> and <transport> tags identified for Windows Authentication and change the security mode as follows:

     <security mode="Transport">
       <transport clientCredentialType="Windows" />
     </security>

  7. Locate the <httpTransport> tag for the binaryHttpBinding.
  8. Add the authenticationScheme="Negotiate" attribute to the tag and change the HTTP identifier to HTTPS:

     <httpsTransport maxReceivedMessageSize="1024000000" maxBufferSize="1024000000" authenticationScheme="Negotiate" />

  9. Locate the <httpTransport> tag for the binaryHttpBindingStreaming binding.
  10. Add the authenticationScheme="Negotiate" attribute to the tag and change the HTTP identifier to HTTPS:

     <httpsTransport transferMode="StreamedRequest" maxReceivedMessageSize="1024000000" maxBufferSize="1024000000" authenticationScheme="Negotiate" />

  11. Locate the <location> tag and remove the comments.
  12. Save the web.config file.
  13. Perform an IIS reset.
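The HTTPS/SSL web.config edits above and the Windows Authentication edits in this section are easy to leave half-done: a <security mode="Transport" /> still commented out, an httpTransport left behind, or a missing Negotiate scheme. The following Python audit is added here and is not part of the Archer documentation or product; it parses a web.config and lists which of the expected edits are missing. The embedded web.config fragment is constructed for illustration, and the element layout it assumes is a simplification of a real Archer web.config.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment (not a real Archer file): HTTPS edits applied, two Windows Authentication edits left out.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web><authentication mode="None" /><authorization><allow users="*" /></authorization></system.web>
  <system.webServer><httpProtocol><customHeaders>
    <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
    <add name="X-Content-Security-Policy" value="default-src 'self';" />
    <add name="X-XSS-Protection" value="1; mode=block" />
  </customHeaders></httpProtocol></system.webServer>
  <system.serviceModel>
    <behaviors><serviceBehaviors><behavior><serviceMetadata httpsGetEnabled="false" /></behavior></serviceBehaviors></behaviors>
    <bindings>
      <webHttpBinding><binding><security mode="Transport"><transport clientCredentialType="Windows" /></security></binding></webHttpBinding>
      <customBinding><binding name="binaryHttpBinding">
        <httpsTransport maxReceivedMessageSize="1024000000" maxBufferSize="1024000000" />
      </binding></customBinding>
    </bindings>
  </system.serviceModel>
</configuration>"""

REQUIRED_HEADERS = {"Strict-Transport-Security", "X-Content-Security-Policy", "X-XSS-Protection"}


def audit_web_config(xml_text, windows_auth=False):
    # Returns a list of findings; an empty list means every expected edit is present.
    root = ET.fromstring(xml_text)
    findings = []
    # HTTPS only: httpTransport must be gone, httpsTransport present, no HTTP metadata endpoint.
    if root.find(".//httpTransport") is not None:
        findings.append("httpTransport still present; Archer must not run HTTP and HTTPS")
    if root.find(".//httpsTransport") is None:
        findings.append("no httpsTransport element in the bindings")
    if any("httpGetEnabled" in m.attrib for m in root.iter("serviceMetadata")):
        findings.append("serviceMetadata still uses httpGetEnabled")
    # A <security mode="Transport" /> that is still commented out vanishes when the XML is parsed.
    if root.find(".//security[@mode='Transport']") is None:
        findings.append('security mode="Transport" is missing or still commented out')
    present = {a.get("name") for a in root.findall(".//customHeaders/add")}
    findings += [f"missing response header {h}" for h in sorted(REQUIRED_HEADERS - present)]
    if windows_auth:
        auth = root.find(".//authentication")
        if auth is None or auth.get("mode") != "Windows":
            findings.append("authentication mode is not Windows")
        if root.find(".//authorization/allow[@users='*']") is None:
            findings.append('allow users="*" is missing or still commented out')
        if root.find(".//transport[@clientCredentialType='Windows']") is None:
            findings.append("transport clientCredentialType is not Windows")
        if any(t.get("authenticationScheme") != "Negotiate" for t in root.iter("httpsTransport")):
            findings.append('httpsTransport lacks authenticationScheme="Negotiate"')
    return findings
```

Run it once with windows_auth=False after the HTTPS/SSL steps and once with windows_auth=True after the Windows Authentication steps; a non-empty list names the step to revisit before the IIS reset.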

Enabling Kerberos Authentication

Use the following tasks to configure Windows authentication for single and multiple web hosts.

Configure Windows Authentication for Single Host

If it does not already exist, an HTTP service principal name (SPN) must first be registered with the domain by a domain administrator. The following is the command to do so:

Setspn -S HTTP/{ArcherURL} {App Pool Identity}

For example, Setspn -S HTTP/all.archer.local archer.local\Administrator registers the SPN in the domain when the following are true:

  • Archer is installed into Default Web Site.
  • The Archer URL is https://all.archer.local.
  • The Archer Application Pool identity is archer.local\Administrator.

If Archer is installed into the RSAArcher site, located inside the Default Web Site, the command to register the SPN is Setspn -S HTTP/all.archer.local archer.local\Administrator.

  1. Open Microsoft IIS.
  2. Select the Archer site (default or otherwise).
  3. Select Authentication.
  4. Enable Windows Authentication.
  5. Select Advanced Settings.
  6. Unselect Enable Kernel-mode authentication and click OK.
  7. Select Providers.
  8. Select Negotiate: Kerberos from the Available Providers drop-down.
  9. Click Add.
  10. Move Negotiate Kerberos to the desired order under Enabled Providers and click OK.
  11. Ensure that these steps have been completed for at least the Archer site. These steps may also need to be performed for the Default Web Site and Server level components in IIS depending on your own needs.
  12. Perform an IIS reset.

Configure Windows Authentication for Multiple Web Hosts in Load-Balanced Environment

When IIS is run in clustered or load-balanced environments, applications are accessed using the cluster name rather than a node name. This scenario includes network load balancing. In cluster technology, a node refers to one computer that is a member of the cluster.

To use Kerberos as the authentication protocol, the application pool identity on each IIS node must be configured to use the same domain user account. Once every node uses that account, register the HTTP SPN for the cluster name to it with the following command:

Setspn -A HTTP/CLUSTER_NAME domain\username

For example, the command may resemble the following:

Setspn -A HTTP/www.myIISCluster.com mydomain\appPool1

  1. Open Microsoft IIS.
  2. Select the Archer site (default or otherwise).
  3. Select Authentication.
  4. Enable Windows Authentication.
  5. Select Advanced Settings.
  6. Unselect Enable Kernel-mode authentication and click OK.
  7. Select Providers.
  8. Select Negotiate: Kerberos from the Available Providers drop-down.
  9. Click Add.
  10. Move Negotiate Kerberos to the desired order under Enabled Providers and click OK.
  11. Ensure that these steps have been completed for at least the Archer site. These steps may also need to be performed for the Default Web Site and Server level components in IIS depending on your own needs.
  12. Perform an IIS reset.