Hexagon Geospatial

Developer Discussions

Occasional Contributor
Posts: 18
Registered: ‎11-07-2016

Is It Possible to Setup WFS-T With SQL Server Integrated Security?

Hi

 

Is it possible to configure a WFS-T feature so that windows integrated security is used to determine whether the user has sufficient privileges to edit the database? Tried to configure the SQL Server connection in Publisher Administrator as Read-Write with Trusted_Connection=Yes and the IIS Application Directory has Windows Authentication enabled. No luck so far. Am I missing something?

 

Thanks

Super Contributor
Posts: 389
Registered: ‎10-12-2015

Re: Is It Possible to Setup WFS-T With SQL Server Integrated Security?

It is the 'GeoMedia WebMap' local windows service that is connecting to SQL Server warehouse, not the IIS user.

The 'GeoMedia WebMap' local windows service runs under a single predefined account for all WebMap requests to source warehouses.


So if you wanted to use Trusted_Connection=Yes you would have to change the 'GeoMedia WebMap' from local system account to a domain user account as the local system account is unlikely to have login privileges to SQL Server. You may also need to update the DCOM configuration for it to work - see GeoMedia WebMap Installation Guide > Setting Default COM Security: https://hexagongeospatial.fluidtopics.net/reader/3~6sX0YO5yn7AE5Ptvf6tQ/vJ0eVdGvtrk5mdtgmGakHw

 

All users accessing the WFS-t service effectively connect as the 'GeoMedia WebMap' login account. The IIS user connecting makes no difference except to determine if the user has access to the WFS service in the first place.

 

Some options (others might have more)

  • Set up one WFS service with read-only access and one WFS-t service with read-write access. You then control which WFS is accessible via IIS configuration and windows groups.
  • See if the additional 'geospatial SDI' product would work for you. https://www.hexagongeospatial.com/technical-documents/product-descriptions-2016/geospatial-sdi-2016-.... I have not used it so can't comment further.
    "
    SECURITY AND AUTHENTICATION METHODS
    Geospatial SDI enables controlled access to the OGC-compliant services. The access permissions can be granted to:
      • Service instance
      • Dataset, feature class (in case of WFS service) or layer (in case of WMS service)
      • Spatial area
    In addition, the access permissions may be granted to the user for the limited time (e.g. time period, the weekday, time of the day) and IP address.
    "

 

 

Occasional Contributor
Posts: 18
Registered: ‎11-07-2016

Re: Is It Possible to Setup WFS-T With SQL Server Integrated Security?

Hit the wall with trying to set up a WFS-T with access permissions defined by an active directory group. It seems I can't access the WFS-T service without including Anonymous Authentication enabled. Once I establish a connection I try to use ".NET Authorization Rules" to set an allow rule for a specific user or an AD group with no success. Is there a specific set of instructions available for setting this up?

Super Contributor
Posts: 389
Registered: ‎10-12-2015

Re: Is It Possible to Setup WFS-T With SQL Server Integrated Security?

Following is for basic authentication. You will likely need to tweak depending on type of authentication and SSL settings etc.

I also noticed this is in the developer forums - should probably be in the general discussions forums.

 

  • Launch IIS Manager
    • Locate service
    • Right click, explore
      File explorer will open with service location
      • Open Web.config in a text editor (will need to be running in administrator context)
      • Search for ‘If you wish to run the service over HTTPS transport change the mode from None to Transport’
        • In section change clientCredentialType from None to Basic
        • Repeat search and apply again in following section


  • Search for ‘If you plan on using SSL, please switch httpsGetEnabled below to true’
    • Change httpsGetEnabled to true
      (Should already be true)


  • Back in IIS Manager
    • Expand ‘Authentication’
    • Disable ‘Anonymous Authentication’ and enable ‘Basic Authentication’


  • Expand ‘SSL Settings’
    • Check ‘Require SSL’
    • Set Client certificates to ignore



Most of the above is not specific to Hexagon Geospatial WMS/WFS etc - you can google some of the above keywords to get variations to the settings.


Occasional Contributor
Posts: 18
Registered: ‎11-07-2016

Re: Is It Possible to Setup WFS-T With SQL Server Integrated Security?

Thank you for the response. I should have stated that I'm only interested in Windows Authentication without SSL because this is an Intranet application. Is it possible to run a WFS-T server under Windows Authentication? I am having no luck at all unless Anonymous is allowed.

Super Contributor
Posts: 389
Registered: ‎10-12-2015

Re: Is It Possible to Setup WFS-T With SQL Server Integrated Security?

I have not run up windows authentication for quite a while and don't have operational notes readily available.

Googling iis windows authentication web.config webHttpBinding gives some options.

e.g.

 

      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows" />
      </security>
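
An added example, not code from the thread or from Hexagon: a small Python check that the WCF binding security in a Web.config agrees with the authentication schemes enabled in IIS, which is the pairing both replies above adjust. The sample Web.config, the binding names and the `iis_enabled` input are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the product's real Web.config: two webHttpBinding entries.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.serviceModel>
    <bindings>
      <webHttpBinding>
        <binding name="intranet">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
        <binding name="legacy">
          <security mode="None">
            <transport clientCredentialType="Basic" />
          </security>
        </binding>
      </webHttpBinding>
    </bindings>
  </system.serviceModel>
</configuration>"""

def audit_bindings(web_config_xml, iis_enabled):
    """Return (binding, finding) pairs; iis_enabled is the set of IIS schemes switched on."""
    findings = []
    root = ET.fromstring(web_config_xml)
    for b in root.iter("binding"):
        name = b.get("name", "(default)")
        sec = b.find("security")
        mode = sec.get("mode", "None") if sec is not None else "None"
        tr = sec.find("transport") if sec is not None else None
        cred = tr.get("clientCredentialType", "None") if tr is not None else "None"
        if mode == "None":
            # WCF ignores clientCredentialType when mode is None: the endpoint is anonymous.
            wanted = "Anonymous"
            if cred != "None":
                findings.append((name, f"clientCredentialType={cred} ignored because mode=None"))
        else:
            wanted = "Anonymous" if cred == "None" else cred
        if mode == "TransportCredentialOnly" and cred == "Basic":
            findings.append((name, "Basic credentials sent over plain HTTP"))
        if wanted not in iis_enabled:
            findings.append((name, f"binding expects {wanted}, IIS enables {sorted(iis_enabled)}"))
    return findings

if __name__ == "__main__":
    for name, msg in audit_bindings(SAMPLE_WEB_CONFIG, {"Windows"}):
        print(f"{name}: {msg}")
```
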

 

Occasional Contributor
Posts: 18
Registered: ‎11-07-2016

Re: Is It Possible to Setup WFS-T With SQL Server Integrated Security?

Hi

 

Well that seemed to work. Now I get a logon screen every time I want to connect to the service. Shouldn't integrated security do this automatically? That's kind of the point of it :-)

 

 
