In eFlow 22.214.171.124 or earlier versions, the same approach works fine, but in eFlow 126.96.36.199 I am getting an error, e.g. for WebScan (refer to the screenshot).
In eFlow 188.8.131.52 or earlier versions, there is no issue. However, you could encounter the error shown in the screenshot above when using the default Application Identity for your eFlow Web Host. This is due to the changes in the major fix on STS. Please refer to the solution section.
When you are using the default Application Identity for the eFlow Web Host (e.g. WebScan, WebFrontOffice) and you intend to use direct web station access with Form Authentication, you will have to change some settings.
Note: Tested on an eFlow 184.108.40.206 installation against both SQL authentication and Windows authentication.
- For SQL authentication, users can use allowDirectLogInToStation without any changes to the installation.
- For Windows authentication, the following suggested workarounds (see below) are valid and can be considered.
Method 1 - Replace the default Application Identity with Local System.
- "NT Authority\System" is already present in DomainSecurity.xml, so that will work.
Method 2 - Replace the default Application Identity with a Domain Service ID (i.e. a domain ID used to run the app pool, whose password never expires).
- When using a Domain Service ID, one should have already set the correct permission in DomainSecurity.xml, so that will work.
Method 3 - Continue to use the default Application Identity but add the app pool identities to DomainSecurity.xml.
- The installed WebScan and WebFrontOffice use the app pools "TiSWebScanAppPool" and "TiSWebFrontOfficeAppPool" respectively.
- The default Application Identity is used after installation, and you will get the error for direct web station access.
- You can add "IIS APPPOOL\TiSWebScanAppPool" and "IIS APPPOOL\TiSWebFrontOfficeAppPool" to DomainSecurity.xml, both with the same Administrator role. Refer to the default "NT Authority\System" entry in DomainSecurity.xml as an example.
- These IDs need to be at AppName="System" and AppName="", with the Administrator role.
For all methods:
- After editing and saving the changes, reset IIS.
- Wait a few seconds (~10 sec) to ensure that the "eFlow security audit updater" Windows service picks up the changes from DomainSecurity.xml and updates them in the DB (RolesManager).
- Clear the browser cache.
- Then retry the direct station access URL; it should now work.
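A pre-check for the methods above, as an added example that is not part of the original article or any vendor tooling: it reports which account each eFlow app pool runs as and whether that account name appears in DomainSecurity.xml. The file path is a placeholder (the article does not give it), and the check is a plain text match that does not verify the AppName or role entries.

```powershell
# Added example: run in an elevated PowerShell session on the IIS server.
param(
    # Placeholder: the article does not state where DomainSecurity.xml lives.
    [string]$DomainSecurityPath = 'C:\PATH\TO\DomainSecurity.xml',
    # App pool names as given in the article.
    [string[]]$AppPools = @('TiSWebScanAppPool', 'TiSWebFrontOfficeAppPool')
)

Import-Module WebAdministration

# Translate an app pool's configured identity into the Windows account name
# that would have to be listed in DomainSecurity.xml.
function Get-AppPoolAccount {
    param([string]$PoolName)
    $pm = (Get-Item "IIS:\AppPools\$PoolName").processModel
    switch ([string]$pm.identityType) {
        'ApplicationPoolIdentity' { "IIS APPPOOL\$PoolName" }          # Method 3
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }            # Method 1
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'SpecificUser'            { $pm.userName }                     # Method 2
    }
}

$xmlText = Get-Content -LiteralPath $DomainSecurityPath -Raw

foreach ($pool in $AppPools) {
    if (-not (Test-Path "IIS:\AppPools\$pool")) {
        Write-Warning "App pool '$pool' not found on this server."
        continue
    }
    $account = Get-AppPoolAccount -PoolName $pool
    # Case-insensitive literal search: shows only that the account is mentioned,
    # not that it has the Administrator role under both AppName entries.
    $listed = $xmlText.IndexOf($account, [StringComparison]::OrdinalIgnoreCase) -ge 0
    [pscustomobject]@{
        AppPool             = $pool
        RunsAs              = $account
        InDomainSecurityXml = $listed
    }
}
```

A row with `InDomainSecurityXml` set to `False` points to an app pool identity that still needs an entry. For a domain service account, the name may be written in a different form in the file than in the IIS configuration, so confirm a `False` result by inspecting the file.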
Level of Complexity