HTTPS and WCF Configuration

Laserfiche Directory Server Security Token Service (STS) 10.4.3 requires HTTP communication with Laserfiche Directory Server (LFDS). STS versions prior to 10.4.3 require WCF communication.

End applications still using WCF will require configuration if alternate service is enabled for them. For applications using HTTP, alternate service is no longer relevant.

HTTPS Configuration

Laserfiche Directory Server 10.4.3 no longer relies on WCF for encryption and communication with STS instances and end applications using HTTP to reach LFDS. HTTPS configuration is recommended to maintain the same security as in older versions of LFDS. It is also recommended to configure a valid HTTP binding on your IIS website hosting Laserfiche Directory Server.

  1. Run the Directory Server endpoint configuration utility called XmlEndpointUtility.exe to configure endpoint binding information for the Directory Server service. By default, this utility is located in the Directory Server installation folder.
  2. Use the HTTPS configuration section to configure the HTTPS certificate binding for secure communication between Directory Server and STS as well as any Laserfiche applications using HTTP.

    Note: To learn more about HTTPS configuration, navigate to Configuring the Directory Server and STS Endpoints.

  3. Bind a TLS certificate to your chosen secure LFDS port. By default, the HTTPS port is 5049.

    Note: On initial installation or upgrade, the selected certificate will be bound upon closing the utility. Reopening the utility will show a Configure Port Binding button. To bind a different certificate, click Delete Current Binding, select a new certificate from the list, and click Configure Port Binding to bind the new TLS certificate to the specified port.

    Note: To learn more about binding a certificate to the HTTPS port in XMLEndpointUtility, navigate to Certificate Requirements.

  4. Configure STS as follows:

WCF Configuration

If separating LFDS and end applications using WCF across domains without trust, alternate service will be necessary for communication between them. When turning on alternate service, the configuration utility prompts for a certificate. This certificate does not have to be the same as the certificate used for IIS TLS bindings. The certificate for alternate service is used for authenticating the machines on untrusted domains.

  1. Run the Directory Server endpoint configuration utility called XmlEndpointUtility.exe. By default, this utility is located in the Directory Server installation folder.
  2. Confirm that the Laserfiche Directory Server machine's fully qualified domain name (FQDN) and the Laserfiche Directory Server service user's principal name (UPN) are correct.
  3. Select the Enable alternate service checkbox to add an alternate service certificate binding.
  4. Select the appropriate trusted certificate to use for communication between Laserfiche Directory Server and the end application.
  5. Configure each client application using WCF by opening the application's respective endpoint utility. Then, verify the LFDS FQDN and enable the alternate service.

    Note: To learn more about certificates used for alternate service, navigate to Certificate Requirements.

Note: To learn more about configuring Laserfiche web products, navigate to Configuring Single Sign-On for Laserfiche Web Products.
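As an added verification for step 3 of the HTTPS configuration above, the following PowerShell script checks that a TLS certificate is actually bound to the LFDS HTTPS port, that the certificate is valid and carries the machine FQDN, and that a TLS handshake succeeds. It is example code written for this page, not part of Laserfiche's tooling; it assumes the default port 5049 and that it runs on the Directory Server machine.

```powershell
# Added example (not Laserfiche's own code). Assumes the default LFDS HTTPS port 5049
# from the steps above and that the script runs on the LFDS machine itself.
param(
    [int]$Port = 5049,
    [string]$HostName = $env:COMPUTERNAME   # assumption: LFDS is hosted locally
)

# 1. Query the HTTP.sys SSL binding table; this is the binding XmlEndpointUtility configures.
$bindingText = & netsh http show sslcert ipport=0.0.0.0:$Port 2>&1 | Out-String
if ($bindingText -notmatch 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})') {
    Write-Warning "No TLS certificate is bound to port $Port. Run XmlEndpointUtility.exe and use Configure Port Binding."
    return
}
$thumbprint = $Matches[1]
Write-Host "Port $Port is bound to certificate thumbprint $thumbprint"

# 2. Find the certificate in the machine store and check expiry and private-key presence.
$cert = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
    Where-Object { $_.Thumbprint -eq $thumbprint } | Select-Object -First 1
if (-not $cert) {
    Write-Warning "Bound thumbprint $thumbprint was not found in the LocalMachine certificate store."
    return
}
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($cert.NotAfter)." }
elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires within 30 days ($($cert.NotAfter))." }
if (-not $cert.HasPrivateKey) { Write-Warning "Certificate has no private key; TLS handshakes will fail." }

# 3. The FQDN shown in the endpoint utility must appear in the certificate's subject or SAN.
$fqdn = [System.Net.Dns]::GetHostEntry($HostName).HostName
$dnsNames = @()
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($sanExt) { $dnsNames = ($sanExt.Format($false) -split ',\s*') -replace '^DNS Name=', '' }
$dnsNames += $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dnsNames -notcontains $fqdn) {
    Write-Warning "FQDN $fqdn is not among the certificate names: $($dnsNames -join ', ')"
}

# 4. Perform a real TLS handshake against the port and report the negotiated protocol.
$client = [System.Net.Sockets.TcpClient]::new($fqdn, $Port)
$ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($fqdn)
    Write-Host "TLS handshake OK: $($ssl.SslProtocol), served subject $($ssl.RemoteCertificate.Subject)"
} finally {
    $ssl.Dispose(); $client.Dispose()
}
```

Run it from an elevated PowerShell prompt after closing XmlEndpointUtility.exe, since the binding is applied when the utility exits; a warning from step 3 usually means the certificate was issued to a short host name rather than the FQDN clients use.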