Configuring the Security Token Service On A Separate Machine for Single Sign-on
Laserfiche Directory Server 10.2 and later supports installing multiple instances of the Directory Server Security Token Service (STS) on separate machines from the Laserfiche Directory Server service.
This allows administrators to install an instance of the Security Token Service in the DMZ while allowing the Directory Server to remain within the internal network.
Configuring Binding Information
- Configuring Directory Server
- Run the Directory Server's endpoint configuration utility XmlEndpointUtility.exe. The utility is located in the Directory Server installation folder (e.g., C:\Program Files\Laserfiche\Directory Server\).
- In the General Configuration section, verify the Directory Server host name, service user, and listening port for the Directory Server instance. The fully qualified domain name must match the actual machine host name.
Note: Administrators can use Windows PowerShell to verify the Directory Server host name. Launch Windows PowerShell on the Directory Server machine and run the following command:
[System.Net.DNS]::GetHostEntry('localhost')
- In the HTTPS Configuration section, configure the TLS certificate and HTTPS port for Directory Server.
- Select the Use alternate service checkbox to configure authentication between Directory Server and the STS. Select the appropriate trusted certificate to use for communication between the STS and Directory Server. The selected certificate must be permitted for Server Authentication and Client Authentication purposes. In addition, the Directory Server service user account must have Read permissions to the certificate's private key.
- If you are using Laserfiche user accounts for authentication and want the STS to be able to send password reset email notifications, you must configure the Laserfiche User Password Reset Configuration section. In the Primary security token service option, specify the host name of the STS that is handling authentication of your users. In the Approved security token services option, specify each STS (one per line) that is allowed to send password reset notifications. This list must also include the STS specified in the Primary security token service option.
- Configuring each STS
- Run the Security Token Service's endpoint configuration utility STSEndpointUtility.exe. The utility is located in the Web\WebSTS subfolder of the installation folder (e.g., C:\Program Files\Laserfiche\Directory Server\Web\WebSTS).
- In the Laserfiche Directory Server Address section, verify the Directory Server host name, service user, and listening port for the Directory Server instance.
Note: The service user must match the Directory Server service user.
- In the HTTPS Configuration section, verify that the HTTPS Port matches the port configured for Directory Server.
- Select the Use alternate service checkbox to configure the communication channel between Directory Server and the STS. Select the appropriate trusted certificate to use for authentication between the STS and Directory Server. The selected certificate must be permitted for Server Authentication and Client Authentication purposes. In addition, the identity of the LicenseManagerSTSAppPool IIS application pool must have Read permissions to the certificate's private key.
Note: To restrict the redirect that follows user sign-in to approved domains, see Allowlisting for WebSTS Redirect.
- Configuring the client Laserfiche Rio application
- Run the client application's endpoint configuration utility EndpointUtility.exe, or use the client application's configuration page. For example, the web client 10.2.1 and Forms 10.2.1 installations each include a version of the endpoint configuration utility, whereas Laserfiche Mobile is configured through its server configuration page. Read on for more information on each product.
Important: Directory Server and the STS do not need to use the same certificate. However, the certificate for the STS must be issued by the same certificate authority that issued the certificate used by Directory Server.
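The certificate requirements above (Server Authentication and Client Authentication usages, a host name that matches the machine's FQDN, a chain that the local machine trusts, Read access on the private key for the Directory Server service user or the LicenseManagerSTSAppPool identity, and a common issuer for the Directory Server and STS certificates) can be checked from PowerShell before running the endpoint utilities. The script below is an added example and is not part of the Laserfiche installation; the function names, the placeholder thumbprint and the CONTOSO\svc-lfds account are assumptions, and it assumes the certificate is in the local machine Personal store with an RSA private key. Run it from an elevated PowerShell on the machine that holds the certificate.

```powershell
# Added example, not Laserfiche code: verifies the certificate prerequisites this page lists
# and can grant a missing Read permission on the private key. Assumes the certificate is in
# Cert:\LocalMachine\My and has an RSA key. Function and account names are placeholders.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (Server Authentication)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (Client Authentication)

function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if (-not $rsa) { return $null }
    # CNG keys expose the key container file name via CngKey.UniqueName,
    # legacy CAPI keys via CspKeyContainerInfo.UniqueKeyContainerName.
    $name = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName }
            else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $name -ErrorAction SilentlyContinue |
        Select-Object -First 1
}

function Test-LfServiceCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        # Accounts that need Read on the private key: the Directory Server service user on the
        # Directory Server machine, 'IIS AppPool\LicenseManagerSTSAppPool' on each STS machine.
        [string[]]$Identity = @()
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    # Same lookup the page recommends; HostName is the FQDN the certificate must cover.
    $fqdn = [System.Net.Dns]::GetHostEntry('localhost').HostName

    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
    $ekus = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }

    # Build the chain against this machine's trust store; an untrusted issuer fails here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $issuerThumb = if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate.Thumbprint } else { $null }

    $keyFile = Get-PrivateKeyFile $cert
    $acl = if ($keyFile) { Get-Acl $keyFile.FullName } else { $null }
    $missingRead = foreach ($id in $Identity) {
        $hasRead = $acl -and ($acl.Access | Where-Object {
            $_.IdentityReference.Value -ieq $id -and $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) -eq
             [System.Security.AccessControl.FileSystemRights]::Read) })
        if (-not $hasRead) { $id }
    }

    [pscustomobject]@{
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer        # compare Issuer and IssuerThumbprint across the DS and STS certs
        IssuerThumbprint = $issuerThumb
        HasServerAuth    = $ekus -contains $ServerAuthOid
        HasClientAuth    = $ekus -contains $ClientAuthOid
        MatchesHostName  = @($cert.DnsNameList | ForEach-Object { $_.Unicode }) -icontains $fqdn
        ChainTrusted     = $chainOk
        PrivateKeyFile   = if ($keyFile) { $keyFile.FullName } else { $null }
        MissingReadOn    = @($missingRead)
    }
}

function Grant-LfPrivateKeyRead {
    param([Parameter(Mandatory)][string]$Thumbprint, [Parameter(Mandatory)][string[]]$Identity)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $keyFile = Get-PrivateKeyFile $cert
    if (-not $keyFile) { throw "No private key file found for $Thumbprint" }
    $acl = Get-Acl $keyFile.FullName
    foreach ($id in $Identity) {
        # Read only: the service signs and decrypts with the key but never needs to change or export it.
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'Read', 'Allow')))
    }
    Set-Acl -Path $keyFile.FullName -AclObject $acl
}

# Usage (thumbprint and service account are placeholders):
# On the Directory Server machine:
#   Test-LfServiceCertificate -Thumbprint '<thumbprint>' -Identity 'CONTOSO\svc-lfds'
# On each STS machine:
#   Test-LfServiceCertificate -Thumbprint '<thumbprint>' -Identity 'IIS AppPool\LicenseManagerSTSAppPool'
#   Grant-LfPrivateKeyRead    -Thumbprint '<thumbprint>' -Identity 'IIS AppPool\LicenseManagerSTSAppPool'
```

Run Test-LfServiceCertificate on both machines and compare the IssuerThumbprint values rather than only the Issuer names: two CAs can carry the same distinguished name, and the thumbprint of the issuing certificate is what shows the two service certificates really come from the same authority. Any account listed in MissingReadOn is one the endpoint utility will accept at configuration time but that will fail when the service tries to use the key.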