How to configure DocuWare with Kerberos authentication?

There is a difference between external and internal communication.

  • The external communication takes place via HTTP(S) between the client applications and the server components.
  • The internal communication usually takes place via TCP between the different server components.

It might be enough to change only the external communication to Kerberos authentication, since the internal communication takes place in the LAN. In this case, the DocuWare Administration should only be installed and used in the LAN!

External and internal communication

Configure Kerberos authentication for external HTTP(S) communication

To change external communication to Kerberos authentication, adjust the following "web.config" files:

  • ...\DocuWare\Web\Settings\Web.config
    Locate value="NTLM" within the file and change the value "NTLM" to "Negotiate:Kerberos":
    <windowsAuthentication enabled="true">
      <clear />
      <add value="Negotiate:Kerberos" />
  • ...\DocuWare\Web\Platform\Web.config
    Also locate value="NTLM" within this file and change the value "NTLM" to "Negotiate:Kerberos".
    Note that this value occurs more than once in this file; you have to adjust all of them.
    <windowsAuthentication enabled="true">
      <clear />
      <add value="Negotiate:Kerberos" />

With this adjustment, IIS always performs the Windows login via Kerberos authentication. If Kerberos authentication is not set up correctly in your network, the Windows login will fail!
Note that Windows login via Kerberos authentication also requires special browser configuration:

  • Internet Explorer - Integrated Windows Authentication
  • Mozilla Firefox - network.negotiate-auth.trusted-uris
  • Google Chrome - AuthServerWhitelist
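
One way to check an edited Web.config for providers that were missed, as an added example (not DocuWare code): the function name Test-KerberosOnlyProviders and the sample XML are constructed for illustration, and the sample assumes the standard IIS layout with a <providers> element. It reports every <windowsAuthentication> section and flags any that still lists a provider other than Negotiate:Kerberos or lacks <clear />.

```powershell
# Added example, not DocuWare code. Function name and sample XML are constructed.
function Test-KerberosOnlyProviders {
    param(
        [Parameter(Mandatory)][xml]$Config,
        [string]$Label = 'Web.config'
    )
    $sections = $Config.SelectNodes('//windowsAuthentication')
    if ($sections.Count -eq 0) {
        Write-Warning "${Label}: no <windowsAuthentication> section found"
        return
    }
    $index = 0
    foreach ($section in $sections) {
        $index++
        # Provider entries may sit directly under the section or under <providers>.
        $values = @($section.SelectNodes('.//add') | ForEach-Object { $_.GetAttribute('value') })
        $other = @($values | Where-Object { $_ -ne 'Negotiate:Kerberos' })
        # Without <clear />, providers inherited from a parent configuration level still apply.
        $hasClear = $null -ne $section.SelectSingleNode('.//clear')
        [pscustomobject]@{
            File         = $Label
            Section      = $index
            Enabled      = $section.GetAttribute('enabled')
            Providers    = $values -join ', '
            HasClear     = $hasClear
            KerberosOnly = ($hasClear -and $values.Count -gt 0 -and $other.Count -eq 0)
        }
    }
}

# Constructed sample: the second section was missed and still offers NTLM.
$sample = @'
<configuration>
  <location path="A">
    <windowsAuthentication enabled="true">
      <providers><clear /><add value="Negotiate:Kerberos" /></providers>
    </windowsAuthentication>
  </location>
  <location path="B">
    <windowsAuthentication enabled="true">
      <providers><clear /><add value="NTLM" /></providers>
    </windowsAuthentication>
  </location>
</configuration>
'@
Test-KerberosOnlyProviders -Config $sample -Label 'constructed sample' | Format-Table -AutoSize
```

To check a real file, pass its content as -Config ([xml](Get-Content -Raw <path to Web.config>)); every row should show KerberosOnly as True before you rely on the change.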

Configure Kerberos authentication for internal communication of DocuWare Server components

The internal communication of the DocuWare components can be configured via the DocuWare Administration.
To do this, start the DocuWare Administration and navigate to the area DocuWare System - Server.
Adjust the communication channels, for incoming and outgoing communication, for all listed and installed servers as shown in the screenshot:

Afterwards you have to restart all DocuWare Servers!
This will also change the settings in the .settings files of the DocuWare Servers.
By adapting the incoming communication channels to "Kerberos", all DocuWare Servers require this authentication method. For the outgoing communication channels, we recommend using the "Negotiate" authentication method ("Kerberos" or "NTLM"). It is also possible to set the outgoing communication channels to "Kerberos" only.
However, internal communication will be done via "Kerberos" anyway, because of the specified incoming communication channels.

