Setting up BMD Web Windows Authentication
In BMD NTCS, each BMD NTCS user must be linked to their respective operating system user, and single login must be activated.
The web server has to be in the domain.
If the web server is separated from the domain controllers by a DMZ firewall, the following ports towards the domain controllers must be opened:
- 88 TCP/UDP – Kerberos
- 389 TCP/UDP – LDAP
- 636 TCP – LDAP SSL
- 135 TCP – RPC Endpoint Mapper
- 53 TCP/UDP – DNS
- 123 TCP/UDP – NTP
- 445 TCP/UDP – CIFS/SMB
- 3268 TCP – LDAP Global Catalog
- 3269 TCP – LDAP Global Catalog SSL
- 49152-65535 TCP – RPC dynamic high ports (LSA, SAM, Netlogon, FRS)
The dynamic RPC ports used by Netlogon and NTDS can be fixed on the domain controllers with the following registry values:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  DCTcpipPort (REG_DWORD)
  Value data: 49256 (this value must be specified in decimal format)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  TCP/IP Port (REG_DWORD)
  Value data: 49257 (this value must be specified in decimal format)
In the following, we assume that the BMD Web application is already fully set up and working.
Please refer to:
https://www.bmd.com/en/technical-documentation/setting-up-bmd-web-applications-2.html
Install the Windows Authentication role service via Server Manager:
Manage - Add Roles and Features - Web Server (IIS) - Role Services - Security - Windows Authentication
In IIS Manager, select the BMD Web application and open Authentication:
- Disable Anonymous Authentication
- Enable Windows Authentication
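As an added example (not part of the BMD documentation or a BMD script), the following PowerShell performs the IIS steps above on the web server, probes the fixed TCP ports from the port list towards a domain controller, and provides a function that pins the Netlogon and NTDS RPC ports with the registry values given above. The IIS path "Default Web Site/BMDWeb" and the host name "dc01.example.local" are assumptions; replace them with your own values.

```powershell
#Requires -RunAsAdministrator
# Added example, not BMD's own script. The two names below are assumptions; adjust them.
$SiteAndApp       = 'Default Web Site/BMDWeb'   # hypothetical IIS path of the BMD Web application
$DomainController = 'dc01.example.local'        # hypothetical domain controller

# --- Web server: install the IIS Windows Authentication role service ---------------
Install-WindowsFeature -Name Web-Windows-Auth | Out-Null
Import-Module WebAdministration

# Disable anonymous and enable Windows authentication for the application only.
# -PSPath 'IIS:\' with -Location writes a <location> entry in applicationHost.config,
# which also works when the authentication sections are locked against web.config.
$Auth = '/system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteAndApp `
    -Filter "$Auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteAndApp `
    -Filter "$Auth/windowsAuthentication" -Name enabled -Value $true

# Read back and show the effective state of every authentication module for the app.
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteAndApp `
    -Filter "$Auth/*" -Name enabled | Select-Object ItemXPath, Value

# --- DMZ check: probe the fixed TCP ports from the list above towards the DC -------
# UDP (53, 88, 123, 389, 445) and the dynamic RPC range are not probed here.
$FixedTcpPorts = 53, 88, 135, 389, 445, 636, 3268, 3269
foreach ($Port in $FixedTcpPorts) {
    $Ok = (Test-NetConnection -ComputerName $DomainController -Port $Port `
           -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,5}/TCP -> {1}' -f $Port, $(if ($Ok) { 'open' } else { 'BLOCKED' })
}

# --- Domain controllers: pin the Netlogon and NTDS RPC ports (run ON EACH DC) -------
# With fixed ports, the firewall rule for 49152-65535 can be narrowed to these two.
function Set-DcStaticRpcPorts {
    param([int]$NetlogonPort = 49256, [int]$NtdsPort = 49257)   # decimal values from the page
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
        -Name 'DCTcpipPort' -PropertyType DWord -Value $NetlogonPort -Force | Out-Null
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -Name 'TCP/IP Port' -PropertyType DWord -Value $NtdsPort -Force | Out-Null
    # Both values are read at service start; restart the domain controller afterwards.
}
```

Run the first two sections on the web server; call Set-DcStaticRpcPorts on each domain controller, then narrow the firewall rule for the dynamic range to the two fixed ports.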
After logging out of a BMD Web session, you are redirected straight back to the login page. If Windows authentication is enabled, you are logged back in immediately.
Solution
There is a new parameter in the BMD Web settings where you can enter a logout URL in order to avoid this issue.
- Internet Explorer and Edge should already work "out of the box".
- For Firefox, search for "network.automatic" in about:config. Either add the respective URL to "network.automatic-ntlm-auth.trusted-uris", or set "network.automatic-ntlm-auth.allow-non-fqdn" to true and leave "network.automatic-ntlm-auth.trusted-uris" empty.
- Chrome (and browsers derived from it, such as Opera and Vivaldi) uses the Internet Explorer settings. If it still does not work in Chrome, you may have to remove the "Negotiate" provider.
- In Edge and Firefox, Windows authentication does not work in private mode; in Internet Explorer and Chrome it does.
- If the client from which the web page is launched is not part of the domain, a prompt opens requesting user name and password. After entering the domain credentials, access is granted.
If the BMD Web URL is not assigned correctly and automatic logon does not occur, proceed as follows:
- Add the URL of BMD Web to "Trusted sites" in Internet Explorer.
- Set user authentication to "Automatic logon with current user name and password".