Authentication Security
Version 11.0.0
Network Security
OnBase 11.0.0
COPYRIGHT
Information in this document is subject to change without notice. The OnBase Information Management System
software described in this document is furnished only under a separate license agreement and may be used or copied only
according to the terms of such agreement. It is against the law to copy the software except as specifically allowed in the
license agreement, or without the expressed written consent of Hyland Software, Inc. If Hyland Software, Inc. and you have
entered into a nondisclosure agreement, then this document or accompanying materials provided by Hyland Software, Inc.
contains certain information which is confidential information of Hyland Software, Inc. and which may be used or copied
only according to the terms of such nondisclosure agreement. All data, names, and formats used in this document's
examples are fictitious unless noted otherwise. Complying with all applicable copyright laws is the responsibility of the user.
Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise),
or for any purpose, without the express written permission of Hyland Software, Inc.
Depending on the modules licensed, The OnBase Information Management System software may contain portions of:
Imaging technology, Copyright Snowbound Software Corporation; CD-R technology, Copyright Sonic Solutions; CD-R
technology, Copyright Rimage Corporation; OCR technology, Copyright Nuance Corporation; Mail interface
technology, Copyright Intuitive Data Solutions; Electronic signature technology, Copyright Silanis Technology, Inc.;
Full text search technology, Office core assembly, ASP.NET extensions, application blocks, smart client architecture, Object
Builder, and WPF controls, Copyright Microsoft Corporation; Full Text Indexing technology, Copyright Verity, Inc.;
SYBASE Adaptive Server Anywhere Desktop Runtime, Copyright SYBASE, Inc., portions Copyright Rational Systems,
Inc.; ISIS technology, Copyright EMC Corporation; JLex technology, Copyright 1996-2003 by Elliot Joel Berk and C.
Scott Ananian; A2iA CheckReader, Copyright A2iA; Terminal emulation technology, Copyright Attachmate; User
interface controls, Copyright Infragistics; Terminal emulation technology, Copyright NetManage; CAD document
technology, Copyright Open Text Corporation; ISIS scanning interface, Copyright Pegasus Imaging Corporation; CD/
DVD burner technology, Copyright Prassi Software Incorporated; Code obfuscation technology, Copyright
PreEmptive Solutions; Icon library, Copyright Professional Icons; OSA dlls, Copyright Sharp Electronics Corp.; JAVA
components, Copyright Sun Microsystems; Signature pad technology, Copyright Topaz Systems Incorporated; and User
interface tools, Copyright Xceed Software, Incorporated.
Portions of the OnBase software modules may be covered by one or more of the following U.S. Patents: 7,644,091 and
7,765,271. Portions contained within OnBase are licensed by U.S. Patent Nos. 6,094,505; 5,768,416; 5,625,465 and
5,258,855.
Hyland Software and OnBase are registered trademarks of Hyland Software, Inc. Application Enabler is an
unregistered trademark of Hyland Software, Inc. EMC Centera is a registered trademark of EMC Corporation. All other
trademarks, service marks, trade names and products of other companies are the property of their respective owners.
Attribute           Detail
Document Name       Network Security
Department/Group    Documentation
Revision Number     11.0.0
Part Number         CORM-11.0.0- -OB
Table of Contents
Exposure
OVERVIEW
Usage
USAGE
    Opening Multiple Web Client Sessions
Configuration
CONFIGURATION
    Source of Security Information
    forceSSOAutoLoginOverDomain
Installation
REQUIREMENTS
    LDAP Directory Service
    About Virtual Environments
    64-Bit Support Statement
    Windows User Account Control Statement
    Data Execution Prevention (DEP)
CONTACTING SUPPORT
2011
EXPOSURE
OVERVIEW
The Network Security module allows for tighter security controls and a more streamlined
user experience when accessing OnBase by integrating with existing NT Authentication
and LDAP (Active Directory and NDS) Authentication schemes.
NT and LDAP Authentication have the added security benefit that users need only
remember one password, making it less likely that they will write their passwords down
where someone can find them. You can also choose whether you want users to be
prompted for login credentials when accessing OnBase or if users are logged in to
OnBase automatically based on the NT/LDAP credentials supplied when they logged on
to their workstation.
This manual provides information regarding how to integrate OnBase with NT or LDAP
Authentication, but it is not intended to be a comprehensive overview of these
authentication schemes. This manual is written on the assumption that the System
Administrator has the necessary knowledge regarding the company's network
authentication schemes, and understands how they work.
Caution: These options provide the ability to implement global security changes to your OnBase
system and should never be made available to the non-administrative user. If configured
incorrectly, your OnBase system may be made more vulnerable and users can be locked out of
OnBase.
USAGE
If auto logon is enabled, users are automatically logged in to OnBase without having to
provide credentials.
Note: User accounts configured as Service Accounts in OnBase cannot log in to OnBase
Select Close this session and continue using the active session to close the new
session and leave the existing session open.
Select Close the active session and continue logging in here to close the active
session and continue with the new session. If auto logon is enabled, the user is
logged in automatically.
CONFIGURATION
Network Security options are configured in the Network Security dialog box. In order to
access the Network Security dialog you must launch the Configuration module with the
-ROMANZO switch applied.
Caution: Before using features enabled by the -ROMANZO switch, ensure that you understand the
implications of any changes to your system. Contact your service provider with any questions
regarding these features. Features enabled by the -ROMANZO switch should not be made available
to the casual user. Remove the -ROMANZO switch after completing necessary actions.
To access the Network Security dialog, select Network Security from the Utils menu in the
Configuration module. The Network Security dialog is displayed. The options available in this
dialog are described in the sections below.
Windows NT Security
To authenticate users using Windows NT Security, select Windows NT Security then click the
Settings button. The NT Security dialog is displayed.
Caution: Setting your OnBase system to use NT Authentication cannot be undone.
1. For added security, select Challenge Logon Domain and enter a User and Password to
authenticate against the domain the user is currently logging in from.
This feature ensures that the domain the user attempts to log in to OnBase from is a valid
domain that you want accessing your system. For example, if a user creates a duplicate
domain in an attempt to gain access to OnBase (a practice known as spoofing), the
Challenge Logon Domain feature fails to authenticate against the spoofed domain because
the user/password provided do not exist in the spoofed domain, thereby causing the log
in to OnBase to fail.
Note: This is true even if All Domains or Specified Domains is selected for group discovery
because the Challenge Logon Domain user is only authenticated against the domain the
OnBase user is currently logging in from.
2. Under Find Groups in, select the domains you want to search for user records:
All Domains
Caution: If All Domains is selected, all available domains are searched to locate every instance of a user
record. Depending on the number of domains to search, this process could be time-consuming and
may result in a time-out.
Specified Domains searches all the domains you enter in the field provided. Separate
each domain with a comma.
Select First-level Groups if all of your users belong to a single security group (i.e., if
your top-level security group contains no subgroups);
Select Nested Security Groups if your users belong to different security groups (i.e., if
your top-level security group contains subgroups).
1.
Option
Description
Security Level
Active
Inactive
Forbid NT Authentication
Internal Mail
External Mail
Account Lockout
Notification
System Lockout
Account Lockout
2. Click Apply.
Novell Security
Caution: Novell Security is not currently supported. Security must be configured using Normal
System Security, Windows NT Security,
or LDAP Security.
LDAP Security
To authenticate users using LDAP Authentication, select LDAP Security then click the
Settings button. The LDAP Servers dialog is displayed.
Caution: Setting your OnBase system to use LDAP Authentication cannot be undone.
To configure a new server to authenticate against, click Add. To edit a server's configuration,
select it in the LDAP pane and click Edit. The LDAP Server Settings dialog is displayed.
The options available in this dialog are described below. Once the LDAP Server Settings have
been configured, click Save.
Tip: See also Configuring Multiple LDAP Servers on page 20 for details on configuring more
Setting
Function
Name
Enable
Host
Port
The port used by the LDAP server (the default value is 389). Port
numbers can be up to 6 digits long.
Use SSL
Select Use SSL to use SSL between the client and the LDAP
server. The server must be configured to support SSL and the
correct Port assigned (the SSL port is usually 636).
Enter the name of the sub-tree directory to search for users and
groups on the LDAP server. Users and groups are expected to be
unique within the specified sub-tree, as identified by the OnBase
Group Name Attribute and OnBase User Name Attribute.
3
Anonymous
Proxy User
Authenticate against a specific user account. The user need only have
sufficient rights to perform searches and read entries. Enter the
user's distinguished name in the User DN field and supply the
Password. Passwords up to 50 characters are supported.
Pre-6.2 version
compatibility
Select this option to store the password in the database as plain text
for compatibility with pre-6.2 versions. If this option is not selected the
password is encrypted when stored in the database.
USER MAPPING
Configure how a user entry is stored on the LDAP in order to allow OnBase to locate a
particular user and its associated groups on the server.
Setting
Description
The name of the attribute within the user entry objectClass that
corresponds to the user name within OnBase. The suggested values
are samAccountname for Active Directory and uid for NDS.
Note: Many
The name of the attribute within the user entry objectClass that
corresponds to the user's full name. This setting is optional and is
used to populate the User's Real Name field in OnBase when a
user account is automatically created in OnBase using LDAP user
data (see Synchronize User Attributes on Auto-Logon on page 27).
The suggested values are name for Active Directory and
givenname for Netware eDirectory.
The name of the attribute within the user entry objectClass that
corresponds to the user's e-mail address. This setting is optional and
is used to populate the User's E-mail field in OnBase when a user
account is automatically created in OnBase using LDAP user data
(see Synchronize User Attributes on Auto-Logon on page 27).
Both Active Directory and Netware use mail for the E-mail Address
attribute value.
GROUP MAPPING
Configure how a group entry is stored on the LDAP server in order to allow OnBase to
locate the user groups a user belongs to.
Setting
Description
The name of the attribute within the group entry objectClass that
corresponds to the group name within OnBase. The suggested values
are samAccountname for Active Directory and uid for NDS. It is also
possible to use dn, but not all LDAP servers have an attribute that
matches dn.
USER/GROUP ASSOCIATION
Configure how users and groups are associated on the LDAP server. Either the user entry
contains the list of associated user groups, or the group entry contains the list of associated
users. Each attribute value within the list is expected to match the distinguished name of the
related entry.
3
Setting
Description
Association Type
Attribute
If more than one LDAP server is configured the first server in the list is used for
authentication. If that server fails or is disabled, the next server in the list is tried and the
process continues until a valid server is found or the list is exhausted.
Note: The next server in the list is only tried if the current server cannot be used. If a server is
valid but the login fails due to an invalid user name or password, no further authentication
attempts are made on the other servers.
Primary, Backup, and Disabled Servers
A server that is set as Primary marks the start of a new server group. Each server listed after a
primary server is considered a backup to that server, until the next primary server is
encountered, which marks the start of a new server group.
When organizing servers as primary or backup servers, the order of the servers in the list is
important, as the list is used to define server groups. A primary server should be followed by
one or more backup servers before the next primary server, such that the primary server and
the backup servers that follow it are considered one server group. To move a server up or
down in the list, select the server to move and click Move Up or Move Down, as appropriate.
When OnBase attempts to authenticate against the servers listed, the backup servers are only
searched if a connection cannot be made to the primary server for that server group. If a user
cannot be authenticated in a server group, the next server group is used to attempt
authentication. If a server is disabled, it is not included in authentication attempts.
Once a successful connection is made and the user is authenticated, the remainder of the
server groups are not searched.
To make a server a primary server, select it from the list and right-click it. Select
Primary from the Type right-click menu options.
To make a server a backup server, select it from the list and right-click it. Select
Backup from the right-click menu options.
Note: The first server listed is always considered a primary server, even if its Type is set to
Backup.
To enable or disable a server, select it from the list and right-click it. Select Disabled
from the Status right-click menu options to disable it. Select Enabled to enable it.
Exhaustive Searches
When authenticating a user, OnBase does not search the remainder of the server groups once
the user is authenticated.
To override this behavior and continue searching all server groups, in order to determine a
full list of the user's user groups, select Exhaustive Search on the LDAP Servers dialog.
With this option selected, OnBase continues to search the server groups for the user even
after the user has been authenticated.
Note: If a server is disabled, it is not searched for users even if Exhaustive Search is selected.
Whether a server is enabled or disabled is listed under the Status column. See Primary,
Backup, and Disabled Servers on page 20 to enable or disable a server.
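The ordering rules described above (server groups, backups tried only on connection failure, disabled servers skipped, Exhaustive Search) can be modelled in a short simulation. This is an added example, not OnBase code: the LdapServer class, the authenticate function and the sample server names are hypothetical, and treating Exhaustive Search as a user lookup in the remaining groups is an assumption.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class LdapServer:
    """One row of the LDAP Servers list (simulated; field names are assumptions)."""
    name: str
    type: str = "Backup"        # Type column: "Primary" or "Backup"
    enabled: bool = True        # Status column: Enabled / Disabled
    reachable: bool = True      # simulated: can a connection be made?
    users: dict = field(default_factory=dict)  # user -> (password, [groups])


def server_groups(servers):
    """Split the ordered list into server groups.

    A Primary starts a new group. The first server always starts one,
    even if its Type is set to Backup.
    """
    groups = []
    for index, server in enumerate(servers):
        if index == 0 or server.type == "Primary":
            groups.append([])
        groups[-1].append(server)
    return groups


def first_usable(group, contacted):
    """Return the first enabled server in the group that accepts a connection."""
    for server in group:
        if not server.enabled:
            continue                  # disabled servers are never tried
        contacted.append(server.name)
        if server.reachable:
            return server             # later backups in the group are not contacted
    return None


def authenticate(servers, user, password, exhaustive=False):
    """Walk the server groups in list order and report what was contacted."""
    contacted, memberships, authenticated_by = [], [], None
    for group in server_groups(servers):
        server = first_usable(group, contacted)
        if server is None:
            continue                  # no usable server here, move to the next group
        record = server.users.get(user)
        if authenticated_by is None:
            # A reachable server that rejects the credentials ends this group:
            # its backups are not tried, only the next server group is.
            if record and hmac.compare_digest(record[0].encode(), password.encode()):
                authenticated_by = server.name
                memberships.extend(record[1])
                if not exhaustive:
                    break             # remaining server groups are not searched
        elif record:
            # Exhaustive Search: keep collecting the user's groups (assumed lookup).
            memberships.extend(g for g in record[1] if g not in memberships)
    return {"authenticated_by": authenticated_by,
            "contacted": contacted,
            "groups": memberships}


def sample_servers():
    """Constructed server list; names, users and passwords are fictitious."""
    return [
        LdapServer("dc1", "Backup", reachable=False),   # first row, so it acts as primary
        LdapServer("dc2", "Backup", users={"jsmith": ("pw", ["Claims"])}),
        LdapServer("old", "Backup", enabled=False),
        LdapServer("hq1", "Primary", users={"jsmith": ("pw", ["HR"]),
                                            "adoe": ("x", ["Finance"])}),
        LdapServer("hq2", "Backup", users={"jsmith": ("pw", ["HR"])}),
    ]


if __name__ == "__main__":
    for args in (("jsmith", "pw"), ("jsmith", "wrong"), ("adoe", "x")):
        print(args, authenticate(sample_servers(), *args))
    print("exhaustive", authenticate(sample_servers(), "jsmith", "pw", exhaustive=True))
```

With a wrong password, hq2 is never contacted, because its primary hq1 was reachable and answered.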
WINDOWS INTEGRATION AND TRUSTED DOMAINS
You can add trusted domains to authenticate against in the Windows Integration pane of
LDAP Servers dialog.
To add a trusted domain to the list, enter the domain name in the field at the bottom of the
Windows Integration pane and click Add. To delete a domain from the list, select it and click
Delete.
To allow autologons only for users in domains added to the trusted domains list, select
To allow authentication to all
available domains, deselect this option.
Select Thick Client to require a log in to the OnBase Client and Configuration
modules.
Select Core Services to require a log in to all Core-based modules.
If Interactive User Authentication is not selected, external authentication schemes are treated
as autologons. This means that users are not prompted to log in to OnBase, and the domain
or Windows user account currently logged in is used to authenticate the user in OnBase.
Note: Anonymous access to the OnBase Web server and application server virtual directories
Security
The Active Directory Username Mapping Attribute option allows administrators to specify
which Active Directory attribute to use when looking for the corresponding OnBase user
account of the Active Directory user currently logged in. In other words, the attribute used to
perform the group lookup in Active Directory (i.e., the attribute under which the user is
logged in to Windows) may be different from the attribute used to create that user's account
in OnBase.
For example, in OnBase, a user's account user name is JSMITH, but in Windows the user logs
in as ahdme001 and has the Active Directory displayName attribute set to JSMITH. In order
for this user to successfully log in to OnBase using auto-logon, the Active Directory
Username Mapping Attribute must be set to displayName. With this configuration, the user
logs on to Windows as ahdme001 but is authenticated in OnBase under the JSMITH user
account.
Caution: When specifying an Active Directory Username Mapping Attribute, you must choose an
attribute that has a unique value for each user in Active Directory. If a non-unique attribute is chosen,
it is possible that multiple Active Directory users will be mapped to a single user account in OnBase.
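A pre-deployment check for the uniqueness requirement in the Caution above, as an added example that is not part of OnBase: it reads an LDIF export of user entries and reports attribute values shared by more than one account, plus accounts that have no value for the attribute. The sample LDIF is constructed, the function names are hypothetical, and comparing values case-insensitively is a conservative assumption.

```python
import base64
from collections import defaultdict

# Constructed sample export; the DNs and accounts are fictitious.
SAMPLE_LDIF = """\
dn: CN=John Smith,OU=Staff,DC=example,DC=test
sAMAccountName: ahdme001
displayName: JSMITH

dn: CN=Jane Smith,OU=Staff,DC=example,DC=test
sAMAccountName: ahdme002
displayName:: anNtaXRo

dn: CN=Mary Jones,OU=Staff,DC=example,DC=test
sAMAccountName: ahdme003
displayName: MJONES

dn: CN=Scan Service,OU=Service,
 DC=example,DC=test
sAMAccountName: svc01
"""


def parse_ldif(text):
    """Parse LDIF into a list of {lowercase attribute: [values]} dicts."""
    # Unfold continuation lines: a line starting with one space continues
    # the previous line.
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, current = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue                      # LDIF comment
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # "attr:: value" is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def check_mapping_attribute(entries, attribute, id_attribute="sAMAccountName"):
    """Return (collisions, missing) for a candidate username mapping attribute.

    collisions: {folded value: [account ids]} for values used by 2+ accounts
    missing:    [account ids] that have no value for the attribute
    """
    by_value, missing = defaultdict(list), []
    for entry in entries:
        ident = (entry.get(id_attribute.lower()) or entry.get("dn") or ["?"])[0]
        values = [v for v in entry.get(attribute.lower(), []) if v.strip()]
        if not values:
            missing.append(ident)
        for value in values:
            by_value[value.strip().casefold()].append(ident)
    collisions = {v: sorted(ids) for v, ids in by_value.items() if len(ids) > 1}
    return collisions, sorted(missing)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for attr in ("displayName", "sAMAccountName"):
        print(attr, check_mapping_attribute(entries, attr))
```

Any non-empty collisions result means two Windows accounts would resolve to the same OnBase account under that attribute.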
ADDITIONAL CONSIDERATIONS FOR LDAP SECURITY
In order to use the Active Directory Username Mapping Attribute option with LDAP Security
you must also edit the LDAP server settings to change the attribute for the user class that
maps to the OnBase user so that the LDAP attribute corresponds to the Active Directory
attribute being used.
When using auto-logon with LDAP, OnBase determines the currently logged-in Windows
user and extracts the specified Active Directory Username Mapping Attribute value
(sAMAccountName by default), then uses that value to query the LDAP server for a matching
user.
To use this feature with LDAP, the LDAP configuration must include values for the
Fullname and E-Mail Address attributes (see User Mapping on page 17).
Authentication Only on Auto-Logon
If this option is selected, NT and LDAP autologons do not perform any group membership
synchronization with the external system. The external system is only used to perform user
authentication. All group membership configuration must be completed in OnBase.
This means that OnBase no longer creates a new user account the first time a user logs in to
OnBase. In order to add the user to OnBase, an administrator must manually create the user
account.
Note: This setting should be selected for Institutional Databases. This setting does not affect
3. Select Remove users from this group if no matching domain group found.
4. Click OK.
With this option enabled, the OnBase User Group is checked against the corresponding
domain user group at log in if autologon is also used. If the user logging in is a member of the
OnBase User Group but is not a member of the corresponding domain user group, the user
is removed from that OnBase User Group.
Caution: This option will remove users from OnBase User Groups if the user groups do not exist on
the domain. Make sure your OnBase User Groups have the same names as the corresponding domain
user groups. The group names do not need to have matching cases (for example, AdminUsers is
considered the same as adminusers or ADMINUSERS).
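Before enabling this option, the removals it would cause can be previewed from exported group memberships. The following is an added example, not part of OnBase: the function name and the sample groups are hypothetical, group names are matched case-insensitively as stated above, and matching user names case-insensitively is an assumption.

```python
def preview_group_removals(onbase_groups, domain_groups, sync_enabled):
    """Preview removals caused by the 'remove users' option at autologon.

    onbase_groups: {OnBase User Group name: [member user names]}
    domain_groups: {domain group name: [member user names]}
    sync_enabled:  OnBase User Groups that have the option selected

    Returns (removals, unmatched):
      removals:  {OnBase group: [users who would be removed at their next autologon]}
      unmatched: [OnBase groups with no domain group of the same name]
    """
    # Index domain groups by case-folded name; AdminUsers == adminusers.
    domain = {
        name.casefold(): {user.casefold() for user in members}
        for name, members in domain_groups.items()
    }
    enabled = {name.casefold() for name in sync_enabled}

    removals, unmatched = {}, []
    for name, members in onbase_groups.items():
        if name.casefold() not in enabled:
            continue                      # option not selected for this group
        domain_members = domain.get(name.casefold())
        if domain_members is None:
            # No matching domain group: every member fails the check.
            unmatched.append(name)
            domain_members = set()
        gone = sorted(u for u in members if u.casefold() not in domain_members)
        if gone:
            removals[name] = gone
    return removals, sorted(unmatched)


# Constructed sample data; all group and user names are fictitious.
ONBASE_GROUPS = {
    "AdminUsers": ["JSMITH", "MJONES"],
    "Claims": ["JSMITH"],
    "Scanning": ["MJONES"],      # no domain group with this name
    "Legacy": ["JSMITH"],        # option not selected, so never touched
}
DOMAIN_GROUPS = {
    "adminusers": ["jsmith"],
    "CLAIMS": ["jsmith", "mjones"],
}
SYNC_ENABLED = ["AdminUsers", "Claims", "Scanning"]

if __name__ == "__main__":
    removals, unmatched = preview_group_removals(
        ONBASE_GROUPS, DOMAIN_GROUPS, SYNC_ENABLED)
    print("would be removed:", removals)
    print("no matching domain group:", unmatched)
```

Groups listed as unmatched should be renamed or created on the domain before the option is enabled, since every member of such a group is removed at next autologon.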
Note: If your system uses Institutional Databases, users must always be manually created and
added to the correct Institution before the user can be authenticated using NT or LDAP. See
Authentication Only on Auto-Logon on page 27.
When a user account is created in this way, the user's e-mail address and real name values are
populated in OnBase using the values from the domain. The user is also added to the OnBase
User Groups that correspond to the domain user groups that the user is a member of.
Note: If a User Template has been configured in OnBase, those user settings are applied to
new user accounts. See User Groups & Rights in the System Administration module reference
guide for details.
ENABLING AUTOLOGON
The OnBase Client, Web Client, Java Web Client, and Desktop can all be configured to enable
autologon.
OnBase Client
To enable autologon in the OnBase Client, append the -AL command line switch to the
OnBase Client.
Web Client
To enable the Web Client for NT or LDAP Authentication, you must set the
EnableAutoLogin key of the OnBase web server's Web.Config file to true:
<add key="EnableAutoLogin" value="true"/>
This attribute is automatically set to true if you installed the OnBase web server with NT/
LDAP Authentication enabled.
If this value is set to false, the Web Client and any modules that access OnBase via the
OnBase web server use standard OnBase authentication. User accounts must be configured
in OnBase for any users who have to log in in this way.
Tip: See also, Additional Settings for the OnBase Web Server on page 33.
If you need some modules to use NT or LDAP Authentication and others to use standard
OnBase authentication to log in, two instances of the OnBase web server must be installed to
different virtual directories (e.g., http://web-server/AppNet1 and http://web-server/AppNet2).
One instance of the OnBase web server is then configured with the
EnableAutoLogin value set to true, meaning the NT or LDAP method configured for the data
source is used to log in, while the other has it set to false, meaning standard OnBase
authentication is used to log in, regardless of the NT/LDAP configuration.
Note: If this value is set to false, user accounts must be configured in OnBase for any users
Firefox
Safari
Mac
N/A
Windows
N/A
Complete the following steps to prevent Firefox browsers from prompting users for
credentials on either Mac OS X or Windows. When using Firefox on Mac OS X, users will
still be prompted once for credentials by the JRE.
1. From an open Firefox window, type about:config into the address bar.
2. Locate the following settings: network.automatic-ntlm-auth.trusted-uris (for NTLM)
and network.negotiate-auth.trusted-uris (for Kerberos). To quickly locate these settings,
type auth in the Filter field provided.
3. Modify these settings by adding a comma-delimited list of trusted servers. When a user
accesses the Java Web Client on these servers, the browser will not prompt the user for
credentials.
4. Restart Firefox. If the user who logged on to the computer has permission to access the
Web Server virtual directory, the browser will not prompt the user for credentials.
To allow Mac users to log on using NT authentication, additional steps may be required. If
you encounter the error HTTP Error 401.1 - Unauthorized: Access is denied due to invalid
credentials, see the Microsoft KB article located at the following URL:
http://support.microsoft.com/kb/871179
Desktop
When using the Desktop, authentication credentials are encrypted before they are passed over
HTTP from the Desktop to the server.
NT or LDAP authentication is supported in the Desktop by selecting the Domain Security
installation option in the Hyland Client Components installer when the Desktop is installed.
No further configuration is needed.
Note: NT or LDAP Authentication must already be configured for the datasource before
If Interactive User Authentication is not selected, users are not prompted for authentication
credentials and are automatically logged in to the Desktop, as long as the following Windows
registry key exists and has the correct value:
HKEY_LOCAL_MACHINE\SOFTWARE\Hyland\DMDesktop\NTAuthenticationDatasource
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Hyland\DMDesktop\NTAuthenticationDatasource
This registry key must be created manually. Set the type to String (REG_SZ) and set the value
to the ODBC datasource name for OnBase.
Caution: Changes to the Windows registry can damage your system if they are done incorrectly.
Ensure you add or update only this registry key when enabling autologons. Contact your first line of
support for further information or assistance.
See also, Additional Settings for the OnBase Web Server on page 33 for additional
configuration settings.
EnableAutoLogin
EnableAutoLogin - Set this value to true to use Windows NT Security, Novell Security, or
LDAP Security if one of these network security options is enabled in OnBase Configuration.
Set to true also when using Integration for Single Sign-On. Set this value to false to use
Normal System Security regardless of your network security option. When using Integration
for Single Sign-On, set this value to false if bypassing the Single Sign-On security is required.
When doing this, a user can log into OnBase using any valid username and password on any
workstation.
forceSSOAutoLoginOverDomain
forceSSOAutoLoginOverDomain - works
false
2. Click Trusted sites. Click the Sites button to display the Trusted sites dialog box.
3. Type the URL of your Web Server into the field labeled Add this Web site to the zone.
Click Add, and the Web Server address will show up in the list in the Web Sites window.
Certain features of OnBase will exhibit unusual behavior if your Web Server is not listed
under Trusted Sites. For example, when you create a new envelope, the header bar may
display VBScript instead of Create New Envelope, due to security restrictions imposed on sites
which are not in the list.
3. Scroll down to the bottom, and under User Authentication, ensure that Automatic logon
with current username and password is selected.
INSTALLATION
The Network Security module is natively available in OnBase. To access it, simply append
the -ROMANZO switch to the Configuration module executable before launching it.
Caution: Before using features enabled by the -ROMANZO switch, ensure that you understand the
feature and implications of any changes to your system. Contact your service provider with any
questions regarding these features. Features enabled by the -ROMANZO switch should not be made
available to the casual user. Remove the -ROMANZO switch after completing necessary actions.
REQUIREMENTS
LDAP Directory Service
For LDAP Authentication the directory service software must be compatible with LDAP
version 3.
Each OnBase site is unique. Hyland Software depends on the customers who deploy OnBase
in virtual environments to do so only after careful design and adequate planning (that takes
into account the workloads of your organization), and in accordance with recommendations
provided by the virtual environment's vendor. As with any implementation, Hyland Software
strongly recommends that any customer deploying an OnBase solution in a virtual
environment thoroughly test the solution before putting it into production.
For information about using OnBase in a Citrix and Microsoft Windows Remote Desktop
environment, please see the OnBase in a Citrix and Microsoft Windows Remote Desktop
Environment reference guide, available from your solution provider.
Supported database versions that are deployed on a 64-bit database server are also supported.
For more information, contact your solution provider.
Copying, moving, or saving files to the Program Files directory, Windows directory, or
another protected location.
If Windows UAC is enabled, the above operations will prompt for administrator privileges,
even if an administrator is currently logged on.
Note: Text at the bottom of the Data Execution Prevention tab will indicate whether
DEP security level, which could potentially cause issues with other applications on your system.
2. Click Add...
3. Browse out to the location of your OnBase Configuration and/or Client executable files.
Click Open.
Note: The location of the executables must be full paths.
INI File
INI files (initialization files) are plain-text files that contain configuration information. These
files are used by Windows and Windows-based applications to save and access information
about your preferences and operating environment. OnBase uses an initialization file named
onbase32.ini. If a user does not have rights to access the onbase32.ini file, that user will be
unable to use the Client or Configuration modules.
The onbase32.ini file is primarily used to store settings specified in the Client or
Configuration module. For example, when a user selects a default data source in the OnBase
Client's Workstation Options dialog box, this selection is saved to the onbase32.ini file. The
onbase32.ini file is also used to make modifications to OnBase modules that cannot be made
through the module's interface.
Previous File Location/File Name
Every version of the OnBase Client prior to 8.2.0 used an INI file named OnBase.ini. In
OnBase 8.2.0 and subsequent versions, the INI file was moved to a new location to be
consistent with changes Microsoft has made to Windows. Since the location has changed, the
name of the file has also been changed to alleviate some confusion between the needs of
OnBase 8.2.0 and installations of older executables. The new file name is onbase32.ini.
Location
The table below shows the default location of the onbase32.ini for supported operating
systems.
Operating System
Default Location
Windows XP
Windows Vista
C:\ProgramData\Hyland Software
C:\ProgramData\Hyland Software
C:\ProgramData\Hyland Software
Windows 7
C:\ProgramData\Hyland Software
Note: To maintain backwards compatibility with previous versions of OnBase, OnBase will
check the workstation's C:\Windows folder for the OnBase INI file if it is not found in the
folder specified above. If the OnBase INI file is found in the C:\Windows folder, OnBase will
copy the file to the new location. The previously-existing version of the OnBase INI file will
remain in the C:\Windows folder, but will no longer be used by OnBase.
Your onbase32.ini file may reside in a different location, if that location is specified by the
following command line switch on the OnBase Client shortcut target.
-INIFILE= "full path\filename",
environment.
To ensure that the INI file is accessible by OnBase and unique to each user in a remote
desktop environment, the -INIFILE command line switch must be applied to the OnBase
Client shortcut and be set to a unique location for the INI file.
Note: Additional details regarding the deployment of OnBase in a remote desktop
environment are discussed in the OnBase in a Citrix and Microsoft Windows Remote
Desktop Environment module reference guide, available from your first line of support.
TROUBLESHOOTING
LDAP/NT authentication errors and messages are written to the LDAP/NT Authentication tab
of the Diagnostics Console. See the Diagnostics Service and Diagnostics Console module
reference guide for details on using the Diagnostics Console.
The following sections describe common problems and the solutions to them.
This is a known issue when using IIS 6.0. See Microsoft technical article 871179 at
http://support.microsoft.com/kb/871179 for more information.
CONTACTING SUPPORT
When contacting your solution provider, please provide the following information:
The OnBase version and build (Example: 11.0.0.571) and/or the Core Services
version and build (Example: 11.0.0.6).
The type and version of the connected database, such as Microsoft SQL Server 2008
or Oracle 11g, and any Service Packs that have been installed.
The operating system that the workstation is running on, such as Windows XP or
Windows Server 2008, and any Service Packs that have been installed. Check the
supported operating systems for this module to ensure that the operating system is
supported.
The version of Internet Explorer, and any Service Packs that have been installed, if
applicable.
Supplied with the above information, your solution provider can better assist you in
correcting the issue.