Network Security

Version 11.0.0

Network Security

OnBase 11.0.0

COPYRIGHT
Information in this document is subject to change without notice. The OnBase Information Management System
software described in this document is furnished only under a separate license agreement and may be used or copied only
according to the terms of such agreement. It is against the law to copy the software except as specifically allowed in the
license agreement, or without the expressed written consent of Hyland Software, Inc. If Hyland Software, Inc. and you have
entered into a nondisclosure agreement, then this document or accompanying materials provided by Hyland Software, Inc.
contains certain information which is confidential information of Hyland Software, Inc. and which may be used or copied
only according to the terms of such nondisclosure agreement. All data, names, and formats used in this documents
examples are fictitious unless noted otherwise. Complying with all applicable copyright laws is the responsibility of the user.
Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise),
or for any purpose, without the express written permission of Hyland Software, Inc.

2011 Hyland Software, Inc. All rights reserved.

Depending on the modules licensed, The OnBase Information Management System software may contain portions of:
Imaging technology, Copyright Snowbound Software Corporation; CD-R technology, Copyright Sonic Solutions; CD-R
technology, Copyright Rimage Corporation; OCR technology, Copyright Nuance Corporation; Mail interface
technology, Copyright Intuitive Data Solutions; Electronic signature technology, Copyright Silanis Technology, Inc.;
Full text search technology, Office core assembly, ASP.NET extensions, application blocks, smart client architecture, Object
Builder, and WPF controls, Copyright Microsoft Corporation; Full Text Indexing technology, Copyright Verity, Inc.;
SYBASE Adaptive Server Anywhere Desktop Runtime, Copyright SYBASE, Inc., portions Copyright Rational Systems,
Inc.; ISIS technology, Copyright EMC Corporation; JLex technology, Copyright 1996-2003 by Elliot Joel Berk and C.
Scott Ananian; A2iA CheckReader, Copyright A2iA; Terminal emulation technology, Copyright Attachmate; User
interface controls, Copyright Infragistics; Terminal emulation technology, Copyright NetManage; CAD document
technology, Copyright Open Text Corporation; ISIS scanning interface, Copyright Pegasus Imaging Corporation; CD/
DVD burner technology, Copyright Prassi Software Incorporated; Code obfuscation technology, Copyright
PreEmptive Solutions; Icon library, Copyright Professional Icons; OSA dlls, Copyright Sharp Electronics Corp.; JAVA
components, Copyright Sun Microsystems; Signature pad technology, Copyright Topaz Systems Incorporated; and User
interface tools, Copyright Xceed Software, Incorporated.
Portions of the OnBase software modules may be covered by one or more of the following U.S. Patents: 7,644,091 and
7,765,271. Portions contained within OnBase are licensed by U.S. Patent Nos. 6,094,505; 5,768,416; 5,625,465 and
5,258,855.
Hyland Software and OnBase are registered trademarks of Hyland Software, Inc. Application Enabler is an
unregistered trademark of Hyland Software, Inc. EMC Centera is a registered trademark of EMC Corporation. All other
trademarks, service marks, trade names and products of other companies are the property of their respective owners.

Attribute

Detail

Document Name

Network Security

Department/Group

Documentation

Revision Number

11.0.0

Part Number

CORM-11.0.0- -OB

2009 Hyland Software, Inc.

ii

OnBase 11.0.0

Network Security

2009 Hyland Software, Inc.

iii

Network Security

OnBase 11.0.0

2009 Hyland Software, Inc.

iv

Network Security

Table of Contents

Exposure
OVERVIEW .................................................................................................................1

Usage
USAGE ...................................................................................................................... 3
Opening Multiple Web Client Sessions.............................................................................................3

Configuration
CONFIGURATION ..................................................................................................... 6
Source of Security Information ..........................................................................................................6

Normal System Security .........................................................................................7

Windows NT Security ............................................................................................8
NT API Authentication Settings .........................................................................................10

Novell Security ..................................................................................................... 12

LDAP Security ...................................................................................................... 13
LDAP General Server Settings ............................................................................................15
Server Bind Method ..............................................................................................................16
User Mapping .........................................................................................................................17
Group Mapping .....................................................................................................................18
User/Group Association ......................................................................................................19
Configuring Multiple LDAP Servers ..................................................................................20
Windows Integration and Trusted Domains .....................................................................23
Additional Settings for NT and LDAP Authentication............................................................... 24

Interactive User Authentication ........................................................................... 25

Active Directory Username Mapping Attribute .................................................. 26
Additional Considerations for LDAP Security .................................................................26

Synchronize User Attributes on Auto-Logon ...................................................... 27

Authentication Only on Auto-Logon ................................................................... 27
Integrating OnBase User Groups with Domain User Groups................................................... 28
Adding Users to OnBase with LDAP and NT Authentication.................................................. 29

ENABLING AUTOLOGON ........................................................................................ 29

OnBase Client..................................................................................................................................... 29
Web Client .......................................................................................................................................... 29

Multiple Sites Configuration ................................................................................ 30

Java Web Client .................................................................................................... 30
Desktop ............................................................................................................................................... 31

INTEGRATION FOR SINGLE SIGN ON WITH NT OR LDAP AUTHENTICATION ... 32

EnableAutoLogin............................................................................................................................... 32

2011 Hyland Software, Inc.

v

Table of Contents

Network Security
forceSSOAutoLoginOverDomain .................................................................................................. 32

ADDITIONAL SETTINGS FOR THE ONBASE WEB SERVER ..................................... 33

Setting Access to the Application Pools......................................................................................... 34
Adding the Web Server as a Trusted Site....................................................................................... 35
Setting Automatic Logon in Internet Explorer............................................................................. 36

Installation
REQUIREMENTS ..................................................................................................... 39
LDAP Directory Service................................................................................................................... 39
About Virtual Environments ........................................................................................................... 39
64-Bit Support Statement ................................................................................................................. 40
Windows User Account Control Statement .................................................................................. 40
Data Execution Prevention (DEP) ................................................................................................. 41

Determining DEP Settings .................................................................................. 41

Configuring Exceptions to DEP Settings ............................................................ 42
INI File................................................................................................................................................ 43

Previous File Location/File Name ...................................................................... 44

Location ............................................................................................................... 44
INI Considerations in a Citrix and Microsoft Windows Remote Desktop Environment ...................................................................................................................... 45
Editing the INI File ............................................................................................. 46
TROUBLESHOOTING .............................................................................................. 46
HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials..................... 46
(Autologin) No matching usergroups were found, access denied.............................................. 46

CONTACTING SUPPORT.......................................................................................... 46

2011

Hyland Software, Inc.

vi

EXPOSURE

OVERVIEW
The Network Security module allows for tighter security controls and a more streamlined
user experience when accessing OnBase by integrating with existing NT Authentication
and LDAP (Active Directory and NDS) Authentication schemes.
NT and LDAP Authentication have the added security benefit that users need only
remember one password, making it less likely that they will write their passwords down
where someone can find them. You can also choose whether you want users to be
prompted for login credentials when accessing OnBase or if users are logged in to
OnBase automatically based on the NT/LDAP credentials supplied when they logged on
to their workstation.
This manual provides information regarding how to integrate OnBase with NT or LDAP
Authentication, but it is not intended to be a comprehensive overview of these
authentication schemes. This manual is written on the assumption that the System
Administrator has the necessary knowledge regarding the companys network
authentication schemes, and understands how they work.
Caution: These options provide the ability to implement global security changes to your OnBase

system and should never be made available to the non-administrative user. If configured
incorrectly, your OnBase system may be made more vulnerable and users can be locked out of
OnBase.

2011 Hyland Software, Inc.

1

Network Security

OnBase 11.0.0

2011 Hyland Software, Inc.

2

USAGE
USAGE
If auto logon is enabled, users are automatically logged in to OnBase without having to
provide credentials.
Note: User accounts configured as Service Accounts in OnBase cannot log in to OnBase

using auto logon.

If Interactive User Authentication is also enabled, or if auto logon is not enabled, users
are prompted for their network authentication credentials when logging in to OnBase.

Opening Multiple Web Client Sessions

If Internet Explorer is set to reuse windows for launching shortcuts, and you have only
one window open with the OnBase Web Client, then relauching the Web Client from a
shortcut automatically disconnects you from your current session and a new connection
is established in your current window.
If you are already logged in to the OnBase Web Client and attempt to initiate another
session in a new browser window, then the Another OnBase session is currently active
dialog is displayed.

Select Close this session and continue using the active session to close the new
session and leave the existing session open.
Select Close the active session and continue logging in here to close the active
session and continue with the new session. If auto logon is enabled, the user is
logged in automatically.

2011 Hyland Software, Inc.

3

Network Security

OnBase 11.0.0

2011 Hyland Software, Inc.

4

CONFIGURATION

Network Security options are configured in the Network Security dialog box. In order to
access the Network Security dialog you must launch the Configuration module with the
ROMANZO switch applied.
Caution: Before using features enabled by the -ROMANZO switch, ensure that you understand the

implications of any changes to your system. Contact your service provider with any questions
regarding these features. Features enabled by the -ROMANZO switch should not be made available
to the casual user. Remove the -ROMANZO switch after completing necessary actions.

2011 Hyland Software, Inc.

5

Network Security

OnBase 11.0.0

CONFIGURATION
To access the Network Security dialog, select Network Security from the Utils menu in the
Configuration module. The Network Security dialog is displayed. The options available in this
dialog are described in the sections below.

Source of Security Information

The options under Source of Security Information define how OnBase authenticates users.

2011 Hyland Software, Inc.

6

OnBase 11.0.0

Network Security

Normal System Security

Normal System Security is the default authentication method and is enabled for all OnBase
systems, unless it has been modified by accessing the Network Security dialog. With normal
System Security, users are authenticated using OnBase credentials and they are prompted for
their credentials each time they log in.

2011 Hyland Software, Inc.

7

Network Security

OnBase 11.0.0

Windows NT Security
To authenticate users using Windows NT Security, select Windows NT Security then click the
Settings button. The NT Security dialog is displayed.
Caution: Setting your OnBase system to use NT Authentication cannot be undone.

1. For added security, select Challenge Logon Domain and enter a User and Password to
authenticate against the domain the user is currently logging in from.
This feature ensures that the domain the user attempts to log in to OnBase from is a valid
domain that you want accessing your system. For example, if a user creates a duplicate
domain in an attempt to gain access to OnBase (a practice known as spoofing), the
Challenge Logon Domain feature fails to authenticate against the spoofed domain because
the user/password provided do not exist in the spoofed domain, thereby causing the log
in to OnBase to fail.

2011 Hyland Software, Inc.

8

OnBase 11.0.0

Network Security

Note: This is true even if All Domains or Specified Domains is selected for group discovery

because the Challenge Logon Domain user is only authenticated against the domain the
OnBase user is currently logging in from.
2. Under Find Groups in, select the domains you want to search for user records:

Logon Domain Only

All Domains

searches only the current domain;

searches all available domains;

Caution: If All Domains is selected, all available domains are searched to locate every instance of a user

record. Depending on the number of domains to search, this process could be time-consuming and
may result in a time-out.

Specified Domains searches all the domains you enter in the field provided. Separate
each domain with a comma.

Note: When using Windows NT Authentication in a multiple domain environment the

domains must have a two-way trust between them.

Select Failover to Interactive Mode to display the interactive login dialog box if a user
is attempting to authenticate via autologon from a domain that is not listed in the
Specified Domains field. The Domain field in the interactive login is populated with
the first domain listed in the Specified Domains field. The user must still be able to
authenticate against one of the Specified Domains configured in order to log in
successfully, even if they are not currently logged in to one of those domains.
Note: The Failover to Interactive Mode setting is currently only supported in the OnBase
Client; it is not currently supported if OnBase is accessed via the Core. The Interactive User
Authentication settings configured on the Network Security dialog are still respected even
with the Failover to Interactive Mode option selected.

3. Select a Group Discovery Strategy from the drop-downselect list:

Select First-level Groups if all of your users belong to a single security group (i.e., if
your top-level security group contains no subgroups);
Select Nested Security Groups if your users belong to different security groups (i.e., if
your top-level security group contains subgroups).

2011 Hyland Software, Inc.

9

Network Security

OnBase 11.0.0

NT API AUTHENTICATION SETTINGS

After your system has been configured to use Windows NT Security, the NT API
Authentication Settings option is available under the Utils menu. These settings allow system
administrators to prevent the OnBase API (mzNTSecurityConnect) being used for brute-force
password discovery attacks.

1.

Configure the settings in the NT API Authentication Settings dialog:

Option

Description
Security Level

2011 Hyland Software, Inc.

10

OnBase 11.0.0

Network Security

Option

Description

Active

Incorrect login attempts are tracked and further login attempts

are prevented if the failure threshhold is reached.

Inactive

Incorrect login attempts are not tracked and no failure

threshhold is enforced.

Forbid NT Authentication

Any login attempt using the API NT connection method

automatically fails.
Destination

Internal Mail

The OnBase user account that receives NT API Authentication

Security notifications via internal mail.

External Mail

The external e-mail address that receives NT API Authentication

Security notifications.
Notification

Failed Login Notification

Select how to report notices of failed login attempts. They can

be logged in the Event Log and sent to the Internal Mail or
External Mail addresses.

Account Lockout
Notification

Select how to report notices of users locked out of their

accounts. They can be logged in the Event Log and sent to the
Internal Mail or External Mail addresses.

System Lockout Notification

Select how to report a notice of the system locking out all

attempted connections using the API. It can be logged in the
Event Log and sent to the Internal Mail or External Mail
addresses.
Lockouts

System Lockout

If the configured threshhold of failed logins is reached, all future

attempts to login using the API fail.
Interval: The amount of time in minutes that must elapse
between failed login attempts.
Number of Failures: The number of failed login attempts
that can occur in the Interval configured.
Number of Timed Lockouts: The number of System
Timed Lockouts that can occur before all logins using the
API are locked out.

2011 Hyland Software, Inc.

11

Network Security

OnBase 11.0.0

Option

Description

System Timed Lockout

If the configured threshhold of failed logins is reached, the

system is locked out from using the API to login for the length of
time configured.
Interval: The amount of time in minutes that must elapse
between failed login attempts.
Number of Failures: The number of failed login attempts
that can occur in the Interval configured before API
connection attempts are locked out.
Duration: .The amount of time in minutes that API
connection attempts are locked out.

Account Lockout

If the configured threshhold of failed logins is reached, all future

attempts by that user to login using the API fail.
Interval: The amount of time in minutes that must elapse
between failed login attempts.
Number of Failures: The number of failed login attempts
that can occur in the Interval configured before API
connection attempts are locked out.
Number of Timed Lockouts: The number of Account
Timed Lockouts that can occur before all logins by that
user using the API are locked out.

Account Timed Lockout

If the configured threshhold of failed logins is reached, that user

is locked out from using the API to login for the length of time
configured.
Interval: The amount of time in minutes that must elapse
between failed login attempts.
Number of Failures: The number of failed login attempts
that can occur in the Interval configured before API
connection attempts are locked out.
Duration: .The amount of time in minutes that API
connection attempts are locked out.

2. Click Apply.
Novell Security
Caution: Novell Security is not currently supported. Security must be configured using Normal
System Security, Windows NT Security,

or LDAP Security.

2011 Hyland Software, Inc.

12

OnBase 11.0.0

Network Security

LDAP Security
To authenticate users using LDAP Authentication, select LDAP Security then click the
Settings button. The LDAP Servers dialog is displayed.
Caution: Setting your OnBase system to use LDAP Authentication cannot be undone.

To delete a server, select it in the LDAP pane and click Delete.

2011 Hyland Software, Inc.

13

Network Security

OnBase 11.0.0

To configure a new server to authenticate against, click Add. To edit a servers configuration,
select it in the LDAP pane and click Edit. The LDAP Server Settings dialog is displayed.

The options available in this dialog are described below. Once the LDAP Server Settings have
been configured, click Save.
Tip: See also Configuring Multiple LDAP Servers on page 20 for details on configuring more

than one LDAP server.

2011 Hyland Software, Inc.

14

OnBase 11.0.0

Network Security

LDAP GENERAL SERVER SETTINGS

These settings are used to locate the LDAP server on the network.

Setting

Function

Name

Assign a name to this LDAP Server configuration. Multiple

configurations may be stored so this name should be unique.

Enable

Select Enable to enable the server or deselect it to disable a

server. Disabled servers are not used for authentication. Servers
can also be enabled/disabled from the right-click menu options.

Host

The fully qualified domain name or IP address of the LDAP server.

Port

The port used by the LDAP server (the default value is 389). Port
numbers can be up to 6 digits long.

Use SSL

Select Use SSL to use SSL between the client and the LDAP
server. The server must be configured to support SSL and the
correct Port assigned (the SSL port is usually 636).

Search Root Distinguished

Name

Enter the name of the sub-tree directory to search for users and
groups on the LDAP server. Users and groups are expected to be
unique within the specified sub-tree, as identified by the OnBase
Group Name Attribute and OnBase User Name Attribute.

2011 Hyland Software, Inc.

15

Network Security

OnBase 11.0.0

SERVER BIND METHOD

LDAP requires some form of authentication (server bind) in order to perform searches. Some
LDAP servers allow an anonymous bind, while others require user authentication. OnBase
access must be configured to perform searches on the LDAP server.

3
Setting

Function

Anonymous

This is the recommended setting if the server supports searches with

an anonymous bind.

Current User Credentials

Authenticates against the currently logged in user. This only works

with Active Directory.

Proxy User

Authenticate against a specific user account. The user need only have
sufficient rights to performs searches and read entries. Enter the
users distinguished name in the User DN field and supply the
Password. Passwords up to 50 characters are supported.

Pre-6.2 version
compatibility

Select this option to store the password in the database as plain text
for compatibility with pre-6.2 versions. If this option is not selected the
password is encrypted when stored in the database.

2011 Hyland Software, Inc.

16

OnBase 11.0.0

Network Security

USER MAPPING
Configure how a user entry is stored on the LDAP in order to allow OnBase to locate a
particular user and its associated groups on the server.

Setting

Description

LDAP Class Name

The name of the objectClass within the directory that is used to

represent a user entry. This value varies, depending on how the
network is set up. The suggested values are user for Active
Directory and inetOrgPerson for NDS.

OnBase User Name

Attribute

The name of the attribute within the user entry objectClass that
corresponds to the user name within OnBase. The suggested values
are samAccountname for Active Directory and uid for NDS.
Note: Many

configuration settings depend on how your

network and directory service are set up. For example, if a
login uses first and last names, the matching LDAP attribute
for the OnBase User Name Attribute field is Common Name
or cn.
Fullname attribute

The name of the attribute within the user entry objectClass that
corresponds to the users full name. This setting is optional and is
used to populate the Users Real Name field in OnBase when a
user account is automatically created in OnBase using LDAP user
data (see Synchronize User Attributes on Auto-Logon on page 27).
The suggested values are name for Active Directory and
givenname for Netware eDirectory.

2011 Hyland Software, Inc.

17

Network Security

OnBase 11.0.0

Setting

Description

E-mail Address attribute

The name of the attribute within the user entry objectClass that
corresponds to the users e-mail address. This setting is optional and
is used to populate the Users E-mail field in OnBase when a user
account is automatically created in OnBase using LDAP user data
(see Synchronize User Attributes on Auto-Logon on page 27).
Both Active Directory and Netware use mail for the E-mail Address
attribute value.

GROUP MAPPING

Configure how a group entry is stored on the LDAP server in order to allow OnBase to
locate the user groups a user belongs to.

Setting

Description

LDAP Class Name

The name of the objectClass that corresponds to a group entry. The

suggested values are group for Active Directory and groupOfNames
for NDS.

OnBase Group Name

Attribute

The name of the attribute within the group entry objectClass that
corresponds to the group name within OnBase. The suggested values
are samAccountname for Active Directory and uid for NDS. It is also
possible to use dn, but not all LDAP servers have an attribute that
matches dn.

2011 Hyland Software, Inc.

18

OnBase 11.0.0

Network Security

USER/GROUP ASSOCIATION
Configure how users and groups are associated on the LDAP server. Either the user entry
contains the list of associated user groups, or the group entry contains the list of associated
users. Each attribute value within the list is expected to match the distinguished name of the
related entry.

3
Setting

Description

Association Type

Select the class that contains the list attribute.

Attribute

The name of the list attribute.

2011 Hyland Software, Inc.

19

Network Security

OnBase 11.0.0

CONFIGURING MULTIPLE LDAP SERVERS

Multiple LDAP servers can be configured for authentication. Once all the LDAP servers to
authenticate agianst have been added, they can be further organized into server groups with
Primary and Backup servers, using the options under the LDAP pane of the LDAP servers
dialog:

If more than one LDAP server is configured the first server in the list is used for
authentication. If that server fails or is disabled, the next server in the list is tried and the
process continues until a valid server is found or the list is exhausted.
Note: The next server in the list is only tried if the current server cannot be used. If a server is

valid but the login fails due to an invalid user name or password, no further authentication
attempts are made on the other servers.
Primary, Backup, and Disabled Servers

A server that is set as Primary marks the start of a new server group. Each server listed after a
primary server is considered a backup to that server, until the next primary server is
encountered, which marks the start of a new server group.

2011 Hyland Software, Inc.

20

OnBase 11.0.0

Network Security

When organizing servers as primary or backup servers, the order of the servers in the list is
important, as the list is used to define server groups. A primary server should be followed by
one or more backup servers before the next primary server, such that the primary server and
the backup servers that follow it are considered one server group. To move a server up or
down in the list, select the server to move and click Move Up or Move Down, as appropriate.
When OnBase attempts to authenticate against the servers listed, the backup servers are only
searched if a connection cannot be made to the primary server for that server group. If a user
cannot be authenticated in a server group, the next server group is used to attempt
authentication. If a server is disabled, it is not included in authentication attempts.
Once a successful connection is made and the user is authenticated, the remainder of the
server groups are not searched.

To make a server a primary server, select it from the list and right-click it. Select
Primary from the Type right-click menu options.

To make a server a backup server, select it from the list and right-click it. Select
Backup from the right-click menu options.

Note: The first server listed is always considered a primary server, even if its Type is set to
Backup.

To enable or disable a server, select it from the list and right-click it. Select Disabled
from the Status right-click menu options to disable it. Select Enabled to enable it.

Exhaustive Searches

When authenticating a user, OnBase does not search the remainder of the server groups once
the user is authenticated.

2011 Hyland Software, Inc.

21

Network Security

OnBase 11.0.0

To override this behavior and continue searching all server groups, in order to determine a
full list of the users user groups, select Exhaustive Search on the LDAP Servers dialog.

With this option selected, OnBase continues to search the server groups for the user even
after the user has been authenticated.

2011 Hyland Software, Inc.

22

OnBase 11.0.0

Network Security

Note: If a server is disabled, it is not searched for users even if Exhaustive Search is selected.

Whether a server is enabled or disabled is listed under the Status column. See Primary,
Backup, and Disabled Servers on page 20 to enable or disable a server.
WINDOWS INTEGRATION AND TRUSTED DOMAINS
You can add trusted domains to authenticate against in the Windows Integration pane of
LDAP Servers dialog.

2011 Hyland Software, Inc.

23

Network Security

OnBase 11.0.0

To add a trusted domain to the list, enter the domain name in the field at the bottom of the
Windows Integration pane and click Add. To delete a domain from the list, select it and click
Delete.
To allow autologons only for users in domains added to the trusted domains list, select
To allow authentication to all
available domains, deselect this option.

Restrict Autologon to Windows User in Trusted Domains.

Additional Settings for NT and LDAP Authentication

If you configure OnBase to use Windows NT Security or LDAP Security, the following options
are also available:

Interactive User Authentication

Active Directory Username Mapping Attribute

Synchronize User Attributes on Auto-Logon

2011 Hyland Software, Inc.

24

OnBase 11.0.0

Network Security

Authentication Only on Auto-Logon

Interactive User Authentication

Select the Interactive User Authentication option to prompt users for authentication
credentials in order to log in to OnBase. This can be useful in situations where multiple
OnBase users all use the same workstation under the same domain or Windows log in (for
example, a generic scanning workstation).

Select Thick Client to require a log in to the OnBase Client and Configuration
modules.
Select Core Services to require a log in to all Core-based modules.

2011 Hyland Software, Inc.

25

Network Security

OnBase 11.0.0

If Interactive User Authentication is not selected, external authentication schemes are treated
as autologons. This means that users are not prompted to log in to OnBase, and the domain
or Windows user account currently logged in is used to authenticate the user in OnBase.
Note: Anonymous access to the OnBase Web server and application server virtual directories

should be enabled when Interactive User Authentication is enabled.

Active Directory Username Mapping Attribute
The Active Directory Username Mapping Attribute option is only for use with Windows NT
or LDAP Security when auto-logon is also being used. The default value is
sAMAccountName, which is the Windows UserID attribute.

Security

The Active Directory Username Mapping Attribute option allows administrators to specify
which Active Directory attribute to use when looking for the corresponding OnBase user
account of the Active Directory user currently logged in. In other words, the attribute used to
perform the group lookup in Active Directory (i.e., the attribute under which the user is
logged in to Windows) may be different from the attribute used to create that users account
in OnBase.
For example, in OnBase, a users account user name is JSMITH, but in Windows the user logs
in as ahdme001 and has the Active Directory displayName attribute set to JSMITH. In order
for this user to successfully log in to OnBase using auto-logon, the Active Directory
Username Mapping Attribute must be set to displayName. With this configuration, the user
logs on to Windows as ahdme001 but is authenticated in OnBase under the JSMITH user
account.
Caution: When specifying an Active Directory Username Mapping Attribute, you must choose an

attribute that has a unique value for each user in Active Directory. If a non-unique attribute is chosen,
it is possible that multiple Active Directory users will be mapped to a single user account in OnBase.
ADDITIONAL CONSIDERATIONS FOR LDAP SECURITY
In order to use the Active Directory Username Mapping Attribute option with LDAP Security
you must also edit the LDAP server settings to change the attribute for the user class that
maps to the OnBase user so that the LDAP attribute corresponds to the Active Directory
attribute being used.
When using auto-logon with LDAP, OnBase determines the currently logged-in Windows
user and extracts the specified Active Directory Username Mapping Attribute value
(sAMAccountName by default), then uses that value to query the LDAP server for a matching
user.

2011 Hyland Software, Inc.

26

OnBase 11.0.0

Network Security

Synchronize User Attributes on Auto-Logon

Select the Synchronize User Attributes on Auto-Logon option to automatically update the
users OnBase account with changes made to the logged-in users real name or e-mail address
in NT or LDAP since the last login. The default behavior is to not update these attributes in
OnBase.
Note: If the users real name or e-mail is deleted, that attribute is not deleted from OnBase.

To use this feature with LDAP, the LDAP configuration must include values for the
Fullname and E-Mail Address attributes (see User Mapping on page 17).
Authentication Only on Auto-Logon
If this option is selected, NT and LDAP autologons do not perform any group membership
synchronization with the external system. The external system is only used to perform user
authentication. All group membership configuration must be completed in OnBase.
This means that OnBase no longer creates a new user account the first time a user logs in to
OnBase. In order to add the user to OnBase, an administrator must manually create the user
account.
Note: This setting should be selected for Institutional Databases. This setting does not affect

the behavior of the Synchronize User Attributes on Auto-Logon option.

2011 Hyland Software, Inc.

27

Network Security

OnBase 11.0.0

Integrating OnBase User Groups with Domain User Groups

To remove users from an OnBase User Group when they are removed from the
corresponding domain user group, in order to keep a one-to-one relationship between the
domain and OnBase User Groups, complete the following steps:
1. In the Configuration module, select User Groups/Rights from the Users menu. The User
Groups & Rights dialog box is displayed.
2. Select a user group from the list and click the Authentication Settings button. The
Authentication Settings dialog box is displayed.

3. Select Remove users from this group if no matching domain group found.
4. Click OK.
With this option enabled, theOnBase User Group is checked against the corresponding
domain user group at log in if autologon is also used. If the user logging in is a member of the
OnBase User Group but is not a member of the corresponding domain user group, the user
is removed from that OnBase User Group.
Caution: This option will remove users from OnBase User Groups if the user groups do not exist on

the domain. Make sure your OnBase User Groups have the same names as the corresponding domain
user groups. The group names do not need to have matching cases (for example, AdminUsers is
considered the same as adminusers or ADMINUSERS).

2011 Hyland Software, Inc.

28

OnBase 11.0.0

Network Security

Adding Users to OnBase with LDAP and NT Authentication

When logging in to OnBase with a user name that doesnt exist in OnBase, the user is
automatically added to OnBase as long as:

The user is authenticated on the LDAP server or NT domain

and the corresponding User Groups exist in OnBase.

Note: If your system uses Institutional Databases, users must always be manually created and

added to the correct Institution before the user can be authenticated using NT or LDAP. See
Authentication Only on Auto-Logon on page 27.
When a user account is created in this way, the users e-mail address and real name values are
populated in OnBase using the values from the domain. The user is also added to the OnBase
User Groups that correspond to the domain user groups that the user is a member of.
Note: If a User Template has been configured in OnBase, those user settings are applied to

new user accounts. See User Groups & Rights in the System Administration module reference
guide for details.

ENABLING AUTOLOGON
The OnBase Client, Web Client, Java Web Client, and Desktop can all be configured to enable
autologon.

OnBase Client
To enable autologon in the OnBase Client, append the -AL command line switch to the
OnBase Client.

Web Client
To enable the Web Client for NT or LDAP Authentication, you must set the
EnableAutoLogin key of the OnBase web servers Web.Config file to true:
<add key="EnableAutoLogin" value="true"/>

This attribute is automatically set to true if you installed the OnBase web server with NT/
LDAP Authentication enabled.
If this value is set to false, the Web Client and any modules that access OnBase via the
OnBase web server use standard OnBase authentication. User accounts must be configured
in OnBase for any users who have to log in in this way.

2011 Hyland Software, Inc.

29

Network Security

OnBase 11.0.0

Tip: See also, Additional Settings for the OnBase Web Server on page 33.

Multiple Sites Configuration

If you need some modules to use NT or LDAP Authentication and others to use standard
OnBase authentication to log in, two instances of the OnBase web server must be installed to
different virtual directories (e.g., http://web-server/AppNet1 and http://web-server/
AppNet2). One instance of the OnBase web server is then configured with the
EnableAutoLogin value set to true, meaning the NT or LDAP method configured for the data
source is used to log in, while the other has it set to false, meaning standard OnBase
authentication is used to log in, regardless of the NT/LDAP configuration.
Note: If this value is set to false, user accounts must be configured in OnBase for any users

who have to log in using standard OnBase authentication.

The modules are then configured to access OnBase using the appropriate OnBase web server
for the desired authentication method. Both OnBase web servers can still connect to the
same data source and will work together as one system.
Java Web Client
When NT authentication is used with the Java Web Client, the logon behavior varies
depending on the users browser and platform. The following table describes the expected
automatic logon behavior for each browser and platform when the user who logged on to the
computer has permission to access the Web Server virtual directory.
Internet Explorer

Firefox

Safari

Mac

N/A

The user is prompted twice for

credentials: once by the
browser, and once by the Java
Runtime Environment (JRE).

The user is prompted

once for credentials by
the Java Runtime
Environment (JRE).

Windows

Automatic and interactive

logon behave the same
as they do in the OnBase
Web Client.

The user is prompted once for

credentials by the browser.

N/A

2011 Hyland Software, Inc.

30

OnBase 11.0.0

Network Security

Complete the following steps to prevent Firefox browsers from prompting users for
credentials on either Mac OS X or Windows. When using Firefox on Mac OS X, users will
still be prompted once for credentials by the JRE.
1. From an open Firefox window, type about:config into the address bar.
2. Locate the following settings: network.automatic-ntlm-auth.trusted-uris (for NTLM)
and network.negotiate-auth.trusted-uris (for Kerberos). To quickly locate these settings,
type auth in the Filter field provided.
3. Modify these settings by adding a comma-delimited list of trusted servers. When a user
accesses the Java Web Client on these servers, the browser will not prompt the user for
credentials.
4. Restart Firefox. If the user who logged on to the computer has permission to access the
Web Server virtual directory, the browser will not prompt the user for credentials.
To allow Mac users to log on using NT authentication, additional steps may be required. If
you encounter the error HTTP Error 401.1 - Unauthorized: Access is denied due to invalid
credentials, see the Microsoft KB article located at the following URL:
http://support.microsoft.com/kb/871179

Desktop
When using the Desktop, authentication credentials are encrypted before they are passed over
HTTP from the Desktop to the server.
NT or LDAP authentication is supported in the Desktop by selecting the Domain Security
installation option in the Hyland Client Components installer when the Desktop is installed.
No further configuration is needed.
Note: NT or LDAP Authentication must already be configured for the datasource before

installing the Desktop with the Domain Security option selected.

When connecting to OnBase using the Desktop on a computer that is not connected to a
domain, LDAP Authentication can be used to log in as long as it is configured to use
Interactive Authentication and the Restrict Autologon to Windows User in Trusted Domains
option is not selected. If the client machine is not connected to a domain, LDAP with
autologon is not supported. NT Authentication always requires that the client machine is
connected to a domain.
The Desktop also respects the Interactive User Authentication check box option for Core
Services (see, Interactive User Authentication on page 25). Select this option to prompt users
for authentication credentials in order to log in to the Desktop.

2011 Hyland Software, Inc.

31

Network Security

OnBase 11.0.0

If Interactive User Authentication is not selected, users are not prompted for authentication
credentials and are automatically logged in to the Desktop, as long as the following Windows
registry key exists and has the correct value:
HKEY_LOCAL_MACHINE\SOFTWARE\Hyland\DMDesktop\NTAuthenticationDatasource.

Note: For 64-bit systems, this registry key is:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Hyland\DMDesktop\NTAuthentication
Datasource

This registry key must be created manually. Set the type to String (REG_SZ) and set the value
to the ODBC datasource name for OnBase.

Caution: Changes to the Windows registry can damage your system if they are done incorrectly.
Ensure you add or update only this registry key when enabling autologons. Contact your first line of
support for further information or assistance.

See also, Additional Settings for the OnBase Web Server on page 33 for additional
configuration settings.

INTEGRATION FOR SINGLE SIGN ON WITH NT OR LDAP

AUTHENTICATION
Integration for Single Sign On can be used with NT or LDAP authentication. To use
Integration for Single Sign On with NR/LDAP, set both the EnableAutoLogin and
forceSSOAutoLoginOverDomain web.config settings to true. The settings are described below.

EnableAutoLogin
EnableAutoLogin - Set this value to true to use Windows NT Security, Novell Security, or
LDAP Security if one of these network security options is enabled in OnBase Configuration.
Set to true also when using Integration for Single Sign-On. Set this value to false to use
Normal System Security regardless of your network security option. When using Integration
for Single Sign-On, set this value to false if bypassing the Single Sign-On security is required.
When doing this, a user can log into OnBase using any valid username and password on any
workstation.

forceSSOAutoLoginOverDomain

2011 Hyland Software, Inc.

32

OnBase 11.0.0

Network Security

forceSSOAutoLoginOverDomain - works

with autologon when the database is configured for

NT/LDAP authentication but the desired configuration for the virtual directory is Single
Sign-On autologon, not NT/LDAP. The modules EnableAutoLogin setting must be set to
true.
Set forceSSOAutoLoginOverDomain to true to ignore the database domain authentication
settings and use OnBase authentication when logging in. The autologon (enabled by
EnableAutoLogin), combined with the use of OnBase authentication over domain
authentication, causes Single Sign-On to retrieve user credentials from the Single Sign-On
provider (SAP, PeopleSoft or SiteMinder, for example). This creates an autologon using
Single Sign-On.
This allows the virtual directory to ignore the NT/LDAP settings in the database and always
use OnBase authentication (username/password OR Single Sign-On). If Single Sign-On is
configured on the virtual directory and autologon is enabled, users will be able to
automatically log on to OnBase via Single Sign-On.
A separate virtual directory can be configured with forceSSOAutoLoginOverDomain set to
to log in users automatically via NT/LDAP.

false

Note: This setting is intended for VPN usage.

ADDITIONAL SETTINGS FOR THE ONBASE WEB SERVER

When using NT or LDAP Authentication with the OnBase web server, the
AllowNTAuthenticationOnForwarding attribute in the web.config file of the OnBase web
server must be set to TRUE. If NT/LDAP authentication is configured for the OnBase web
server during its installation, this attribute is already set to TRUE.
When using NT/LDAP Authentication with the Desktop or the Web Client you must make
sure anonymous access to the virtual directories for the OnBase web and application servers
is disabled. This is disabled by default when the servers are installed, if you select to use NT/
LDAP Authentication during installation.
When Anonymous Access is disabled, the servers must be added as trusted sites (see below).
Note: Anonymous access to the web server and application server virtual directories should

be enabled when Interactive User Authentication is enbaled.

2011 Hyland Software, Inc.

33

Network Security

OnBase 11.0.0

Setting Access to the Application Pools

To use NT Authentication, it is recommended that access to the application pools is set to use
the Network Service account and the applications running in the application pool are
configured to use impersonation. The impersonation account should be a member of the
Account Operators group (i.e., have the Account Operator right).
Note: Depending on the network configuration, the application pools need multiple rights to
get group information for a user from all relevant domains. In most situations the Account
Operators group has sufficient rights to perform this task. Your network administrator can
determine a viable alternative to the Account Operators group if it lacks sufficient rights.

To assign a user to the application pools:

1. Click Start, then right-click My Computer and select Manage to enter the Computer
Management console.
2. Click the plus sign next to Services and Applications.
3. Click the plus sign next to Internet Information Services.
4. Click the plus sign next to Application Pools.
5. Select the Application Pool that the OnBase virtual directory you are configuring uses
(AppNet is the default virtual directory for the OnBase web server; AppServer is the
default virtual directory for the application server).
6. Right-click and select Properties.
7. Click the Identity tab.
8. Select the Configurable radio button.
9. Enter the User name and Password for the user you want this application pool to use.
10. Click OK.
11. Select File | Exit to exit Computer Management.
Repeat this process for both the OnBase web and application servers, if both servers are
installed.

2011 Hyland Software, Inc.

34

OnBase 11.0.0

Network Security

Adding the Web Server as a Trusted Site

OnBase products that rely on the Web Server work best when the Web Server is added to
Internet Explorers Trusted Sites. To add your server as an Internet Explorer Trusted Site,
perform the following steps:
1. Go to Tools | Internet Options, and click on the Security tab.

2011 Hyland Software, Inc.

35

Network Security

OnBase 11.0.0

2. Click Trusted sites. Click the Sites button to display the Trusted sites dialog box.

3. Type the URL of your Web Server into the field labeled Add this Web site to the zone.
Click Add, and the Web Server address will show up in the list in the Web Sites window.
Certain features of OnBase will exhibit unusual behavior if your Web Server is not listed
under Trusted Sites. For example, when you create a new envelope, the header bar may
display VBScript instead of Create New Envelope, due to security restrictions imposed on sites
which are not in the list.

Setting Automatic Logon in Internet Explorer

1. From the Security tab in the Internet Options dialog, ensure that Trusted sites is the
selected web content zone.
2. Click the Custom Level... button in the Security level for this zone box to open the
Security Settings dialog.

2011 Hyland Software, Inc.

36

OnBase 11.0.0

Network Security

3. Scroll down to the bottom, and under User Authentication, ensure that Automatic logon
with current username and password is selected.

2011 Hyland Software, Inc.

37

Network Security

OnBase 11.0.0

2011 Hyland Software, Inc.

38

INSTALLATION

The Network Security module is natively available in OnBase. To access it, simply append
the -ROMANZO switch to the Configuration module executable before launching it.
Caution: Before using features enabled by the -ROMANZO switch, ensure that you understand the

feature and implications of any changes to your system. Contact your service provider with any
questions regarding these features. Features enabled by the -ROMANZO switch should not be made
available to the casual user. Remove the -ROMANZO switch after completing necessary actions.

REQUIREMENTS
LDAP Directory Service
For LDAP Authentication the directory service software must be compatible with LDAP
version 3.

About Virtual Environments

Hyland Software develops, tests, and supports the OnBase suite of products on specific
Operating Systems, not specific hardware configurations. When OnBase is operated in a
virtual environment (such as Citrix, VMware, Hyper-V, or Windows Remote Desktop)
there may be limitations or subtle differences imposed by the environment. The customer
and the virtual environment vendor are responsible for any interactions or issues that
arise at the Hardware or Operating System layer as a result of their use of a virtual
environment.
When it appears that an OnBase performance-related issue is either caused by (or is
unique to) the virtual environment, organizations may be asked to validate that the issue
occurs in a non-virtual environment. Hyland Software will make this request if there is
reason to believe that the virtual environment is a contributing factor to the issue.

2011 Hyland Software, Inc.

39

Network Security

OnBase 11.0.0

Each OnBase site is unique. Hyland Software depends on the customers who deploy OnBase
in virtual environments to do so only after careful design and adequate planning (that takes
into account the workloads of your organization), and in accordance with recommendations
provided by the virtual environments vendor. As with any implementation, Hyland Software
strongly recommends that any customer deploying an OnBase solution in a virtual
environment thoroughly test the solution before putting it into production.
For information about using OnBase in a Citrix and Microsoft Windows Remote Desktop
environment, please see the OnBase in a Citrix and Microsoft Windows Remote Desktop
Environment reference guide, available from your solution provider.

64-Bit Support Statement

The OnBase suite of products is tested on 64-bit systems and is capable of being deployed on
64-bit systems using the Windows 32-bit on Windows 64-bit Emulator (WOW64) layer.
However, OnBase modules that integrate with third-party applications may not be able to be
used with the 64-bit versions of these applications. For these modules, only the 32-bit
versions of these third-party applications are currently supported by the OnBase integrations.
Consult the module-specific requirements section in each module reference guide for
complete requirements details.

Supported database versions that are deployed on a 64-bit database server are also supported.
For more information, contact your solution provider.

Windows User Account Control Statement

Hyland Software is dedicated to ensuring that OnBase is compatible with Windows User
Account Control (UAC). UAC is a feature of Windows operating systems that was introduced
with Windows Vista. It limits the ability of standard users to make global system changes to a
workstation and prevents malicious software from making unauthorized changes to protected
areas.
For details on UAC, refer to your Microsoft support information or see http://
technet.microsoft.com/en-us/library/cc709691(WS.10).aspx.
You may encounter UAC in OnBase when:

Installing or uninstalling OnBase, an OnBase module, or OnBase ActiveX controls.

Copying, moving, or saving files to the Program Files directory, Windows directory, or
another protected location.

Modifying system-wide settings, such as the registry.

If Windows UAC is enabled, the above operations will prompt for administrator privileges,
even if an administrator is currently logged on.

2011 Hyland Software, Inc.

40

OnBase 11.0.0

Network Security

Data Execution Prevention (DEP)

Data Execution Prevention, or DEP, is a Windows feature that prevents execution of code
from places where it should not be executed. DEP was introduced with the release of SP1 for
Windows Server 2003 and SP2 for Windows XP. DEP is also included with Windows Vista,
Windows Server 2008, and Windows 7. Two kinds of DEP may be present on any system
running these operating systems: DEP software and hardware-based DEP. Each type of DEP
prevents a different type of undesired code execution. DEP software is contained in all
Windows operating systems (of the above-listed versions and later) by default. Hardwarebased DEP, or computer-hardware enforced protection, requires a processor that will support
hardware-based DEP. Processors that support hardware-based DEP do so through a set of
instructions on the processor that implement the hardware protection. Hardware-based DEP
is only used in Windows when such a processor is present.
If there is an issue with OnBase as a result of DEP, make sure an exception for OnBase has
been created in your DEP settings.
Determining DEP Settings
The following instructions will help you determine whether DEP settings need to be adjusted
on your system:
1. Log on to your operating system with administrator rights.
2. Click the Start button. Right-click on My Computer and select Properties. The System
Properties dialog box displays.
3. Select the Advanced tab.
4. Select the Settings button in the Performance section. The Performance Options dialog
box displays.
5. Select the Data Execution Prevention tab.
When configuring DEP, two options are present to choose from: Turn on DEP for
and Turn on DEP for all programs and
services except those I select. The first option is selected by default for Windows XP
and Vista operating systems. The second option is selected by default in Windows Server
2003 operating systems. When DEP is only turned on for essential Windows programs
and services, OnBase will perform normally. However, when Turn on DEP for all
programs and services except those I select has been chosen, and hardware-based DEP
is enabled, exceptions need to be configured to exempt OnBase from DEP.
essential Windows programs and services only

2011 Hyland Software, Inc.

41

Network Security

OnBase 11.0.0

Note: Text at the bottom of the Data Execution Prevention tab will indicate whether

hardware-based DEP is supported on your system.

Configuring Exceptions to DEP Settings
To configure exceptions to DEP settings:
1. In the Data Execution Prevention tab, the Turn on DEP for all programs and services
except those I select option should be already selected.
Caution: Do NOT select this option if it is not already selected. Selecting this option enables a higher

DEP security level, which could potentially cause issues with other applications on your system.
2. Click Add...
3. Browse out to the location of your OnBase Configuration and/or Client executable files.
Click Open.
Note: The location of the executables must be full paths.

2011 Hyland Software, Inc.

42

OnBase 11.0.0

Network Security

4. Selected applications will display in the exceptions list.

If you continue to experience problems, consult your service provider.

INI File

2011 Hyland Software, Inc.

43

Network Security

OnBase 11.0.0

INI files (initialization files) are plain-text files that contain configuration information. These
files are used by Windows and Windows-based applications to save and access information
about your preferences and operating environment. OnBase uses an initialization file named
onbase32.ini. If a user does not have rights to access the onbase32.ini file, that user will be
unable to use the Client or Configuration modules.
The onbase32.ini file is primarily used to store settings specified in the Client or
Configuration module. For example, when a user selects a default data source in the OnBase
Clients Workstation Options dialog box, this selection is saved to the onbase32.ini file. The
onbase32.ini file is also used to make modifications to OnBase modules that cannot be made
through the modules interface.
Previous File Location/File Name
Every version of the OnBase Client prior to 8.2.0 used an INI file named OnBase.ini. In
OnBase 8.2.0 and subsequent versions, the INI file was moved to a new location to be
consistent with changes Microsoft has made to Windows. Since the location has changed, the
name of the file has also been changed to alleviate some confusion between the needs of
OnBase 8.2.0 and installations of older executables. The new file name is onbase32.ini.
Location

The table below shows the default location of the onbase32.ini for supported operating
systems.
Operating System

Default Location

Windows XP

C:\Documents and Settings\All Users\Application Data\Hyland

Software

Windows Server 2003

C:\Documents and Settings\All Users\Application Data\Hyland

Software

Windows Vista

C:\ProgramData\Hyland Software

Windows Server 2008

C:\ProgramData\Hyland Software

Windows Server 2008 R2

C:\ProgramData\Hyland Software

Windows 7

C:\ProgramData\Hyland Software

2011 Hyland Software, Inc.

44

OnBase 11.0.0

Network Security

Note: To maintain backwards compatibility with previous versions of OnBase, OnBase will
check the workstations C:\Windows folder for the OnBase INI file if it is not found in the
folder specified above. If the OnBase INI file is found in the C:\Windows folder, OnBase will
copy the file to the new location. The previously-existing version of the OnBase INI file will
remain in the C:\Windows folder, but will no longer be used by OnBase.

Your onbase32.ini file may reside in a different location, if that location is specified by the
following command line switch on the OnBase Client shortcut target.
-INIFILE= "full path\filename",

where full path and filename are replaced by the specific

path and file name.

If this command line switch is not used and you move or rename your onbase32.ini file,
OnBase will recreate the file in the default folder and ignore the newly created file.
INI Considerations in a Citrix and Microsoft Windows Remote Desktop
Environment
In remote desktop environments, a remote session is established in which the user is running
applications that are not installed locally. This presents a challenge when an application, such
as OnBase, requires a user-specific INI file to establish unique settings. In a remote desktop
environment, you must ensure that each user has a single, unique INI file to make sure any
user-specific settings are consistent for that user.
Note: The default location of the OnBase INI file is not unique in a remote desktop

environment.
To ensure that the INI file is accessible by OnBase and unique to each user in a remote
desktop environment, the -INIFILE command line switch must be applied to the OnBase
Client shortcut and be set to a unique location for the INI file.
Note: Additional details regarding the deployment of OnBase in a remote desktop
environment is discussed in detail in the OnBase in a Citrix and Microsoft Windows Remote
Desktop Environment module reference guide, available from your first line of support.

2011 Hyland Software, Inc.

45

Network Security

OnBase 11.0.0

Editing the INI File

Users with the Configuration Product Right can open the onbase32.ini file from the OnBase
Client by selecting Admin | Utilities | Edit INI File. When multiple onbase32.ini files exist,
opening the onbase32.ini file from the OnBase Client ensures that a user is editing the correct
onbase32.ini file instance. In most cases, this will be the onbase32.ini file residing in the
default directory described above. If an alternate location for the onbase32.ini file is specified
by the -INIFILE command line switch, the file in the specified location will be opened.

TROUBLESHOOTING
LDAP/NT authentication errors and messages are written to the LDAP/NT Authetication tab
of the Diagnostics Console. See the Diagnostics Service and Diagnostics Console module
reference guide for details on using the Diagnostics Console.
The following sections describe common problems and the solutions to them.

HTTP Error 401.1 - Unauthorized: Access is denied due to invalid

credentials

This is a known issue when using IIS 6.0. See Microsoft technical article 871179 at http://
support.microsoft.com/kb/871179 for more information.

(Autologin) No matching usergroups were found, access denied

This error message may be displayed when attempting to automatically log on to the OnBase
Client using LDAP authentication with Microsoft Active Directory. The cause is usually
incorrect settings in Configuration for the User and User Group mappings.
It is a best practice to use the suggested values for the mappings, as outlined in Configuration
under User Mapping on page 17 and Group Mapping on page 18. If your system is already
configured with the suggested values and this error is still encountered, please contact your
first line of support for additional assistance.

CONTACTING SUPPORT
When contacting your solution provider, please provide the following information:

The OnBase module where the issue was encountered.

The OnBase version and build (Example: 11.0.0.571) and/or the Core Services
version and build (Example: 11.0.0.6).

2011 Hyland Software, Inc.

46

OnBase 11.0.0

Network Security

The type and version of the connected database, such as Microsoft SQL Server 2008
or Oracle 11g, and any Service Packs that have been installed.

The operating system that the workstation is running on, such as Windows XP or
Windows Server 2008, and any Service Packs that have been installed. Check the
supported operating systems for this module to ensure that the operating system is
supported.

The name and version of any application related to the issue.

The version of Internet Explorer, and any Service Packs that have been installed, if
applicable.

A complete description of the problem, including actions leading up to the issue.

Screenshots of any error messages.

Supplied with the above information, your solution provider can better assist you in
correcting the issue.

2011 Hyland Software, Inc.

47

Network Security

OnBase 11.0.0

2011 Hyland Software, Inc.

48