Authentication tab

 On the Authentication tab of the Properties window, you define whether logging on to CAS genesisWorld using Windows authentication is permitted.

In general, users have multiple options for logging on to CAS genesisWorld:

• The user name and the password of CAS genesisWorld are used.

• User: General tab

• The Windows user name and password are used.

Users accounts automatically allocated in CAS genesisWorld and Windows if you work with the Active Directory.

• User Management area: Active Directory integration

• The CAS Authentication Server offers another option for CAS genesisWorld Web and the mobile app.

The Use Windows authentication button is also displayed on the logon page of the CAS Authentication Server.

If a user clicks the button, the settings defined here on the Authentication tab apply. Thus, users can also log on using their Windows credentials when logging on via the CAS Authentication Server.

For users to be able to log on using their Windows credentials, you need to activate either the Support integrated Windows authentication or the Use Windows logon data option here on this tab. In addition, users must have logged on to CAS genesisWorld Web within the company network once before to use the Windows authentication outside the network.

• Server Manager: CAS Authentication Server

Active Directory

If the Active Directory is used, a mapping of CAS genesisWorld users and Windows users is created via a SID (Security Identifier).

With the settings on the Authentication tab, you can define whether you use the mapping via the SID (Security Identifier) not at all, partly, or entirely.

• If you use the mapping, the SID (Security Identifier) is locally saved when logging on in the internal network.
• When logging on without access to the internal network, the logon data is compared to the locally saved value. If both values match, the user can log on.
• As the SID (Security Identifier) is locally saved, logging on using the Windows logon data is also possible without access to the internal network, for example, with laptops and when deploying the replication.
• If the password has been changed, users need to log on again to the internal network before they can access from externally.

LDAP access

Users can also log on via a publicly accessible application server without accessing the Active Directory using a LDAP access.This LDAP access is set up for a user account in the Management Console.

• Defining LDAP access

In addition to the SID (Security Identifier), a hash value is created from the password of a user of CAS genesisWorld. The hash value is stored in the CAS genesisWorld database.

Users can log on without access to the internal network if they have previously logged on with access to the internal network and the hash value has been saved in the database. If the password has been changes, they need to log on to the network again.

<ntuser>

In the desktop client and CAS genesisWorld Web, you can enter <ntuser> or no value in the user name field to log on using the current Windows user. The current Windows user is identified by the client on the currently used computer. This authentication is stored locally, transferred encrypted via the SID (Security Identifier) when logging on to the client, and checked.

The same as before applies here: Users can log on without access to the internal network if they have previously logged on with access to the internal network and their password has not been changed.

You cannot log on to the mobile app using the <ntuser>. You can also not use this logon option if you use the CAS Authentication Server.

When does CAS genesisWorld require a password?

• Before exporting more than one data record from CAS genesisWorld, you can define that users need to enter their password.

• User management/Security settings

• Using programs that support LDAP, you can select and use addresses, users, or groups from CAS genesisWorld, for example, in Microsoft Outlook for e-mails. This requires the CAS genesisWorld user name and password.

You need to activate the LDAP service in the Server Manager and set up the LDAP access in the program that supports LDAP on the user's computer.

• Server Manager: Setting up LDAP

Benefits when using Windows credentials

• Users can now log on using the same user name and password for both Windows and CAS genesisWorld. Therefore, the users only have to remember one password and if the Windows password is changed, the changed password can also be used in CAS genesisWorld.
• If users do not enter a user name when logging on to the desktop client and click the Log on button, the system automatically attempt to log on using the current Windows user. In the process, the default database is accessed.
• A Windows account can be locked after several incorrect entries. The different logon options are checked in a specific order so that the automatic account lock is ideally not triggered by technical circumstances.

• Checking of logon trials

Options on the tab

The options have different results for users depending on the used client.

No Windows authentication

Support integrated Windows authentication

The user accounts and groups from the Active Directory are displayed. You change the automatic assignment with the Change assignment button. This assignment is necessary if you use the Windows logon data or the Windows authentication.

Support integrated Windows authentication and Allow only Windows authentication

If you activate the Allow only Windows authentication option, the mapping is used, which transfers the logon data of the Windows user to CAS genesisWorld.

We recommend that the Allow only Windows authentication option is only used in particular cases.

The option is automatically deactivated for all users of you activate the Enter the password again before exporting option in the Security settings folder.

• User management/Security settings

Use Windows logon data

The Use Windows logon data option is recommended for many cases.