When Conquest III is installed, the Web Site uses ‘Application User (pass-through authentication)’ by default. This form of authentication uses the Kerberos protocol and is recommended by Conquest Solutions because it:
•Improves security of the data used by Conquest III inside the network
•Meets the requirements of Customers using third party applications needing individual User Accounts to identify data from Conquest
•Has advantages as follows:
•It is a newer technology than NT LAN Manager (NTLM)
•Is Faster than NTLM
•Uses Mutual Authentication – client to service/service to client
•Is Open Standard
•Uses Delegated Services to decrease the opportunity for misuse/mischief.
•Is Smart card logon capable, which protects passwords
Before installing Conquest III for the first time, set up the servers hosting it, to use Kerberos Authentication. Although the initial set up in Active Directory is complex, once done it will rarely need changing. See the Active Directory section for details.
Once Kerberos Authentication is set up, it will persist and will allow future Conquest III versions to be installed and run “out of the box” on the same Web Server, with no further configuration, until such time as the Active Directory Servers involved with Conquest III are significantly reconfigured.
The Active Directory administrator must be able to configure the following:
•Active Directory for Application User (Pass-through authentication)
•The Public Firewall, if Conquest III is to have public access. See Publishing Conquest III on Forefront TMG for details
•IIS
•SQL Server connection
•SQL Server Reporting Services
If Application User Pass-through authentication is not required then Service Account Authentication must be used