Application User (pass-through authentication)

When Conquest III is installed, the Web Site uses ‘Application User (pass-through authentication)’ by default. This form of authentication uses the Kerberos protocol and is recommended by Conquest Solutions because it:

      Improves security of the data used by Conquest III inside the network

      Meets the requirements of Customers using third-party applications needing individual User Accounts to identify data from Conquest

      Has the following advantages:

            It is a newer technology than NT LAN Manager (NTLM)

            It is faster than NTLM

            It uses mutual authentication – client to service/service to client

            It is an open standard

            It uses delegated services to decrease the opportunity for misuse/mischief

            It is smart card logon capable, which protects passwords

Before installing Conquest III for the first time, set up the servers hosting it to use Kerberos Authentication. Although the initial setup in Active Directory is complex, once done it will rarely need changing. See the Active Directory section for details.

Once Kerberos Authentication is set up, it will persist and will allow future Conquest III versions to be installed and run “out of the box” on the same Web Server, with no further configuration, until such time as the Active Directory Servers involved with Conquest III are significantly reconfigured.

The Active Directory administrator must be able to configure the following:

      Active Directory for Application User (Pass-through authentication)

      The Public Firewall, if Conquest III is to have public access. See Publishing Conquest III on Forefront TMG for details

      IIS

      SQL Server connection

      SQL Server Reporting Services

If Application User Pass-through authentication is not required, then Service Account Authentication must be used.