Advizor Server AE Configuration

Secure Access

To configure ADVIZOR Server AE for secure access (HTTPS with Windows Authentication) on Windows Server 2008 or 2012 with IIS 7 or later:

  1. Configure IIS to support HTTPS connections.
    1. Open the IIS Manager console and select Sites in the expanding left pane.
    2. Ensure that the list of Bindings for your web site includes "*:443 (https)".
    3. If HTTPS is not included, edit the Bindings to add it, once you have obtained a commercial SSL Server certificate (or created a self-signed one). (See the Server Certificates feature of your server in IIS Manager.)
  2. Edit the web.config file in the ADVIZOR Server AE installation directory.
    1. Using Notepad (right-click and "Run as administrator" on Windows Server 2008 or 2012 with User Account Control enabled) or an XML editor, open the web.config file (normally in C:\Program Files\ADVIZOR Solutions\ADVIZOR Server AE).
    2. In the <system.serviceModel> section, edit the <bindings> subsection to comment out the <webHttpBinding>, <basicHttpBinding> and <customBinding> subsections for "http protocol anonymous access" and uncomment them for "https protocol with Windows authentication access". This can be done by simply moving the " -->" sequence from the end of the "http protocol anonymous access" line down 18 lines to the end of the next </customBinding> line, and moving the same sequence up 22 lines to the end of the "https protocol with Windows authentication access" line.
    3. Exit Notepad, saving the changed file.
  3. Configure the ADV web application to enable Windows authentication.
    1. Click on the ADV application (virtual directory) in the tree view pane of IIS Manager.
    2. In the Features View, double-click on the Authentication icon in the IIS section.
    3. Disable Anonymous Authentication and enable Windows Authentication.
  4. Specify the users and groups authorized to access the ADVIZOR Server AE web application.
    1. On Windows Server 2008 R2 (IIS 7.5) or Windows Server 2012 (IIS 8):
      1. Click on the ADV application in the IIS tree view.
      2. Double-click the .NET Authorization Rules icon (under ASP.NET).
      3. Add one or more Allow Rules, specifying the individual accounts or groups desired. (NOTE that this edits the web.config file, so be careful not to overwrite this change by re-saving the file from Notepad!)
      4. After you’ve added all your Allow Rules, add a Deny Rule to deny All Users access. (NOTE this is added after the local Allow Rules, so it denies access to all other users.)
    2. For Windows Server 2008 (R1—IIS 7.0), the .NET Authorization Rules icons are not available, so the web.config file must be edited manually, as in this example:
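
An added example, not taken from the ADVIZOR documentation: a constructed <authorization> section of the kind step 4 produces, with a Python check for the two mistakes that silently open access (no Deny rule, or a Deny rule placed above the Allow rules). The account and group names are placeholders, and audit_authorization is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the ADVIZOR documentation): the authorization
# section as it should look after step 4. Account names are placeholders.
GOOD = r"""<configuration>
  <system.web>
    <authorization>
      <allow users="MYDOMAIN\alice, MYDOMAIN\bob" />
      <allow roles="MYDOMAIN\Dashboard Users" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>"""
# Constructed failure cases: the Deny rule is missing, or sits above the Allows.
NO_DENY = GOOD.replace('<deny users="*" />', "")
DENY_FIRST = GOOD.replace("<authorization>", '<authorization><deny users="*" />', 1)

def _names(rule):
    # The users attribute is a comma-separated list; "*" = everyone, "?" = anonymous.
    return [n.strip() for n in rule.get("users", "").split(",") if n.strip()]

def audit_authorization(web_config_xml):
    """Return findings for the <authorization> rules; an empty list means OK.

    ASP.NET evaluates the rules top-down and stops at the first match; a user
    matching no rule here falls through to the inherited default, which allows.
    """
    auth = ET.fromstring(web_config_xml).find("./system.web/authorization")
    rules = [r for r in (auth if auth is not None else []) if r.tag in ("allow", "deny")]
    if not any(r.tag == "allow" for r in rules):
        return ["no Allow rules defined"]
    findings, deny_all_at = [], None
    for i, rule in enumerate(rules, start=1):
        everyone = "*" in _names(rule)
        if rule.tag == "allow" and (everyone or "?" in _names(rule)):
            findings.append("rule %d allows all or anonymous users" % i)
        elif rule.tag == "allow" and deny_all_at is not None:
            findings.append("rule %d is unreachable: deny-all at rule %d comes first" % (i, deny_all_at))
        elif rule.tag == "deny" and everyone and deny_all_at is None:
            deny_all_at = i
    if deny_all_at is None:
        findings.append("no deny-all rule: unlisted users are allowed by inheritance")
    return findings

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("no deny", NO_DENY), ("deny first", DENY_FIRST)):
        print(label, audit_authorization(cfg) or "OK")
```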

The ADVIZOR Server Project Directory page can then be accessed directly from any PC logged in with an authorized user account using any browser that supports Microsoft Silverlight, or from the ADVIZOR iPad app, at the address https://server.fqdn/adv. If the client PC login account is not in the list of authorized accounts, the browser will prompt the PC user for authorized credentials, as will the Advizor iPad app. Note that most browsers remember credentials for the life of the process, so subsequent connections to ADVIZOR Server AE will use the same credentials and not prompt, unless all windows of the browser are first closed. Note also that most trusted HTTPS certificates are specific to a fully-qualified domain name, so the full server name is usually required (e.g., advizor.mydomain.org). If the certificate is not trusted, Microsoft Internet Explorer will present a warning but allow you to connect anyway; other browsers may provide a way to proceed, but will not allow full communication with ADVIZOR Server AE, so the dashboard will not load. Please see the Troubleshooting section below for additional notes on using different browsers with Windows Authentication.

Non-Domain Environment

If you prefer to use Windows Basic Authentication (which transmits passwords unencrypted), you should use HTTPS protocol. (Note that the Basic Authentication role service needs to be installed for IIS before you can enable this Authentication method. Note also that the ADVIZOR iPad client does not support Basic authentication.) Add the following lines to the <bindings> section of the web.config file and comment out all other binding methods:

Publishing Projects

In order to use the Publishing Wizard in ADVIZOR Analyst and Analyst/X when ADVIZOR Server AE is configured to use Windows authentication, you must use an address that is recognized as a Local Intranet site by Internet Explorer. Such a site would be accessible in a browser without prompting for login credentials. Further, the site certificate must be fully trusted (i.e., not a self-signed certificate, ordinarily) in order to use HTTPS for publishing. Then projects can be published by setting the Server Address in ADVIZOR Analyst's Publish Dashboard dialog to http://server/adv or https://server/adv.

If you want ADVIZOR Server AE users to be able to export selected data from Data Sheets to text files, the project must be published with the Export Data option selected. However, in an environment with scheduled nightly updates, the project should be published initially with data not embedded, and the resulting ADV file in the Projects directory should be used as the master project file. The Adv2Advm utility will then preserve the setting of the Export Data option when the ADVM file is created.

Restrict Publishing Permissions

The list of users able to publish projects to ADVIZOR Server AE can be restricted when the Server is in Windows Authentication mode by changing the permissions for the file "AsiProjectInstaller.asmx" in the installation directory. Simply add Deny permission to the file for those that are not authorized to publish.

Credential-Based Filters

You can give different users restricted access to different segments of the data in a single project by editing an XML-format configuration file and linking it to the appropriate dimension when you publish. This feature is described in detail in the topic "Credential Based Filters" in the online Help. The basic technique is to list the Windows domain accounts of all the people who should have any access to the project and, for each, list the categories of some dimension that they should be able to see or not see. When the configuration file is in place and the project is published, the table and field containing the category values can be identified.

IMPORTANT!! Be sure that the data field you associate with the security strategy is NOT used in any Text Filter charts in the project! If it is, the credential-based filtering restriction could be overridden by end users changing Text Filter state from their browser or iPad session. A safe alternative is to create a copy of the field using the Expression Builder and use one in a Text Filter and the other for the credential-based filter.

Note that while there must be a "data security.config" file in the ADVIZOR Server AE Projects directory that defines all “Strategy Ids” and names, you may want to place the complete definition in a sub-folder to ensure that it is not removed or replaced in case of a software upgrade. Also, since the "strategy id" value is permanently stored in the published project, you should configure a value closely associated with the project(s) that will use it.

Controlling Access to Projects

Previous sections described how to configure ADVIZOR Server AE and IIS to control which Windows accounts have access to ADVIZOR Server AE and all projects published there (while using HTTPS protocol). If you'd like to further limit some users’ access to certain projects, you can use a simplified version of the Credential-based Filtering technique described just above. You can define a <Strategy> that simply lists user names that should be allowed access to the project; all other users will be denied access. For instance:
