Configuring CCF Security Extensions
CCF provides Security Extensions for the CCF Server to develop a CCF Infrastructure that allows inter-domain operability. Security Extensions are ideal for scenarios where agents are spread across domains, accessing a common CCF Server, and the domains do not have mutual trust. You must create profiles for agents from other domains (outside the CCF Server domain) using the Credential Mapping in the Admin Console, before the agents can access the CCF Server. For more information about Credential Mapping, see Managing Credential Mappings.
The image below shows the inter-operability of agent machines and CCF Server, when security extensions are deployed.
The CCF Security Extensions were developed to help ensure the security of data in different CCF deployment scenarios. If credentials are configured properly, the following steps occur:
- The agent starts the Integrated Desktop application.
- The Agent Desktop displays a logon dialog box.
- The agent enters his or her logon credentials.
- The corresponding CCF-AD (Active Directory) credentials are sent to the Agent Desktop application. This set of credentials is used for all further Web service communication.
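In all further Web service calls from the Agent Desktop, the client credentials are overridden by the CCF-AD credentials. This is accomplished by assigning the result of the AgentCredentialUtilities.GetCurrentCredential method to the client's Windows credential: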
client.ClientCredentials.Windows.ClientCredential = AgentCredentialUtilities.GetCurrentCredential();
The method returns the CCF-AD credentials if the security extension feature is enabled. It returns the default credentials if the security extension feature is disabled. For any client created in public code, it is good practice to override the default credentials as described above.
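One way to apply the override described above consistently is to route every client through a single helper before it is opened. This is an added example, not CCF code: CcfClientCredentialGuard, ICustomerLookup, CustomerLookupClient and the endpoint URL are hypothetical, and the credential source is passed in as a delegate (assumed to be AgentCredentialUtilities.GetCurrentCredential returning a NetworkCredential) so the file compiles without the CCF assemblies.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hypothetical helper (not part of CCF): applies the credential override in one
// place so that no Web service client goes out with the default credentials.
public static class CcfClientCredentialGuard
{
    // credentialSource is assumed to be AgentCredentialUtilities.GetCurrentCredential.
    public static void Apply<TChannel>(
        ClientBase<TChannel> client, Func<NetworkCredential> credentialSource)
        where TChannel : class
    {
        if (client == null) throw new ArgumentNullException("client");
        if (credentialSource == null) throw new ArgumentNullException("credentialSource");

        // ClientCredentials becomes read-only once the client is opened, so the
        // override has to happen while the client is still in the Created state.
        if (client.State != CommunicationState.Created)
            throw new InvalidOperationException(
                "Credentials must be overridden before the client is opened.");

        // Fail closed: never fall through to whatever identity the process has.
        NetworkCredential credential = credentialSource();
        if (credential == null)
            throw new InvalidOperationException(
                "No credential was returned for the current agent.");

        client.ClientCredentials.Windows.ClientCredential = credential;
    }
}

[ServiceContract]
public interface ICustomerLookup // hypothetical contract, for illustration only
{
    [OperationContract]
    string GetCustomerName(string customerId);
}

public class CustomerLookupClient : ClientBase<ICustomerLookup>, ICustomerLookup
{
    public CustomerLookupClient(Binding binding, EndpointAddress address)
        : base(binding, address) { }

    public string GetCustomerName(string customerId)
    {
        return Channel.GetCustomerName(customerId);
    }
}
```

A caller constructs the client, for example `new CustomerLookupClient(new WSHttpBinding(), new EndpointAddress("https://ccf.example.invalid/CustomerLookup.svc"))`, passes it to `CcfClientCredentialGuard.Apply(client, AgentCredentialUtilities.GetCurrentCredential)`, and only then makes the first service call.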
- (Scenario 1) The CCF server and the Agent Desktop client are in the same domain, and authentication is done through Active Directory.
- (Scenario 2) The Agent Desktop client operates in one domain and the CCF server operates in another domain. Both use Active Directory, but they use separate Active Directory domains. The agent logs on to the Agent Desktop on the client computer, and his or her credentials are validated on a separate server.
- (Scenario 3) The Agent Desktop operates in its own domain and uses a different, third-party authentication protocol, such as Lightweight Directory Access Protocol (LDAP). The CCF server operates in another domain under Active Directory. Mappings between the third-party account and the CCF-AD account are stored separately. The agent enters his or her logon credentials, which are sent to the third-party protocol for authentication. When the third-party protocol successfully authenticates the user, it notifies the CCF server, and the corresponding CCF-AD credentials are stored in the Agent Desktop. CCF includes a tool to manage the mappings.
Note: In this scenario, you must make sure that users have permissions to write to log files.