
Authenticate Workflow

Created: 19 Jul 2012 | 6 comments

I built a client build wizard in Workflow to help our help desk out with building client machines. Right now anyone with the URL can launch it. I would like it to only work if the domain users are members of a couple of AD security groups. The goal is to have it pass through the authentication creds or challenge with a web form if the local creds are wrong or don't exist.


reecardo:

I'd use the Get Users in Group method in the ActiveDirectory library (not loaded by default). If the users exist, then hooray; if not, the flow aborts.

You should be able to pull the user logged in from the Get Current User comp.

b3tts32:

I've always used IIS and authorization rules for this pointing them to an AD security group. Only bad part is when you republish a workflow this gets reset to Allow All again. I've been meaning to create a workflow that will call scripts to change these settings but hadn't got around to it. I believe powershell has a few cmdlets to do the job.

DanGordon:

This is the authorization method I use and it means that I don't have to build it into the workflow itself. Although, if you want to handle unauthorised access attempts more gracefully (instead of having a browser credentials box pop up), in-workflow authentication / validation might be more appropriate.

The settings shouldn't reset every time you publish. All you need to do is modify the authorization section in the web.config file inside the root of your project folder. When the workflow is published, the web.config file is published along with all the other files and your changes should be reflected on the workflow server. I've seen cases where only the web.config file is changed in the WorkflowDeploy folder after it's published - in this case, yes, the settings will reset as the file in the project differs.

In the web.config file you can also specify the authentication mode (which needs to be Windows in this case) - I've never had success setting this in the project properties tab.

If you use this method, you can use the Get Current User component (HttpContext) to identify the authorised user accessing the application for auditing purposes.
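As an added illustration of the web.config approach described above (not a file from this thread or from the Workflow product), here is the relevant part of a project-root web.config with the default "allow everyone" rule beside the restricted version. The domain and group names are placeholders; the project's own web.config will contain other sections that are left out here.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Authentication must be Windows so IIS supplies the caller's
         domain identity; with Forms/None the roles below are never populated. -->
    <authentication mode="Windows" />

    <!-- DEFAULT after a fresh publish: every caller is allowed.
         This is the state the thread calls "Allow All". -->
    <!--
    <authorization>
      <allow users="*" />
    </authorization>
    -->

    <!-- RESTRICTED: only members of the named AD security groups may run
         the wizard. Rules are evaluated top to bottom and the first match
         wins, so the <allow> entries must come before the final <deny>.
         CONTOSO\HelpDesk-Build and CONTOSO\Desktop-Admins are placeholders;
         replace them with the real DOMAIN\Group names. -->
    <authorization>
      <allow roles="CONTOSO\HelpDesk-Build, CONTOSO\Desktop-Admins" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

Because the file is part of the project, keeping the edit in the project's web.config (rather than only in the deployed WorkflowDeploy copy) is what prevents the next publish from reverting to the allow-all rule, as DanGordon notes.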

b3tts32:

Didn't even think about that. Thanks for the tip!

noodleNT:

I was playing with the Process Manager Login component last night. It got me close to what I wanted, but it wouldn't pass through the current authenticated user. I had to enter creds in the form and then click save password.

reecardo:

Process Manager Login should validate the login to Process Manager... it won't do any verification of membership in any AD groups, however. Unsure how this component behaves with AD users... have you tried using <domain>\<AD user> as the email address for the login component?