Web GUI configuration (EoL)
In accordance with our lifecycle policy, the Web GUI is no longer supported. The Thinkwise Platform version 2023.3 is the last version to support the Web GUI. The Universal GUI is the Web GUI's successor. It matches the Web GUI's functionality and more. For more information, see the blog post on the Thinkwise Community.
Introduction to Web GUI configuration
After the Web GUI has been applied to IIS, it can be set up by modifying the configuration file.
That way, the GUI will know where the meta model must be loaded from and where the data of the customer has been saved.
The configuration file is in the root of the GUI folder and is called settings.ini.
After changing the settings, it is necessary to restart the Application Pool.
Authentication
The Web GUI offers various possibilities in the field of authentication and password management for which extra settings are needed. This concerns:
- IAM authentication
- Logging in with an e-mail address
- Changing and setting a password
To make these functions possible from the Web GUI, the GUI needs to have a database service account with which the user can be validated to log in.
This service account needs full access to all the databases present in IAM, including the IAM database itself. None of the end users accessing the applications require any physical permissions on any database. Users using RDBMS authentication do need to be created since they will be authenticated by attempting to open a connection to the meta-database.
The service account can be configured in the web.config file of the application, the settings.ini file or to use the Application Pool Identity.
Service account in web.config
Add the following line to the connectionStrings section in the web.config or machine.config:
<add name="TsfGlobalUser" connectionString="User ID=myUser;password=myUserPassword" />
Sensitive information in the web.config file, like connection strings and passwords, can be encrypted using
Protected Configuration.
This way, only the Web GUI will be able to decrypt the information in the web.config file.
To encrypt a configuration section of the web.config file, use the aspnet_regiis.exe tool with the -pe option and the name of the configuration element to
be encrypted.
- Open an administrator command window in the
inetpub\wwwrootfolder. - Execute the following command to encrypt the
connectionStringssection of theweb.configfile:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pe "connectionStrings" -app "/myApplication"
Service account in settings.ini
The GlobalUser and GlobalUserPassword parameters in settings.ini.
This means of storage is not secure because the account details are saved as plain text on the web server. Only use this for testing purposes.
Service account in Application Pool
The Application Pool Identity of the application in IIS (with regard to Windows authentication) is used.
IAM Authentication
IAM authentication is meant to simplify the management of large numbers of IAM users. IAM Authentication users are only registered in IAM and not on the database. When logging in, the account details are validated with IAM.
The Web GUI uses the provided IAM account to connect the end product databases for all
IAM Authentication users. Therefor, always use the provided tsf_user() function to retrieve the username from within SQL logic,
instead of the functions provided by the RDBMS.
Passwords in IAM
An initial password for IAM authenticated users can be set using the Change password task in IAM. There is also the option
of letting the users set up a password themselves upon logging in for the first time, by redirecting the user to
the following link: https://[url]/[application]/ResetPassword.aspx.
To change the password for RDBMS user, the service account must have alter login rights on the database server.
In order to set the password, the GUI uses email functionality to ensure that the user who wants to set up the password is the valid user. During this procedure, a Validation code is sent to the user's e-mail address. The e-mail address can be registered to the user in IAM. Ideally, choose an e-mail address that no other users have access to.
SMTP
The GUI will send e-mails via an SMTP (Simple Mail Transport Protocol) server. Which SMTP server must be used can be specified via the settings.ini or IAM extended properties.
This concerns the following settings:
- SmtpServer
- SmtpPort (default port 25)
- SmtpEnableSsl (default is No)
- SmtpFrom (the from e-mail address)
- SmtpUser (optional)
- SmtpPassword (optional)
The account details for the SMTP server can also be stored encrypted in the web.config so that that account
details are not stored as plain text on the web server. See here for information about this.
The content of the e-mail is displayed in the language of the user. The translations can be overwritten per client model with the translations in the SF.
| Translation object | Default translation (English) | Parameter |
|---|---|---|
set_password_mail_subject | Set password: 0 | {0} - Title of the application. |
set_password_mail_body | We received a request that you want to set your password. In this mail we send you a code which you need to set a password. <br/><br/> <hr>0<hr/><br/> Copy this code to the '<i>Validation code</i>' field in the application where you requested a new password. If you have closed the application already you need to request another code.<br/><br/> A <strong>strong password</strong> contains a minimum of 8 characters, numbers, lower and upper case letters, special characters and does not include any part of your username. | {0} - Validation code |
Logging in with e-mail
Users can also log in with an e-mail address in the Web GUI. The e-mail address of the user is registered in IAM. The GUI needs a general IAM account in order to connect the e-mail address to a user in IAM to log in.
ADFS
Using ADFS (Active Directory Federation Services) it is possible to make an AD domain controller available in a secure way outside your own network. A web environment, in which the Web GUI has been made available, is made available on the internet via the DMZ. More information about this (as well as the setting up of it) is available here.
Integrated Security
The Web GUI supports Integrated Security. Domain users can log in on the Web GUI with it without entering credentials. How this has to be set up is explained here.
Google Maps API key
If a Google Maps control is used in the application, it is necessary to request a Google Maps API code from Google in order to correctly display the map. This code can be requested for the URL from the application. A Google account is needed to make such a request.
To request a key, go to https://console.developers.google.com/apis and log in with your Google account. The gmapapikey parameter can be used to set up the requested API Key for the Web GUI. The same code can also be used for any other application on this URL.
Captcha
Hackers can use a brute force attack to guess a user's password. In order to prevent them from trying various passwords back-to-back, a captcha can be used at log in so that the log in process is delayed.
Captcha
Use the LoginCaptchaNoise and ResetPasswordCaptchaNoise extended properties to enable the Captcha for login and password reset.
Session timeout
The Web GUI has a mechanism that tells the web server every five minutes whether the user is still active (as long as the tab is open). With this, the Session timeout of IIS is unnecessary.
This interval can be configured for the Web GUI via the KeepAliveSession extended property. A value of 0 or lower will deactivate this function.
More information about the setting up of the Session Timeout of IIS can be found here.
Server/Database information
Within the application, standard information is displayed to the user about which model is connected and on which server. This happens, for example, on the log-in page and on the start tab of the ribbon.
This information can be hidden via the ShowLoginInfo extended property.