Skip to Content

4.3.13. Authentication when accessing infobase data

   

4.3.13.1. General information

Before getting access to infobase data, the client application must specify who will access data and check whether this user is authenticated. You can use the 1C:Enterprise client application or any other software that can get access to data via external application interfaces as a client application. You can get access to data using the file infobase or the 1C:Enterprise server (over the TCP/IP protocol) or using the web server (over HTTP(s)). Client application can be authenticated as follows:

  1. With a username and password (authentication using 1C:Enterprise tools). With this authentication method, you can use two-factor authentication if it is set up on the 1C:Enterprise side.
  2. With operating system authentication.
  3. With OpenID and OpenID Connect protocols. OpenID providers can use various kinds of two-factor authentication. It depends on the provider settings.
  4. With a special access token.

Depending on how you access 1C:Enterprise data, you can use different authentication kinds.

In terms of authentication kinds and participating system components, the easiest way to access data is to directly access the file infobase or the 1C:Enterprise server cluster. In this case, access only the infobase without secondary servers.

During the direct connection, you can use the following authentication kinds:

  • OS authentication.
  • Authentication using 1C:Enterprise tools.

If you connect over HTTP(s), the following is used during the connection:

  • Proxy server. This is a server that acts as an intermediary between the client application and the target server. Let us assume that the proxy server is in computer networks of the client application.
  • Web server. This is a server that grants access to the infobase or the 1C:Enterprise server cluster over HTTP(s). Let us assume that the web server is located in the same computer network as the server cluster or infobase.

You can transfer data between the proxy server and the web server via the Intranet and Internet. The proxy server is optional for getting access.

It is also worth mentioning that HTTPS or secure connection is supported. This protocol is not directly related to authentication but, with secure connection, you can be sure that the client and the server are truly the subjects they pretend to be. In this section, you can find a brief description of secure connection. The secure connection is established between the client application and the web server where the 1C:Enterprise infobase is published and only if HTTPS is supported by the web server for the required infobase. To specify that the client application must use secure connection, do the following:

  • When you use the web client, all actions are performed by the browser. Install root certificates to the computer. With the certificates, you can check the web server certificate.
  • When you use the thin client, use the launcher to set up certificates. During the setup, you can specify how to check the web server certificate and which certificate will be used by the client application.
  • When you operate from 1C:Enterprise language, establish secure connection using the OpenSSLSecureConnection object. The parameters of this object are similar to the launcher settings.

So, the following items are involved in the authentication process: a client application located on a client device, a proxy server, a web server, and the 1C:Enterprise server cluster or the web server extension for the file infobase.

https://kb.1ci.com/bin/download/OnecInt/KB/1C_Enterprise_Platform/Guides/Administrator_Guides/1C_Enterprise_8.3.24_Administrator_Guide/Chapter_4._Running_system_components/4.3._Starting_client_application_or_Designer/WebHome/en_image023.png

  • Fig. 23. Authentication options

The figure shows the main authentication options. You can combine these options. For example, you can connect your device to the web server that operates with the file infobase. The client application initiates authentication process and ensures that all participants get data required to complete each step of the process. The following authentication options are numbered:

  1. Authentication on the proxy server.
    • For authentication, you can use:
      • Authentication using 1C:Enterprise tools.
      • OS authentication.
    • Specify the parameters for authentication on the proxy server:
      • In the settings to access the infobase in the launcher.
      • Using the /Proxy command-line option for the client application startup.
      • Using the InternetProxy object if you access data programmatically.
      • Using the inetcfg.xml configuration file.
  2. Authentication on the web server.
    • For authentication, you can use:
      • Authentication using 1C:Enterprise tools.
      • OS authentication.
    • Specify the parameters for authentication on the web server:
      • Using the /WSA, /WSN, and /WSP command-line options for the client application startup.
      • Using the InternetProxy object if you access data programmatically.
    • You can also use secure connection (HTTPS).
  3. Authentication in the infobase.
    • For authentication, you can use:
      • Access token.
      • OS authentication.
      • Authentication using various OpenID protocol options.
      • Username and password.
    • Specify authentication parameters for the infobase as follows:
      • Access token:
        • Using the /AccessToken command-line option for the client application startup.
        • Using the AccessToken parameter of the infobase connection string.
        • Using the Authorization: Bearer header of the HTTP infobase request.
      • OS authentication:
        • Using the /WA command-line option for the client application startup. You can enable or disable this authentication method.
        • Using the UseOSAuthentication parameter of the HTTPConnection or WSDefinitions object constructor.
      • Authentication using OpenID:
        • Using the /OIDA command-line option for the client application startup. You can enable or disable this authentication method. Authentication parameters are determined by the publication settings of the infobase you want to access.
        • Using the Authorization: Bearer header of the HTTP infobase request.
      • Using the username and password:
        • Using the /N and /P command-line options for the client application startup.
        • Using the parameters of the infobase connection string.
        • Using the Authorization: Basic header of the HTTP infobase request.

See also:

  • Startup command-line options.
  • Authentication kinds in 1C:Enterprise.
  • Integration methods in 1C:Enterprise.

4.3.13.2. Interactive authentication

4.3.13.2.1. Authentication on the web server

When you access the infobase manually, authentication on the web server is performed as follows:

  • Thin client:
    • If the /WSA- parameter is specified, a web server requests a username and password for authentication.
    • If the correct /WSN and /WSP parameters are set, a specified user is authenticated on the web server.
    • If the /WSN parameter is not specified, OS authentication is performed. If authentication fails, a username and password are requested.
    • If the /WSN parameter is specified and the /WSP parameter is not set or is set incorrectly, a web server requests a username and password for authentication.
  • Web client:
    • The browser manages this process.

See also:

  • Startup command-line options.
  • Authentication kinds in 1C:Enterprise.
4.3.13.2.2. Authentication in the infobase

If you connect to the server/infobase (thin and thick clients) directly or if you connect to the infobase via the web server (thin client or web client), authentication in the infobase is as follows:

https://kb.1ci.com/bin/download/OnecInt/KB/1C_Enterprise_Platform/Guides/Administrator_Guides/1C_Enterprise_8.3.24_Administrator_Guide/Chapter_4._Running_system_components/4.3._Starting_client_application_or_Designer/WebHome/en_image024.png

  • Fig. 24. Interactive authentication

During the interactive authentication, the following takes place:

  1. If possible, authentication using the access token is performed.

    If authentication fails, other authentication methods cannot be used.

  2. If possible, OS authentication is performed.

    If authentication fails or the /WA- command is specified, further attempts to use other authentication methods are made.

  3. If possible, authentication using OpenID protocols is performed. Authentication is performed in the following order:
    • OpenID Connect authentication.
    • OpenID 2.0 authentication if the /OIDA- parameter is not specified.

      If authentication fails, other authentication methods cannot be used.

      If authentication using OpenID is not supported or it was disabled with the command line, further attempts to use other authentication methods are made.

  4. Authentication with a username and password is performed:
    • If the /N and /P parameters are set, a specified user is authenticated.
    • If the /N parameter is not set, a username and password are requested.
    • If the /P parameter is not set or is set incorrectly, an authentication attempt is made. If authentication fails, a username and password are requested (authentication window).

See also:

  • Startup command-line options.
  • Authentication kinds in 1C:Enterprise.

4.3.13.3. Authentication when accessing the infobase programmatically

4.3.13.3.1. Authentication on the web server

When you access the infobase programmatically, set up authentication on the web server using the HTTPConnection or WSDefinitions object depending on the service kind you use:

  • Authentication on the web server is determined by the UserName, Password, and UseOSAuthentication parameters of the HTTPConnection and WSDefinitions object constructors:
    • The UseOSAuthentication parameter is set to True:
      • OS authentication is enabled in the web server settings:
        • OS is authenticated.
        • If the UserName and Password parameters are specified, their values are used for authentication over NTLM and Kerberos protocols. Specify the UserName as DOMAIN\user or user@domain.
        • If the UserName and Password parameters are not specified, the parameters of a user on whose behalf the current session is running will be used.
      • OS authentication is disabled in the web server settings:
        • Authentication on the web server is not performed.
        • To access the infobase, UserName and Password will be used.
    • The UseOSAuthentication parameter is set to False:
      • If UserName and Password are specified, use the username and password for authentication.
      • Do not specify the infobase username and password that are specified in the infobase URL. In some cases, it can lead to errors that are hard to find.

See also:

  • Authentication kinds in 1C:Enterprise.
  • Integration methods in 1C:Enterprise.
4.3.13.3.2. Authentication in the infobase

Once you authenticate on the web server, the web server extension tries to authenticate in the infobase:

  • If the Authorization: Bearer HTTP request header is specified, an attempt to authenticate using an access token is made. If the attempt fails, you will not be able to access the infobase.
  • If the Authorization: Basic HTTP request header is specified, an attempt to authenticate using a username and password is made.
  • If standard headers are not used, the web server extension tries to get a username and password from the infobase connection string from the default.vrd file. If parameters are determined, internal request headers are used to transfer the parameters.
  • If a username and password are not determined, an attempt to use OS authentication is made. If OS authentication fails, you will not be able to access the infobase.

See also:

  • Authentication kinds in 1C:Enterprise.
  • Integration methods in 1C:Enterprise.

   

Icon/Social/001 Icon/Social/006 Icon/Social/005 Icon/Social/004 Icon/Social/002