How Integration Server Authenticates Externally Defined Clients
When authenticating clients using user names and passwords, Integration Server always looks for the user account internally before looking in an external directory. Specifically:
1. When Integration Server finds an internally-defined user account for the supplied user name, Integration Server authenticates the client using the internally-defined information. If the supplied user name and password combination is correct, authentication succeeds and Integration Server proceeds with the request. If authentication fails and an external directory is not configured, Integration Server rejects the request with an "Invalid credentials" error.
2. If authentication fails and an external directory is configured (either a central user directory or LDAP), Integration Server requests that the external directory authenticate the client. If authentication succeeds, Integration Server proceeds with the request. If authentication fails, Integration Server rejects the request with an "Invalid credentials" error.
For example, if a user account is defined in the My webMethods Server user directory, Integration Server authenticates the client using the information defined in the My webMethods Server database. If the supplied password is correct, Integration Server proceeds with the request. If the supplied password is not correct, Integration Server rejects the request.
Note:
If the passwords are contained in an external authentication system other than Central Users or LDAP, you must create your own pluggable module to obtain this information. See Customizing Authentication Using JAAS for information about setting up a pluggable module.
3. If Integration Server cannot find either an internally or externally defined user account for the user, Integration Server rejects the request.
If the user does not supply a user name or password, the server uses the internally-defined Default user account. This account grants access to resources that allow anonymous access.
Note:
A local user can have the same name as a user in an external user directory. If the locally defined user and the externally defined user have the same password and the supplied password is correct, Integration Server authenticates the user with the privileges defined locally. This occurs because Integration Server checks its local user list first. If the passwords are different for the locally and externally defined user accounts, Integration Server treats the user accounts as two different users. An authentication request for the user that includes the externally defined password results in the external directory authenticating the user and granting the user the externally defined privileges.
Note:
The ability to have a locally defined user and an externally defined user with the same name is available after applying a fix that includes PIE-62998 (IS_10.5_Core_Fix5 and higher).
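The lookup order and the same-name behavior described above can be modeled in a few lines, which is useful when auditing which privilege set a given credential ends up with. This is an added example, not Integration Server code; it assumes the PIE-62998 fix is applied, and the directories, account names, passwords, and group labels are constructed for illustration.

```python
import hmac

# Constructed sample directories: name -> (password, groups). Hypothetical data.
LOCAL = {
    "Default": (None, {"anonymous-access"}),
    "svc_orders": ("local-pw", {"local-admins"}),
    "alice": ("same-pw", {"local-developers"}),
}
EXTERNAL = {
    "svc_orders": ("ldap-pw", {"ldap-users"}),
    "alice": ("same-pw", {"ldap-users"}),
    "bob": ("bob-pw", {"ldap-users"}),
}

def _match(entry, password):
    """True when the account exists, has a password, and the password matches."""
    if entry is None or entry[0] is None:
        return False
    return hmac.compare_digest(entry[0].encode(), password.encode())

def authenticate(username, password, local, external=None):
    """Model of the lookup order. Returns (source, groups) or ("rejected", None)."""
    if not username or not password:
        # No user name or password supplied: the internally defined Default account.
        return ("default", local["Default"][1])
    entry = local.get(username)
    if _match(entry, password):
        # Step 1: the local user list is checked first, so local privileges win.
        return ("local", entry[1])
    if external is not None:
        # Step 2: an external directory is configured, so ask it to authenticate.
        ext = external.get(username)
        if _match(ext, password):
            return ("external", ext[1])
    # Wrong credentials, or step 3: no account found in either directory.
    return ("rejected", None)

def same_name_accounts(local, external):
    """Names defined in both directories whose group sets differ."""
    shared = local.keys() & external.keys()
    return sorted(n for n in shared if local[n][1] != external[n][1])
```

Accounts returned by `same_name_accounts` are the ones where the privileges granted depend on which password is presented, so they are the ones to review when the local and external directories are managed by different teams.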