There are 6 kinds of authentication:

1. "Windows" authentication should be used if you want to use windows accounts for authentication in HTTP Commander (either local or Active Directory accounts). Account database: SAM database of the web server machine or Active Directory (server must be joined to domain).
   See Active Directory parameters and Active Directory, ADFS integrations manuals.
2. "Forms" authentication is used if you want to manage accounts by yourself. Account database: custom XML file (Data\Accounts.xml).
3. "Forms for Windows users" authentication relies on the same account database as "Windows" authentication, but, unlike the former, users enter their credentials in a web form. See WindowsUsersWithFormAuth parameter.
4. "Novell EDirectory" authentication works with Novell EDirectory accounts. Account database: Novell EDirectory. When you select this authentication type, then you should specify the following parameters: EDirectory set to true, EDirectoryBindUserDN, EDirectoryBindUserPassword, LDAPContainer.
5. "Shibboleth" should be used if you deployed Shibboleth system to manage access to HTTP Commander application. The file manager relies on Shibboleth system to perform authentication, HTTP Commander determines the current logged in user to decide the type of access to provide to application: what folders to map, whether Admin Panel will be available, and so on.
   For more info see Shibboleth integration manual and Shibboleth parameters.
6. "Auth0" SSO & Token Based Authentication service. For more info see Auth0 integration manual, Auth0 parameters section and Auth0 site.

Note! Don't set Forms Authentication for Windows accounts and vice-versa.

See Manual configuration of authentication mode for instructions about changing authentication mode.

Note! This manual is for the Windows version only! If you need Forms authentication version, then at least download its User Manual. "Forms authentication" version download

• "None" - disable 2-factor authentication and use regular 1 step authentication process.
• "Google" - use Google authenticator for second step. It is free and no additional configuration required.
• "Duo" - use DUO security as 2-factor authentication provider.
  To correctly configure Duo 2-factor authentication you will need to :
  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate Web SDK in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname.
     You will need to put these values into appropriate settings of HTTP Commander: TwoFactorDuoIntegrationKey, TwoFactorDuoSecretKey, TwoFactorDuoAPIHostname,
     More info on DUO Getting started guide.

Note! 2-factor authentication setting applied for all users. There is no way to enable it for each user individually.

Note 2. 2-factor authentication would not be used for WebDAV and MSOFBA authentication processes. However WebDAV and "Edit in Office" feature will work as it does without 2-factor authentication enabled.
Also second step would not be displayed on native android application: user will be authenticated with one step as usual.

• See FAQ: How do I protect configuration files
• Or you can disable "read" permissions in IIS for this folder.
  In the IIS console select Data node inside "HTCOMNET" node and click Handler mappings in the right tab. Select StaticFile in the list and click Edit Feature Permissions link in the right tab. In the next dialog window, uncheck Read permissions.
  Screenshot
  
• Or move this folder outside of the web site root. Copy the "Data" folder to a new path, like c:\, and set "c:\Data" value. Check NTFS permissions for new Data folder location.

Events is a comma-separated list of events, for which notification emails will be sent.
Available events: Upload,Modify,Download,Create,Delete,CreatePublic

When is a one of the OnSessionEnd or Immediate values, setting when notification emails about actions with files will go.

Emails is a comma-separated list of e-mail addresses that will get notification about events with files.

Users is a comma-separated list of users to monitor.

Groups is a comma-separated list of groups to monitor.

The application is monitoring events (upload/modify/download/create/delete) activity of a user if its name is listed in the user list or if a group it is a member of is listed in the groups list. If both users and groups lists are empty, then all users are monitored.

Path specify what folders and files to monitor.
Note: Path should be specified in HTTP Commander notation, not physical folder/file path.

There two types of paths: plain and regex. For plain paths you may specify either file or folder. To distinguish folder path from file path, a folder path should end with a backslash. When you specify file, for example, "share\dir1\file.txt", then monitor only that particular file. When you specify folder, for example, "share\", then monitor all files in that folder and all its subfolders. For regex paths, that path parameter should contain regular expression to match against file path. For example, "^share\\.*\.txt$" matches all file with ".txt extension in "share" folder and all its subfolders. For monitor of all folders you can add a path "^.*$" with Regex type.

You may specify Path parameter a number of times. The application monitors a file if it matches at least one of the path filters specified. If you do not specify a path filter, then all files are monitored.

Description of the example described above: if the users admin and john or any another user of students and staff groups are uploading (or-and modifying, downloading) files into (from) the Demo folder 1 or a path to folder2\commonproject.doc file or into (from) the folder matching the regular expression "^Domain users demo folder\\folder1\\", the notifications will be sent to the following e-mail addresses: mike@mysite.com and jdoe@mysite.com.

You need also to configure Mail Settings parameters and type your mail server, port and user if authentication is needed.

...
<configuration>
    ...
    <system.web>
        ...
        <sessionState timeout="60" />
...

...
<configuration>
    ...
    <system.web>
        ...
        <compilation targetFramework="4.7.2" tempDirectory="d:\temp\" />
...

%WINDIR%\Microsoft.NET\Framework[64]\v4.0.30319\Temporary ASP.NET Files

• Disabled: the ability to search for files, folders is completely disabled;
• OnlyWindowsSearch: only the Windows Search service used to search files/folders
• NotUseWindowsSearch: use only the standard method (recursive listing subdirectories with a comparison pattern) to search files and fodlers. ;
• FirstTryWindowsSearchThanStandard (by default): use Windows Search Service firstly, and then if nothing is found, or found less than the expected value, the search is carried out by standard method (recursive listing subdirectories with a comparison pattern).

• AllFolders (default) - Search in root folders and in all subfolders
• RootOnly - Search in root folders only (without subfolders)
• RootWithOneNestedLevel - Search in top folders (root) and subfolders of the first level
• RootWithTwoNestedLevel - Search in top folders (root) and subfolders of the first and second level
• AllWithoutRoot - Search in all subfolders, except root folder
• WithoutRootAndOneNestedLevel - Search in subfolders of the first level, excluding the root folder
• WithoutRootAndTwoNestedLevel - Search in subfolders of the first and second level, excluding the root folder

<smtp deliveryMethod="Network" from="noreply@yoursite.com">
    <network defaultCredentials="false" host="mail.yoursite.com"
             port="25" userName="" password="" />
</smtp>

<mailSettings>
    <smtp deliveryMethod="Network" from="example@gmail.com">
        <network defaultCredentials="false" host="smtp.gmail.com"
                 userName="example" password="example"
                 port="587" enableSsl="true"/>
    </smtp>
</mailSettings>

• True - allows reading information from Active Directory.
  Application uses current user identity (logged in user) to connect to Active Directory.
• False - the groups and home directory info is not read. It makes the application work faster. But if you created folder for group or %HOME% folder then such folders won't be in the list.

When this parameter is false, HTTP Commander sends an LDAP or WinNT request to the specified server, depending on the value of LDAPContainer, to detect which groups the user is a member of. The LDAP provider returns both security and distribution groups from Active Directory. WinNT provider returns only security groups.

When Use­Universal­Way­To­Read­Groups parameter is set to true, the application uses the access token of the logged in user to detect which groups the user is a member of and does not send any additional requests. This method detects only security groups. The second method works considerably faster than the previous one since no supplementary requests are issued.

We recommend you enable this parameter unless you need distribution groups.

Note that you still need to assign the LDAPContainer parameter a correct value, to get the list of users, groups, detect users' home folders and so on.

If UseUniversalWayToReadGroups parameter is set to true, HTTP Commander uses other method to detect the user's groups, see UseUniversalWayToReadGroups for details.

Note! After changing this parameter, run Diagnostics ("Diagnostics.aspx" page) to check if groups and/or home folder are detected correctly.

• "" (empty string) - The application uses the WinNT provider for local accounts and the LDAP provider for domain accounts.
• "winnt" - The application uses the WinNT provider. This method does not support nested groups and global groups.
• "auto" - The application uses the LDAP provider. It uses the default naming context (value of the defaultNamingContext attribute of the root DSE object) as the starting point. If the LDAP search fails, the application falls back to WinNT provider.
• "ldap" - The application uses the LDAP provider. It uses the domain default-naming context (value of the defaultNamingContext attribute of the root DSE object) as the starting point.
• "root" - The application uses the LDAP provider. It uses the domain root-naming context (value of the rootDomainNamingContext attribute of the root DSE object) as the starting point.
• "custom LDAP path" - The application uses the LDAP provider. You can specify the domain name or the Domain Controller name where HTTP Commander will read the information from.

  Note. This is the only value type supported in Novell EDirectory authentication mode.

  Examples:

  • "LDAP://192.168.1.134" (192.168.1.134 is domain controller's IP address)
  • for domain "teachers.mycollege.edu" LDAP path is
    "LDAP://DC=teachers,DC=mycollege,DC=edu".
    You can limit access for users and groups only from one Organization Unit like:
    "LDAP://OU=staff,DC=HOMEELEMENT-IT,DC=COM"
    ("staff" OU of "homeelement-it.com" domain)
  • "LDAP://teachers.mycollege.edu"
  • "LDAPS://teachers.mycollege.edu" (only for Active Directory)
  To use SSL/TLS protocol to encrypt the network traffic with Active Directory server, use the LDAPS prefix. This option is available only for Active Directory, Novell eDirectory authentication mode always utilizes SSL/TLS protocol. When specifying this option, an SSL certificate must be installed and available in Active Directory. Make sure that the certificate is valid, trusted by the web server machine, and the server name specified in the LDAP path matches the subject of certificate, otherwise the LDAP connection will fail.
• Multi-domain value for supporting a number of domains. For example,
  "STAFFDOMAIN@LDAP://192.168.1.2­|­STUDENTSDOMAIN@LDAP://192.168.1.3­|­WEBSRV@WinNT://192.168.1.15­|­LDAP://192.168.1.18/OU=staff,DC=HOMEELEMENT-IT,DC=COM"

  This example specifies two domains, one local account database, and one domain controller. Value format is: LOGONDOMAINPREFIX1@LDAPPATH1­|­LOGONDOMAINPREFIX2@LDAPPATH2­|­LDAPPATH3­|­etc. Multi-domain value consists of a number of components separated with vertical bar ('|') character. Each component may be a Ldap or WinNT path or has "DOMAIN@LDAPPATH" form. The Ldap/WinNT path to use is selected based on the domain/machine name of the current user. When the current user is logged in with domain account, FQDN and NetBIOS name of the domain is used. When the current user is logged in with local machine account, NetBIOS name of the Web Server machine is used. When component has a form of Ldap/WinNT path, domain/machine name of the current user is matched against the server portion of the path. When the component has "DOMAIN@LDAPPATH" form, the domain/machine name of the current user is matched against "DOMAIN" part. In both cases, the comparison is case-insensitive.

  If the user logs into the application as "STAFFDOMAIN\Mike", the application uses "LDAP://192.168.1.2" as the provider path (Staff domain). If the user logs in as "STUDENTSDOMAIN\John", the application uses "LDAP://192.168.1.3" as the provider path (Students domain). If the user logs in with a web server local user name like "WEBSRV\Chris", "WinNT://192.168.1.15" is used as the provider.

• Application validates the user's credentials entered in the web form (in "Forms with Windows Users" authentication mode).
• HTTP Commander's administrator assigns folders to users and groups in the Admin Panel.
• Application reads the configuration files that include account names (in "Windows" and "Forms with Windows Users" authentication mode).

Available values

• Disabled - tree is disabled and hidden;
• Enabled - tree is enabled and autoexpandable;
• NotAutoExpandable - tree is enabled and not autoexpandable (default).

• AboveFolderName (default) - above the folder name;
• BelowFolderName - below the folder name;
• OnlyTooltip - folder description is displayed only in the tooltip.

Parameter format: comma-separated list of items. Each item specifies the metadata name followed by a boolean flag indicating singlevalued/multivalued metadata (singlevalued - false, multivalued - true).

"Custom" metadata allows using any metadata names. Otherwise users can only assign metadata listed in this parameter.

"" (empty string) - details feature is prohibited.

Example:
Description:False,Comment:True,custom:True
(details with titles "Description", "Comment" and user's custom metadata are available. Comment and Custom are multivalued)

1. "Comment" - this field used to store comments for files/folders. If it is specified (by default), special text area will be rendered in details window for quick comments addition. Also count of comments will be displayed for each file in file list if ShowFileMarkWhenExistsDetails setting is enabled.
   
2. "_label_" - This field used to store information about file/folder label. This name is reserved and could not be used.

Parameter format: comma-separated list of items. Item format:

<column_name>[:<True|False>][:<column_width>]

size, labels, type, datemodified, datecreated, dateaccessed, downloads

• size, downloads — 70
• labels, type, datemodified, datecreated, dateaccessed — 140
• The width of each of the remaining columns (except column name) will be automatically calculated depending on the remaining space on the screen

Example: "size:True:100,type,datemodified:True,comment:True:300".

Note 1! Don't use too many columns because each column makes the list loading slower.

Note 2! Column downloads is available when EnableDownloadsCounting is "true". Also note that after downloading the file, the value in this column is not updated automatically, you need to update the contents (button "Refresh").

Orange label:#ffd800,

Green label:green

Download, Showmenu, View, Nothing, Choose

'view', 'djvu-view', 'ebook-read', 'download',
'preview', 'mso-edit', 'msoo-edit',
'office365-edit', 'ooo-edit', 'owa-view', 'google-edit', 'google-view',
'onlyoffice-edit', 'autodesk-view', 'sharecad-view', 'box-view', 'zoho-edit',
'play-video-js',
'play-audio-html5', 'video-convert', 'cloud-convert', 'edit'

• Disabled - "copy/move to.." mode is disabled. Items 'Copy to...', 'Move to...' are unavailable. 'Copy', 'Cut' items are displayed directly in context menu.
• InContextFirstLevelMenu - "copy/move to.." mode is enabled, corresponding menu items are displayed directly in context menu on the same level as the items 'Copy', 'Cut'.
• InContextSecondLevelMenu (by default) - "copy/move to.." mode is enabled. Corresponding menu items are displayed in second-level menu along with copy/cut to clipboard items.
  I.e. in context menu displayed Copy and Cut menu items which opens second-level menu.
• OnlyCopyMoveTo - copy/move to.." mode is enabled , while "copy/cut to clipboard" is disdabled. Menu items 'Copy to...', 'Move to...' displayed directly in the context menu.

• Disable - disable email feature
• LinksOnly - enable with link to file
• AttachmentsOnly - enable with attachments only
• Any - enable with both links and attachments

• "Disabled" - bulk mails sending is disabled;
• "DoNotShowUsers" - User can select only groups to send emails;
• "ShowUsersWithoutEmails" - User can select groups and/or individual users to send emails (emails are hidden);
• "ShowUsersWithEmails" - User can select groups and/or individual users to send emails (emails are shown).

• FromToolbarButtonsConfigs - icons on the toolbar buttons will be displayed, depending on what is set for each button in the ToolbarButtons1, ToolbarButtons2 settings (after the name of each button you can specify :icononly, :noicon respectively, if nothing is specified, both the icon and the button title are displayed)
• NoIcons - all the buttons of the toolbar will be displayed without icons, only the titles, and regardless of what is indicated in the ToolbarButtons1, ToolbarButtons2 settings for the buttons.
• OnlyIcons - for all toolbar buttons, only icons will be displayed, without titles, and regardless of what is specified in the ToolbarButtons1, ToolbarButtons2 settings for the buttons

• Enabled (by default) - show user names for all logged users;
• OnlyForAdmins - show only for administartors (with full privileges or those who have rights to manage users);
• Disabled - the names of users for locked files are not displayed.

• Off - AES is off (default), ZipCrypto is used.
• AES_128bits - 128-bit AES encryption is used (recommended).
• AES_256bits - 256-bit AES encryption is used.

name:type:required:description:values

• 'name' - name of form field. It is recommended to use the same name for field as in AvailableDetailsTitles setting.
• where value for 'type' could be any from following list: "text", "checkbox", "multiline", "select"
• 'required' - boolean flag determines if form field is required or not. If field is required, them upload would not start until field is filled with correct value.
• 'description' - description text displayed right above form field.
• values - is a semicolon separated list of possible values for a select input field. It could be omited for other input types

• Chrome 50+
• Firefox 45+
• Opera 37+
• Safari 9+
• Microsoft Edge 20+
• Internet Explorer 11

• ZohoEditorAPIKey
• ZohoNoExport
• ZohoNoPrint
• Zoho Writer: ZohoWriterServiceUrl, ZohoWriterAdditionalLangs, ZohoWriterAdditionalFormats.
• Zoho Sheet: ZohoSheetServiceUrl, ZohoSheetAdditionalLangs, ZohoSheetAdditionalFormats.
• Zoho Show: ZohoShowServiceUrl, ZohoShowAdditionalLangs, ZohoShowAdditionalFormats.

• Create the specified path (for example, "shared/files") in the HTCOMNET directory (including all nested subfolders, if any) and copy the index.ashx file into it from the public folder
  Screenshot
  
  
• In the Web.config file, find the string
  <location path="public">
  and replace the path "public" with the one specified in this parameter.
  If there is no such line, add the following settings to the web.config:

    <location path="shared/files">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
  
        <identity impersonate="true" />
  
      </system.web>
      <system.webServer>
        <defaultDocument>
          <files>
            <clear />
            <add value="index.ashx" />
          </files>
        </defaultDocument>
      </system.webServer>
    </location>

• Configure anonymous access to the specified path

• EnablePasswordPolicy - enable / disable password security policy settings for public links.
  If enabled, then configured password requirements will be checked when password is specified for the public link. Default false.
• MinLength - Minimum password length. Default 7.
• MaxLength - Maximum password length. Default 32.
• UpperCaseChars - The minimum number of uppercase characters that the password must contain. Default 1.
• LowerCaseChars - The minimum number of lowercase characters that the password must contain. Default 1.
• SpecialChars - The minimum number of special characters that the password must contain. Default 1.
  List of special characters (1st character is a space):

  ⌴!""#$%&'()*+,-./:;<=>?@[\]^_`{|}~

• NumericChars - The minimum number of digits that the password must contain. Default 1.
• ProhibitUsernameInPassword - Prohibit the use of the user name or part of the email (in whole or before/after @) in the password. Default true.

• empty (or Disabled) - file downloaded when link is opened;
• ViewInBrowser - link to file preview in browser if file type allows (see FileTypes.xml in root of HTTP Commander folder);
• ViewInGoogleDocs - link to file preview in Google Docs Viewer if file type allows and EnableGoogleDocumentsViewer=true;
• ViewInOWA - link to file preview in Microsoft Office Web Apps if file type allows and EnableOWADocumentsViewer=true.

• OnlyLongUrl - generate and view only long public url;
• OnlyShortUrl - view only short public url;
• BothLongAndShortUrls - generate and view both long and short public urls (default).

• ProvideChoiceWithDefaultIntoTrash -  (default) "Delete directly, without moving to the Trash" chebox is unchecked by default, i.e. files/folder will be moved to the Trash.
• ProvideChoiceWithDefaultDirectly - "Delete directly, without moving to the Trash" chebox is checked by default, i.e. files/folder deleted directly by default.
• DisableDeleteDirectly, then permanent deletion is forbidden and checkbox isn't displayed. Files/folders always moved to the Trash.

• Each item (file or folder) in the user's Trash, larger than UsersTrashLargeItemsSize megabytes (if > 0) is destroyed, if its shelf life from the date of the removal is more than UsersTrashLargeItemsShelfTime days.
• Each item (file or folder) in the user's Trash, is destroyed, if its shelf life from the date of the removal is more than UsersTrashSmallItemsShelfTime days.
• At the same time, if in the process of cleaning the user's Trash, it turns out that it exceeded the size (UsersTrashMaxSize megabytes, only if > 0), then all the other items are destroyed without the checks described above.