
Integrated Windows authentication

Introduction

If you select Windows as the authentication type for a user, they have to enter their Windows credentials when signing in. You can use Integrated Windows authentication (IWA) to enable users to sign in automatically when their machine is already connected to the Windows domain. For this authentication type, additional configuration is required, which is described in this chapter.

For more information about authentication types and how to select one, see Authentication.

Set up IWA

Enable IWA

The option Windows Authentication is not installed by default in IIS. You can install it in the IIS Manager or through the Windows Features dialog.

To install Windows authentication through the Windows Features dialog:

  1. In Windows, look for Turn Windows features on or off.

  2. In the Windows Features dialog, expand Internet Information Services.

  3. Expand World Wide Web Services.

  4. Expand Security.

  5. Select the checkbox Windows Authentication.

  6. Click OK.

  7. Restart the server.

    Enable Windows Authentication in Windows Features

Configure IWA in IIS

Now that Windows Authentication is installed, you need to configure it in the IIS Manager:

  1. Open the IIS Manager, go to the Indicium web application, and double-click the Authentication section.

    Select the Authentication section in IIS

    In the Authentication section, you should see all supported authentication methods, including Windows Authentication. If you just enabled Windows Authentication, you may need to restart the server before it appears here.

  2. Disable the Anonymous Authentication method and enable the Windows Authentication method. Both changes are needed: as long as Anonymous Authentication is enabled, IIS serves requests anonymously and never issues a Windows challenge, so nobody is signed in automatically.

    Enable Windows Authentication in IIS

  3. Go back to the overview of the Indicium web application in the IIS Manager and double-click the Configuration Editor.

    Open the Configuration Editor in IIS

  4. In the Configuration Editor, use the dropdown menu on the top left side to go to the section system.webServer/aspNetCore.

  5. Set the configuration option forwardWindowsAuthToken to True. This makes the ASP.NET Core Module pass the Windows identity that IIS authenticated on to the Indicium process; without it, IIS accepts the credentials but Indicium never learns who signed in.

    Set the configuration option forwardWindowsAuthToken to True

Grant user permissions

All users who need to sign in using IWA must have Read permission on the web application folder of Indicium. IIS checks the NTFS permissions of the authenticated Windows user on the files it serves, so a user without Read access is refused (HTTP 401.3) even though their credentials were accepted. Grant the permission to a domain group rather than to individual accounts, and grant Read only. To grant these permissions:

  1. In the IIS Manager, right-click the Indicium web application and select Edit Permissions.

    Select Edit Permissions in IIS

  2. In the Properties dialog, go to the Security tab.

  3. Select Edit.

  4. Select the user or group of users that need to log in using Windows Authentication.

  5. Select Add.

  6. Select the checkbox Allow for the Read permission.

  7. Select OK.

    Edit user permissions in IIS
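The three procedures above (enabling the feature, switching the application from Anonymous to Windows authentication with forwardWindowsAuthToken, and granting Read on the folder) can also be done from an elevated PowerShell prompt on the IIS server. The script below is an added example and not part of the Indicium documentation or product; the site name Default Web Site, the application name Indicium and the group MYCOMPANY\Indicium Users are assumptions, so replace them with your own values.

```powershell
# Added example (not from the Indicium documentation): performs the "Set up IWA" steps
# from an elevated PowerShell prompt on the IIS server. Assumed values; replace them.
$SiteName  = 'Default Web Site'           # IIS site that hosts Indicium
$AppName   = 'Indicium'                   # web application name under that site
$UserGroup = 'MYCOMPANY\Indicium Users'   # domain group allowed to sign in with IWA

# 1. Install the Windows Authentication feature (Windows Server vs. client Windows).
if (Get-Command Install-WindowsFeature -ErrorAction SilentlyContinue) {
    Install-WindowsFeature -Name Web-Windows-Auth | Out-Null
} else {
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-WindowsAuthentication -NoRestart | Out-Null
}

Import-Module WebAdministration
$Location = "$SiteName/$AppName"
$AuthBase = 'system.webServer/security/authentication'

# 2. The authentication sections are locked at server level, so they are written to
#    applicationHost.config for this location, exactly as IIS Manager does.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
    -Filter "$AuthBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
    -Filter "$AuthBase/windowsAuthentication" -Name enabled -Value $true

# 3. forwardWindowsAuthToken is part of the application's own web.config
#    (system.webServer/aspNetCore), which is what the Configuration Editor edits.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\$AppName" `
    -Filter 'system.webServer/aspNetCore' -Name forwardWindowsAuthToken -Value $true

# 4. Read permission (inherited by files and subfolders) on the application folder.
$app  = Get-WebApplication -Site $SiteName -Name $AppName
$path = [Environment]::ExpandEnvironmentVariables($app.PhysicalPath)
icacls $path /grant "${UserGroup}:(OI)(CI)R" | Out-Null

# 5. Read everything back so a typo above does not go unnoticed.
function Get-IwaSettings {
    [ordered]@{
        AnonymousEnabled = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
                               -Filter "$AuthBase/anonymousAuthentication" -Name enabled).Value
        WindowsEnabled   = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
                               -Filter "$AuthBase/windowsAuthentication" -Name enabled).Value
        ForwardToken     = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\$AppName" `
                               -Filter 'system.webServer/aspNetCore' -Name forwardWindowsAuthToken).Value
        FolderAcl        = (icacls $path | Select-String -SimpleMatch $UserGroup |
                               ForEach-Object { $_.Line.Trim() }) -join '; '
    }
}
Get-IwaSettings   # expected: AnonymousEnabled False, WindowsEnabled True, ForwardToken True, and an (OI)(CI)(R) entry
```

If the feature was installed in step 1 of the script, restart the server before trusting the read-back, as the manual procedure also requires.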

Check the login screen

After following the previous steps successfully, your Indicium web application has been configured to support Windows authentication. The login page should show the button Sign in with Windows.

If you do not see this login page right away, but instead get the standard browser login prompt, additional configuration is required. See No Sign in with Windows button.

Login page with Windows authentication
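Besides looking at the login page, you can check from a domain-joined client that IIS now behaves as intended: an anonymous request must be answered with HTTP 401 and a WWW-Authenticate header offering Negotiate (Kerberos or NTLM), and the same request sent with the current Windows logon must be accepted. The script below is an added example, not part of the Indicium documentation; the URL https://mysite.mycompany.com/indicium/ is an assumption.

```powershell
# Added example (not from the Indicium documentation): probe the Windows authentication
# challenge and the automatic sign-in from a domain-joined client. Assumed URL; replace it.
$Url = 'https://mysite.mycompany.com/indicium/'

function Get-IwaProbe {
    param([string]$Url, [bool]$SendWindowsCredentials)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    # With UseDefaultCredentials the request answers a Negotiate/NTLM challenge with the current logon.
    $req.UseDefaultCredentials = $SendWindowsCredentials
    $req.AllowAutoRedirect = $false
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # A 401 surfaces as an exception that still carries the response (and its headers).
        if (-not $_.Exception.Response) { throw }
        $resp = $_.Exception.Response
    }
    $challenges = $resp.Headers.GetValues('WWW-Authenticate')
    if (-not $challenges) { $challenges = @() }
    $result = [pscustomobject]@{
        Status     = [int]$resp.StatusCode
        Challenges = @($challenges)          # IIS sends one WWW-Authenticate header per scheme
    }
    $resp.Close()
    $result
}

$anon = Get-IwaProbe -Url $Url -SendWindowsCredentials $false
$auth = Get-IwaProbe -Url $Url -SendWindowsCredentials $true

"Anonymous request:  HTTP $($anon.Status), WWW-Authenticate: $($anon.Challenges -join ', ')"
"With Windows logon: HTTP $($auth.Status)"

if ($anon.Status -ne 401 -or $anon.Challenges -notcontains 'Negotiate') {
    Write-Warning 'IIS does not challenge with Windows authentication: check that Anonymous is disabled and Windows Authentication is enabled for the Indicium application.'
} elseif ($auth.Status -eq 401) {
    Write-Warning 'The challenge is correct but the logon was rejected: check the Read permission on the application folder, or the SPN if Kerberos is expected.'
} else {
    'Windows authentication works end to end (the browser still needs the site in its trusted zone to sign in silently).'
}
```

Run the probe from another machine rather than on the IIS server itself: a request from the server to its own fully qualified name is rejected by the Windows loopback check even when the configuration is correct.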

Troubleshooting IWA

No 'Sign in with Windows' button

If you do not see the Sign in with Windows button on the login page, but instead get the default browser login prompt, the browser does not trust the site enough to send Windows credentials to it automatically, and you need to whitelist the hostname in your browser settings.

For security reasons, browsers only perform Windows authentication silently for sites they consider trusted: a site on the whitelist receives the logged-in user's Negotiate/NTLM credentials without any prompt, so only add hostnames you control, and add the exact hostname rather than a whole domain where you can. On Windows, Chrome and Microsoft Edge follow the Local intranet zone of the Internet Options, which by default treats every hostname without a period (.) as local (intranet) and trusts it. A hostname with a period, such as https://mysite.mycompany.com, falls outside that zone and must be whitelisted first. Firefox keeps its own, separate whitelist (the network.negotiate-auth.trusted-uris preference).

tip

A system administrator can whitelist the site for all computers in the domain through group policy (the Internet Explorer policy Site to Zone Assignment List, with zone 1 for Local intranet; Chrome and Edge also accept their own AuthServerAllowlist policy). Firefox does not read the Windows Internet Options zones, so that policy does not apply to it; its whitelist has to be configured through Firefox's own preferences or enterprise policy.

To whitelist a hostname:

  1. Open the Windows Internet Options.

  2. Go to the Security tab.

  3. Select Local intranet.

    Open the Local intranet settings in Internet Options

  4. Select Sites.

  5. Select Advanced.

  6. Add the website up to and including the hostname, without a path, for example https://mysite.mycompany.com.

  7. Clear your browser’s cookies and login information and try again. You should now see the Sign in with Windows button without being asked for credentials.
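The Internet Options dialog above stores the whitelist in the registry, which is useful when you want to script the fix or verify what a user's machine actually has. The script below is an added example, not part of the Indicium documentation: it adds the host to the current user's Local intranet zone in the same form the dialog writes, reads it back, and prints the equivalent Firefox policy. The hostname mysite.mycompany.com and the default Firefox installation folder are assumptions.

```powershell
# Added example (not from the Indicium documentation): whitelist the Indicium host for
# Integrated Windows authentication. Assumed hostname; replace it with your own.
$HostName = 'mysite.mycompany.com'

function Get-ZoneMapKey {
    param([string]$FullHostName)
    # Internet Options stores host.example.com as ...\ZoneMap\Domains\example.com\host.
    # A name with only two labels (example.com) gets a key directly under Domains.
    $labels = $FullHostName.Split('.')
    $domain = ($labels | Select-Object -Last 2) -join '.'
    $sub    = ($labels | Select-Object -SkipLast 2) -join '.'
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\' + $domain
    if ($sub) { $key = Join-Path $key $sub }
    $key
}

function Add-IntranetZoneSite {
    param([string]$FullHostName)
    $key = Get-ZoneMapKey $FullHostName
    New-Item -Path $key -Force | Out-Null
    # One DWORD per scheme; the value is the zone number, 1 = Local intranet.
    # Only https is added so credentials are never sent over plain http.
    New-ItemProperty -Path $key -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null
    $key
}

function Test-IntranetZoneSite {
    param([string]$FullHostName)
    $key = Get-ZoneMapKey $FullHostName
    $entry = Get-ItemProperty -Path $key -Name 'https' -ErrorAction SilentlyContinue
    [bool]$entry -and $entry.https -eq 1
}

Add-IntranetZoneSite $HostName | Out-Null
if (Test-IntranetZoneSite $HostName) {
    "https://$HostName is now in the Local intranet zone for $env:USERNAME."
} else {
    Write-Warning "Could not verify the zone entry for $HostName."
}

# Firefox ignores the Windows zones; it needs the host in its own trusted-URI list.
# With Firefox's enterprise policies this is a policies.json in the install folder.
$policy = @{ policies = @{ Authentication = @{ SPNEGO = @($HostName) } } } | ConvertTo-Json -Depth 4
$policyFile = Join-Path $env:ProgramFiles 'Mozilla Firefox\distribution\policies.json'   # assumed default path
if ((Test-Path (Split-Path $policyFile)) -and -not (Test-Path $policyFile)) {
    Set-Content -Path $policyFile -Value $policy -Encoding UTF8   # needs an elevated prompt
    "Wrote Firefox policy to $policyFile"
} else {
    "Firefox policy to merge into policies.json (not written, file missing or already present):"
    $policy
}
```

The registry entry affects only the user who runs the script; for every computer in the domain use the Site to Zone Assignment List group policy mentioned in the tip above, which writes the same mapping for all users. After the change, clear the browser's cookies and saved logins as in step 7 and reload the login page.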

