Enabling Integrated Windows Authentication

By default, Directory Update and Directory Manager use forms-based authentication, but both applications support Integrated Windows Authentication (IWA). This is also sometimes called single sign-on or pass-through authentication. When Windows Authentication is enabled, users are logged on to the web site automatically as soon as they visit it. Their web browser uses the credentials of their current Windows session.

Integrated Windows Authentication Requirements

In order for IWA to work properly, the following requirements must be met.

  • The Windows workstation must be a member of a domain that is part of the same Active Directory forest as the Directory Update server
  • The user must be logged on with their domain user account
  • The user must be using a web browser that supports IWA, such as Internet Explorer
  • The URL of the Directory Update site must be in the browser's "trusted zone" or "local intranet zone" sites list or equivalent and the browser must be configured to allow IWA for that "zone".

For more information, see the following sites and articles:

Note that administrators may see an issue with Directory Update when they have a connection (such as a mapped drive) to the IIS server using alternate credentials such as an administrative account.


Enabling IWA for Directory Update and Directory Manager

Enabling IWA for Directory Update and Directory Manager is a simple matter of editing the application's Web.Config file. The Web.Config file is found in the root folder of the application such as c:\inetpub\wwwroot\directoryupdate or c:\inetpub\wwwroot\directorymanager. Open the Web.Config file in any text editor and locate the authentication tag.

<authentication mode="Forms">
  <forms name="AppNameAuth" path="/" loginUrl="Login.aspx" protection="All" timeout="60"/>
</authentication>

Change the "Forms" option to "Windows" to switch to IWA. A restart of IIS should not be necessary but sometimes that helps to flush all code out of memory.

<authentication mode="Windows">
  <forms name="AppNameAuth" path="/" loginUrl="Login.aspx" protection="All" timeout="60"/>
</authentication>

Confirm that Integrated Windows Authentication is enabled on the Web site

In some cases, IWA is not enabled at the root of the Web site in IIS. This is required even if you don't use it on all virtual directories or applications.

  1. Log on to the console of the IIS server
  2. Launch Internet Information Services (IIS) Manager
  3. Navigate to the Web site that you are using (usually Default Web Site) and click on it
  4. In the Details window, locate the "Authentication" icon and double click it
  5. Validate that Windows Authentication is Enabled
    [Figure: Validating that Windows Authentication is enabled in IIS]
  6. If Windows Authentication is not enabled, right click on Windows Authentication and choose Enable
  7. Run IISRESET.EXE
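
The two settings described above (the authentication mode in Web.Config and Windows Authentication at the root of the Web site) can also be checked from PowerShell. This script is an added example, not part of the original article or the product. It assumes IIS 7 or later with the WebAdministration module and the Windows Authentication role service installed, an elevated session on the IIS server, and the default site name and folder mentioned above; the -Enable switch is a name chosen for this example.

```powershell
# Added example (not from the original article). Run elevated on the IIS server.
param(
    [string]$SiteName = 'Default Web Site',                    # site named in the article
    [string]$AppRoot  = 'C:\inetpub\wwwroot\directoryupdate',  # example folder from the article
    [switch]$Enable                                            # hypothetical switch: enable IWA in IIS if it is off
)
Import-Module WebAdministration -ErrorAction Stop

# 1. ASP.NET authentication mode in the application's Web.Config
$webConfig = Join-Path $AppRoot 'Web.config'
$xml = New-Object System.Xml.XmlDocument
$xml.Load($webConfig)
# local-name() keeps the query working if <configuration> declares an XML namespace
$nodes = $xml.SelectNodes("//*[local-name()='system.web']/*[local-name()='authentication']")
if ($nodes.Count -eq 0) {
    Write-Warning "No <authentication> element found in $webConfig"
}
foreach ($n in $nodes) {
    $mode = $n.GetAttribute('mode')
    Write-Output "Web.config authentication mode: $mode"
    if ($mode -ne 'Windows') {
        Write-Warning "mode is '$mode'; the change to 'Windows' has not been applied"
    }
}

# 2. Windows Authentication at the root of the Web site in IIS
# This section is normally stored in applicationHost.config, so it is
# addressed with -PSPath 'IIS:\' and -Location <site name>.
$filter  = '/system.webServer/security/authentication/windowsAuthentication'
$enabled = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
                -Filter $filter -Name 'enabled').Value
Write-Output "IIS Windows Authentication on '$SiteName': $enabled"

if (-not $enabled -and $Enable) {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
        -Filter $filter -Name 'enabled' -Value $true
    Write-Output "Enabled Windows Authentication on '$SiteName'; run IISRESET.EXE (step 7)"
} elseif (-not $enabled) {
    Write-Warning "Windows Authentication is disabled on '$SiteName'; re-run with -Enable or use IIS Manager (step 6)"
}
```

Without -Enable the script only reports and changes nothing.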

Google Chrome and Firefox using Integrated Windows Authentication

Cut us open and check... we do bleed Microsoft blue... or red... or green... or whatever colors they are currently using. But, from the perspective of Web software development, Internet Explorer has been a solid disappointment.

Fortunately, both Chrome and Firefox do support IWA, though maybe not as well from an enterprise software perspective.

Last Review: 17 Dec 2016