Windows AuthN

On supported platforms, you can use our security services to authenticate users using Windows Authentication (e.g. against Active Directory).

Windows authentication is triggered at the login page when the user clicks on the Windows icon, or automatically if it is the only provider enabled.

Important note: for Windows Authentication to work, the application must be installed on a server within the same domain as the user, so that the Security application can consult the Windows AD and get the information of the user signing in. For example, if we host the Security application on an AWS instance but try to use the Windows SSO functionality with our SBS user, it will not work: the AWS instance will most probably not be included in the SBS domain, so Security will try to retrieve the user information from the Windows AD of its AWS instance, where of course it will not be found, because the SBS user information is in the Windows AD of the SBS domain.

Basic configuration

Windows Authentication is configured in the authentication service's appsettings.json, under LoginSettings.IdentityProvidersSettings.Windows:

  • Enabled enables this provider. Please check the installation guide, as the server and IIS configuration have some requirements for supporting this provider.
  • IncludeGroups includes the user's groups as claims in the generated token (false by default).

User matching

To be able to log into our system, the authenticated Windows user must already exist in our system. The user is matched using the following user properties, in this order:

  1. Match by SsoUsername.
  2. Match by Username.

We recommend storing the sAMAccountName in SsoUsername, and either the user name without the domain or the UserPrincipalName in Username. Users can be synchronized from the associated Windows Active Directory using the Active Directory sync feature.
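The matching order above, written out as an added example (illustrative code, not the product's own implementation). It assumes the Windows identity arrives either as DOMAIN\account (sAMAccountName form) or as a UserPrincipalName, that comparisons are case-insensitive as Active Directory account names are, and it uses a constructed in-memory user list with the SsoUsername and Username properties named on this page. The third user is deliberately stored with a bare Username equal to another user's SsoUsername, to show that the SsoUsername match wins; find_collisions reports such overlaps so an operator can review them before enabling the provider.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    # Hypothetical shape of a stored user; field names follow the documentation.
    username: str
    sso_username: Optional[str] = None


# Constructed sample user store.
USERS: List[User] = [
    User(username="jdoe@corp.example", sso_username="jdoe"),  # UPN as Username, sAMAccountName as SsoUsername
    User(username="asmith"),                                  # name without domain, no SsoUsername set
    User(username="jdoe"),                                    # bare name that overlaps the first user's SsoUsername
]


def split_windows_identity(name: str) -> Tuple[Optional[str], str]:
    """Split a Windows identity into (domain, account).

    Assumption: DOMAIN\\account yields the sAMAccountName as the account; a UPN
    (account@domain) is returned whole, because the UPN prefix is not
    guaranteed to equal the sAMAccountName.
    """
    if "\\" in name:
        domain, account = name.split("\\", 1)
        return domain, account
    return None, name


def match_user(windows_name: str, users: Iterable[User]) -> Optional[Tuple[User, str]]:
    """Return (user, matched_property) following the documented order:
    1. SsoUsername, 2. Username. Returns None when no stored user matches,
    which is the case the documentation describes: the Windows user must
    already exist in the system."""
    users = list(users)
    _, account = split_windows_identity(windows_name)
    key = account.casefold()  # assumption: case-insensitive like AD account names

    # 1. Match by SsoUsername (recommended to hold the sAMAccountName).
    for user in users:
        if user.sso_username and user.sso_username.casefold() == key:
            return user, "SsoUsername"

    # 2. Match by Username (name without domain, or the UserPrincipalName).
    for user in users:
        if user.username.casefold() == key:
            return user, "Username"

    return None


def find_collisions(users: Iterable[User]) -> Dict[str, List[Tuple[str, str]]]:
    """Report lookup keys that would match more than one (user, property) pair.

    The matching order resolves such overlaps deterministically, but an operator
    should know about them before enabling the provider.
    """
    owners: Dict[str, set] = defaultdict(set)
    for user in users:
        for prop, value in (("SsoUsername", user.sso_username), ("Username", user.username)):
            if value:
                owners[value.casefold()].add((user.username, prop))
    return {key: sorted(pairs) for key, pairs in owners.items() if len(pairs) > 1}


if __name__ == "__main__":
    for identity in ("CORP\\jdoe", "jdoe@corp.example", "corp\\ASMITH", "CORP\\nobody"):
        print(identity, "->", match_user(identity, USERS))
    print("collisions:", find_collisions(USERS))
```

Running the block shows CORP\jdoe resolving to the UPN-named user via SsoUsername rather than to the bare "jdoe" account, the UPN form resolving via Username, and an unknown account returning None.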

Browser configuration

It is also worth mentioning that in Windows we can set when the browser asks for our credentials when using this feature. Under _Internet Options \ Security tab \ Security level for this zone \ Custom level... \ User Authentication \ Logon_ there are four options:

  • Anonymous login
  • Automatic logon only in Intranet zone
  • Automatic logon with current user name and password
  • Prompt for user name and password

We recommend using the third or fourth option when using Windows Authentication in production: the third automatically logs you in with your current Windows credentials when it can, and the fourth always prompts you to enter them manually when signing in.