Windows Client Authenticator App for Maverics
The Windows Client Authenticator App for Maverics allows Windows/IIS users to validate their identity to Maverics Orchestrator using their Windows desktop credentials. The Windows Client Authenticator app must be installed on the IIS server. The app can be downloaded from an Environment.
Requirements
To install the Windows Client Authenticator App, you will need:
- IIS with web server features enabled
- .NET 7.0.13 Windows Server Hosting bundle (the installer will install the bundle for you if not already installed)
- Administrator privileges
- Windows Server 2008 R2 or later
Installation
- Run the installer file
WindowsClientAuthenticatorAppforMaverics.exe
. - Accept the license terms and click Install. The installer will check for the .NET 7.0.13 Windows Server Hosting bundle. If the bundle is not already installed, it will install it for you. When the hosting bundle dialog appears, accept the installation or repair the system.
- Open Internet Information Systems (IIS) Manager.
- From the IIS Manager console, go to Connections and select Windows Client Authenticator App for Maverics.
- Under Windows Client AUthenticator App for Maverics Home > IIS, double click Authentication and complete the following:
- disable Anonymous Authentication
- enable Windows Authentication
- Under Actions (in the far right of the IIS Manager window), click Providers.
- In the modal under Enabled Providers, select Negotiate and click Remove.
- Ensure NTLM is the only enabled provider.
- Click OK.
- Action > Advanced Settings is optional.
- By default, the Windows Client Authenticator runs on port 80. Strata recommends editing the site binding to use https instead for tighter security. To do this:
- From Windows Client Authenticator App for Maverics Home > Actions > Edit Site, click Bindings.
- From Site Bindings, enable HTTPS and change the port (optional). Then click OK.
- Add a DNS record for the Windows Client Authenticator App website binding to your Domain Controller. (Optional if using public DNS)
Configuration with Maverics
To configure Windows Client Authenticator with Maverics, you’ll need to provide a friendly name for the configuration, and the URL of the hostname binding. Optionally, you can provide the path to your certificate authority.
See the Windows Client Authenticator Connector for more details on how to configure Maverics to authenticate against the Windows Client Authenticator App.
Testing the installation
- From your browser, enter the URL of the Windows Client Authenticator App hostname binding.
- At the prompt, enter your Windows credentials for the domain account.
- The landing page should reflect your user name.
Configuration with Windows NT LAN Manager (NTLM)
Windows Client Authenticator can be configured to use seamless NTLM authentication so that users only need to enter their credentials once.
Microsoft Edge and Google Chrome
- Go to Internet Settings > Local Intranet > Advanced.
- Under Add this website to the zone:, add both the Windows Client Authenticator site URL and app URL.
Firefox
- Open a new tab and navigate to
about:config
. - Search for the following parameters and add both the Windows Client Authenticator site URL and app URL (separated by a comma) to all three of them:
network.automatic-ntlm-auth.trusted-uris network.negotiate-auth.delegation-uris network.negotiate-auth.trusted-uris
- Search for the parameter,
signon.autologin.proxy
, and change it totrue
.
High Availablity Deployments
If you wish to deploy the Windows Client Authenticator in an HA environment with multiple IIS servers, a network (layer 4) load balancer that forwards TCP connections is required. Please ensure the load balancer is configured to use source IP, destination IP and port tuple affinity.