Windows Authenticator App


The Windows Client Authenticator App for Maverics allows Windows/IIS users to validate their identity to Maverics Orchestrator using their Windows desktop credentials. The Windows Client Authenticator app must be installed on the IIS server. The app can be downloaded from an Environment.

Requirements

To install the Windows Client Authenticator App, you will need:

  • IIS with web server features enabled

  • .NET 7 or 8 Windows Server Hosting bundle (the installer will install the bundle for you if not already installed)

  • Administrator privileges

  • Windows Server 2008 R2 or later

Installation

  1. Run the installer file WindowsClientAuthenticatorAppforMaverics.exe.

  2. Accept the license terms and click Install. The installer will check for a compatible .NET Windows Server Hosting bundle (7.0.13 or later). If the bundle is not already installed, it will install version 8.0.11 automatically. When the hosting bundle dialog appears, accept the installation or repair the system.

  3. Open Internet Information Services (IIS) Manager.

  4. From the IIS Manager console, go to Connections and select Windows Client Authenticator App for Maverics.

  5. Under Windows Client Authenticator App for Maverics Home > IIS, double click Authentication and ensure it is configured as follows:

  • Anonymous Authentication is Enabled

  • Windows Authentication is Enabled 

    (Screenshot: Authentication settings showing Anonymous Authentication and Windows Authentication enabled.)

  6. Under Actions (in the far right of the IIS Manager window), click Providers.

  • In the modal under Enabled Providers, select Negotiate and click Remove.

  • Ensure NTLM is the only enabled provider.
    (Screenshot: Providers window showing NTLM as the only enabled provider, with Negotiate listed under available providers.)

  • Click OK.

  • Action > Advanced Settings is optional.

  7. By default, the Windows Client Authenticator runs on port 80. Strata recommends editing the site binding to use HTTPS instead for tighter security. To do this:

  • From Windows Client Authenticator App for Maverics Home > Actions > Edit Site, click Bindings.

  • From Site Bindings, enable HTTPS and change the port (optional). Then click OK.

  8. Add a DNS record for the Windows Client Authenticator App website binding to your Domain Controller. (Optional if using public DNS.)
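The IIS Manager steps above can be verified from the command line once the installer has run. The following script is an added example and is not part of Strata's documentation or installer; it assumes an elevated Windows PowerShell session on the IIS server with the WebAdministration module available, and it assumes the site is named exactly as it appears under Connections in IIS Manager. It reads the effective configuration of that site and reports whether Anonymous and Windows Authentication are enabled, whether NTLM is the only Windows Authentication provider, and whether an HTTPS binding exists. It changes nothing.

```powershell
# Added example, not part of Strata's documentation or the installer.
# Reports whether the IIS site created by the installer matches the settings
# required above. Assumes the WebAdministration module (IIS installed) and that
# the site name below is the one shown in IIS Manager under Connections.
Import-Module WebAdministration

$siteName = 'Windows Client Authenticator App for Maverics'   # assumed site name
$sitePath = "IIS:\Sites\$siteName"
$authBase = 'system.webServer/security/authentication'

if (-not (Test-Path $sitePath)) {
    throw "Site '$siteName' not found. Is the Windows Client Authenticator App installed?"
}

# Effective values for this site (site-level overrides merged with applicationHost.config)
$anonEnabled = (Get-WebConfigurationProperty -PSPath $sitePath `
    -Filter "$authBase/anonymousAuthentication" -Name enabled).Value
$winEnabled  = (Get-WebConfigurationProperty -PSPath $sitePath `
    -Filter "$authBase/windowsAuthentication" -Name enabled).Value

# Each <add value="..."/> under windowsAuthentication/providers is one enabled provider
$providers = @(Get-WebConfiguration -PSPath $sitePath `
    -Filter "$authBase/windowsAuthentication/providers/add" |
    ForEach-Object { $_.value })

$allBindings   = @(Get-WebBinding -Name $siteName)
$httpsBindings = @(Get-WebBinding -Name $siteName -Protocol https)

$checks = [ordered]@{
    'Anonymous Authentication enabled' = ($anonEnabled -eq $true)
    'Windows Authentication enabled'   = ($winEnabled -eq $true)
    'NTLM is the only provider'        = ($providers.Count -eq 1 -and $providers[0] -eq 'NTLM')
    'HTTPS binding present'            = ($httpsBindings.Count -ge 1)
}

$allOk = $true
foreach ($entry in $checks.GetEnumerator()) {
    if ($entry.Value) { $state = 'OK  ' } else { $state = 'FAIL'; $allOk = $false }
    Write-Output ("[{0}] {1}" -f $state, $entry.Key)
}
Write-Output ("Providers: {0}" -f ($providers -join ', '))
Write-Output ("Bindings : {0}" -f (($allBindings |
    ForEach-Object { "$($_.protocol) $($_.bindingInformation)" }) -join '; '))

# Non-zero exit code lets the script be used from a build or configuration pipeline
if (-not $allOk) { exit 1 }
```

A FAIL on the provider line usually means Negotiate was not removed in the Providers dialog; a FAIL on the binding line means the site is still listening on plain HTTP only.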

Upgrading from previous versions

Upgrading to a more recent version of the Windows Client Authenticator will preserve your previously configured settings.

If you are upgrading from a version prior to version 2.x, you will need to enable anonymous authentication to utilize the status endpoint. Note that this will only allow anonymous authentication for the /status endpoint - the main root endpoint will continue to challenge via NTLM.

  1. Open Internet Information Services (IIS) Manager.

  2. From the IIS Manager console, go to Connections and select Windows Client Authenticator App for Maverics.

  3. Under Windows Client Authenticator App for Maverics Home > IIS, double click Authentication.

  4. Right click on Anonymous Authentication.

  5. Select Enable.
    (Screenshot: Authentication settings before the change, showing Anonymous Authentication disabled and Windows Authentication enabled.)

Configuration with Maverics

To configure Windows Client Authenticator with Maverics, you'll need to provide a friendly name for the configuration, and the URL of the hostname binding. Optionally, you can provide the path to your certificate authority.

Testing the installation

  1. From your browser, enter the URL of the Windows Client Authenticator App hostname binding.

  2. At the prompt, enter your Windows credentials for the domain account.

  3. The landing page should reflect your user name.

Configuration with Windows NT LAN Manager (NTLM)

Windows Client Authenticator can be configured to use seamless NTLM authentication so that users only need to enter their credentials once.

Microsoft Edge and Google Chrome

  1. Go to Internet Settings > Local Intranet > Advanced.

  2. Under Add this website to the zone:, add both the Windows Client Authenticator site URL and app URL.

Firefox

  1. Open a new tab and navigate to about:config.

  2. Search for the following parameters and add both the Windows Client Authenticator site URL and app URL (separated by a comma) to all three of them:
    network.automatic-ntlm-auth.trusted-uris
    network.negotiate-auth.delegation-uris
    network.negotiate-auth.trusted-uris

  3. Search for the parameter, signon.autologin.proxy, and change it to true.

High Availability Deployments

If you wish to deploy the Windows Client Authenticator in an HA environment with multiple IIS servers, a network (layer 4) load balancer that forwards TCP connections is required. Please ensure the load balancer is configured to use source IP, destination IP and port tuple affinity. NTLM authenticates the TCP connection rather than each individual request, so every connection from a given client must keep reaching the same IIS server for the authentication to hold.

The Windows Client Authenticator includes a status endpoint at <configured hostname>/status, which returns the body OK with HTTP status code 200 if the Windows Client Authenticator is available.
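The status endpoint and the root endpoint behave differently for an unauthenticated client, and both behaviours are worth checking on each IIS server before it is placed behind the load balancer. The following probe is an added example and is not part of Strata's documentation or the Windows Client Authenticator; it assumes a placeholder hostname for the node being checked and that the node's HTTPS certificate is trusted by the machine running the probe. It sends no Windows credentials, so it expects /status to answer 200 OK and the root to answer 401 with an NTLM challenge (and no Negotiate offer, since Negotiate was removed as a provider).

```powershell
# Added example, not part of Strata's documentation or the Windows Client Authenticator.
# Probes one IIS node directly (not through the load balancer) and checks that
# /status answers 200 "OK" anonymously while the root still challenges with NTLM.
# Assumption: $baseUrl is the hostname binding of the node under test (placeholder).
param([string] $baseUrl = 'https://wca-node1.example.internal')   # placeholder hostname

Add-Type -AssemblyName System.Net.Http   # required on Windows PowerShell 5.1, harmless on 7+

$handler = [System.Net.Http.HttpClientHandler]::new()
$handler.UseDefaultCredentials = $false   # send no credentials; we want to see the challenge
$client  = [System.Net.Http.HttpClient]::new($handler)
$client.Timeout = [TimeSpan]::FromSeconds(10)

function Invoke-Probe([string] $url) {
    # One anonymous GET; returns status, body and any WWW-Authenticate schemes offered
    $response = $client.GetAsync($url).GetAwaiter().GetResult()
    [pscustomobject]@{
        Url     = $url
        Status  = [int]$response.StatusCode
        Body    = $response.Content.ReadAsStringAsync().GetAwaiter().GetResult().Trim()
        Schemes = @($response.Headers.WwwAuthenticate | ForEach-Object { $_.Scheme })
    }
}

try {
    $status = Invoke-Probe "$baseUrl/status"
    $root   = Invoke-Probe $baseUrl
}
finally {
    $client.Dispose()
}

$statusOk = ($status.Status -eq 200 -and $status.Body -eq 'OK')
$rootOk   = ($root.Status -eq 401 -and
             $root.Schemes -contains 'NTLM' -and
             $root.Schemes -notcontains 'Negotiate')

$statusTag = if ($statusOk) { 'OK  ' } else { 'FAIL' }
$rootTag   = if ($rootOk)   { 'OK  ' } else { 'FAIL' }
Write-Output ("[{0}] {1} -> {2} {3}" -f $statusTag, $status.Url, $status.Status, $status.Body)
Write-Output ("[{0}] {1} -> {2} challenge: {3}" -f $rootTag, $root.Url, $root.Status,
    ($root.Schemes -join ', '))

# Non-zero exit code so the probe can serve as a pre-deployment gate
if (-not ($statusOk -and $rootOk)) { exit 1 }
```

Run it against each node's own hostname rather than the load-balanced name; a node that passes /status but fails the root check is reachable yet misconfigured (typically Negotiate still enabled or Windows Authentication turned off), which a plain 200-only health check would not reveal.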

Application (layer 7) load balancers should not be used to front an HA deployment of the Windows Client Authenticator.

(Diagram: flow from client machines through the Maverics Orchestrators to the IIS servers.)