Windows Client Authenticator

  • 3 minute(s) read
Prev Next

The Windows Client Authenticator App for Maverics allows Windows/IIS users to validate their identity to Maverics Orchestrator using their Windows desktop credentials. Once the user is logged into Windows, they will be logged into other downstream apps.

The Windows Client Authenticator app must be installed on the IIS server. The app can be downloaded from a deployment.

Requirements

To install the Windows Client Authenticator App, you will need:

  • IIS with web server features enabled

  • .NET 7.0.13 Windows Server Hosting bundle (the installer will install the bundle for you if not already installed)

  • Administrator privileges

  • Windows Server 2008 R2 or later

Installation

  1. Run the installer file WindowsClientAuthenticatorAppforMaverics.exe.

  2. Accept the license terms and click Install. The installer will check for the .NET 7.0.13 Windows Server Hosting bundle. If the bundle is not already installed, it will install it for you. When the hosting bundle dialog appears, accept the installation or repair the system.

  3. Open Internet Information Systems (IIS) Manager.

  4. From the IIS Manager console, go to Connections and select Windows Client Authenticator App for Maverics.

  5. Under Windows Client AUthenticator App for Maverics Home > IIS, double click Authentication and complete the following:

  • disable Anonymous Authentication

  • enable Windows Authentication
     

  1. Under Actions (in the far right of the IIS Manager window), click Providers.

  • In the modal under Enabled Providers, select Negotiate and click Remove.

  • Ensure NTLM is the only enabled provider.
     

  • Click OK.

  • Action > Advanced Settings is optional.

  1. By default, the Windows Client Authenticator runs on port 80. Strata recommends editing the site binding to use https instead for tighter security. To do this:

    • From Windows Client Authenticator App for Maverics Home > Actions > Edit Site, click Bindings.

    • From Site Bindings, enable HTTPS and change the port (optional). Then click OK.

  2. Add a DNS record for the Windows Client Authenticator App website binding to your Domain Controller. (Optional if using public DNS)

Configuration with Maverics

To configure Windows Client Authenticator with Maverics, you'll need to provide a friendly name for the configuration, and the URL of the hostname binding. Optionally, you can provide the path to your certificate authority.

See the Windows Client Authenticator Connector for more details on how to
configure Maverics to authenticate against the Windows Client Authenticator App.

Testing the installation

  1. From your browser, enter the URL of the Windows Client Authenticator App hostname binding.

  2. At the prompt, enter your Windows credentials for the domain account.

  3. The landing page should reflect your user name.

Configuration with Windows NT LAN Manager (NTLM)

Windows Client Authenticator can be configured to use seamless NTLM authentication so that users only need to enter their credentials once.

Microsoft Edge and Google Chrome

  1. Go to Internet Settings > Local Intranet > Advanced.

  2. Under Add this website to the zone:, add both the Windows Client Authenticator site URL and app URL.

Firefox

  1. Open a new tab and navigate to about:config.

  2. Search for the following parameters and add both the Windows Client Authenticator site URL and app URL (separated by a comma) to all three of them:

    network.automatic-ntlm-auth.trusted-uris
network.negotiate-auth.delegation-uris
network.negotiate-auth.trusted-uris

  3. Search for the parameter, signon.autologin.proxy, and change it to true.

High Availablity Deployments

If you wish to deploy the Windows Client Authenticator in an HA environment with multiple IIS servers, a network (layer 4) load balancer that forwards TCP connections is required. Please ensure the load balancer is configured to use source IP, destination IP and port tuple affinity.

Application (layer 7) load balancers should not be used to front an HA deployment of the Windows Client Authenticator.

Configuration options

The following values can be provided to the Windows Client Authenticator connector via the Maverics configuration file.

URL

url of the Windows Client Authenticator App. This field is required.

Transport Layer Security (TLS)

tls references the name of the TLS config defined in the tls section. This tls value configures the HTTP client TLS config for the login request initiated to the Windows Client Authenticator App. This field is optional.

Related articles