The Windows Client Authenticator App for Maverics allows Windows/IIS users to validate their identity to Maverics Orchestrator using their Windows desktop credentials. The Windows Client Authenticator app must be installed on the IIS server. The app can be downloaded from an Environment.
Requirements
To install the Windows Client Authenticator App, you will need:
IIS with web server features enabled
.NET 7.0.13 Windows Server Hosting bundle (the installer will install the bundle for you if not already installed)
Administrator privileges
Windows Server 2008 R2 or later
Installation
Run the installer file WindowsClientAuthenticatorAppforMaverics.exe.
Accept the license terms and click Install. The installer will check for the .NET 7.0.13 Windows Server Hosting bundle. If the bundle is not already installed, it will install it for you. When the hosting bundle dialog appears, accept the installation or repair the system.
Open Internet Information Systems (IIS) Manager.
From the IIS Manager console, go to Connections and select Windows Client Authenticator App for Maverics.
Under Windows Client Authenticator App for Maverics Home > IIS, double-click Authentication and complete the following:
Disable Anonymous Authentication
Enable Windows Authentication
Under Actions (in the far right of the IIS Manager window), click Providers.
In the modal under Enabled Providers, select Negotiate and click Remove.
Ensure NTLM is the only enabled provider.
Click OK.
Action > Advanced Settings is optional.
By default, the Windows Client Authenticator runs on port 80. Strata recommends editing the site binding to use HTTPS instead for tighter security. To do this:
From Windows Client Authenticator App for Maverics Home > Actions > Edit Site, click Bindings.
From Site Bindings, enable HTTPS and change the port (optional). Then click OK.
Add a DNS record for the Windows Client Authenticator App website binding to your Domain Controller. (Optional if using public DNS)
Configuration with Maverics
To configure Windows Client Authenticator with Maverics, you'll need to provide a friendly name for the configuration, and the URL of the hostname binding. Optionally, you can provide the path to your certificate authority.
See the Windows Client Authenticator Connector for more details on how to configure Maverics to authenticate against the Windows Client Authenticator App.
Testing the installation
From your browser, enter the URL of the Windows Client Authenticator App hostname binding.
At the prompt, enter your Windows credentials for the domain account.
The landing page should reflect your user name.
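A check to go with the test above, as an added example that is not part of Strata's documentation or tooling: it inspects the response to a request sent without credentials and flags deviations from the IIS settings in the installation steps (Anonymous Authentication disabled, NTLM as the only provider, HTTPS binding). The hostname wca.example.com and the sample headers are constructed, and the script assumes IIS announces each enabled provider in a WWW-Authenticate header.

```python
import re
import ssl
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")

def offered_schemes(www_authenticate_values):
    """Lower-cased auth schemes named in the WWW-Authenticate header values."""
    schemes = []
    for value in www_authenticate_values:
        # IIS sends one header per provider; a proxy may fold them with commas.
        for part in value.split(","):
            tokens = part.split()
            if tokens and SCHEME.fullmatch(tokens[0]):
                schemes.append(tokens[0].lower())
    return schemes

def audit(url, status, www_authenticate_values):
    """Compare an unauthenticated response with the settings from the steps above."""
    findings = []
    if urlsplit(url).scheme != "https":
        findings.append("site binding is not HTTPS")
    if status != 401:
        findings.append(f"got HTTP {status}, expected 401: check that Anonymous Authentication is disabled")
    schemes = offered_schemes(www_authenticate_values)
    if "ntlm" not in schemes:
        findings.append("NTLM is not offered: check that Windows Authentication is enabled")
    extra = sorted(set(schemes) - {"ntlm"})
    if extra:
        findings.append("providers other than NTLM are offered: " + ", ".join(extra))
    return findings

def probe(url, cafile=None):
    """Send one request without credentials; return (status, WWW-Authenticate values)."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: optional private CA bundle
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
            return resp.status, resp.headers.get_all("WWW-Authenticate") or []
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get_all("WWW-Authenticate") or []

if __name__ == "__main__":
    # Constructed sample response; pass the real hostname binding URL to probe it instead.
    url, status, headers = "https://wca.example.com/", 401, ["Negotiate", "NTLM"]
    if len(sys.argv) > 1:
        url = sys.argv[1]
        status, headers = probe(url)
    for finding in audit(url, status, headers) or ["matches the configuration above"]:
        print(finding)
```

Run it from a machine that does not have the site in a trusted zone, so the request goes out without credentials.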
Configuration with Windows NT LAN Manager (NTLM)
Windows Client Authenticator can be configured to use seamless NTLM authentication so that users only need to enter their credentials once.
Microsoft Edge and Google Chrome
Go to Internet Settings > Local Intranet > Advanced.
Under Add this website to the zone:, add both the Windows Client Authenticator site URL and app URL.
Firefox
Open a new tab and navigate to about:config.
Search for the following parameters and add both the Windows Client Authenticator site URL and app URL (separated by a comma) to all three of them:
network.automatic-ntlm-auth.trusted-uris
network.negotiate-auth.delegation-uris
network.negotiate-auth.trusted-uris
Search for the parameter signon.autologin.proxy and change it to true.
High Availability Deployments
If you wish to deploy the Windows Client Authenticator in an HA environment with multiple IIS servers, a network (layer 4) load balancer that forwards TCP connections is required. Please ensure the load balancer is configured to use source IP, destination IP and port tuple affinity.
Application (layer 7) load balancers should not be used to front an HA deployment of the Windows Client Authenticator.
Configuration options
The following values can be provided to the Windows Client Authenticator connector via the Maverics configuration file.
URL
url is the URL of the Windows Client Authenticator App. This field is required.
Transport Layer Security (TLS)
tls references the name of the TLS config defined in the tls section. This tls value configures the HTTP client TLS config for the login request initiated to the Windows Client Authenticator App. This field is optional.