Setting Up Integrated Windows Authentication

Integrated Windows Authentication allows users to log into Secret Server automatically if they are logged into a workstation with their Active Directory credentials. This works automatically only for Internet Explorer (IE); other browsers prompt for credentials before the page loads. Enabling it prevents the mobile applications from connecting to Secret Server without the additional configuration described in the KB article "Using Mobile Devices with Windows Authentication enabled".

Note that Secure LDAP will only work with Integrated Windows Authentication in Server 2008 R2.

Setting Up Windows Authentication:

  1. Log into Secret Server as a User with Active Directory administration privileges.
  2. Click on Administration, then click on Active Directory, and click "Edit". Check the following boxes:
    1. Enable Active Directory Integration
    2. Enable Synchronization of Active Directory
    3. In 7.8, select any of the options from the Account Options drop down. In versions prior to 7.8, select the Automatically Enable and Disable Accounts during Synchronization checkbox.
    4. Enable Integrated Windows Authentication
  3. Choose a synchronization interval (this indicates how often Secret Server will pull in users from AD) and click Save.
  4. Click Edit Domains, then click Create New and enter the domain to use for Single Sign On and an account to use to pull users from AD. Then click Save and Validate.
  5. Go back to the Active Directory Configuration page and click Edit Synchronization. Move any groups whose users you want SSO to work for into the Synchronized Groups listbox and click Save.
  6. Click Synchronize Now. This will pull all the users of the specified groups into Secret Server.
  7. Open IIS and Edit Authentication and access control under the site's Directory Security properties.
  8. Enable Integrated Windows Authentication and uncheck Enable anonymous access. Make sure that Forms Authentication is still enabled. If Integrated Windows Authentication is not visible, ensure that the Windows Authentication Role Service is installed under the Security section of the Web Server Role in Server Manager.
  9. Browse to the Secret Server directory folder and open the file named web-identity.config.
  10. If you are using SQL authentication to access the database, you can skip this step. To enable Windows database authentication there are two options:
    1. Set the Application Pool identity to a Domain account
    2. For IIS 6.0: The web-identity.config file needs to be edited to allow for impersonation.

    <!-- Uncomment Below For Impersonation -->
    <!-- <identity impersonate="true" /> -->

Should become:

    <!-- Uncomment Below For Impersonation -->
    <identity impersonate="true" user="enter your user" password="user's password"/>
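The following PowerShell script is an added check and is not part of the original article or of Secret Server itself. It reads a web-identity.config after the edit above and reports the three things that commonly go wrong: curly quotes pasted from a web page (which are not valid XML attribute delimiters, so ASP.NET cannot load the file), an element that is still inside the comment, and which impersonation mode the file now selects. The file path and the "/SecretServer" virtual path passed to aspnet_regiis are assumptions; adjust them to your installation.

```powershell
# Added example (not from the original article): sanity-check web-identity.config.
# Assumed default path; override with -Path when running the script.
param([string]$Path = 'C:\inetpub\wwwroot\SecretServer\web-identity.config')

function Test-IdentityConfig {
    param([Parameter(Mandatory)][string]$Path)

    $raw = Get-Content -Path $Path -Raw

    # Curly quotes (U+201C / U+201D) are what some copies of this article show
    # around "true"; XML requires straight quotes, so the file will not load.
    if ($raw -match '[\u201C\u201D]') {
        return 'FAIL: curly quotes found; replace them with straight " characters.'
    }

    # A file that is still entirely commented out has no root element and fails here.
    try { $xml = [xml]$raw }
    catch { return "FAIL: file does not parse as XML (still commented out, or malformed): $($_.Exception.Message)" }

    $identity = $xml.SelectSingleNode('//identity')
    if (-not $identity) { return 'FAIL: no live <identity> element found.' }
    if ($identity.GetAttribute('impersonate') -ne 'true') {
        return 'FAIL: impersonate attribute is not "true".'
    }

    if ($identity.HasAttribute('user')) {
        # Fixed-identity impersonation: every request runs as this one account and
        # its password sits in the file in clear text. aspnet_regiis.exe (in the
        # .NET Framework directory) can encrypt the section in place; the -app
        # virtual path below is an assumption.
        return "OK: impersonating fixed account '$($identity.GetAttribute('user'))'. " +
               'Consider: aspnet_regiis.exe -pe "system.web/identity" -app "/SecretServer"'
    }
    # No user/password: ASP.NET impersonates the Windows user authenticated by IIS
    # on each request, which is the mode step 11 below describes.
    return 'OK: impersonating the authenticated Windows user on each request.'
}

Test-IdentityConfig -Path $Path
```

Run it from an elevated prompt on the web server after saving the file; a FAIL line points at the exact edit still missing, and the two OK variants tell you whether file permissions must be granted to the individual users (per-request impersonation) or only to the single fixed account.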

  11. On the Secret Server folder, make sure that the users who will be logging in have the proper security settings. Since Secret Server will be impersonating those users, they require access to the Secret Server files.
  12. Log in to the Secret Server site from an authenticated workstation.

Note that by default, the launcher will not work off network when Integrated Windows Authentication is used. To fix this, you will need to run Secret Server on Server 2008 or Server 2008 R2. If you are running into this issue, follow these steps:

  1. Open IIS and browse to your Secret Server application
  2. Expand the application node and click on the "Launchers" folder
  3. Click on "Authentication", turn off "Windows Authentication" and turn on "Anonymous Authentication"
  4. Click on the "webservices" folder and follow the same steps to turn off Windows Authentication and turn on Anonymous Authentication
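Steps 7 and 8 above and the four launcher steps just listed are all IIS authentication settings, so they can be applied and verified together from PowerShell instead of clicking through IIS Manager. The script below is an added example, not code from the original article or from Secret Server; it needs the WebAdministration module, so it applies to IIS 7 and later (Server 2008 / 2008 R2), not to the IIS 6 "Directory Security" dialog mentioned in step 7. The site name "Default Web Site" and the application name "SecretServer" are assumptions.

```powershell
# Added example (not from the original article): apply and audit the IIS
# authentication settings described in the steps above. Run elevated on the IIS host.
Import-Module WebAdministration

$Site     = 'Default Web Site'   # assumption: adjust to your site
$App      = 'SecretServer'       # assumption: adjust to your application name
$AuthBase = '/system.webServer/security/authentication'

# Read the effective Windows/Anonymous state for one IIS location.
function Get-AuthState {
    param([Parameter(Mandatory)][string]$Location)
    $win  = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
                -Filter "$AuthBase/windowsAuthentication"   -Name enabled
    $anon = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
                -Filter "$AuthBase/anonymousAuthentication" -Name enabled
    [pscustomobject]@{ Location = $Location; Windows = [bool]$win.Value; Anonymous = [bool]$anon.Value }
}

# Write both settings into a <location> element in applicationHost.config, which is
# what IIS Manager does and which works even while the sections are locked for web.config.
function Set-AuthState {
    param([Parameter(Mandatory)][string]$Location, [bool]$Windows, [bool]$Anonymous)
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$AuthBase/windowsAuthentication"   -Name enabled -Value $Windows
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$AuthBase/anonymousAuthentication" -Name enabled -Value $Anonymous
}

# Step 8: Windows Authentication on and anonymous access off for the application.
Set-AuthState -Location "$Site/$App" -Windows $true -Anonymous $false

# Off-network launcher fix: the Launchers and webservices folders go the other way.
foreach ($folder in 'Launchers', 'webservices') {
    Set-AuthState -Location "$Site/$App/$folder" -Windows $false -Anonymous $true
}

# Forms Authentication is driven by the application's web.config (system.web), not by
# the IIS security section; confirm it is still "Forms" so the local login page works.
$mode = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site\$App" `
            -Filter '/system.web/authentication' -Name mode
$modeText = if ($null -ne $mode.Value) { $mode.Value } else { "$mode" }
"Forms authentication mode for $App : $modeText"

# Show the resulting state so it can be compared with the steps above.
"$Site/$App", "$Site/$App/Launchers", "$Site/$App/webservices" |
    ForEach-Object { Get-AuthState -Location $_ } |
    Format-Table -AutoSize
```

The audit at the end is the useful part when the launcher still fails: it prints one row per location, so a sub-folder that silently inherited Windows Authentication from the application, or a site-level anonymous setting that was never turned off, shows up immediately without reopening each folder in IIS Manager.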

If you aren't automatically logged in to Secret Server after Integrated Windows Authentication is set up, IIS may not be handling the credentials correctly. To fix this, simply recreate the web site in IIS.

When testing Integrated Windows Authentication, keep in mind the requirements set forth in this article: http://support.microsoft.com/kb/258063

Note: You may not be able to log in using Integrated Windows Authentication on the server running Secret Server for Server 2008 and Server 2008 R2. This is due to security settings.

Logging in as a Local Account

After you have set up Integrated Windows Authentication, you may sometimes want to log in as a local admin account. For example, you can do this to configure Secret Server, perform an upgrade, or if AD is down. To log in as a local admin when Integrated Windows Authentication is enabled, do one of the following:

  • Log in to your computer as an Active Directory account that has read access to the Secret Server directory but is not enabled in Secret Server.
  • Browse to Secret Server using FireFox or Chrome.

Next, go to your Secret Server website. You may be prompted for your AD credentials. If you are, log in as a user with read access to the Secret Server directory that is not enabled in Secret Server. After that, you should be redirected to the login page of Secret Server. Finally, select the local domain and enter the local username and password.

Article ID: 90, Created On: 3/29/2010, Modified: 3/30/2012