Configuring Windows Session Authentication

Commander allows you to configure Windows session authentication (single sign-on) using Active Directory. This is accomplished by registering a Service Principal Name (SPN) on the service account that acts as the Secure Token Service (STS), which issues the tokens.

Configure Commander

Access through:

Configuration > Identity and Access > Authentication tab

Available to:

Commander Role of Superuser

You must first integrate one or more Active Directory forests with Commander. While doing so, note the account used to query the directory, as you will specify it while configuring the SPN later. In the image below, the account is administrator@omega.pv.

Each Active Directory user must be added to Commander individually, or as a member of an Active Directory group. A Commander or Service Portal role must be assigned to provide access.

Next, enable pass-through authentication:

  1. On the Authentication tab, in the Windows Session Authentication pane, click Edit and select whether you want to enable pass-through authentication for Commander, the Service Portal, or both.

    Note: If the checkboxes are disabled, SAML SSO is already enabled. It's not possible to use both SAML SSO and Windows Session Authentication.

Configure Active Directory

Next, an administrator must create the SPN on the domain controller.

  1. Sign in to the Domain Controller as administrator, and launch a command prompt as administrator.
  2. Issue the following command:

    setspn.exe -A HTTP/<domain name> [domain\]<user name>

    where

    <domain name> is the domain name, alias, or Commander host name. This is the name users enter in their browsers to access Commander or the Service Portal. If service access has been restricted to a certain network address, be sure to use the restricted address.

    Note: Where heightened security is important, use the exact host name of the Commander server instead of the domain name.

    [domain\]<user name> is the account used to integrate Active Directory with Commander, as noted in the previous section. Use the format <domain>\user if the account isn't in the same domain as the Active Directory server where you're issuing the setspn command (for example, omega.pv\administrator). Otherwise, enter just the user name (for example, administrator).

Repeat this procedure for each connected domain. You must run the setspn command for each network address that can be used to access Commander or the Service Portal (for example, acme.example.com, acmeportal.example.com, and acme).
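The following PowerShell script is an added example (not part of the Commander documentation) that carries out the step above for every address users type into their browsers, on a domain controller. It assumes the service account and the list of access names shown; replace them with your own values.

```powershell
# Added example, not Commander's own tooling.
# Registers one HTTP/<name> SPN per name users enter in their browsers,
# bound to the account Commander uses to query Active Directory.
# Run from an elevated prompt on the domain controller.

$ServiceAccount = 'omega.pv\administrator'   # account from the AD integration (assumption)
$AccessNames    = @(                          # every hostname or alias in use (assumption)
    'acme.example.com',
    'acmeportal.example.com',
    'acme'
)

foreach ($name in $AccessNames) {
    $spn = "HTTP/$name"

    # -S registers the SPN only after verifying it is not already held by
    # another account. A duplicate SPN breaks Kerberos for every holder, so
    # -S is the safer choice over the unconditional -A shown in the manual step.
    & setspn.exe -S $spn $ServiceAccount
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not register $spn for $ServiceAccount. Check for a duplicate with: setspn.exe -Q $spn"
    }
}

# Review: list every SPN now bound to the service account ...
& setspn.exe -L $ServiceAccount

# ... and scan the whole forest for duplicate SPNs, which would explain
# "Unable to sign in using Windows session authentication" errors later.
& setspn.exe -X -F
```

Add a name to `$AccessNames` whenever a new alias or restricted network address is used to reach Commander or the Service Portal, and rerun the script.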

Configure the browser

Finally, users' browsers must be configured to work with these settings. This functionality works only on Windows, with the officially supported browsers: Firefox, Chrome, and Internet Explorer.

For each domain name or alias where pass-through authentication will be used:

  • Internet Explorer and Chrome: Add the domain name to the Local intranet security zone. Both Internet Explorer and Chrome use the trusted sites list configured in Internet Explorer. In Internet Explorer, click Tools > Internet Options, and select the Security tab. Click Local intranet, then Sites. In the Local intranet dialog, click Advanced, then add the website to the zone.

    Note: Where heightened security is important, use the exact host name of the Commander server instead of the domain name.

  • Internet Explorer and Chrome: Select Enable Integrated Windows Authentication. Both Internet Explorer and Chrome use the Internet Options in the Windows Control Panel. This setting requires a computer restart.

  • Firefox: Navigate to the page about:config. Acknowledge the warranty warning. Double-click network.negotiate-auth.trusted-uris and add the domain name. Use commas to separate multiple values.

    Note: Where heightened security is important, use the exact host name of the Commander server instead of the domain name.

What do users see at sign in?

Users can sign in to Commander and the Service Portal with the standard sign-in form, or they can select Use Windows session authentication instead.

Troubleshooting

If a user enables Windows session authentication when Active Directory and/or the browser isn't configured correctly, the message "Unable to sign in using Windows session authentication" is displayed, and the user is prompted to enter their Windows credentials. Verify that Active Directory is configured properly, and that the browser is configured as detailed in Configure the browser.