Configure Windows Session Authentication

Commander allows you to configure Windows session authentication (Single Sign-On) using Active Directory. This is done by registering a Service Principal Name (SPN) for the service account that Commander uses; that account then acts as the Secure Token Service (STS) for token issuing.

Configure Commander

Access:

Configuration > Identity and Access > Authentication tab

Available to:

Commander Role of Superuser

You must first integrate one or more Active Directory forests with Commander. While doing so, note the account used to query the directory, as you will specify it when configuring the SPN later. In the examples that follow, the account is administrator@omega.pv.

Each Active Directory user must be added to Commander, either individually or as a member of an Active Directory group, and assigned a Commander or Service Portal role. Pass-through authentication only signs users in; the role is what grants access.

Next, enable pass-through authentication:

  1. On the Authentication tab, in the Windows Session Authentication pane, click Edit and select whether you want to enable pass-through authentication for Commander, the Service Portal, or both.

    If the checkboxes are unavailable, SAML SSO is already enabled. Commander cannot use both SAML SSO and Windows Session Authentication at the same time.

Configure Active Directory

Next, a domain administrator must register the SPN on the domain controller.

  1. Sign in to the domain controller as an administrator, and launch a command prompt as administrator.
  2. Issue the following command:

    setspn.exe -A HTTP/<domain name> [<domain>\]<user name>

    where

    <domain name> is the DNS name, alias, or Commander host name that users enter in their browsers to access Commander or the Service Portal. If service access has been restricted to a certain network address, use that restricted address.

    Where heightened security is important, use the exact host name of the Commander server (the fully qualified domain name).

    [<domain>\]<user name> is the account used to integrate Active Directory with Commander, as noted in the previous section. Use the <domain>\<user name> form if the account isn't in the same domain as the domain controller where you're issuing the setspn command (for example, omega.pv\administrator). Otherwise, enter just the user name (for example, administrator).

    setspn -A adds the SPN without checking whether another account already holds it. setspn -S performs that duplicate check first and refuses to add a name that is already registered elsewhere in the forest.

    For example, to register the alias acme.example.com on the account omega.pv\administrator, substitute those two values into the command above.

Repeat this procedure for each connected domain, and run the setspn command once for each name that can be used to reach Commander or the Service Portal (for example, acme.example.com, acmeportal.example.com, and acme). Each HTTP/<name> SPN may be registered on only one account in the forest; if a name is already registered on a different account, Kerberos sign-in with that name fails.
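
The SPN registration above, scripted for all of the access names at once, as an added example (this is not the product's or the page's own script). It uses setspn -S rather than -A so that a name already held by another account is refused instead of silently duplicated, and ends with a forest-wide duplicate search. The service account omega.pv\administrator and the three access names are the page's own example values; everything else is assumed. Run it in an elevated prompt on the domain controller.

```powershell
# Added example: register HTTP/ SPNs for every name users type to reach Commander
# or the Service Portal. Run in an elevated prompt on the domain controller.
# The account and the names below are the page's example values, not real ones.
$ServiceAccount = 'omega.pv\administrator'   # account used to integrate AD with Commander
$AccessNames    = @('acme.example.com', 'acmeportal.example.com', 'acme')

foreach ($name in $AccessNames) {
    $spn = "HTTP/$name"

    # An SPN may be held by only one account in the forest. Show who holds it
    # already (if anyone) so a stale entry can be removed deliberately rather
    # than duplicated; Kerberos sign-in with a duplicated name fails.
    $existing = & setspn.exe -Q $spn 2>&1
    if (($existing -join "`n") -match 'Existing SPN found') {
        Write-Warning "$spn is already registered, leaving it as is:`n$($existing -join "`n")"
        continue
    }

    # -S checks the forest for duplicates before adding; -A (as in the manual
    # command on this page) adds without checking.
    & setspn.exe -S $spn $ServiceAccount
    if ($LASTEXITCODE -ne 0) { throw "setspn -S failed for $spn on $ServiceAccount" }
}

# What the account now holds, followed by a forest-wide search for duplicated SPNs.
# Anything reported by -X must be resolved before users test pass-through sign-in.
& setspn.exe -L $ServiceAccount
& setspn.exe -X
```

The account running this needs rights to write servicePrincipalName on the service account, which is why the page has you run it as an administrator on the domain controller. Re-run it whenever an alias is added or Commander moves to a new service account; a stale entry on the old account is removed with setspn -D HTTP/<name> <account>.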

Configure the browser

Users' browsers must be configured to send Windows credentials to the Commander names. This works only on Windows, with the officially supported browsers: Edge, Firefox, and Chrome.

For each domain name or alias where pass-through authentication will be used:

Edge and Chrome

Add the domain name to the Local intranet security zone. Edge and Chrome do not keep a list of their own; they use the zone assignments configured in Windows through the Internet Properties dialog.

To add a website to the zone:

  1. Press the Windows Key + S and enter internet options in the search.
  2. Select Internet Options from the resulting list.
  3. In the Internet Properties dialog, go to the Security tab.
  4. Select Local intranet.
  5. Click Sites.
  6. In the Local intranet dialog, click Advanced.
  7. In the advanced Local intranet dialog, add the website to the zone and click Close.

    Where heightened security is important, use the exact host name of the Commander server (the fully qualified domain name).

  8. Back in the Internet Properties dialog, go to the Advanced tab.
  9. In the Security section of the Settings list, select Enable Integrated Windows Authentication. Edge and Chrome read this setting from the Windows Internet Options rather than from their own settings pages. It takes effect after the computer is restarted.

Firefox

  1. Navigate to about:config and acknowledge the warning. Double-click network.negotiate-auth.trusted-uris and add the domain name. Use commas to separate multiple values.

    When heightened security is important, use the exact host name of the Commander server (the fully qualified domain name).

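The browser settings above, applied from PowerShell as an added example (this is not the product's or the page's own script). It writes the current user's Internet Options zone map and Integrated Windows Authentication flag, which Edge and Chrome read, and sets network.negotiate-auth.trusted-uris for Firefox through an enterprise policy file instead of about:config. The host names, the Firefox install directory and the decision to map only the https scheme are assumptions; the registry layout and the policies.json format are the standard ones.

```powershell
# Added example: browser configuration for pass-through sign-in to Commander.
# Host names, the Firefox install path and the https-only mapping are assumptions.
$Hosts      = @('acme.example.com', 'acmeportal.example.com')   # exact FQDNs, no wildcards
$FirefoxDir = 'C:\Program Files\Mozilla Firefox'                # writing under it needs elevation
$inet       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# ---- Edge and Chrome: Internet Options > Security > Local intranet > Sites > Advanced ----
# Windows keeps the zone map as ZoneMap\Domains\<last two labels>\<leading labels>, with
# one DWORD per URL scheme whose value is the zone number (1 = Local intranet).
foreach ($h in $Hosts) {
    $labels = $h.Split('.')
    if ($labels.Count -eq 1) {
        $key = "$inet\ZoneMap\Domains\$h"                         # short alias such as "acme"
    } else {
        $key = "$inet\ZoneMap\Domains\" + ($labels[-2..-1] -join '.')
        if ($labels.Count -gt 2) { $key += '\' + ($labels[0..($labels.Count - 3)] -join '.') }
    }
    New-Item -Path $key -Force | Out-Null
    # Map https only. A "*" or "http" entry would also let the browser hand its
    # Negotiate/NTLM credentials to a plain-http listener answering to that name.
    New-ItemProperty -Path $key -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null
}

# ---- Internet Options > Advanced > Security > Enable Integrated Windows Authentication ----
# Stored as EnableNegotiate; on by default, set explicitly in case it was locked down.
# Edge and Chrome pick it up after a restart.
New-ItemProperty -Path $inet -Name 'EnableNegotiate' -Value 1 -PropertyType DWord -Force | Out-Null

# ---- Firefox: network.negotiate-auth.trusted-uris via enterprise policy ----
# policies.json under <install dir>\distribution sets and locks the pref for every
# profile on the machine, so users do not have to edit about:config themselves.
# Written as UTF-8 without a byte-order mark, which is what the JSON parser expects.
$policy  = @{ policies = @{ Authentication = @{ SPNEGO = $Hosts } } }
$distDir = Join-Path $FirefoxDir 'distribution'
New-Item -Path $distDir -ItemType Directory -Force | Out-Null
$json    = $policy | ConvertTo-Json -Depth 4
[System.IO.File]::WriteAllText((Join-Path $distDir 'policies.json'), $json,
                               (New-Object System.Text.UTF8Encoding $false))

# Read the result back so it can be checked before users are pointed at it.
Get-ChildItem "$inet\ZoneMap\Domains" -Recurse | Get-ItemProperty | Select-Object PSChildName, https
Get-Content (Join-Path $distDir 'policies.json')
```

The zone map and EnableNegotiate are per-user (HKCU); for a fleet, the same zone entries are distributed with the Group Policy setting Site to Zone Assignment List, and managed Edge and Chrome can instead be given the permitted hosts directly through their AuthServerAllowlist policy, which bypasses the zone map. Keep the list to exact FQDNs: a pattern such as *.example.com lets any host in that domain obtain the user's Windows credentials automatically.
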
What users see at sign-in

Users may sign in to Commander and the Service Portal with the standard sign-in page forms, or they may select Use Windows session authentication instead.

Troubleshooting

If a user selects Windows session authentication when Active Directory and/or the browser isn't configured correctly, the message "Unable to sign in using Windows session authentication" is displayed, and the user is prompted to enter their Windows credentials instead. Verify that the SPN is registered for the name the user typed (see Configure Active Directory), and that the browser is configured as detailed in Configure the browser.
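
A client-side check for that failure, run as the affected user on their domain-joined Windows machine, as an added example (this is not the product's or the page's own script). It separates the things that can be wrong: the name, the SPN in the directory, the Kerberos ticket, and the browser's zone settings. The host name is an assumption; the directory search uses the standard servicePrincipalName attribute and klist is the built-in Windows Kerberos tool.

```powershell
# Added example: why does "Unable to sign in using Windows session authentication" appear?
# Run as the affected user on their domain-joined machine. The host name is an assumption.
$CommanderHost = 'acme.example.com'
$spn  = "HTTP/$CommanderHost"
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. Name resolution. The SPN must be registered for the name in the URL, which is
#    why the setspn step on this page is repeated for every alias.
if (-not (Resolve-DnsName -Name $CommanderHost -ErrorAction SilentlyContinue)) {
    Write-Warning "$CommanderHost does not resolve from this client"
}

# 2. Exactly one account in the forest must hold the SPN. A global catalog search
#    covers the whole forest and needs no RSAT tools on the client.
$forestDn = ([ADSI]'LDAP://RootDSE').rootDomainNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"GC://$forestDn")
$searcher.Filter = "(servicePrincipalName=$spn)"
$holders = @($searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] })
switch ($holders.Count) {
    0       { Write-Warning "No account holds $spn; run setspn on the domain controller" }
    1       { "$spn is registered on $($holders[0])" }
    default { Write-Warning "$spn is duplicated on: $($holders -join '; ')" }
}

# 3. Ask the KDC for a service ticket directly. If no HTTP/ ticket appears in the
#    cache, the problem is in the directory (step 2), not in the browser.
& klist.exe get $spn | Out-Null
if (-not (& klist.exe | Select-String -SimpleMatch $spn)) {
    Write-Warning "No Kerberos ticket for $spn in the cache; the browser will not get one either"
}

# 4. Browser side: the name must map to the Local intranet zone (1) for https,
#    and Integrated Windows Authentication must not have been switched off.
$inZone = Get-ChildItem "$inet\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue |
    Where-Object {
        # Key "Domains\example.com\acme" names the host "acme.example.com".
        $parts = ($_.Name -replace '^.*\\Domains\\', '') -split '\\'
        [array]::Reverse($parts)
        ($parts -join '.') -eq $CommanderHost -and
            (Get-ItemProperty -Path $_.PSPath).https -eq 1
    }
if (-not $inZone) { Write-Warning "$CommanderHost is not in the Local intranet zone for https" }

$neg = (Get-ItemProperty -Path $inet -Name EnableNegotiate -ErrorAction SilentlyContinue).EnableNegotiate
if ($null -ne $neg -and $neg -ne 1) { Write-Warning 'Enable Integrated Windows Authentication is off' }
```

If steps 1 to 3 pass and only step 4 warns, fix the browser as described in Configure the browser; if step 2 or 3 warns, go back to the setspn step, because no browser setting can work around a missing or duplicated SPN.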