Configuring Integrated Windows Authentication

This article applies to Secret Server On-Premises only.

Introduction

Integrated Windows Authentication (IWA) allows users to log into Secret Server automatically if they are logged into a workstation with their Active Directory credentials.

To ensure users can access the Health Status page (see Checking Secret Server Site Status) without logging in, be sure to enable Forms and Anonymous authentication in IIS.
Secure LDAP only works with Integrated Windows Authentication in Server 2008 R2 and later.

The SDK is designed to be used as it is shown below and is not designed to be run using IWA to retrieve tokens or Secret information. Given this, the SDK is not supported with IWA.

Setting Up Windows Authentication

Task 1: Configuring Secret Server

  1. Log into Secret Server as a user with Active Directory administration privileges.

  2. Navigate to and click Administration > Directory Services (in the General section). The Directory Services page appears, opened to the Domains tab.

  3. Click the Add Domain button and select Active Directory Domain or Azure Active Directory Domain. An Active Directory popup appears.

  4. If you chose Active Directory Domain:

    1. Type your FQDN in the Fully Qualified Domain Name text box.
    2. Type the name for people to read in the Friendly Name text box.
    3. Click to select the Active check box.
    4. If you wish to use secure LDAP, click to select the Use LDAPS check box.
    5. Click the Create New Secret link under Synchronization Secret. A popup appears.
    6. Click Active Directory Account in the Choose a Secret Template dropdown list. A Create New Secret popup appears.
    7. Fill in the popup with your desired parameters for your AD secret.
    8. Click the Create Secret button. The popup disappears and the secret name appears on the previous popup.
    9. Click the Site dropdown list to select your desired site.
    10. Click the Multifactor Authentication dropdown list to select your desired type of MFA, if any.
    11. Click the Validate & Save button to commit your choices. The popup disappears and your directory service appears in the table on the Directory Services page.
  5. If you chose Azure Active Directory Domain:

    1. Type your name for people to read in the Domain Name text box.
    2. Click to select the Active check box.
    3. Type your tenant ID in the Tenant ID text box.
    4. Type your client ID in the Client ID text box.
    5. Type your client password in the Client Secret text box.
    6. Click the Multifactor Authentication dropdown list to select your desired type of MFA, if any.
    7. Click the Validate & Save button to commit your choices. The popup disappears and your directory service appears in the table on the Directory Services page.
  6. Click the Configuration tab.

  7. Click the Edit button in the Directory Services section. The section becomes editable.

  8. If necessary, click to select the following check boxes:

    • Enable Directory Services
    • Enable Integrated Windows Authentication.
  9. Click the Save button.

  10. Click the Edit button in the User Synchronization section. The section becomes editable.

  11. Ensure the Enable User Synchronization check box is selected.

  12. Type values in the Days, Hours, and Minutes text boxes to choose a synchronization interval, which is how often Secret Server pulls in users from AD.

  13. Select your desired option from the User Account Options dropdown list.

  14. Select how to handle inactive users in the Automatic User Management dropdown list.

  15. Type your desired number of days in the Days to Keep Operational Log text box.

  16. Click the Save button. The Active Directory Configuration page returns to being read only.

  17. Click the Domains tab.

  18. Click the Synchronize Now button. This pulls all the users of the specified groups into Secret Server.

Task 2: Configuring IIS

  1. Start the Internet Information Services (IIS) Manager.

  2. Navigate to and select your Secret Server website in the Connections tree.

  3. Double-click the Authentication icon in the IIS section to open the Authentication pane.

  4. Enable the Windows Authentication parameter by right-clicking it and selecting Enable. For now, ignore the alert if it appears in the Alert section.

    If Windows Authentication is not visible, ensure that the Windows Authentication role service is installed in Windows. This differs from earlier versions.
  5. Disable the Anonymous Authentication.

  6. Disable the Forms Authentication. The alert in the Alert section should disappear.

  7. When finished, the Authentication settings should only have Windows Authentication enabled.

  8. Restart your IIS server with an iisreset command.

  9. On the Secret Server folder, ensure users have read or higher permission, and ensure the security settings are set to be inherited by child objects. Because Secret Server impersonates those users, they require access to Secret Server files.

  10. Log in to the Secret Server site from an authenticated workstation.

Task 3: Configuring Secret Server Launchers

By default, a launcher will not work when using IWA, resulting in an HTTP 401: Unauthorized error. If this is an issue, ensure Secret Server is on Windows Server 2008 or later and complete the following steps:

  1. Open IIS and browse to your Secret Server application.

  2. Click the > to see the application's folders.

  3. Click to select the launchers folder. The launchers Home panel appears.

  4. Double-click the Authentication icon in the IIS section to open the Authentication pane.

  5. Ensure the Anonymous Authentication is set to Enabled.

  6. Ensure the Windows Authentication is set to Disabled.

  7. Ensure all others are disabled. When you are finished, the settings should have Anonymous Authentication enabled.

  8. Click the webservices folder.

  9. Double-click the Authentication icon in the IIS section to open the Authentication pane.

  10. Ensure the Anonymous Authentication is set to Enabled.

  11. Ensure the Windows Authentication is set to Disabled.

  12. Ensure all others are disabled. When you are finished, the settings should have Anonymous Authentication enabled.

  13. Click the rdp folder.

  14. Double-click the Authentication icon in the IIS section to open the Authentication pane.

  15. Ensure the Anonymous Authentication is set to Enabled.

  16. Ensure the Windows Authentication is set to Disabled.

  17. Ensure all others are disabled.
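The Task 2 and Task 3 settings can also be applied and verified from the command line. The following PowerShell script is an added example, not Delinea's own tooling or documentation; it assumes the IIS site is named SecretServer, that the WebAdministration module is available, and that disabling Forms Authentication is reflected in web.config by setting the ASP.NET authentication mode to Windows (check the resulting authentication element if your web.config differs). Run it in an elevated PowerShell session on the web server.

```powershell
# Added example: applies the site-level and per-folder IIS authentication
# settings from Tasks 2 and 3, checks the file permissions from Task 2 step 9,
# restarts IIS, and reads the effective settings back for verification.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName = 'SecretServer'              # assumption: adjust to your IIS site name
$AppHost  = 'MACHINE/WEBROOT/APPHOST'   # writes go to applicationHost.config <location> tags

# The Windows Authentication role service must be installed before IIS shows it.
if (-not (Get-WindowsFeature -Name Web-Windows-Auth).Installed) {
    Install-WindowsFeature -Name Web-Windows-Auth | Out-Null
}

function Set-IisAuth {
    # Enable or disable Anonymous and Windows authentication for one IIS
    # location (a site name, or site/subfolder).
    param([string]$Location, [bool]$Anonymous, [bool]$Windows)
    $wanted = @{ anonymousAuthentication = $Anonymous; windowsAuthentication = $Windows }
    foreach ($pair in $wanted.GetEnumerator()) {
        Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
            -Filter "system.webServer/security/authentication/$($pair.Key)" `
            -Name enabled -Value $pair.Value
    }
}

# Task 2: the site root runs Windows Authentication only. Forms Authentication
# is turned off by moving ASP.NET's authentication mode to Windows (assumption).
Set-IisAuth -Location $SiteName -Anonymous $false -Windows $true
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.web/authentication' -Name mode -Value 'Windows'

# Task 3: the launcher, web service and RDP folders must stay anonymous,
# otherwise launchers fail with HTTP 401.
foreach ($sub in 'launchers', 'webservices', 'rdp') {
    Set-IisAuth -Location "$SiteName/$sub" -Anonymous $true -Windows $false
}

# Task 2 step 9: impersonated users need at least Read on the site files, and
# the rule must be inheritable so child files and folders get it too.
$sitePath  = [Environment]::ExpandEnvironmentVariables((Get-Website -Name $SiteName).PhysicalPath)
$readRules = (Get-Acl $sitePath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights -match 'Read|Modify|FullControl' -and
    $_.InheritanceFlags -ne 'None'
}
if (-not $readRules) {
    Write-Warning "No inheritable Read rule found on $sitePath; IWA users will get file access errors."
}

# Task 2 step 8: restart IIS so the new authentication modules take effect.
iisreset | Out-Null

# Read the effective settings back so the end state can be compared with the steps.
foreach ($loc in $SiteName, "$SiteName/launchers", "$SiteName/webservices", "$SiteName/rdp") {
    $anon = (Get-WebConfigurationProperty -PSPath $AppHost -Location $loc `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled).Value
    $win  = (Get-WebConfigurationProperty -PSPath $AppHost -Location $loc `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled).Value
    '{0,-26} anonymous={1,-5} windows={2}' -f $loc, $anon, $win
}
```

The settings are written through the MACHINE/WEBROOT/APPHOST path so they land in applicationHost.config location tags, which is where IIS Manager also stores them; this avoids failures caused by the authentication sections being locked against edits in web.config.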

Task 4: Configuring Distributed Engines

Similarly, Secret Server with distributed engines will not work with IWA by default. If this is an issue, complete the following:

  1. In Windows Explorer, navigate to the …\SecretServer\ folder. This folder is mapped to your SecretServer folder in your webserver.

  2. Create a subfolder named …\SecretServer\integrations.

  3. Create a subfolder called …\SecretServer\api in the same location.

  4. In your …\SecretServer\api folder, create a subfolder named …\SecretServer\api\DistributedEngine.

  5. Start IIS Manager.

  6. Navigate the Connections tree back to the integrations folder in the SecretServer node.

  7. Double-click the Authentication icon in the IIS section to open the Authentication pane.

  8. Ensure the Anonymous Authentication is set to Enabled.

  9. Ensure the Windows Authentication is set to Enabled.

  10. Ensure all others are disabled.

  11. Navigate to the …\SecretServer\api\DistributedEngine folder.

  12. Double-click the Authentication icon in the IIS section to open the Authentication pane.

  13. Ensure the Anonymous Authentication is set to Enabled.

  14. Ensure the Windows Authentication is set to Disabled.

  15. Ensure all others are disabled.

Task 5: Configuring Disaster Recovery

Similarly, Secret Server Disaster Recovery will not work with IWA by default. If this is an issue, complete the following:

  1. In Windows Explorer, navigate to the …\SecretServer\ folder. This folder is mapped to your SecretServer folder in your webserver.

  2. Create a subfolder named …\SecretServer\integrations.

  3. Start IIS Manager.

  4. Navigate the Connections tree back to the integrations folder in the SecretServer node.

  5. Double-click the Authentication icon in the IIS section to open the Authentication pane.

  6. Ensure the Anonymous Authentication is set to Enabled.

  7. Ensure all others are disabled.
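Because the per-folder layout from Tasks 2 through 5 is easy to lose when the site is recreated or patched, it is worth re-checking it periodically. The following PowerShell audit is an added example, not Delinea's own tooling; it assumes the IIS site is named SecretServer and that the WebAdministration module is available. The integrations entry follows Task 4 (both Anonymous and Windows enabled); if you use only Disaster Recovery, change it to Anonymous alone as Task 5 describes.

```powershell
# Added example: compares the effective IIS authentication state of every
# folder named in Tasks 2 to 5 against the documented layout and reports drift.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName  = 'SecretServer'              # assumption: adjust to your IIS site name
$AppHost   = 'MACHINE/WEBROOT/APPHOST'
$AuthTypes = 'anonymousAuthentication', 'windowsAuthentication',
             'basicAuthentication', 'digestAuthentication'

# Expected enabled authentication types per location. Anything not listed is
# expected to be disabled ("ensure all others are disabled").
$Expected = @{
    "$SiteName"                       = @('windowsAuthentication')
    "$SiteName/launchers"             = @('anonymousAuthentication')
    "$SiteName/webservices"           = @('anonymousAuthentication')
    "$SiteName/rdp"                   = @('anonymousAuthentication')
    # Task 4 enables both here; Task 5 on its own expects anonymous only.
    "$SiteName/integrations"          = @('anonymousAuthentication', 'windowsAuthentication')
    "$SiteName/api/DistributedEngine" = @('anonymousAuthentication')
}

function Get-IisAuthState {
    # Returns a hashtable of authType -> enabled for one IIS location.
    param([string]$Location)
    $state = @{}
    foreach ($type in $AuthTypes) {
        $prop = Get-WebConfigurationProperty -PSPath $AppHost -Location $Location `
            -Filter "system.webServer/security/authentication/$type" -Name enabled `
            -ErrorAction SilentlyContinue
        # A module that is not installed has no section and reads as disabled.
        $state[$type] = [bool]($prop.Value)
    }
    return $state
}

$sitePath = [Environment]::ExpandEnvironmentVariables((Get-Website -Name $SiteName).PhysicalPath)
$drift = @()
foreach ($loc in ($Expected.Keys | Sort-Object)) {
    # The Task 4 and 5 folders only exist if they were created by hand.
    $rel = $loc.Substring($SiteName.Length).TrimStart('/')
    if ($rel -and -not (Test-Path (Join-Path $sitePath $rel))) {
        $drift += "$loc : folder missing under $sitePath"
        continue
    }
    $actual = Get-IisAuthState -Location $loc
    foreach ($type in $AuthTypes) {
        $want = $Expected[$loc] -contains $type
        if ($actual[$type] -ne $want) {
            $drift += '{0} : {1} is {2}, expected {3}' -f $loc, $type, $actual[$type], $want
        }
    }
}

if ($drift) {
    $drift | ForEach-Object { Write-Warning $_ }
    exit 1
}
'All audited locations match the documented IWA authentication layout.'
```

A non-zero exit code on drift lets the script run unattended from a scheduled task or a configuration-management check, so a folder that silently reverts to Windows Authentication (and a launcher that starts failing with HTTP 401) is caught before users report it.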

Task 6: Configuring Client Certificates

If you are using client certificates, configure the following in IIS for launchers to work:

  1. Click to select the launchers folder. The launchers Home panel appears.

  2. Double-click the SSL Settings icon. The settings panel appears.

  3. Click to set the Client Certificates selection button to Accept.

  4. A dialog box asking you to confirm the change appears.

  5. Click Yes.

  6. Click to select the Webservices folder.

  7. Once again, double-click the SSL Settings icon.

  8. This time, set the Client Certificates selection button to Ignore.
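The same two client-certificate settings can be applied with PowerShell. The following script is an added example, not Delinea's own tooling; it assumes the IIS site is named SecretServer and that the sslFlags attribute reads back as a comma-separated string (Ssl, SslNegotiateCert, SslRequireCert), which is how the SSL Settings radio buttons are stored.

```powershell
# Added example: sets Client Certificates to Accept on launchers and Ignore on
# webservices while leaving each folder's existing "Require SSL" flag as it is.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName = 'SecretServer'              # assumption: adjust to your IIS site name
$AppHost  = 'MACHINE/WEBROOT/APPHOST'

function Set-IisClientCert {
    # Mode maps to the SSL Settings radio buttons: Ignore = no certificate
    # flags, Accept = SslNegotiateCert, Require = SslNegotiateCert + SslRequireCert.
    param(
        [string]$Location,
        [ValidateSet('Ignore', 'Accept', 'Require')][string]$Mode
    )
    $current = "$(Get-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter 'system.webServer/security/access' -Name sslFlags)"
    $existing = ($current -split ',') | ForEach-Object { $_.Trim() }

    $flags = @()
    if ($existing -contains 'Ssl') { $flags += 'Ssl' }   # keep "Require SSL" untouched
    switch ($Mode) {
        'Accept'  { $flags += 'SslNegotiateCert' }
        'Require' { $flags += 'SslNegotiateCert', 'SslRequireCert' }
    }
    $value = if ($flags) { $flags -join ',' } else { 'None' }

    Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value $value
    '{0,-26} sslFlags={1}' -f $Location, $value
}

Set-IisClientCert -Location "$SiteName/launchers"   -Mode Accept
Set-IisClientCert -Location "$SiteName/webservices" -Mode Ignore
```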

If you are not automatically logged in to Secret Server after setting up IWA, IIS may not be handling the credentials correctly. To fix this, recreate the web site in IIS.

When testing IWA, keep in mind the requirements at Your Browser May Prompt You for a Password.

On Windows Server 2008 or later, you may not be able to log in using IWA from the server that is running Secret Server itself, because of security settings.

Troubleshooting

AD User Prompted for Credentials Even Though IWA Is Active

A user is logged onto their machine with the same Active Directory credentials they can log into Secret Server with, but the browser still prompts them for their credentials to reach the site. Ensure your Secret Server site is included in a security zone that allows for automatic logon:

  1. In your browser, go to Internet Options > Security.

  2. Click the Trusted Sites security zone.

  3. Click the Custom Level button. The Security Settings – Trusted Sites Zone dialog box appears.

  4. Scroll down to User Authentication.

  5. Click to select the Automatic logon with current user name and password selection button.

  6. Click the OK button.
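When many workstations prompt for credentials, checking the zone assignment and the zone's logon setting from the registry is faster than clicking through Internet Options on each one. The following PowerShell check is an added example, not Delinea's own tooling; it assumes the Secret Server host name shown, reads only the current user's settings, and reports without changing anything. Zone settings can also be delivered by policy under HKLM, which this check does not cover.

```powershell
# Added example: reports whether the Secret Server host is in the Trusted Sites
# zone and whether that zone is set to automatic logon with the current user's
# name and password, which is what the steps above configure by hand.
$SecretServerHost = 'secretserver.corp.example.com'   # assumption: your Secret Server host name
$ZoneMapDomains   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$TrustedZoneKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'

# Value 1A00 ("Logon") of a zone key: 0 = automatic logon with current user name
# and password, 0x10000 = prompt, 0x20000 = automatic logon only in Intranet
# zone, 0x30000 = anonymous logon.
$LogonMeaning = @{
    0       = 'automatic logon with current user name and password'
    0x10000 = 'prompt for user name and password'
    0x20000 = 'automatic logon only in Intranet zone'
    0x30000 = 'anonymous logon'
}

function Get-ZoneMapEntry {
    # Walks ZoneMap\Domains (domain key, optional host subkey) and returns the
    # entry whose full name equals the host, with its http/https zone numbers.
    param([string]$HostName)
    foreach ($domain in Get-ChildItem $ZoneMapDomains -ErrorAction SilentlyContinue) {
        $candidates = @($domain) + @(Get-ChildItem $domain.PSPath -ErrorAction SilentlyContinue)
        foreach ($key in $candidates) {
            $name = if ($key.PSPath -eq $domain.PSPath) { $domain.PSChildName }
                    else { "$($key.PSChildName).$($domain.PSChildName)" }
            if ($name -ieq $HostName) {
                $props = Get-ItemProperty $key.PSPath
                return [pscustomobject]@{ Key = $key.PSPath; Https = $props.https; Http = $props.http }
            }
        }
    }
}

$entry = Get-ZoneMapEntry -HostName $SecretServerHost
if (-not $entry) {
    Write-Warning "$SecretServerHost is not assigned to any zone; add it to Trusted Sites (zone 2)."
} else {
    $zone = if ($null -ne $entry.Https) { $entry.Https } else { $entry.Http }
    if ($zone -eq 2) { "$SecretServerHost is in the Trusted Sites zone." }
    else { Write-Warning "$SecretServerHost is mapped to zone $zone, not Trusted Sites (2)." }
}

$logon = (Get-ItemProperty $TrustedZoneKey -ErrorAction SilentlyContinue).'1A00'
if ($null -eq $logon) {
    Write-Warning "No 1A00 logon value under HKCU for Trusted Sites; the setting may come from policy (HKLM)."
} else {
    $desc = $LogonMeaning[[int]$logon]
    if (-not $desc) { $desc = "unknown value $logon" }
    if ($logon -eq 0) { "Trusted Sites logon setting: $desc" }
    else { Write-Warning "Trusted Sites logon setting is '$desc'; IWA will prompt until it is set to automatic logon." }
}
```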

Logging in as a Local Account Is Not Available

In Secret Server 10.0 and later, Secret Server requires Integrated Mode in IIS. Integrated Mode can only support either Windows Authentication or Forms Authentication (used for local account authentication), not both. Because of this limitation, Forms Authentication must be disabled for the site when using Integrated Windows Authentication. Thus, logging in as a Secret Server local account is not available when IWA is enabled.

Installing Windows Authentication in Windows Server 2012 Manager

  1. In Server Manager, click the Manage menu and select Add Roles and Features. The Add Roles and Features wizard appears.

  2. Click the Next button. The Select installation type window appears.

  3. Select the installation type.

  4. Click the Next button. The Server selection window appears.

  5. Select the destination server.

  6. Click the Next button. The Server roles window appears.

  7. Click to expand Web Server (IIS) > Web Server > Security.

  8. Click to select Windows Authentication.

  9. Click the Next button. The Select features window appears.

  10. Click the Next button. The Confirmation window appears.

  11. Click the Install button. The Results window appears.

  12. Click the Close button.