Windows

When the Windows authenticator plug-in is installed, the Curity Identity Server supports Integrated Windows Authentication (IWA), letting users log in with either Kerberos or NTLM. A user who already holds a session from logging in to a Windows workstation is authenticated with that session; a user without one is prompted for their normal Windows credentials. This gives organizations single sign-on for their Windows users and reduces the number of credentials those users must manage.

Figure: IWA architecture

Installing the Windows Connector#

To install the Windows Connector, perform the following steps:

  1. Make sure that your Windows Web server has ASP.NET 3.5 or higher enabled.
  2. Copy the files located in <INSTALL_DIR>/misc/windows-connector to the Windows Web server.
  3. Configure a Web site within IIS whose physical path is the directory to which the files were copied. This need not be the default Web site; however, the Windows Connector must be installed at the root of the Web site. It cannot be served from an application, virtual directory, or sub-directory within a site. Ensure that the worker process for this Web site has read access to the directory.
  4. Configure IIS to allow the Connector's web.config file to override the authentication settings:
    • Open the file %windir%/system32/inetsrv/config/applicationHost.config in an editor.
    • Find the sectionGroup element with name="system.webServer". Under this element is another sectionGroup with name="security", which in turn contains a sectionGroup with name="authentication". Within this are section elements. For the ones with name="windowsAuthentication" and name="anonymousAuthentication", change overrideModeDefault to Allow.

Hint: The XPath of the first of these elements is /configuration/configSections/sectionGroup[@name='system.webServer']/sectionGroup[@name='security']/sectionGroup[@name='authentication']/section[@name='windowsAuthentication']

    • Below the security element but still within system.webServer, locate httpErrors. Ensure lockAttributes is blank or does not include defaultPath; if defaultPath is locked there, the Connector's own error handling cannot take effect.
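The edit in step 4 can be scripted instead of done by hand. The following is an added example, not part of the Curity documentation or the Windows Connector package: it opens applicationHost.config, sets overrideModeDefault="Allow" on the two section elements named above using the XPath from the hint, and warns if httpErrors locks defaultPath. It assumes the default location of applicationHost.config and must be run from an elevated PowerShell session on the IIS host; -WhatIf reports what would change without writing.

```powershell
# Added example (not Curity's code): unlock the IIS authentication sections for the
# Windows Connector and check the httpErrors lock. Run elevated on the IIS server.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: IIS installed in the default location.
    [string]$ConfigPath = (Join-Path $env:windir 'system32\inetsrv\config\applicationHost.config')
)

$sections = @('windowsAuthentication', 'anonymousAuthentication')
$base = "/configuration/configSections/sectionGroup[@name='system.webServer']" +
        "/sectionGroup[@name='security']/sectionGroup[@name='authentication']"

# applicationHost.config is the server-wide IIS configuration: keep a copy before editing.
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"

[xml]$cfg = Get-Content -Path $ConfigPath -Raw
$changed = $false

foreach ($name in $sections) {
    $node = $cfg.SelectSingleNode("$base/section[@name='$name']")
    if (-not $node) { throw "Section '$name' not found under $base" }
    $current = $node.GetAttribute('overrideModeDefault')
    if ($current -eq 'Allow') {
        Write-Host "$name already has overrideModeDefault=Allow"
        continue
    }
    if ($PSCmdlet.ShouldProcess($name, "overrideModeDefault '$current' -> 'Allow'")) {
        $node.SetAttribute('overrideModeDefault', 'Allow')
        $changed = $true
    }
}

# httpErrors sits in the server-wide <system.webServer> element. If lockAttributes names
# defaultPath, the Connector's web.config cannot override the error page location.
$httpErrors = $cfg.SelectSingleNode('/configuration/system.webServer/httpErrors')
if ($httpErrors) {
    $locked = $httpErrors.GetAttribute('lockAttributes')
    $lockedList = @($locked -split ',' | ForEach-Object { $_.Trim() })
    if ($lockedList -contains 'defaultPath') {
        Write-Warning "httpErrors lockAttributes='$locked' includes defaultPath; remove it"
    } else {
        Write-Host 'httpErrors does not lock defaultPath'
    }
}

if ($changed) {
    $cfg.Save($ConfigPath)
    Write-Host "Saved $ConfigPath"
}
```

Setting overrideModeDefault="Allow" on a section is the same change that `appcmd unlock config -section:system.webServer/security/authentication/windowsAuthentication` makes; the script only adds a backup, a dry-run mode, and the httpErrors check so that the whole of step 4 can be verified in one pass.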

Configuring an Authenticator#

In order for IWA to work, add an authenticator of type windows. Its ID appears in the URLs accessed by the user and in the Windows Connector configuration. Required settings:

  • windows-connector-url: The HTTPS URL of the Windows Connector site in IIS. The site must present a certificate the Curity Identity Server trusts; include the port if the site is not served on 443.
  • symmetric-key: A shared secret used to encrypt messages between the Windows Connector and the Curity Identity Server. Use a long, randomly generated value; the same value must be set as crypto.key in the Connector's web.config.
  • fail-over-authenticator: (Optional) An authenticator to use when IWA fails.

Configuration Example#

<authenticator>
  <id>win1</id>
  <windows xmlns="https://curity.se/ns/conf/authenticators/windows">
    <windows-connector-url>https://ad.example.com/</windows-connector-url>
    <symmetric-key>MyGoodPassword</symmetric-key>
    <fail-over-authenticator>html-with-sms-otp</fail-over-authenticator>
  </windows>
</authenticator>

Configuring the Windows Connector#

The Windows Connector includes a web.config file with settings that must match your deployment:

  1. In appSettings, set the crypto.key value to the same symmetric key configured for the windows authenticator in the Curity Identity Server.
  2. Set the idsvr.url value to the authentication endpoint URL of your Windows authenticator.
  3. Replace all occurrences of the default URL (https://localhost:8443/dev/authn/anonymous/win1) with the external URL of the anonymous endpoint of your authentication profile in the Curity Identity Server; the last path segment is the authenticator ID (win1 in the example above).
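The three web.config changes can be applied with a script so that the key and URLs are set consistently on every Connector host. The following is an added example, not part of the Windows Connector package: it assumes the standard .NET appSettings layout (<add key="..." value="..."/>) and the default placeholder URL quoted above. The minimum key length and the https-only check are local hardening choices, not requirements stated by the product.

```powershell
# Added example (not Curity's code): apply crypto.key, idsvr.url and the anonymous
# endpoint URL to a Windows Connector web.config.
param(
    [Parameter(Mandatory)][string]$WebConfigPath,        # e.g. C:\inetpub\windows-connector\web.config
    [Parameter(Mandatory)][string]$CryptoKey,            # must equal symmetric-key on the server
    [Parameter(Mandatory)][string]$IdsvrUrl,             # authentication endpoint of the windows authenticator
    [Parameter(Mandatory)][string]$AnonymousEndpointUrl  # external anonymous endpoint of the profile
)

# Placeholder shipped in the Connector's web.config (from the documentation).
$defaultUrl = 'https://localhost:8443/dev/authn/anonymous/win1'

function Set-AppSetting {
    param([xml]$Doc, [string]$Key, [string]$Value)
    $appSettings = $Doc.SelectSingleNode('/configuration/appSettings')
    if (-not $appSettings) { throw 'web.config has no <appSettings> element' }
    $add = $appSettings.SelectSingleNode("add[@key='$Key']")
    if (-not $add) {
        # Assumption: a missing key may be added rather than treated as a broken file.
        $add = $Doc.CreateElement('add')
        $add.SetAttribute('key', $Key)
        [void]$appSettings.AppendChild($add)
    }
    $add.SetAttribute('value', $Value)
}

# Local policy (assumption, not a product rule): the key encrypts every message between
# IIS and the server, so refuse short secrets and non-HTTPS endpoints up front.
if ($CryptoKey.Length -lt 32) { throw 'crypto.key should be a long random value (32+ characters)' }
foreach ($u in @($IdsvrUrl, $AnonymousEndpointUrl)) {
    if ($u -notmatch '^https://') { throw "Endpoint URL must use https: $u" }
}

Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak"

# Step 3 first, as a plain text replace, so every occurrence of the default URL is
# covered wherever it appears in the file.
$text = Get-Content -Path $WebConfigPath -Raw
$text = $text.Replace($defaultUrl, $AnonymousEndpointUrl)

[xml]$cfg = $text
Set-AppSetting -Doc $cfg -Key 'crypto.key' -Value $CryptoKey   # step 1
Set-AppSetting -Doc $cfg -Key 'idsvr.url'  -Value $IdsvrUrl    # step 2
$cfg.Save($WebConfigPath)

# Report the result without echoing the secret.
$cfg.configuration.appSettings.add |
    Where-Object { $_.key -in @('crypto.key', 'idsvr.url') } |
    ForEach-Object {
        $shown = if ($_.key -eq 'crypto.key') { '<redacted>' } else { $_.value }
        '{0} = {1}' -f $_.key, $shown
    }
```

Generate the key once with a cryptographic random source and pass the same string to this script and to symmetric-key in the server configuration; a memorable password such as the one in the configuration example above is fine for a test deployment but not for production.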

Troubleshooting#

Using the Request Log in the Curity Identity Server#

The request log ($IDSVR_HOME/var/log/request.log) includes details of every request. It shows status codes and request parameters, including the IIS status and sub-status codes returned by the Windows Connector (e.g., statusCode=[500], subStatusCode=[50]). Use this to narrow down IIS issues before enabling tracing.

Enable Tracing of the Windows Authenticator#

To capture detailed logs in server.log, enable trace level for the Windows authenticator plugin in the server's log4j2.xml logging configuration:

<AsyncLogger name="se.curity.identityserver.plugins.authenticators.windows" level="TRACE"/>

Do not enable this log except for when troubleshooting. Enabling it will severely impact performance and log sensitive data.

Enable Tracing in IIS#

In web.config, find the trace element in system.web and set enabled="true". Then browse to <windows-connector-host>/Trace.axd to view trace logs. Leave the element's localOnly attribute at its default of true, so that Trace.axd can only be viewed from a browser on the IIS host itself.

Do not enable this log except for when troubleshooting. Enabling it will severely impact performance and log sensitive data.

Disable ASP.NET Errors in IIS#

In web.config, locate customErrors in system.web and set mode="Off". ASP.NET errors will then be displayed by IIS instead of redirecting to the Curity Identity Server. Restore the original mode once troubleshooting is done, since detailed error pages disclose internal paths and stack traces to the browser.

Disable HTTP Errors in IIS#

In web.config, locate httpErrors in system.webServer and set errorMode="Detailed". HTTP errors will then be shown directly by IIS. As with customErrors, revert this setting after troubleshooting. If this setting has no effect, check that defaultPath is not locked in applicationHost.config (see Installing the Windows Connector).

For more details, see the IIS documentation.
