5.8.4 Single Sign-on through IIS

This method assumes that Management and Security Server is set up to use Microsoft IIS web server (Windows only).

If you installed using the automated installer and integrated with IIS during installation, setup is complete. If you used an alternative installation method, see the MSS Installation Guide for more information.

Users who have logged in to Windows do not need to log in again to access sessions. You must administer usernames and passwords through the identity system used by IIS, typically Active Directory.

This authentication method can be used for the Sessions list as well as the Administrative Console. To enable Single Sign-on through IIS:

  1. Open mss/server/conf/container.properties

  2. Insert this line: management.server.iis.url= <url>

    where <url> is the IIS web server address and port along with the /MSS path.

    For example: http://<iisserver>/mss or https://<iisserver>/mss (when TLS is configured on your IIS server).

    If authentication fails, you may need to remove the domain name in order for the domain credentials to be passed to IIS: http://server/mss.

Credential Prompts When Using Single Sign-on

When Management and Security Server is configured to use Single Sign-On through IIS or through Windows, a user will be prompted for credentials under certain circumstances:

  • The browser's process owner is not a valid Windows user or a member of the Active Directory domain. Typically the browser's process owner performs the interactive login to the operating system. However, an exception to this occurs when the Run As command launches the browser as a different user.

  • The browser does not support single sign-on using Kerberos.

    • - In Internet Explorer, this option is enabled by selecting Enable Integrated Windows Authentication. While this option is enabled by default, it can be overridden through Group Policies and practices.
    • - In Mozilla Firefox, you must configure support for Kerberos authentication. Refer to Firefox documentation for instructions.

  • When using Internet Explorer, if the management.server.iis.url property contains periods (such as http://www.microsoft.com or http://10.0.0.1), the requested address is assumed to exist on the Internet. Credentials are not passed automatically, and a credentials prompt will appear. However, Internet Explorer can be configured to automatically pass credentials for such an address by adding it to the Trusted Sites list. Alternatively, you can configure a Custom security level in Internet Explorer to perform an Automatic logon with current username and password.

NOTE:If you use an MSS load balancer with Single Sign-on through IIS, additional persistence configuration is required. See Using a Load Balancer.

Related Topics