Single Sign-on through IIS
This method assumes that Management and Security Server is set up to use Microsoft IIS web server (Windows only).
If you installed using the automated installer and integrated with IIS during installation, setup is complete. If you used an alternative installation method, see the MSS Installation Guide for more information.
Users who have logged in to Windows do not need to log in again to access sessions. You must administer usernames and passwords through the identity system used by IIS, typically Active Directory.
This authentication method can be used for the Sessions list as well as the MSS Administrative Console.
To enable Single Sign-on through IIS:

1. Open mss/server/conf/container.properties.

2. Insert this line:

   management.server.iis.url=<url>

   where <url> is the IIS web server address and port, followed by the /mss path. For example, when TLS is configured on your IIS server:

   https://<iisserver>/mss

   If authentication fails, remove the domain name from the host (use the server's short host name rather than its fully qualified name) so that the browser passes the user's domain credentials to IIS:

   https://server/mss

3. If you want to access the Host Access for the Cloud web client, set the same property in the Session Server's container.properties as well. See Configure Single Sign-on through IIS in the HACloud documentation.
Note
If you use an MSS load balancer with Single Sign-on through IIS, additional persistence configuration is required. See Using a Load Balancer.
Troubleshooting IIS Integration
If you encounter these errors, add or change the following settings.

- Error: "Login failed. Invalid username or password."
  Resolution (in the IIS authentication settings):
  - Change the authentication method to Anonymous.
  - Set Anonymous Authentication to use the Application pool identity.

- Error: "Request Entity Too Large"
  Resolution (use the same value on both sides of the AJP connection):
  - Add the following line to both MSS\server\web\conf\ntiis\worker.properties and \...\ntiis\worker_sec.properties:
    worker.ajp13_worker.max_packet_size=65536
  - Add the following setting to MSS\server\conf\container.properties:
    servletengine.ajpMaxPacketSize=65536
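The enable procedure above (setting management.server.iis.url in container.properties) and the "Request Entity Too Large" fix are both edits to Java-style .properties files, and both are easy to get subtly wrong: a duplicate key, a packet size set on only one side of the AJP connection, or an IIS URL whose host name contains periods so Internet Explorer prompts instead of passing credentials. The following Python script is an added example, not code from the MSS product or its documentation. It sets those properties idempotently, writes the same AJP packet size to container.properties and the worker files, and checks the IIS URL against the guidance on this page (https when IIS has TLS, the /mss path, a short host name). The parsing rules (plain key=value lines, no continuation lines or escapes), the function names, and the sample file contents are assumptions of this example; the property names and the value 65536 are the ones the page gives.

```python
"""Apply the "Single Sign-on through IIS" property settings from this page to
MSS .properties files and sanity-check the IIS URL first.

Added example; not code from the MSS product or its documentation.
Assumed (not from the page): .properties files are plain key=value lines with
'#' or '!' comments and no continuation lines or escapes; the sample file
contents in main() are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Property names and the packet size exactly as the page gives them.
IIS_URL_KEY = "management.server.iis.url"
CONTAINER_AJP_KEY = "servletengine.ajpMaxPacketSize"
WORKER_AJP_KEY = "worker.ajp13_worker.max_packet_size"
AJP_MAX_PACKET = "65536"

# key, optional '=' or ':' separator, value; comment lines do not match
_LINE_RE = re.compile(r"^\s*([^\s=:#!][^\s=:]*)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text: str) -> dict[str, str]:
    """Return the key/value pairs of a .properties text (a later line wins)."""
    props: dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def set_property(text: str, key: str, value: str) -> str:
    """Return text with key=value present exactly once: the first existing
    line for key is rewritten, later duplicates dropped, else a line appended."""
    out: list[str] = []
    done = False
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group(1) == key:
            if not done:
                out.append(f"{key}={value}")
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def check_iis_url(url: str) -> list[str]:
    """Warnings for a management.server.iis.url value, following the page:
    https when IIS has TLS, the /mss path, and a host name without periods so
    Internet Explorer treats it as intranet and passes Windows credentials."""
    warnings: list[str] = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        warnings.append("scheme is not https; only acceptable if IIS has no TLS")
    if not host:
        warnings.append("URL has no host name")
    elif "." in host:
        warnings.append(
            f"host '{host}' contains periods, so Internet Explorer treats it as an "
            "Internet address and prompts instead of passing credentials; use the "
            "short host name (https://server/mss) or add the site to Trusted Sites")
    if parts.path.rstrip("/").lower() != "/mss":
        warnings.append(f"path '{parts.path}' is not /mss")
    return warnings


def audit_ajp_sizes(container_text: str, worker_texts: list[str]) -> list[str]:
    """Report a missing or differing AJP packet size between container.properties
    and the worker files; the page sets both sides to the same value."""
    sizes = {CONTAINER_AJP_KEY: parse_properties(container_text).get(CONTAINER_AJP_KEY)}
    for i, text in enumerate(worker_texts):
        sizes[f"{WORKER_AJP_KEY}[{i}]"] = parse_properties(text).get(WORKER_AJP_KEY)
    problems = [f"{k} is not set" for k, v in sizes.items() if v is None]
    if len({v for v in sizes.values() if v is not None}) > 1:
        problems.append(f"AJP packet sizes differ: {sizes}")
    return problems


def configure_sso(container_text: str, worker_texts: list[str], iis_url: str,
                  ajp_max: str = AJP_MAX_PACKET) -> tuple[str, list[str], list[str]]:
    """Apply the SSO URL plus the 'Request Entity Too Large' settings and return
    (new container text, new worker texts, warnings about the URL)."""
    warnings = check_iis_url(iis_url)
    container = set_property(container_text, IIS_URL_KEY, iis_url)
    container = set_property(container, CONTAINER_AJP_KEY, ajp_max)
    workers = [set_property(t, WORKER_AJP_KEY, ajp_max) for t in worker_texts]
    return container, workers, warnings


if __name__ == "__main__":
    # Constructed sample contents standing in for the real files on disk.
    container = ("# container.properties (constructed)\n"
                 "management.server.iis.url=https://mss.example.com/mss\n")
    worker = ("# worker.properties (constructed)\n"
              "worker.list=ajp13_worker\nworker.ajp13_worker.type=ajp13\n")
    print("before:", audit_ajp_sizes(container, [worker, worker]))
    print("old URL:", check_iis_url(parse_properties(container)[IIS_URL_KEY]))
    new_container, new_workers, warns = configure_sso(
        container, [worker, worker], "https://server/mss")
    print("after:", audit_ajp_sizes(new_container, new_workers), warns)
    print(new_container + new_workers[0], end="")
```

Run it against copies of container.properties, worker.properties and worker_sec.properties and review the warnings before replacing the live files. The other fix on this page, switching the IIS authentication method to Anonymous with the Application pool identity, is an IIS setting rather than a properties-file edit, so the script does not touch it.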
Circumstantial Credential Prompts When Using Single Sign-on
When Management and Security Server is configured to use Single Sign-on through IIS or through Windows, a user is prompted for credentials under these circumstances:

- The browser's process owner is not a valid Windows user or a member of the Active Directory domain. Typically the browser's process owner is the user who performed the interactive login to the operating system; an exception occurs when the Run As command launches the browser as a different user.

- The browser does not support single sign-on using Kerberos.
  - In Mozilla Firefox, you must configure support for Kerberos authentication. Refer to the Firefox documentation for instructions.
  - In Internet Explorer, this option is enabled by selecting Enable Integrated Windows Authentication. Although it is enabled by default, it can be overridden through Group Policy.

- When using Internet Explorer, if the host name in the management.server.iis.url property contains periods (such as http://www.microsoft.com, https://10.0.0.1, or a fully qualified name like https://server.example.com), the requested address is assumed to be on the Internet. Credentials are not passed automatically, and a credentials prompt appears. This is why the enable procedure above recommends the short host name (https://server/mss). Alternatively, Internet Explorer can be configured to pass credentials automatically for such an address by adding it to the Trusted Sites list, or by configuring a Custom security level in Internet Explorer to perform an Automatic logon with current user name and password.