• IAM
• Integrated Windows Authentication

Setup Integrated Windows Authentication For Cloud Apps

---

How Does The MiniOrange IWA Module Work?

This guide will give you an overview of how to set up Integrated Windows Authentication for Cloud Applications.

miniOrange Single Sign-On (SSO) server allows you to log into your application without having to re-enter your credentials. You will first need to successfully achieve windows authentication into the Windows domain, after having logged into a system integrated with an Active Directory domain. miniOrange achieves Windows integrated authentication by installing a component on a Windows Server linked to the Active Directory domain. This setup basically acts as a SAML 2.0 Identity Provider. When the user tries to access a cloud application like Salesforce, the request is forwarded to the miniOrange SSO Server. This Server forwards the request to the on-premise miniOrange SAML module installed on the Windows authentication machine. SSO is performed based on the response received from the module. This is how Windows authentication is used to achieve Windows integrated security.

Prerequisites

• Windows Server 2008 R2/2012/2016/2019
• Internet Information Services (IIS) v7+ for Windows Server
• Active Directory installed and configured with IIS
• PHP v5+ installed & configured with IIS (archive link)
• LDAP extension for PHP (you can follow these instructions to enable the extension)
• A miniOrange account (you can register here)
• The miniOrange Integrated Windows Authentication (IWA) module (Download Link)

1. Setting up a Service Account for Delegated   Authentication

• Identify a Domain Service Account that you can use for delegated authentication; this account will be used by the IWA module
• Open a command prompt window in Administrative Mode and enter the following command:
  setspn -S HTTP/##Server FQDN## ##Domain Service Account##
  For example, let’s say your server FQDN is server.contoso.com, and your domain service account name is CONTOSO\iwauser; then the command will be:
  setspn -S HTTP/server.contoso.com CONTOSO\iwauser
  
• Open Active Directory Users and Computers search for the Domain Service Account used in the previous step
• Navigate to the Delegation tab; select Trust this user for delegation to any service (Kerberos only)
  This user account can now be used for authenticating the IWA module.

2. Installing the IWA module on IIS

• Copy the module to the IIS root directory; the default path is C:\inetpub\wwwroot\
• Open IIS Manager, expand the host entry in the left pane



• Add an Application Pool for the module



• Right-click on this newly created Application Pool and click on Advanced Settings



• Scroll down to Identity under the heading Process Model
  Click on the 3 dots and select Custom Account, enter the credentials of the Domain Service Account and click Set



• Convert the module to an application; assign it to the Application Pool created in Step 3



• Navigate to the Authentication section of the site, disable Anonymous Authentication and enable Windows Authentication



• If the Windows Authentication option is not visible, your IIS installation may be missing the Windows Authentication role. You can install it using the steps outlined in this document.
• Navigate to the Configuration Editor section of the site, search for
  system.webServer/security/authentication/windowsAuthentication
  
  
  
• Set useKernelMode as False and useAppPoolCredentials as True

3. Configuring LDAP connection in the IWA module

• Navigate to the root directory of the IWA module,
  for example C:\inetpub\wwwroot\saml-xecurify\
• Open the file ldapconfig.php for editing
• Set the values of the following fields in the manner shown in this table

Parameter	Description	Sample Value
$this->ldap_server_url	Full URL of your LDAP server, with port	ldap://server.contoso.com:389
$this->ldap_bind_account_dn	Distinguished Name of your LDAP Service Account	CN=Service User,CN=Users,DC=contoso,DC=com
$this->ldap_bind_account_password	Password of your LDAP Service Account	-
$this->search_base	Search base in which to look for users	CN=Users,DC=contoso,DC=com
$this->search_filter	Search filter	(|(userprincipalname=?)(samaccountname=?))
$this->user_attributes	List of attributes that you want to fetch from AD & send in response	array("givenname", "sn", "mail", "department", "userprincipalname")

• Save and close the file

4. Configuring miniOrange as a SAML Service Provider (SP) in the IWA module

• Navigate to the root directory of the IWA module; for example,
  C:\inetpub\wwwroot\saml-xecurify\
• Open the file samlsso.php for editing



• Set the values of the following fields in the manner shown in this table:

Parameter	Value
ACS URL	https://<branding>.xecurify.com/moas/broker/login/saml/acs/<CustomerID> For example, if the branding set in your miniOrange account is iwatest, with customer ID 123456, then the value of this parameter will be: https://iwatest.xecurify.com/moas/broker/login/saml/acs/123456
Issuer	Hostname of the Windows Server, for example https://server.contoso.com
Audience	https://login.xecurify.com/moas

• You can get the value of <CustomerID> by logging into your miniOrange account, and navigating to Product Settings:





• Save and close the file

5. Adding the IWA module as a SAML Identity Provider (IdP) in miniOrange

• Log into your miniOrange account, and navigate to the Identity Providers section on the left
• Click on Add Identity Provider



• Enter a suitable name for the IdP, as well as a suitable display name
• Enter the values for the fields IDP Entity ID, SAML SSO Login URL, and X.509 Certificate as follows:

Parameter	Value
IDP Entity ID	As set in the previous section under Issuer
SAML SSO Login URL	Of the format http://<hostname-of-server>/saml-xecurify/samlsso.php For example, if the FQDN of your Windows Server is server.contoso.com, then the value of this parameter will be: http://server.contoso.com/saml-xecurify/samlsso.php
Audience	https://login.xecurify.com/moas




• Configure Attribute Mapping if required; you can map the attributes fetched from the LDAP in Section 5 to values that will be sent to your applications
• Scroll down to the bottom and click Save.
  The IWA module has now been successfully added as a SAML IdP in miniOrange.

6. Configuring Browsers for Integrated Windows Authentication

• These steps need to be followed on the machines of all the users who will be using the miniOrange IWA module for authentication.

A] Internet Explorer

• Open Internet Explorer
• Navigate to Internet Options
• Go to Security → Local Intranet; click on Sites, and (optionally) on Advanced
• Enter the full URL of the Windows Server and click OK
  For example, http://server.contoso.com
• Under Security Level, select Custom Level
• In the properties window that appears, scroll down to the bottom, and select Automatic Logon only in Intranet Zone
• Click OK to save this setting
• Go to the Advanced Tab, and scroll down to the bottom
• Find and enable the option Enable Integrated Windows Authentication
• Save these settings, and restart the browser to load the changes

B] Google Chrome

• Follow steps 1-7 in the Internet Explorer section (this is required for Windows)
• Optionally, you may need to whitelist the URL of the Windows Server machine where your IIS is hosted; this can be done by adding the following parameter to your Chrome startup: --auth-server-whitelist=
  For example: --auth-server-whitelist="server.contoso.com"
• Click enter and restart the browser to load the changes

C] Mozilla Firefox

• Follow steps 1-7 in the Internet Explorer section (this is required for Windows)
• Open a new browser tab, and enter about:config in the address bar
  Click on Accept the Risk and Continue in case you’re prompted for it
• In the search box, type network.negotiate-auth.trusted-uris
• Click on the edit button near the result, and add the FQDN of the Windows Server in the text box that pops up
  For example, server.contoso.com
• Click enter and restart the browser to load the changes

External References

• 2FA for Windows Login and RDP