Setup Windows Integrated Authentication for Cloud Applications
How Does The MiniOrange IWA Module Work?
This guide will give you an overview of how to set up Windows Integrated Authentication for Cloud Applications.
miniOrange Single Sign-On (SSO) server allows you to log into your application without having to re-enter your credentials. You will first need to successfully achieve windows authentication into the Windows domain, after having logged into a system integrated with an Active Directory domain. miniOrange achieves Windows integrated authentication by installing a component on a Windows Server linked to the Active Directory domain. This setup basically acts as a SAML 2.0 Identity Provider. When the user tries to access a cloud application like Salesforce, the request is forwarded to the miniOrange SSO Server. This Server forwards the request to the on-premise miniOrange SAML module installed on the Windows authentication machine. SSO is performed based on the response received from the module. This is how Windows authentication is used to achieve Windows integrated security.
Prerequisites
- Windows Server 2008 R2/2012/2016/2019
- Internet Information Services (IIS) v7+ for Windows Server
- Active Directory installed and configured with IIS
- PHP v5+ installed & configured with IIS (archive link)
- LDAP extension for PHP (you can follow these instructions to enable the extension)
- A miniOrange account (you can register here)
- The miniOrange Integrated Windows Authentication (IWA) module (Download Link)
Step 1: Setting up a Service Account for Delegated Authentication
- Identify a Domain Service Account that you can use for delegated authentication; this account will be used by the IWA module
- Open a command prompt window in Administrative Mode and enter the following command:
setspn -S HTTP/##Server FQDN## ##Domain Service Account##
For example, let’s say your server FQDN is server.contoso.com, and your domain service account name is CONTOSO\iwauser; then the command will be:
setspn -S HTTP/server.contoso.com CONTOSO\iwauser
- Open Active Directory Users and Computers search for the Domain Service Account used in the previous step
- Navigate to the Delegation tab; select Trust this user for delegation to any service (Kerberos only)
This user account can now be used for authenticating the IWA module.
Step 2: Installing the IWA module on IIS
- Copy the module to the IIS root directory; the default path is C:\inetpub\wwwroot\
- Open IIS Manager, expand the host entry in the left pane
- Add an Application Pool for the module
- Right-click on this newly created Application Pool and click on Advanced Settings
- Scroll down to Identity under the heading Process Model
Click on the 3 dots and select Custom Account, enter the credentials of the Domain Service Account and click Set - Convert the module to an application; assign it to the Application Pool created in Step 3
- Navigate to the Authentication section of the site, disable Anonymous Authentication and enable Windows Authentication
- If the Windows Authentication option is not visible, your IIS installation may be missing the Windows Authentication role. You can install it using the steps outlined in this document.
- Navigate to the Configuration Editor section of the site, search for
system.webServer/security/authentication/windowsAuthentication
Set useKernelMode as False and useAppPoolCredentials as True
Step 3: Configuring LDAP connection in the IWA module
- Navigate to the root directory of the IWA module,
for example C:\inetpub\wwwroot\saml-xecurify\ - Open the file ldapconfig.php for editing
- Set the values of the following fields in the manner shown in this table
- Save and close the file
| Parameter | Description | Sample Value |
| $this->ldap_server_url | Full URL of your LDAP server, with port | ldap://server.contoso.com:389 |
| $this->ldap_bind_account_dn | Distinguished Name of your LDAP Service Account | CN=Service User,CN=Users,DC=contoso,DC=com |
| $this->ldap_bind_account_password | Password of your LDAP Service Account | - |
| $this->search_base | Search base in which to look for users | CN=Users,DC=contoso,DC=com |
| $this->search_filter | Search filter | (|(userprincipalname=?)(samaccountname=?)) |
| $this->user_attributes | List of attributes that you want to fetch from AD & send in response | array("givenname", "sn", "mail", "department", "userprincipalname") |
Step 4: Configuring miniOrange as a SAML Service Provider (SP) in the IWA module
- Navigate to the root directory of the IWA module; for example,
C:\inetpub\wwwroot\saml-xecurify\ - Open the file samlsso.php for editing
- Set the values of the following fields in the manner shown in this table:
- You can get the value of <CustomerID> by logging into your miniOrange account, and navigating to Product Settings:
- Save and close the file
| Parameter | Value |
| ACS URL | https://<branding>.xecurify.com/moas/broker/login/saml/acs/<CustomerID> For example, if the branding set in your miniOrange account is iwatest, with customer ID 123456, then the value of this parameter will be: https://iwatest.xecurify.com/moas/broker/login/saml/acs/123456 |
| Issuer | Hostname of the Windows Server, for example https://server.contoso.com |
| Audience | https://login.xecurify.com/moas |
Step 5: Adding the IWA module as a SAML Identity Provider (IdP) in miniOrange
- Log into your miniOrange account, and navigate to the Identity Providers section on the left
- Click on Add Identity Provider
- Enter a suitable name for the IdP, as well as a suitable display name
- Enter the values for the fields IDP Entity ID, SAML SSO Login URL, and X.509 Certificate as follows:
- Configure Attribute Mapping if required; you can map the attributes fetched from the LDAP in Section 5 to values that will be sent to your applications
- Scroll down to the bottom and click Save.
The IWA module has now been successfully added as a SAML IdP in miniOrange.
| Parameter | Value |
| IDP Entity ID | As set in the previous section under Issuer |
| SAML SSO Login URL | Of the format http://<hostname-of-server>/saml-xecurify/samlsso.php For example, if the FQDN of your Windows Server is server.contoso.com, then the value of this parameter will be: http://server.contoso.com/saml-xecurify/samlsso.php |
| Audience | https://login.xecurify.com/moas |
Step 6: Configuring Browsers for Integrated Windows Authentication
- These steps need to be followed on the machines of all the users who will be using the miniOrange IWA module for authentication.
- Open Internet Explorer
- Navigate to Internet Options
- Go to Security → Local Intranet; click on Sites, and (optionally) on Advanced
- Enter the full URL of the Windows Server and click OK
For example, http://server.contoso.com - Under Security Level, select Custom Level
- In the properties window that appears, scroll down to the bottom, and select Automatic Logon only in Intranet Zone
- Click OK to save this setting
- Go to the Advanced Tab, and scroll down to the bottom
- Find and enable the option Enable Integrated Windows Authentication
- Save these settings, and restart the browser to load the changes
- Follow steps 1-7 in the Internet Explorer section (this is required for Windows)
- Optionally, you may need to whitelist the URL of the Windows Server machine where your IIS is hosted; this can be done by adding the following parameter to your Chrome startup: --auth-server-whitelist=
For example: --auth-server-whitelist="server.contoso.com" - Click enter and restart the browser to load the changes
- Follow steps 1-7 in the Internet Explorer section (this is required for Windows)
- Open a new browser tab, and enter about:config in the address bar
Click on Accept the Risk and Continue in case you’re prompted for it - In the search box, type network.negotiate-auth.trusted-uris
- Click on the edit button near the result, and add the FQDN of the Windows Server in the text box that pops up
For example, server.contoso.com - Click enter and restart the browser to load the changes
A] Internet Explorer
B] Google Chrome
C] Mozilla Firefox
External References
Contents
- Prerequisites
- Step 1 Setting up a Service Account for Delegated Authentication
- Step 2 Installing the IWA module on IIS
- Step 3 Configuring LDAP connection in the IWA module
- Step 4 Configuring miniOrange as a SAML Service Provider (SP) in the IWA module
- Step 5 Adding the IWA module as a SAML Identity Provider (IdP) in miniOrange
- Step 6 Configuring Browsers for Integrated Windows Authentication
- External References
×
![]()
Hello there!
Need Help? We are right here!
