Setup Windows Integrated Authentication for Cloud Applications

How Does the miniOrange IWA Module Work?

This guide gives a brief overview of setting up Windows Integrated Authentication for cloud applications.

The miniOrange Single Sign-On (SSO) server lets you log in to your applications without re-entering your credentials once you have authenticated to the Windows domain by logging in to a machine joined to the Active Directory domain. miniOrange achieves this by installing a component on a Windows Server joined to the Active Directory (AD) domain; this component acts as a SAML 2.0 Identity Provider. When a user tries to access a cloud application such as Salesforce, the request is sent to the miniOrange SSO Server, which forwards it to the on-premise miniOrange SAML module installed on the Windows machine. The module determines which user is logged in, and miniOrange performs SSO based on the module's response.

Prerequisites

  • Windows Server 2008 R2/2012/2016/2019
  • Internet Information Services (IIS) v7+ for Windows Server
  • Active Directory installed and configured with IIS
  • PHP v5+ installed & configured with IIS (archive link)
  • LDAP extension for PHP (you can follow these instructions to enable the extension)
  • A miniOrange account (you can register here)
  • The miniOrange Integrated Windows Authentication (IWA) module (Download Link)

Step 1: Setting up a Service Account for Delegated Authentication

  • Identify a Domain Service Account that you can use for delegated authentication; this account will be used by the IWA module
  • Open a command prompt window in Administrative Mode and enter the following command:
    setspn -S HTTP/##Server FQDN## ##Domain Service Account##
    For example, let’s say your server FQDN is server.contoso.com, and your domain service account name is CONTOSO\iwauser; then the command will be:
    setspn -S HTTP/server.contoso.com CONTOSO\iwauser
  • Open Active Directory Users and Computers and search for the Domain Service Account used in the previous step
  • Navigate to the Delegation tab; select Trust this user for delegation to any service (Kerberos only)
    This user account can now be used for authenticating the IWA module.
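The same step as a script, with the checks a Kerberos setup usually needs before going further. This is an added example, not part of the miniOrange guide: it assumes the RSAT ActiveDirectory module is installed on the machine you run it from, and uses the guide's sample names (server.contoso.com, CONTOSO\iwauser) as placeholders for your own. The "Trust this user for delegation to any service (Kerberos only)" option is the TRUSTED_FOR_DELEGATION flag (unconstrained delegation); the script sets exactly that flag and reads it back so the resulting state is visible in the output.

```powershell
# Added example, not part of the miniOrange guide: scripted equivalent of Step 1 with
# the checks a Kerberos setup usually needs. Assumes the RSAT ActiveDirectory module is
# installed and uses the guide's sample names (server.contoso.com, CONTOSO\iwauser) as
# placeholders for your own.
#Requires -RunAsAdministrator
param(
    [string]$ServerFqdn     = 'server.contoso.com',
    [string]$ServiceAccount = 'iwauser',      # sAMAccountName without the domain prefix
    [string]$Domain         = 'CONTOSO'
)
Import-Module ActiveDirectory

$spn = "HTTP/$ServerFqdn"

# 1. A duplicate SPN leaves the KDC unable to choose a key, so clients fall back to NTLM or
#    fail outright. Refuse to continue if another account already holds this SPN.
$owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName
foreach ($owner in $owners) {
    if ($owner.sAMAccountName -ne $ServiceAccount) {
        throw "SPN $spn is already registered on $($owner.DistinguishedName)"
    }
}

# 2. Register the SPN, exactly as the guide's command does:
#    setspn -S HTTP/server.contoso.com CONTOSO\iwauser
setspn -S $spn "$Domain\$ServiceAccount"
if ($LASTEXITCODE -ne 0) { throw "setspn exited with code $LASTEXITCODE" }

# 3. "Trust this user for delegation to any service (Kerberos only)" is the
#    TRUSTED_FOR_DELEGATION flag, i.e. unconstrained delegation.
Set-ADAccountControl -Identity $ServiceAccount -TrustedForDelegation $true

# 4. Read both settings back so the result is verified rather than assumed.
$account = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName, TrustedForDelegation
[pscustomobject]@{
    Account              = "$Domain\$($account.SamAccountName)"
    SPNs                 = ($account.servicePrincipalName -join ', ')
    TrustedForDelegation = $account.TrustedForDelegation
}
```

Run it from an elevated PowerShell session on a domain-joined machine; if the duplicate-SPN check throws, resolve the clash first, since `setspn -S` would refuse the registration anyway and a pre-existing duplicate is the usual reason Windows Authentication silently degrades to NTLM.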

Step 2: Installing the IWA module on IIS

  • Copy the module to the IIS root directory; the default path is C:\inetpub\wwwroot\
  • Open IIS Manager and expand the host entry in the left pane
  • Add an Application Pool for the module
  • Right-click on this newly created Application Pool and click on Advanced Settings
  • Scroll down to Identity under the heading Process Model
    Click on the 3 dots, select Custom Account, enter the credentials of the Domain Service Account and click Set
  • Convert the module to an application and assign it to the Application Pool created above
  • Navigate to the Authentication section of the site, disable Anonymous Authentication and enable Windows Authentication
  • If the Windows Authentication option is not visible, your IIS installation may be missing the Windows Authentication role. You can install it using the steps outlined in this document.
  • Navigate to the Configuration Editor section of the site and search for
    system.webServer/security/authentication/windowsAuthentication
    Set useKernelMode to False and useAppPoolCredentials to True, so that IIS decrypts Kerberos tickets with the Application Pool identity, which is the account the SPN was registered to in Step 1
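The IIS part of the procedure as a script using the WebAdministration module that ships with IIS Manager, ending with a read-back of the four authentication settings that matter here. This is an added example, not code from the guide or the miniOrange module; the site name 'Default Web Site', the pool name 'miniOrangeIWA' and the module folder name 'saml-xecurify' (the folder the guide's later steps use) are assumptions.

```powershell
# Added example, not part of the miniOrange guide: scripted equivalent of Step 2.
# Assumes the WebAdministration module (installed with IIS Manager). Site name, pool name
# and the module folder 'saml-xecurify' under C:\inetpub\wwwroot\ are assumptions.
#Requires -RunAsAdministrator
param(
    [string]$SiteName = 'Default Web Site',
    [string]$AppName  = 'saml-xecurify',
    [string]$PoolName = 'miniOrangeIWA',
    [string]$PoolUser = 'CONTOSO\iwauser',            # the SPN owner from Step 1
    [securestring]$PoolPassword = (Read-Host -AsSecureString 'Service account password')
)
Import-Module WebAdministration

$physicalPath = "C:\inetpub\wwwroot\$AppName"
if (-not (Test-Path $physicalPath)) { throw "Module folder $physicalPath not found; copy the module first" }

# Application pool running as the domain service account. IIS stores the password
# encrypted in applicationHost.config; it is only ever in memory here.
if (-not (Test-Path "IIS:\AppPools\$PoolName")) { New-WebAppPool -Name $PoolName | Out-Null }
$plain = [System.Net.NetworkCredential]::new('', $PoolPassword).Password
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 'SpecificUser'; userName = $PoolUser; password = $plain
}

# Convert the module folder to an application in that pool (same as the IIS Manager
# "Convert to Application" dialog).
if (-not (Get-WebApplication -Site $SiteName -Name $AppName)) {
    ConvertTo-WebApplication -PSPath "IIS:\Sites\$SiteName\$AppName" -ApplicationPool $PoolName | Out-Null
} else {
    Set-ItemProperty "IIS:\Sites\$SiteName\$AppName" -Name applicationPool -Value $PoolName
}

# Authentication sections are locked at the server level, so write them as a <location>
# entry in applicationHost.config for this application.
$location = "$SiteName/$AppName"
$apphost  = 'MACHINE/WEBROOT/APPHOST'
$anonPath = 'system.webServer/security/authentication/anonymousAuthentication'
$winPath  = 'system.webServer/security/authentication/windowsAuthentication'

# Anonymous off, Windows on: otherwise unauthenticated requests reach samlsso.php.
Set-WebConfigurationProperty -PSPath $apphost -Location $location -Filter $anonPath -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $apphost -Location $location -Filter $winPath  -Name enabled -Value $true
# The SPN sits on the pool account, so ticket decryption has to use the pool identity
# rather than the machine account that kernel-mode authentication would use.
Set-WebConfigurationProperty -PSPath $apphost -Location $location -Filter $winPath -Name useKernelMode -Value $false
Set-WebConfigurationProperty -PSPath $apphost -Location $location -Filter $winPath -Name useAppPoolCredentials -Value $true

# Read back and fail loudly if any of the four settings is not what the guide requires.
$anon = Get-WebConfiguration -PSPath $apphost -Location $location -Filter $anonPath
$win  = Get-WebConfiguration -PSPath $apphost -Location $location -Filter $winPath
if ($anon.enabled -or -not $win.enabled -or $win.useKernelMode -or -not $win.useAppPoolCredentials) {
    throw "Authentication settings for $location are not as expected"
}
"Configured $location in pool $PoolName (anonymous=$($anon.enabled), windows=$($win.enabled), " +
"useKernelMode=$($win.useKernelMode), useAppPoolCredentials=$($win.useAppPoolCredentials))"
```

If the Windows Authentication role is missing, `Set-WebConfigurationProperty` on the windowsAuthentication section fails; install the role first, as the step above describes, and rerun.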

Step 3: Configuring LDAP connection in the IWA module

  • Navigate to the root directory of the IWA module,
    for example C:\inetpub\wwwroot\saml-xecurify\
  • Open the file ldapconfig.php for editing
  • Set the values of the following fields as shown in this table:

    Parameter                          Description                                                    Sample Value
    $this->ldap_server_url             Full URL of your LDAP server, with port                        http://server.contoso.com:389
    $this->ldap_bind_account_dn        Distinguished Name of your LDAP Service Account                CN=Service User,CN=Users,DC=contoso,DC=com
    $this->ldap_bind_account_password  Password of your LDAP Service Account                          -
    $this->search_base                 Search base in which to look for users                         CN=Users,DC=contoso,DC=com
    $this->search_filter               Search filter                                                  (|(userprincipalname=?)(samaccountname=?))
    $this->user_attributes             List of attributes to fetch from AD and send in the response   array("givenname", "sn", "mail", "department", "userprincipalname")
  • Save and close the file
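A pre-flight check for the values entered above, run from the IIS host before the PHP module is put in front of users. This is an added example, not part of the guide or the module: it binds with the same service account DN, applies the guide's search filter to a constructed test user and requests the same attribute list, so a wrong DN, password, search base or filter shows up immediately. It assumes, as the filter's shape suggests, that the `?` placeholder is replaced by the authenticated user's logon name; the test user 'jdoe' and the use of LDAPS on port 636 are assumptions.

```powershell
# Added example, not part of the miniOrange guide: pre-flight check of the Step 3
# LDAP settings. Sample values from the guide's table; test user and port 636 are assumed.
param(
    [string]$LdapHost       = 'server.contoso.com',
    [int]$Port              = 636,
    [string]$BindDn         = 'CN=Service User,CN=Users,DC=contoso,DC=com',
    [securestring]$BindPassword = (Read-Host -AsSecureString 'Bind password'),
    [string]$SearchBase     = 'CN=Users,DC=contoso,DC=com',
    [string]$FilterTemplate = '(|(userprincipalname=?)(samaccountname=?))',
    [string[]]$Attributes   = @('givenname', 'sn', 'mail', 'department', 'userprincipalname'),
    [string]$TestUser       = 'jdoe'                    # constructed test identity
)

# RFC 4515 escaping. The value substituted for '?' originates from the Windows logon name,
# so the characters that carry meaning inside a filter must be neutralised before use.
function ConvertTo-LdapFilterValue([string]$Value) {
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

$filter = $FilterTemplate.Replace('?', (ConvertTo-LdapFilterValue $TestUser))

# Mirror the module's simple bind: over TLS on 636, in cleartext on anything else.
if ($Port -eq 636) {
    $authType = [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
} else {
    Write-Warning "Simple bind on port $Port sends the service account password in cleartext"
    $authType = [System.DirectoryServices.AuthenticationTypes]::None
}
$plain = [System.Net.NetworkCredential]::new('', $BindPassword).Password
$root  = [System.DirectoryServices.DirectoryEntry]::new("LDAP://${LdapHost}:${Port}/${SearchBase}", $BindDn, $plain, $authType)

$searcher = [System.DirectoryServices.DirectorySearcher]::new($root, $filter, $Attributes)
$searcher.SearchScope = 'Subtree'

$result = $searcher.FindOne()          # throws on a failed bind or unreachable server
if (-not $result) { throw "No entry under $SearchBase matched $filter" }

# Return the same fields the module would send in its SAML response.
$out = [ordered]@{ dn = $result.Path; filter = $filter }
foreach ($attr in $Attributes) {
    $out[$attr] = ($result.Properties[$attr] | Select-Object -First 1)
}
[pscustomobject]$out
```

The guide's sample URL uses port 389; with a simple bind that means the service account password crosses the network in cleartext on every lookup, which is why the check defaults to 636 and warns when run against any other port. Empty attribute columns in the output usually mean the attribute is not populated for that user or the service account lacks read permission on it, both of which would otherwise appear only as missing SAML attributes downstream.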

Step 4: Configuring miniOrange as a SAML Service Provider (SP) in the IWA module

  • Navigate to the root directory of the IWA module; for example,
    C:\inetpub\wwwroot\saml-xecurify\
  • Open the file samlsso.php for editing
  • Set the values of the following fields as shown in this table:

    Parameter   Value
    ACS URL     https://<branding>.xecurify.com/moas/broker/login/saml/acs/<CustomerID>
                For example, if the branding set in your miniOrange account is iwatest, with customer ID 123456, then the value of this parameter will be:
                https://iwatest.xecurify.com/moas/broker/login/saml/acs/123456
    Issuer      Hostname of the Windows Server, for example https://server.contoso.com
    Audience    https://login.xecurify.com/moas
  • You can get the value of <CustomerID> by logging into your miniOrange account, and navigating to Product Settings:
  • Save and close the file

Step 5: Adding the IWA module as a SAML Identity Provider (IdP) in miniOrange

  • Log into your miniOrange account, and navigate to the Identity Providers section on the left
  • Click on Add Identity Provider
  • Enter a suitable name for the IdP, as well as a suitable display name
  • Enter the values for the fields IDP Entity ID, SAML SSO Login URL, and X.509 Certificate as follows:

    Parameter           Value
    IDP Entity ID       As set in the previous section under Issuer
    SAML SSO Login URL  Of the format http://<hostname-of-server>/saml-xecurify/samlsso.php
                        For example, if the FQDN of your Windows Server is server.contoso.com, then the value of this parameter will be:
                        http://server.contoso.com/saml-xecurify/samlsso.php
    Audience            https://login.xecurify.com/moas
  • Configure Attribute Mapping if required; you can map the attributes fetched from LDAP in the LDAP configuration step above (Step 3) to values that will be sent to your applications
  • Scroll down to the bottom and click Save.
    The IWA module has now been successfully added as a SAML IdP in miniOrange.

Step 6: Configuring Browsers for Integrated Windows Authentication

  • These steps need to be followed on the machines of all the users who will be using the miniOrange IWA module for authentication.
  A] Internet Explorer

    • Open Internet Explorer
    • Navigate to Internet Options
    • Go to Security → Local Intranet; click on Sites, and (optionally) on Advanced
    • Enter the full URL of the Windows Server and click OK
      For example, http://server.contoso.com
    • Under Security Level, select Custom Level
    • In the properties window that appears, scroll down to the bottom, and select Automatic Logon only in Intranet Zone
    • Click OK to save this setting
    • Go to the Advanced tab, and scroll down to the bottom
    • Find and enable the option Enable Integrated Windows Authentication
    • Save these settings, and restart the browser to load the changes

  B] Google Chrome

    • Follow steps 1-7 in the Internet Explorer section (this is required on Windows)
    • Optionally, you may need to whitelist the URL of the Windows Server machine where your IIS is hosted; this can be done by adding the following parameter to your Chrome startup command: --auth-server-whitelist=
      For example: --auth-server-whitelist="server.contoso.com"
    • Press Enter and restart the browser to load the changes

  C] Mozilla Firefox

    • Follow steps 1-7 in the Internet Explorer section (this is required on Windows)
    • Open a new browser tab, and enter about:config in the address bar
      Click on Accept the Risk and Continue in case you’re prompted for it
    • In the search box, type network.negotiate-auth.trusted-uris
    • Click on the edit button near the result, and add the FQDN of the Windows Server in the text box that pops up
      For example, server.contoso.com
    • Press Enter and restart the browser to load the changes
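Since these settings have to be applied on every user's machine, the same three browser changes can be expressed as machine-wide policies and pushed out centrally (for example from a GPO startup script) instead of being clicked through per user. This is an added example, not part of the miniOrange guide; it assumes the guide's sample host server.contoso.com, and the registry paths are Microsoft's, Google's and Mozilla's documented policy locations rather than miniOrange settings.

```powershell
# Added example, not part of the miniOrange guide: Step 6 as machine-wide browser policies.
# Assumes the guide's sample host; registry paths are the vendors' documented policy keys.
#Requires -RunAsAdministrator
param([string]$ServerFqdn = 'server.contoso.com')

function Set-PolicyValue([string]$Path, [string]$Name, $Value, [string]$Type) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# A] Internet Explorer / Windows: "Site to Zone Assignment List". Zone 1 is Local intranet,
#    the zone the guide's "Automatic Logon only in Intranet Zone" setting applies to.
$inetPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-PolicyValue $inetPolicy 'ListBox_Support_ZoneMapKey' 1 'DWord'
Set-PolicyValue "$inetPolicy\ZoneMapKey" "http://$ServerFqdn" '1' 'String'

# B] Google Chrome: same effect as --auth-server-whitelist="server.contoso.com", without
#    depending on every user's shortcut carrying the flag. (Older Chrome releases spell
#    the policy AuthServerWhitelist.)
Set-PolicyValue 'HKLM:\SOFTWARE\Policies\Google\Chrome' 'AuthServerAllowlist' $ServerFqdn 'String'

# C] Mozilla Firefox: network.negotiate-auth.trusted-uris via enterprise policy; entries
#    are numbered values under Authentication\SPNEGO.
Set-PolicyValue 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Authentication\SPNEGO' '1' $ServerFqdn 'String'

# Read back what was written; browsers pick the policies up on their next start.
Get-ItemProperty "$inetPolicy\ZoneMapKey" | Select-Object "http://$ServerFqdn"
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Google\Chrome' | Select-Object AuthServerAllowlist
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Authentication\SPNEGO' | Select-Object '1'
```

Once the Site to Zone Assignment List policy is in place the Sites dialog in Internet Options becomes read-only, so users can no longer add or remove intranet entries themselves; the Custom Level and Advanced-tab switches from the Internet Explorer steps are not covered by this script and remain per-user settings.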