5.8.4 Single Sign-on through IIS

This method assumes that Management and Security Server is set up to use Microsoft IIS web server (Windows only).

If you installed using the automated installer and integrated with IIS during installation, setup is complete. If you used an alternative installation method, see the MSS Installation Guide for more information.

Users who have logged in to Windows do not need to log in again to access sessions. You must administer usernames and passwords through the identity system used by IIS, typically Active Directory.

This authentication method can be used for the Sessions list as well as the Administrative Console.

To enable Single Sign-on through IIS:

  1. Open mss/server/conf/container.properties

  2. Insert this line: management.server.iis.url=<url>

    where <url> is the IIS web server address and port along with the /MSS path.

    For example: http://<iisserver>/mss or

    https://<iisserver>/mss (when TLS is configured on your IIS server).

    If authentication fails, you may need to remove the domain name in order for the domain credentials to be passed to IIS: http://server/mss.

  3. If you want to access the Host Access for the Cloud web client, then you'll need to set that in the Session Server container.properties as well. See Configure Single Sign-on through IIS in the HACloud documentation.

NOTE:If you use an MSS load balancer  with Single Sign-on through IIS, additional persistence configuration is required. See Using a Load Balancer.

Troubleshooting IIS Integration

If you encounter these errors, add or change the following settings.

  • Error: “Login failed. Invalid username or password.”

    Resolution:

    1. Change the authentication method to Anonymous.

    2. Set the Anonymous Authentication to use Application pool identity.

  • Error: “Request Entity Too Large”

    Resolution:

    1. Add the following line to both MSS\server\web\conf\ntiis\worker.properties and  \...\ntiis\worker_sec.properties:

      worker.ajp13_worker.max_packet_size=65536
    2. Add the following setting to MSS\server\conf\container.properties:

      servletengine.ajpMaxPacketSize=65536

Circumstantial Credential Prompts When Using Single Sign-on

When Management and Security Server is configured to use Single Sign-On through IIS or through Windows, a user will be prompted for credentials under certain circumstances:

  • The browser's process owner is not a valid Windows user or a member of the Active Directory domain. Typically the browser's process owner performs the interactive login to the operating system. However, an exception to this occurs when the Run As command launches the browser as a different user.

  • The browser does not support single sign-on using Kerberos.

    • - In Internet Explorer, this option is enabled by selecting Enable Integrated Windows Authentication. While this option is enabled by default, it can be overridden through Group Policies and practices.
    • - In Mozilla Firefox, you must configure support for Kerberos authentication. Refer to Firefox documentation for instructions.
  • When using Internet Explorer, if the management.server.iis.url property contains periods (such as http://www.microsoft.com or http://10.0.0.1), the requested address is assumed to exist on the Internet. Credentials are not passed automatically, and a credentials prompt will appear. However, Internet Explorer can be configured to automatically pass credentials for such an address by adding it to the Trusted Sites list. Alternatively, you can configure a Custom security level in Internet Explorer to perform an Automatic logon with current username and password.

Related Topics