
Single Sign-on through IIS

This method assumes that Management and Security Server is set up to use Microsoft IIS web server (Windows only).

Users who have logged in to Windows do not need to log in again to access sessions. You must administer usernames and passwords through the identity system used by IIS, typically Active Directory.

This authentication method can be used for the Assigned Sessions list as well as the MSS Administrative Console.

Configure MSS for Single Sign-on through IIS

First, integrate IIS with MSS using the detailed steps in the MSS Deployment Guide.

Then select "Single sign-on through IIS" as the authentication method.

Troubleshooting IIS Integration

If you encounter these errors, add or change the following settings.

  • Error: “Login failed. Invalid username or password.”

    Resolution:

    1. Change the authentication method to Anonymous.

    2. Set the Anonymous Authentication to use Application pool identity.

  • Error: “Request Entity Too Large”

    Resolution:

    1. Add the following line to both MSS\server\web\conf\ntiis\worker.properties and \...\ntiis\worker_sec.properties:

      worker.ajp13_worker.max_packet_size=65536

    2. Add the following setting to MSS\server\conf\container.properties:

      servletengine.ajpMaxPacketSize=65536
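The "Request Entity Too Large" fix only works when all three files agree on the packet size. The following added check (example code, not part of the MSS product or its documentation) parses Java-style .properties text and reports a missing or mismatched AJP packet size; the sample file contents are constructed for the demonstration and are not MSS's shipped files.

```python
import re

# Property keys named in the MSS troubleshooting steps.
WORKER_KEY = "worker.ajp13_worker.max_packet_size"
CONTAINER_KEY = "servletengine.ajpMaxPacketSize"

def parse_properties(text):
    """Minimal Java .properties parser: skips blank lines and '#'/'!' comments,
    accepts '=' or ':' as the key/value separator."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def check_ajp_packet_size(worker, worker_sec, container):
    """Return (ok, problems): ok is True only when all three files set their
    key to the same integer, so the IIS redirector and the MSS servlet engine
    agree on the AJP packet size."""
    problems, values = [], {}
    for name, text, key in (("worker.properties", worker, WORKER_KEY),
                            ("worker_sec.properties", worker_sec, WORKER_KEY),
                            ("container.properties", container, CONTAINER_KEY)):
        props = parse_properties(text)
        if key not in props:
            problems.append(f"{name}: {key} is not set")
        elif not props[key].isdigit():
            problems.append(f"{name}: {key} is not an integer ({props[key]!r})")
        else:
            values[name] = int(props[key])
    if len(set(values.values())) > 1:
        problems.append("packet size differs: " +
                        ", ".join(f"{n}={v}" for n, v in values.items()))
    return (not problems, problems)

# Constructed sample files (not MSS's real files): the worker files carry the
# fix, but container.properties was forgotten, so the first check must fail.
WORKER_OK = ("worker.list=ajp13_worker\nworker.ajp13_worker.type=ajp13\n"
             + WORKER_KEY + "=65536\n")
CONTAINER_MISSING = "# constructed container.properties without the fix\n"
CONTAINER_OK = CONTAINER_MISSING + CONTAINER_KEY + "=65536\n"

if __name__ == "__main__":
    for container in (CONTAINER_MISSING, CONTAINER_OK):
        ok, problems = check_ajp_packet_size(WORKER_OK, WORKER_OK, container)
        print("OK" if ok else "FAIL: " + "; ".join(problems))
```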

Circumstantial Credential Prompts When Using Single Sign-on

When Management and Security Server is configured to use Single Sign-on through IIS or through Windows, a user will be prompted for credentials under the following circumstances:

  • The browser's process owner is not a valid Windows user or a member of the Active Directory domain. Typically the browser's process owner is the user who performed the interactive login to the operating system. An exception occurs when the Run As command launches the browser as a different user.

  • The browser does not support single sign-on using Kerberos.

    • In Mozilla Firefox, you must configure support for Kerberos authentication. Refer to Firefox documentation for instructions.

  • If the management.server.iis.url property contains periods (such as http://www.microsoft.com or https://10.0.0.1), some browsers treat the requested address as an Internet address rather than an intranet one; credentials are not passed automatically, and a credentials prompt appears.

    However, Edge can be configured to automatically pass credentials for such an address by adding it to the AuthServerAllowList. Refer to your browser's documentation for support of an equivalent setting.