Comparing Integrated Windows Authentication and Forms Authentication
When you install the portal, you will have a choice of using Integrated Windows Authentication (sometimes called 'Single Sign On') or Forms Authentication. It is important to understand the differences between these authentication options prior to installation so that the correct choice is made at installation time. It is possible to change the authentication option after installation, but it is easier to consider the options and make the correct choice beforehand.
Regardless of the authentication mechanism, users must provide Active Directory credentials, because SCSM (System Center Service Manager) only supports Active Directory authentication. Claims-based authentication, basic authentication and similar methods are not options because of this dependency of SCSM on Active Directory.
Authentication Options
Integrated Windows Authentication
When using Windows Authentication, the portal must be installed on the same server as a System Center Management Server; however, it does not have to be the primary management server.
Integrated Windows Authentication is an authentication method that allows the user of a Windows computer (not Linux or MacOS/iOS) to present their login credentials to the web server seamlessly, so that they are authenticated without being prompted. Integrated Windows Authentication uses the Kerberos Key Distribution Center, which is part of an Active Directory environment, to negotiate the authentication between the user's browser and the server and to attest that the user is in fact the person using the browser.
Note: By default, the user context of the browser is the user account that was used to log into the Windows operating system. (It is possible to use the runas.exe command to launch a browser in a user context that is different from the account used to log into the operating system.) When Integrated Windows Authentication is used, the Cireson Portal impersonates the user to connect to System Center Service Manager. For Integrated Windows Authentication to work, the user's computer, the user's account and the Cireson Portal web server must all be in the same domain, or in domains that have a trust relationship with each other.
Only Microsoft Edge and Chrome are supported by Cireson for using Integrated Windows Authentication. Typically, Integrated Windows Authentication is used in an intranet environment where the users are logged onto domain-joined Windows computers and connect to a Cireson Portal web server in the same (or a trusted) domain, so that users don't have to spend time logging into the server. Cireson only supports Negotiate (Kerberos, primary) and NTLM (fallback) as authentication providers, and the application pool must use Kernel Mode Authentication. If you choose to deploy the Cireson Portal web site using Integrated Windows Authentication, these settings will be set by default.
Forms Authentication
Forms Authentication is an authentication method that prompts the user to enter a username and password in a login form. The username and password are sent to the web server and authenticated by the web server using Active Directory as the authority. If the credentials are authenticated, the user receives an authentication token which is stored in the browser and used to authenticate the user from that point forward for that particular session. If the session expires, the user will be required to re-enter the username and password.
Upon logging in, a login token is securely stored in a cookie on the user's local computer and can be used to authenticate instead of entering credentials for each session. The cookie remains usable until the authentication token is no longer valid, either by logging out or by clicking the sign out button. Once the user is authenticated by Active Directory, the Cireson Portal web site creates a connection to System Center Service Manager by securely passing the encrypted username and password to the System Center Data Access Service on the Service Manager management server. The Data Access Service then authenticates the credentials with Active Directory as well, and if the credentials are valid and the user has permission to connect to Service Manager, a connection object is created in the Cireson Portal web site and stored in memory.
Because the username and password are sent over the network when using Forms Authentication, it is essential to use HTTPS/SSL to encrypt the traffic between the browser and the server so that login credentials are not transmitted in clear text. Forms Authentication is typically used when the users accessing the Cireson Portal web site are logged into non-Windows computers, are using a browser other than IE or Chrome, are on Windows computers that are not joined to the domain (or a trusted domain) of the Cireson Portal web server, or are accessing the Cireson Portal web site over the Internet.
How to Enable Integrated Windows Authentication OR Forms Authentication
In IIS Manager, select the CiresonPortal website in the left side 'Connections' panel, then choose the Authentication icon.
There are two settings on this page that you enable or disable depending on the authentication method you want.
To enable Integrated Windows Authentication, enable Windows Authentication and disable Forms Authentication.
To enable Forms Authentication, enable Forms Authentication and disable Windows Authentication.
Note: Do not change any other setting, and make sure that Anonymous Authentication remains Enabled.
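The following audit script is an added example and is not part of the Cireson documentation or product. It reads the IIS settings described above (Windows Authentication, Forms Authentication, Anonymous Authentication, the Negotiate/NTLM providers, Kernel Mode Authentication and the HTTPS requirement for Forms) and reports anything that departs from the documented configuration. It assumes the portal is the IIS site named 'CiresonPortal' and that the WebAdministration module is available on the web server.

```powershell
# Constructed audit script (not Cireson's own tooling). Assumes the portal is the
# IIS site 'CiresonPortal' and that the WebAdministration module is installed.
Import-Module WebAdministration

$siteName = 'CiresonPortal'            # assumption: site name as shown in IIS Manager
$site     = "IIS:\Sites\$siteName"

$win  = Get-WebConfiguration -PSPath $site -Filter 'system.webServer/security/authentication/windowsAuthentication'
$anon = Get-WebConfiguration -PSPath $site -Filter 'system.webServer/security/authentication/anonymousAuthentication'
$providers = @((Get-WebConfiguration -PSPath $site -Filter 'system.webServer/security/authentication/windowsAuthentication/providers/add').value)
$formsMode = (Get-WebConfiguration -PSPath $site -Filter 'system.web/authentication').mode
$hasHttps  = [bool](Get-WebBinding -Name $siteName -Protocol https)

$findings = @()
if (-not $anon.enabled) { $findings += 'Anonymous Authentication must stay Enabled for the portal.' }

if ($win.enabled -and $formsMode -eq 'Forms') {
    $findings += 'Both Windows and Forms Authentication are enabled; the portal expects exactly one.'
}
elseif ($win.enabled) {
    # Integrated Windows Authentication: Negotiate first, NTLM as fallback, kernel-mode auth on.
    if (-not $win.useKernelMode) { $findings += 'Kernel Mode Authentication is disabled on windowsAuthentication.' }
    if ($providers[0] -ne 'Negotiate' -or $providers -notcontains 'NTLM') {
        $findings += "Providers are '$($providers -join ', ')'; expected Negotiate (primary) then NTLM (fallback)."
    }
}
elseif ($formsMode -eq 'Forms') {
    # Forms Authentication: the credentials travel in the request, so an HTTPS binding is required.
    if (-not $hasHttps) { $findings += 'Forms Authentication is enabled but the site has no HTTPS binding.' }
}
else {
    $findings += 'Neither Windows nor Forms Authentication is enabled.'
}

if ($findings.Count -eq 0) {
    $mode = if ($win.enabled) { 'Integrated Windows Authentication' } else { 'Forms Authentication' }
    "OK: $mode is configured as documented for site '$siteName'."
} else {
    $findings | ForEach-Object { "WARN: $_" }
}
```

Run it in an elevated PowerShell session on the portal web server after changing the Authentication settings in IIS Manager.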
Configuring Internet Explorer for Integrated Windows Authentication
The default configuration of Internet Explorer should allow for using Integrated Windows Authentication, but you can be sure that things are set properly by checking the following:
- Internet Options -> Advanced tab -> [scroll to near the bottom] -> Verify that 'Enable Integrated Windows Authentication' is checked.
- Internet Options -> Security tab -> Intranet -> Trusted Sites button -> Check the three 'Include ....' checkboxes.
- Internet Options -> Security tab -> Local intranet -> Check to see if the level is set to Medium-Low. If it is set to something other than Medium-Low, click the Custom level... button, scroll to the bottom and make sure that the 'Automatic logon only in Intranet zone' option is selected.
- Internet Options -> Security tab -> Local intranet -> Click Sites -> Click Advanced -> Add the HTTP(S) address using the fully qualified name of the web server(s) you are connecting to if you are going to access the servers by their fully qualified name.
When testing Integrated Windows Authentication, only test from client computers and not from the server. You can test using different user accounts by using the runas.exe tool.
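The script below is an added example, not part of the Cireson documentation. It reads the current user's Internet Explorer settings from the registry to check the three items above without clicking through the dialogs: the 'Enable Integrated Windows Authentication' option, the Local intranet logon behaviour, and whether the portal's fully qualified name is mapped to the Local intranet zone. The registry value names, the zone codes and the example host name portal.contoso.com are assumptions drawn from the standard IE zone layout; group-policy (HKLM) overrides are not checked.

```powershell
# Constructed check script (not Cireson's). Reads user-level IE settings only; value
# names and zone codes are assumptions based on the standard IE zone registry layout.
param([string]$PortalFqdn = 'portal.contoso.com')   # assumption: example portal host name

$inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zone1 = "$inet\Zones\1"                            # zone 1 = Local intranet

# Advanced tab -> 'Enable Integrated Windows Authentication' is stored as EnableNegotiate.
$negotiate = (Get-ItemProperty -Path $inet -Name EnableNegotiate -ErrorAction SilentlyContinue).EnableNegotiate
'Enable Integrated Windows Authentication: ' + $(if ($negotiate -eq 1) { 'checked' } else { 'NOT checked' })

# Value 1A00 holds the zone's logon behaviour: 0x0 = automatic with current credentials,
# 0x10000 = automatic logon only in Intranet zone, 0x20000 = prompt, 0x30000 = anonymous.
$logon = (Get-ItemProperty -Path $zone1 -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
$logonText = switch ($logon) {
    0       { 'Automatic logon with current user name and password' }
    0x10000 { 'Automatic logon only in Intranet zone' }
    0x20000 { 'Prompt for user name and password' }
    0x30000 { 'Anonymous logon' }
    default { "unknown ($logon)" }
}
"Local intranet logon setting: $logonText"
if ($logon -notin 0, 0x10000) {
    'WARN: the Local intranet zone will prompt for credentials instead of using Integrated Windows Authentication.'
}

# Sites added via Local intranet -> Sites -> Advanced are stored under
# ZoneMap\Domains\<domain>\<host> with a value named after the scheme (http/https) set to 1.
$labels    = $PortalFqdn.Split('.')
$hostLabel = $labels[0]
$domain    = ($labels | Select-Object -Skip 1) -join '.'
$mapKey    = "$inet\ZoneMap\Domains\$domain\$hostLabel"
$mapped = foreach ($scheme in 'http', 'https') {
    if ((Get-ItemProperty -Path $mapKey -Name $scheme -ErrorAction SilentlyContinue).$scheme -eq 1) { $scheme }
}
if ($mapped) { "$PortalFqdn is in the Local intranet zone for: $($mapped -join ', ')" }
else { "WARN: $PortalFqdn is not mapped to the Local intranet zone (user-level ZoneMap only)." }
```

Run it on a client computer as the user who will be testing, since the settings are stored per user under HKCU.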
Example:
runas /user:contoso\travis "C:\Program Files (x86)\Internet Explorer\iexplore.exe"