Automatic sign-in (SSO) for Active Directory in Cayosoft Web Portal
Automatic sign-in, also called Integrated Windows Authentication, allows users to log in to the Web Portal automatically when they run a browser on a workstation where they have logged on with their Active Directory credentials. This method enables a Single Sign-On (SSO) experience for delegated administrators and employees.
To use the Automatic sign-in method, the server running Cayosoft Administrator Web Portal and all client computers must be in the same domain or a trusted domain. A browser passes Windows credentials to the server only when this requirement is met.
You may also need to do certain configuration steps on client machines, as the browser passes Windows credentials only to websites in the Local Intranet or Trusted Sites zones.
If you use a short computer name in the Web Portal URL, such a site is identified as a Local Intranet zone by default and no additional browser configuration is required. If you use the fully qualified name of your server in the URL, such a site is identified as an Internet zone by default, and a browser does not send credentials to the server until the site is explicitly added to Local Intranet (recommended) or Trusted sites (with additional security settings configuration). Read the browser configuration instructions below for details.
Each user who requires access to the Web Portal must have a valid Windows local or domain user account, or be a member of a Windows local or domain group account. You can include accounts from other domains as long as those domains are trusted. The accounts must have access to the Cayosoft Administrator server computer.
If the client computer is not in the same domain where Web Portal is installed, the form-based sign-in page should open for entering Windows credentials when connecting to the Web Portal. There is no automatic sign-in in this case.
IMPORTANT: When you switch to or from the Automatic sign-in (SSO) for Active Directory accounts method in the Web Portal settings, you must run the Web Portal registration tool to apply the change. To run the registration tool, navigate to the Web Portal settings and click Run Web Portal registration tool.
Cayosoft Administrator configuration for Automatic sign-in
NOTE: Please be sure to run the Cayosoft Web Config tool to update your web interface configuration before using the automatic sign-in feature.
Run the Cayosoft Administrator console.
Navigate to Web Portal settings.
In the User sign-in authentication method section, select Automatic sign-in (SSO) + Sign-in form for Active Directory accounts.
Click Save Changes.
Perform an IIS reset:
Click Start > All Programs > Accessories > Command Prompt.
Type iisreset and press Enter.
Once the message "Internet services successfully restarted" is displayed, close the Command Prompt.
Browser configuration for Automatic sign-in
To use Automatic sign-in (Integrated Windows Authentication), you need to configure the browser. You can apply these settings manually on each client computer where the Web Portal will be used, or use Group Policy to apply them automatically to all required client computers.
Manual browser configuration for Automatic sign-in (Integrated Windows Authentication)
Google Chrome and Microsoft Edge
NOTE: To use Google Chrome and Microsoft Edge for Automatic sign-in (Integrated Windows Authentication) you must deploy the settings shown in the Internet Options below.
Configuration
Navigate to Control Panel > Network and Internet.
Open Internet options.
Click the Security tab.
Click Local Intranet.
Click Sites.
In the Local intranet form, click Advanced.
Add the fully qualified name of your IIS server to Local intranet.
Click Close.
Click OK.
Click Custom level.
Scroll down to User Authentication.
Select Automatic logon only in intranet zone.
Click OK.
Mozilla Firefox
Open Firefox.
In the URL field type "About:Config".
You will receive a security warning. To continue, follow the steps in the prompt.
Search for the settings below by browsing through the list or searching for them individually. Locate each setting then update the value to the following:
| Setting name | Value |
|---|---|
| network.negotiate-auth.delegation-uris | Enter the fully qualified name of your IIS server |
| network.automatic-ntlm-auth.trusted-uris | Enter the fully qualified name of your IIS server |
| network.automatic-ntlm-auth.allow-proxies | True |
| network.negotiate-auth.allow-proxies | True |
Configuring Group Policy to apply Automatic sign-in settings
Microsoft Edge and Google Chrome
NOTE: Microsoft Edge and Google Chrome use the same settings as Internet Explorer.
Create a new Group Policy Object, or use an existing Group Policy Object.
Edit the Group Policy Object with the following settings:
Navigate to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List.
Set this policy setting to Enabled.
Click the Show button to define the URLs and zone assignment.
In the Show Contents window, add the fully qualified name of your IIS server and assign it a value of 1 (Intranet zone).
The following values are used to assign each zone:
1 - Intranet zone
2 - Trusted Sites zone
3 - Internet zone
4 - Restricted Sites zone
Navigate to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone > Logon Options.
Set this policy setting to Enabled.
In the Logon options drop-down menu, select Automatic logon only in Intranet zone.
Link this GPO to an OU, domain, or site where you want to apply the policy.
TIP: If you want to use the Trusted Sites zone instead of Intranet, you need to configure the Logon Options setting in the Trusted Sites Zone.
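To confirm on a client that the GPO above has applied, the following added example (not Cayosoft's code) reads the per-user policy registry values behind the Site to Zone Assignment List and Logon options settings. The host name `webportal.example.corp` is a placeholder, and the function names are made up for this example.

```powershell
# Added example: audit the per-user policy values written by the GPO settings above.
param([string]$PortalHost = 'webportal.example.corp')   # placeholder FQDN, replace with yours

$policyRoot = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneNames  = @{ '1' = 'Intranet'; '2' = 'Trusted Sites'; '3' = 'Internet'; '4' = 'Restricted Sites' }
$logonNames = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

function Get-ZoneMapEntry([string]$HostName) {
    # Site to Zone Assignment List: value name = site pattern, value data = zone number
    $key = Get-Item -Path (Join-Path $policyRoot 'ZoneMapKey') -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        # Drop an optional scheme and path so "https://host/" and "host" compare alike
        $pattern = ($name -replace '^[a-z]+://', '') -replace '/.*$', ''
        if ($HostName -like $pattern) {
            [pscustomobject]@{ Entry = $name; Zone = [string]$key.GetValue($name); Wildcard = $pattern.Contains('*') }
        }
    }
}

function Get-ZoneLogonOption([string]$Zone) {
    # The Logon options policy is stored as DWORD value 1A00 under Zones\<zone number>
    $prop = Get-ItemProperty -Path (Join-Path $policyRoot "Zones\$Zone") -Name '1A00' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'not set by policy' }
    $value = [int]$prop.'1A00'
    if ($logonNames.ContainsKey($value)) { $logonNames[$value] } else { 'unknown (0x{0:X})' -f $value }
}

$entries = @(Get-ZoneMapEntry -HostName $PortalHost)
if ($entries.Count -eq 0) {
    Write-Output "No Site to Zone Assignment policy entry matches $PortalHost"
}
foreach ($e in $entries) {
    [pscustomobject]@{
        Entry       = $e.Entry
        Zone        = '{0} ({1})' -f $e.Zone, $zoneNames[$e.Zone]
        LogonOption = Get-ZoneLogonOption -Zone $e.Zone
        # A wildcard entry extends automatic logon to every matching host, not just the portal
        Wildcard    = $e.Wildcard
    }
}
```

Run it in the affected user's session after `gpupdate /force`; the values live under HKCU, so the result is per user.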
Change History
| Version | Notes |
|---|---|
| 7.2.0 | Internet Explorer is not supported by Cayosoft Administrator Web Portal |
| 5.4.2 | The feature is introduced in the product. |