Authentication methods in Cayosoft Guardian
Cayosoft Guardian provides flexible authentication options to meet the needs of enterprises of all sizes, from small organizations to highly regulated federal agencies. Administrators can choose from multiple authentication methods and configure Cayosoft Guardian to align with security, compliance, and operational requirements.
This article describes the available authentication methods and configuration guidance.
Authentication methods
Cayosoft Guardian supports the following authentication methods out of the box:
Password authentication - Users authenticate directly with a username and password managed within Cayosoft Guardian.
Microsoft 365 authentication - Users can sign in with their Microsoft 365 credentials via Entra ID. This supports modern authentication flows and integrates with existing identity and access management policies.
Integrated Windows authentication (IWA) - Users on domain-joined machines can be authenticated using their existing Windows credentials, allowing seamless single sign-on within the enterprise network.
Ping Identity authentication — Users can sign in using Ping Identity federation services. This method enables integration with Ping Identity-based single sign-on environments for organizations that use Ping as their identity provider. Learn more: Configure Ping authentication in Cayosoft Guardian.
Managing authentication methods
The Authentication Settings page in Cayosoft Guardian allows Global Administrators to control how users sign in to the system. From this page, you can enable or disable authentication methods, configure disclaimers, and customize sign-in behavior to meet your organization’s compliance and security requirements.
To access Authentication Settings:
In the Cayosoft Guardian web portal, go to Settings > Service Settings.
Select Authentication Settings from the list.
In the right-hand panel, choose the Access experience tab to configure login options.
Supported methods that can be toggled:
Password authentication – Users log in with credentials managed directly in Cayosoft Guardian.
Microsoft 365 authentication – Users log in with Microsoft Entra ID credentials.
NOTE: Global Administrator permissions for users signing in via Microsoft 365 authentication must be configured separately using the Delegation tab in the Cayosoft Guardian portal. To do this, navigate to Settings > Delegation, and select a user from the configured tenant. The IWA Global Admin checkbox does not apply to these users.
Integrated Windows authentication - Enables seamless SSO for users on domain-joined machines. By default, users authenticating via Integrated Windows Authentication (IWA) do not automatically receive Global Administrator permissions in Cayosoft Guardian. To grant these permissions:
The user must be a member of the Domain Administrators group in Active Directory.
The checkbox "Grant Global Admin permissions in Cayosoft Guardian to local Windows administrators" on the Authentication Settings page must be enabled.
Being a local Windows administrator on a client machine is not sufficient to gain Global Admin rights in Guardian. The user must be a Domain Administrator.
Enabling this checkbox grants Global Admin rights only to users who are Domain Administrators and authenticate via IWA. It does not affect users logging in with Password or Microsoft 365 authentication.
Ping Identity authentication - Learn more: Configure Ping authentication in Cayosoft Guardian.
Enter a Custom name for Integrated Windows authentication. This allows you to display a custom label for this option on the login screen.
Enable Allow users to stay signed in. When enabled, users remain signed in across sessions unless they explicitly log out.
NOTE: This option applies only when users sign in with a username and password.
For Disclaimer settings:
Require disclaimer acknowledgment – Forces users to accept the disclaimer text before accessing Guardian.
Customize acknowledgment – Enter the text of the disclaimer to be displayed (for example, security notices, compliance policies, or acceptable use warnings).
Click Save.
IMPORTANT: At least one authentication method must remain enabled at all times to prevent administrator lockout.
Integrated Windows authentication (IWA)
Integrated Windows authentication allows users to log in to Cayosoft Guardian automatically when they run a browser on a workstation where they have logged on with their Active Directory credentials. This method enables a Single Sign-On (SSO) experience for delegated administrators and employees.
To use this method, the server running Cayosoft Guardian and all client computers must be in the same domain or a trusted domain. A browser passes Windows credentials to the server only when this requirement is met.
You may also need to do certain configuration steps on client machines, as the browser passes Windows credentials only to websites in the Local Intranet or Trusted Sites zones.
If you use a short computer name in the Guardian URL, such a site is identified as a Local Intranet zone by default and no additional browser configuration is required. If you use the fully qualified name of your server in the URL, such a site is identified as an Internet zone by default, and a browser does not send credentials to the server until the site is explicitly added to Local Intranet (recommended) or Trusted sites (with additional security settings configuration). Read the browser configuration instructions below for details.
Each user who requires access to Cayosoft Guardian must have a valid Windows local or domain user account, or be a member of a Windows local or domain group account. You can include accounts from other domains as long as those domains are trusted. The accounts must have access to the Cayosoft Guardian server computer.
If the client computer is not in the same domain where Cayosoft Guardian is installed, then when connecting to the Web Portal, the form-based sign-in page should open for entering Windows credentials. There is no automatic sign-in in this case.
Manual browser configuration for Integrated Windows authentication
Google Chrome and Microsoft Edge configuration
NOTE: To use Google Chrome and Microsoft Edge for Automatic sign-in (Integrated Windows Authentication) you must deploy the settings shown in the Internet Options below.
Navigate to Control Panel > Network and Internet.
Open Internet options.
Click the Security tab.
Click Local Intranet.
Click Sites.
In the Local intranet form, click Advanced.
Add the fully qualified name of your IIS server to Local intranet.
Click Close.
Click OK.
Click Custom level.
Scroll down to User Authentication.
Select Automatic logon only in intranet zone.
Click OK.
Mozilla Firefox
Open Firefox.
In the URL field, type "about:config".
You will receive a security warning. To continue, follow the steps in the prompt.
Search for the settings below by browsing through the list or searching for them individually. Locate each setting then update the value as follows:
| Setting name | Value |
|---|---|
| network.negotiate-auth.delegation-uris | Enter the fully qualified name of your IIS server |
| network.automatic-ntlm-auth.trusted-uris | Enter the fully qualified name of your IIS server |
| network.automatic-ntlm-auth.allow-proxies | True |
| network.negotiate-auth.allow-proxies | True |
Configuring Group Policy to apply IWA settings
Microsoft Edge and Google Chrome
NOTE: Microsoft Edge and Google Chrome use the same settings as Internet Explorer.
Create a new Group Policy Object, or use an existing Group Policy Object.
Edit the Group Policy Object with the following settings:
Navigate to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List.
Set this policy setting to Enabled.
Click the Show button to define the URLs and zone assignment.
In the Show Contents window, add the fully qualified name of your IIS server and assign it a value of 1 (Intranet zone).
The following values are used to assign each zone:
1 - Intranet zone
2 - Trusted Sites zone
3 - Internet zone
4 - Restricted Sites zone
Navigate to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone > Logon Options.
Set this policy setting to Enabled.
In the Logon options drop-down menu, select Automatic logon only in Intranet zone.
Link this GPO to an OU, domain, or site where you want to apply the policy.
TIP: If you want to use the Trusted Sites zone instead of the Intranet zone, you need to configure the Logon Options setting in the Trusted Sites Zone.
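To confirm on a client that the GPO above has applied, the following PowerShell check reads the registry values that the two User Configuration policies write for the signed-in user. It is an added example, not part of Cayosoft's documentation: the function name Test-IwaZonePolicy is hypothetical, guardian.corp.example is a placeholder server name, and the check covers only policy-delivered settings, not sites added manually through Internet Options.

```powershell
# Added example: audit the per-user IWA policy settings described above.
# 'guardian.corp.example' is a placeholder FQDN, not a value from this article.
function Test-IwaZonePolicy {
    param(
        [Parameter(Mandatory)] [string] $ServerFqdn,
        [ValidateSet(1, 2)] [int] $ExpectedZone = 1   # 1 = Intranet, 2 = Trusted Sites
    )
    $base = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

    # Site to Zone Assignment List: value name = site, value data = zone number
    $mapKey  = Get-Item -Path "$base\ZoneMapKey" -ErrorAction SilentlyContinue
    $entries = @()
    if ($mapKey) {
        $entries = @($mapKey.GetValueNames() | ForEach-Object {
            [pscustomobject]@{ Site = $_; Zone = ($mapKey.GetValue($_) -as [int]) }
        })
    }

    # Accept the bare host name or a scheme-prefixed entry such as https://host
    $pattern = '^([a-z]+://)?' + [regex]::Escape($ServerFqdn) + '/?$'
    $mapped  = @($entries | Where-Object {
        ($_.Site -match $pattern) -and ($_.Zone -eq $ExpectedZone)
    })

    # Wildcard entries in a zone that can receive automatic logon widen the
    # set of hosts the browser will send Windows credentials to; list them.
    $wildcards = @($entries | Where-Object {
        (@(1, 2) -contains $_.Zone) -and ($_.Site -match '\*')
    })

    # Logon Options policy: value 1A00 in the zone key.
    # 0x20000 = "Automatic logon only in Intranet zone"
    $zoneKey = Get-Item -Path "$base\Zones\$ExpectedZone" -ErrorAction SilentlyContinue
    $logon   = if ($zoneKey) { $zoneKey.GetValue('1A00') } else { $null }

    [pscustomobject]@{
        Server             = $ServerFqdn
        SiteMappedToZone   = ($mapped.Count -gt 0)
        LogonOptionValue   = $logon
        LogonOptionCorrect = ($logon -eq 0x20000)
        WildcardZoneSites  = ($wildcards.Site -join ', ')
    }
}

Test-IwaZonePolicy -ServerFqdn 'guardian.corp.example'
```

Run it in the affected user's session after `gpupdate /force`; pass `-ExpectedZone 2` if you followed the Trusted Sites variant from the tip above.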