Configuring Integrated Windows Authentication
Setup the Active Directory Domain Controller server, AX Server, and the desktop environment for each client application end user to configure Integrated Windows Authentication. Integrated Windows Authentication enables single sign-on access control for AX Client users.
Note
Integrated Windows Authentication is not supported for instances of AX Client running on the server's operating system. You must be connecting from a client operating system otherwise the application defaults to form-based authentication.
How it works
Integrated Windows Authentication uses the security features of Windows clients and servers. It does not prompt users for a user name and password, and the current Windows user information on the client computer is supplied by the web browser through a cryptographic exchange. The following protocols are used to manage authentication:
- SPNEGO AX Client connections
- Kerberos server profile connections to Analytics
If the authentication exchange initially fails to identify the user, the web browser will prompt the user for a Windows user account user name and password.
Create an SPN account
Create a new Windows Service Principal Name (SPN) account in Active Directory to map the AX Server authentication service to an Active Directory account.
- On the Active Directory Domain Controller server, click Start > All Programs > Administrative Tools > Active Directory Users and Computers.
- Right-click the domain entry in the treeview where you want to create the new SPN account and select New > User.
- Enter the requested information and click Next.
- Configure the user password and click Next:
- Enter the account password.
- Deselect User must change password at next logon.
- Select Password never expires.
- Click Finish.
Map the authentication service to the SPN account
Map the AX Server authentication service to the Active Directory SPN account using the ktpass command.
- On the Active Directory Domain Controller server, open a command prompt and change directories to the directory where ktpass.exe is located.
The default location is c:\Program Files\Support Tools.
-
To map the authentication service to the SPN account, enter the following keypass command:
ktpass /out filename /princ name /pass password /mapuser local_username /ptype principal_type /crypto encryption_type
For ktpass syntax, see Microsoft Ktpass reference.
Example
The following example maps the authentication service to the SPN account using the ktpass command:
ktpass /out 'C:\ax.keytab' /princ HTTP/axserver.ax.com@AX.COM /pass pass1234 /mapuser AXSSO /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
Register an SPN for the AX Connector service
Register an SPN for the AX Connector service using the setspn command.
- On the Active Directory Domain Controller server, open a command prompt and change directories to the directory where setspn.exe is located.
The default location is c:\Program Files\Support Tools.
-
To register the SPN, enter the following setspn command:
setspn -A ACLSE/full_domain_and_servername computer_name
Note
ACLSE is the required value to identify AX Connector and must be entered in all caps. The computer_name value can be entered as name or domain\name.
-
Optional. To verify the mapping of the SPN account, use the following setspn command:
setspn -L computer_name
Example
The following example uses the setspn command to register the SPN:
setspn -A ACLSE/axserver.example.com axserver
Test the SPN account mapping
Optionally, copy the keytab file to the AX Server instance and use the kinit command to test your SPN account mapping.
Prerequisite: Add the Java bin subfolder to your path environment variable to use the klist command without specifying the full path.
set PATH=java_bin_path;%PATH%
- On the Active Directory Domain Controller server, copy the .keytab file you created with the ktpass command and paste it in the Windows directory of AX Server.
- In the Windows directory of AX Server, create a file called krb5.ini.
-
From the command prompt, use the following command to verify that the keytab file can be read:
klist -k
-
To attempt to authenticate, use the following command:
kinit username@REALM.COM
- Enter the user's password and press Enter.
Example
The following is an example of a krb5.ini file:
[libdefaults] ticket_lifetime = 24000 default_realm = your_domain default_keytab_name = path_to_your_keytab_file dns_lookup_realm = false dns_lookup_kdc = false default_tkt_enctypes = rc4-hmac default_tgs_enctypes = rc4-hmac [realms] your_domain = { kdc = your_active_directory_server.domain.com:88 } [domain_realm] .your_domain = YOUR_DOMAIN
your_domain = YOUR_DOMAIN
Enable Integrated Windows Authentication from Internet Explorer
Enable Integrated Windows Authentication from Internet Explorer in each end user's desktop environment. Users must be connecting from a client operating system, Integrated Windows Authentication is not supported for instances of AX Client running on the server's operating system.
- In Microsoft Internet Explorer, click Tools > Internet Options > Advanced.
- Under the Security group, select Enable Integrated Windows Authentication and then click Apply.
- Click the Security tab.
- Select the Local Intranet icon and then click Sites.
- In the Local Intranet dialog box, click Advanced and then enter the HTTPS URL for your AX Server instance and click Add.
Example: https://axserver.ax.com.
- Click Close, click OK in each open dialog box until the Internet Options dialog box closes and restart Internet Explorer.
The updated settings take effect the next time Internet Explorer is launched.