Setting Up Integrated Windows Authentication in Secret Server 10.0

Important Points to Note:

What Integrated Windows Authentication Does

Integrated Windows Authentication allows users to log into Secret Server automatically if they are logged into a workstation with their Active Directory credentials.

Setting Up Windows Authentication

Log into Secret Server as a user with Active Directory administration privileges.

  • Navigate to Administration > Active Directory and click Edit.
  • Check the following boxes: Enable Active Directory Integration, Enable Synchronisation of Active Directory, and Enable Integrated Windows Authentication.
  • Select any of the options from the User Account Options drop-down.
  • Choose a synchronisation interval (this controls how often Secret Server pulls users in from AD).
  • Click Save.
  • Click Edit Domains.
  • Click Create New.
  • Enter the domain to use for Single Sign On and the account Secret Server will use to pull users from AD.
  • Click Save and Validate.

Go back to the Active Directory Configuration page.

  • Click Edit Synchronisation.
  • Move any groups whose users you want SSO to work for into the Synchronised Groups listbox.
  • Click Save.
  • Click Synchronise Now. This pulls all the users of the specified groups into Secret Server.
  • Open IIS.
  • Click your Secret Server website on the left, or browse to your Secret Server application if it runs under the Default Web Site.
  • Double-click Authentication.
  • Enable “Windows Authentication” and disable “Anonymous Authentication”. Ensure that “Forms Authentication” is disabled. If Windows Authentication is not visible, ensure that the Windows Authentication role service is enabled as a Windows feature. (This differs from previous versions.)
  • Restart your IIS server with the iisreset command.
  • On the Secret Server folder, make sure that the users who will be logging in have the proper security settings, such as Read or higher, and that these settings are inherited by child objects. Because Secret Server impersonates those users, they need access to the Secret Server files.
  • Log in to the Secret Server site from an authenticated workstation.
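The IIS steps above can also be applied and verified from an elevated PowerShell prompt on the Secret Server host. The script below is an added example and is not part of the original article or of the Secret Server product; it assumes the application is installed at the IIS location "Default Web Site/SecretServer", that its files live under C:\inetpub\wwwroot\SecretServer, that the synchronised AD group is named CONTOSO\SecretServerUsers and that the site answers at https://secretserver.contoso.local/SecretServer/. Change those values to match your environment.

```powershell
# Added example (not from the original article): site-level Windows
# Authentication for Secret Server via the WebAdministration module.
#Requires -RunAsAdministrator
Import-Module WebAdministration
Import-Module ServerManager

$SitePath  = 'Default Web Site/SecretServer'            # assumed IIS location
$AppFolder = 'C:\inetpub\wwwroot\SecretServer'          # assumed NTFS path
$Group     = 'CONTOSO\SecretServerUsers'                # assumed synchronised AD group
$Url       = 'https://secretserver.contoso.local/SecretServer/'   # assumed site URL
$AuthBase  = '/system.webServer/security/authentication'

# 1. Without the Windows Authentication role service the "Windows
#    Authentication" entry does not appear in IIS Manager at all.
if (-not (Get-WindowsFeature -Name Web-Windows-Auth).Installed) {
    Install-WindowsFeature -Name Web-Windows-Auth | Out-Null
}

# 2. Enable Windows Authentication and disable Anonymous Authentication.
#    These sections are locked below applicationHost.config by default, so
#    they are written as <location> entries (-Location) rather than into
#    the application's own web.config.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SitePath `
    -Filter "$AuthBase/windowsAuthentication"   -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SitePath `
    -Filter "$AuthBase/anonymousAuthentication" -Name enabled -Value $false

# 3. Forms Authentication is an ASP.NET (system.web) setting, not an IIS
#    module; switching the mode to Windows turns it off in the app's web.config.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SitePath" `
    -Filter '/system.web/authentication' -Name mode -Value 'Windows'

# 4. Read back what IIS now reports before restarting anything.
$win  = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SitePath `
            -Filter "$AuthBase/windowsAuthentication"   -Name enabled).Value
$anon = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SitePath `
            -Filter "$AuthBase/anonymousAuthentication" -Name enabled).Value
if (-not $win -or $anon) {
    throw "Authentication settings did not apply as expected on $SitePath"
}

# 5. Impersonated AD users need at least Read on the application files,
#    inherited by child objects; grant Read & Execute to the synchronised group.
$acl  = Get-Acl -Path $AppFolder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Group, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $AppFolder -AclObject $acl

# 6. Apply with iisreset, as the article instructs.
iisreset

# 7. Check the result the way a workstation user would experience it:
#    a request without credentials must be challenged (401 with a
#    Negotiate/NTLM WWW-Authenticate header, not a redirect to a login
#    form), and a request carrying the logged-on user's token must succeed.
try   { Invoke-WebRequest -Uri $Url -UseBasicParsing | Out-Null }
catch {
    $resp = $_.Exception.Response
    "Anonymous request: HTTP $([int]$resp.StatusCode); WWW-Authenticate: $($resp.Headers['WWW-Authenticate'])"
}
$sso = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing
"SSO request: HTTP $($sso.StatusCode)"
```

Step 7 is the check worth keeping after any later change to the site: if the anonymous request comes back as a 302 to a login page instead of a 401 challenge, Forms Authentication is still active; if the SSO request also fails with 401, the calling account is not in a synchronised group or lacks NTFS read access to the application folder.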

Other Points to Consider:

By default, the launcher will not work off network when using Integrated Windows Authentication (it fails with an HTTP 401 Unauthorized error). If you are running into this issue, Secret Server will need to be on Windows Server 2008 or later and the following steps will need to be performed:

  • Open IIS and browse to your Secret Server application.
  • Expand the application node and click on the “launchers” folder.
  • Double-click “Authentication”, turn off “Windows Authentication” and turn on “Anonymous Authentication”.
  • Click on the “webservices” folder and follow the same steps to turn off Windows Authentication and turn on Anonymous Authentication.

In order to use distributed engines with Windows Authentication please perform the following steps to allow engines to connect to Secret Server.

  • Open IIS and browse to your Secret Server application.
  • Expand the application node and click on the “DistributedEngine” folder.
  • Double-click “Authentication”, turn off “Windows Authentication” and turn on “Anonymous Authentication”.

If you are using Client Certificates you will also need to do the following in IIS in order for launchers to work:

  • Click on the “launchers” folder.
  • Double-click “SSL Settings” and set “Client certificates” to “Accept”.
  • Click on the “webservices” folder.
  • Double-click “SSL Settings” and set “Client certificates” to “Ignore”.
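The three folder-level exceptions (launchers, webservices, DistributedEngine) and the client-certificate settings above can be scripted the same way, with a final listing that shows exactly which locations now accept anonymous requests. This is an added example, not code from the original article or from the Secret Server product; it assumes the application is at the IIS location "Default Web Site/SecretServer" and that the folder names match the article. The Set-ClientCertMode helper is an illustration that maps the IIS Manager choices Ignore/Accept/Require onto the sslFlags values while leaving any existing "Require SSL" flag untouched.

```powershell
# Added example (not from the original article): per-folder anonymous
# access and client-certificate settings for Secret Server sub-applications.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SitePath = 'Default Web Site/SecretServer'            # assumed IIS location
$AuthBase = '/system.webServer/security/authentication'
$Access   = '/system.webServer/security/access'

# Turn Windows Authentication off and Anonymous Authentication on for one
# IIS location (written as a <location> entry in applicationHost.config).
function Set-AnonymousOnly([string]$Location) {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$AuthBase/windowsAuthentication"   -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$AuthBase/anonymousAuthentication" -Name enabled -Value $true
}

# Map the IIS Manager "Client certificates" choice onto sslFlags:
# Ignore = no certificate flag, Accept = SslNegotiateCert,
# Require = SslNegotiateCert + SslRequireCert. Non-certificate flags
# (e.g. Ssl for "Require SSL") are preserved.
function Set-ClientCertMode([string]$Location, [string]$Mode) {
    $current = [string](Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
                   -Filter $Access -Name sslFlags).Value
    $flags = @($current -split ',' | ForEach-Object { $_.Trim() } |
               Where-Object { $_ -and $_ -ne 'None' -and $_ -notmatch 'Cert' })
    switch ($Mode) {
        'Accept'  { $flags += 'SslNegotiateCert' }
        'Require' { $flags += 'SslNegotiateCert', 'SslRequireCert' }
    }
    if ($flags.Count -eq 0) { $flags = @('None') }
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter $Access -Name sslFlags -Value ($flags -join ',')
}

# Launchers and web services: required for off-network launcher use.
Set-AnonymousOnly "$SitePath/launchers"
Set-AnonymousOnly "$SitePath/webservices"
# Distributed engines authenticate to Secret Server themselves and cannot
# present a workstation user's Windows token, so this path is anonymous too.
Set-AnonymousOnly "$SitePath/DistributedEngine"

# Client-certificate settings from the article (only when client
# certificates are in use).
Set-ClientCertMode "$SitePath/launchers"   'Accept'
Set-ClientCertMode "$SitePath/webservices" 'Ignore'

# Audit: show the effective state of the root and each exception so it is
# obvious that anonymous access is limited to the three intended folders.
foreach ($loc in @($SitePath, "$SitePath/launchers", "$SitePath/webservices", "$SitePath/DistributedEngine")) {
    $w = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
              -Filter "$AuthBase/windowsAuthentication"   -Name enabled).Value
    $a = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
              -Filter "$AuthBase/anonymousAuthentication" -Name enabled).Value
    '{0,-45} Windows={1,-5} Anonymous={2}' -f $loc, $w, $a
}
iisreset
```

The audit loop at the end is the part to rerun after upgrades or manual IIS Manager changes: the application root should still report Windows=True Anonymous=False, and only the three listed folders should report the reverse. Anything else showing Anonymous=True is an unintended widening of access to a credential store.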

For more information and general guidance on our products & services, please contact us.
