Single Sign On (SSO)

Since version 2.6 you can configure Single Sign On (SSO) to remove the default login form. A login is not required any more. SpaceObServer Web Access applies the authentication object from the Windows login.

Two steps are required to set up SSO for SpaceObServer Web Access:

Enable Windows Authentication Feature

  1. Start the Server Manager on the machine where you have installed SpaceObServer Web Access.

  2. On the Dashboard, click the Add Roles and Features link.

  3. In the left menu, select Server Roles.

  4. In the main window of Server Roles, navigate to Web Server (IIS) ‣ Web Server ‣ Security and enable the Windows Authentication checkbox.

  5. Press the Next button and continue the activation.

Enable the Windows Authentication for the website

  1. Open the IIS-Manager (inetmgr).

  2. Select the site SpaceObServer WebAccess.

  3. In the main window, double-click on Authentication.

  4. Enable the mode Windows Authentication.

  5. Disable all other modes (Forms Authentication, Anonymous Authentication, etc.).

Note

Modify the Web.config file (only if you have updated from a previous version <V2.6)

  1. Navigate to the installation directory (the default path is C:\Program Files\JAM Software\SpaceObServer Web Access\) and open the Web.config file.

  2. Find the XML element: <authentication>.

  3. Remove the <forms> ... </forms> element contained in it, if present, and save the file.

  4. Restart the page using the IIS Manager.

Tip

If you access the website from a client computer via the browser and a native prompt for username and password still appears, add the site to the intranet zone.

Add the website to the intranet zone for all client computers

You can add the website to the intranet zone via the Group Policy in your Domain Controller.

  1. Navigate to Start ‣ Control Panel ‣ Administrative Tools ‣ Group Policy Management.

  2. Expand your forest ‣ Domains ‣ your domain.

  3. Right-click Group Policy Objects and click New, give it an appropriate name and click OK.

  4. Right-click your newly created Group Policy Object and click the Edit button.

  5. Expand User Configuration ‣ Policies ‣ Administrative Templates ‣ Windows Components ‣ Internet Explorer ‣ Internet Control Panel and click Security Page.

  6. Open the context menu via right-click on Site to Zone Assignment List and click Edit.

  7. Select the radio button Enabled. In the options pane, click the Show button.

  8. In the list, add a site to trust (e.g. http://webaccess.company.com), and give it a value of 1.

  9. Apply the settings by clicking OK, then Apply and OK, and close the Group Policy Management Editor window.

  10. In the Group Policy Management window, click your new Group Policy Object (GPO), and navigate to the Delegation tab.

  11. Click Add at the bottom, enter your user/group, click Check Names, then OK. If you want to include all users in your domain, you can add the group users.

  12. Change the dropdown under Permissions to Edit settings, delete, modify security, and click the OK button.

  13. In the Group Policy Management window, in the tree, right-click your domain in the Domains folder to open the context menu. In the context menu, click Link an Existing GPO.

  14. Select your created Group Policy Object (GPO), and then click OK.

The client computers need to update their cached group policies to apply the changes. This can be done on the client computers via the command:

gpupdate /force

After that, all client computers which call the WebAccess in the browser should not see any login form any more. They will be authenticated automatically.

Note

When your client computers use the Firefox Browser, a native login screen may still appear because you need to add some extra configuration.