Enable Windows Auto-login in an Active Directory Environment

This topic describes how to enable Windows Auto-login in an Active Directory Environment.

About this task

Note: Windows Auto-login authentication is not supported on a local client browser if Proficy Authentication is installed on the same machine.

See also Proficy Authentication Windows Auto-login.

Procedure

  1. Install Proficy Authentication.
    During installation (standalone or as part of Operations Hub), use an FQDN that has a proper record on the DNS server as the primary host name. A local name will not work. An IP address is not recommended either.
  2. Log in to Proficy Authentication, and configure the LDAP identity provider using the domain's LDAP server.
    Test the LDAP login to make sure it works for LDAP users.
  3. Create a user account on the Active Directory domain.
    Proficy Authentication (UAA) uses this account to validate the Windows domain credentials (Kerberos service tickets) that the browser presents on the user's behalf.
  4. Build the Service Principal Name (SPN).
    The SPN is formed from the host's canonical domain name, not from any alias. It has the form HTTP/fqdn@REALM, where HTTP is literal, fqdn is replaced by the actual FQDN of the host (typically in lower case), and REALM is replaced by the Active Directory domain name (typically in upper case).
    For example, if the Active Directory domain name is test.net and the host's FQDN is uaa.test.net, then the full SPN is HTTP/uaa.test.net@TEST.NET
  5. Create a keytab file for this account.
    The keytab file contains the cryptographic keys that are private to this account. Each key is specific to an encryption algorithm, so every algorithm allowed for the account must be represented in the keytab file; it is recommended to specify All for the -crypto parameter. The following is an example of how the ktpass.exe command is used to generate a keytab file on a domain server (replace <service-account> with the account created in step 3; note that +rndPass resets that account's password to a random value):
    ktpass.exe -out xyz.keytab -mapUser <service-account>@TEST.NET +rndPass -mapOp set +DumpSalt -crypto All -ptype KRB5_NT_PRINCIPAL -princ HTTP/uaa.test.net@TEST.NET
  6. Copy the generated keytab file to the machine where Proficy Authentication is installed.
    For convenience, it is recommended to place the keytab file in the same directory as the uaa.yml file, which is found in either of these locations:
    • C:\ProgramData\GE\Operations Hub\uaa-config
    • C:\ProgramData\GE\Proficy Authentication\uaa-config
    The keytab file contains key material, so it is strongly recommended to restrict access to the file. The file should not be readable by non-privileged user accounts, except for the service account NT SERVICE\uaaTomcat.
  7. Configure UAA with the SPN and keytab file.
    1. Create a new file kerberos.yml (or use a different name but with .yml extension) under the sec subdirectory of the uaa-config directory, with the following code:
      kerberos:
        service-principal: HTTP/uaa.test.net@TEST.NET
        keytab-location: 'file:///C:/ProgramData/GE/Operations Hub/uaa-config/xyz.keytab'
    2. Open the uaa.yml file in the uaa-config directory and copy the kerberos section (the SPN and the full path to the keytab file, as shown in the code above) to the end of the file.
  8. On client machines, make sure that the Proficy Authentication host is recognized on the Local Intranet zone or as a Trusted Site.
    If it is not recognized, the Chrome browser will not request a Kerberos ticket to send to Proficy Authentication. For test/staging purposes, it can be done via Control Panel as shown here:
    If the setting is configured interactively using Control Panel, then it is effective only for one user on one client machine. To configure for all users on one client machine, use local group policy. In an enterprise setting, an administrator should configure client machines via group policy. You can access the policy from User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List, as shown here:
  9. If Operations Hub is installed on a different machine than Proficy Authentication (i.e., in case of External Proficy Authentication or External UAA), then only the external UAA host name matters.
  10. As an administrator, you may allow users to interactively choose an authentication option, or you may set it in the URLs you distribute to users.
    1. Use a query parameter in Operations Hub Designer app or End app’s URL.
      For example, if a regular Designer app’s URL is https://xyz.test.net/iqp, then a URL that enables Windows Auto-login would be: https://xyz.test.net/iqp?authOption=kerberos

      This addition of authOption query parameter enables Windows Auto-login for the session.

    2. If the authentication option is not included in the URL, the following screen appears:
      Standard Proficy Authentication Login: Choose this option if you want to use the standard login (username/password or SAML), or if Windows Auto-login has not been configured with Proficy Authentication.

      This is a regular login, based on username/password (including LDAP) or SAML.

      Active Directory (Windows) Integrated Login: Choose this option only when it is set up with Proficy Authentication.

      This allows for auto-login, wherein a user's domain login session is used to log in to Proficy Authentication.

      Don't ask me again: Select this check box if you don't want the Select Authentication screen displayed every time you log in.

      The system remembers the last selected authentication (regular or auto-login) and applies it for future logins.

      With Don't ask me again enabled, you can clear the last selected authentication only during logout.

      Select the "You may also click here to clear the previously selected authentication option" link to clear the saved selection. Once cleared, the clearing option is hidden from the logout screen.

      Select the "click here to login again" link to return to the login page.

      Defer: Select this to dismiss the screen and skip selecting an authentication option. You can choose an authentication option the next time you log in.
    Note:
    • It is not necessary for the Proficy Authentication host (or the Operations Hub host, if different) to be a domain member; it only needs a valid DNS record. However, the user must be a domain user and the client machine the user has logged into must be a domain member, in order to produce a Kerberos ticket to authenticate with Proficy Authentication.
    • For Administrator’s Console, the only way to use Windows Auto-login is to use the additional query parameter in the URL: https://xyz.test.net/site/adminconsole?authOption=kerberos
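The following PowerShell script is an added example for the server side of steps 4 through 6; it is not part of the Proficy documentation. It derives the SPN from the host's canonical DNS name as step 4 describes, queries the domain with setspn.exe to confirm the SPN is registered exactly once (a duplicate SPN prevents the KDC from issuing a usable service ticket), and tightens the keytab file's ACL so that only SYSTEM, local Administrators and NT SERVICE\uaaTomcat can read it. It assumes setspn.exe is available on the host, that the keytab is named xyz.keytab in the Operations Hub uaa-config directory, and uses the page's sample names uaa.test.net and TEST.NET; the function names are the author's own.

```powershell
# Added example, not from the Proficy documentation: on the Proficy Authentication host,
# (1) derive the SPN as described in step 4, (2) confirm it is registered exactly once in
# the domain, and (3) restrict the keytab ACL as step 6 recommends.
# Assumptions: setspn.exe is available, the keytab is xyz.keytab in the Operations Hub
# uaa-config directory, and uaa.test.net / TEST.NET are the sample names from the page.

function Get-AutoLoginSpn {
    param([string]$HostName = 'uaa.test.net', [string]$Realm = 'TEST.NET')
    # The SPN must use the host's canonical DNS name, not an alias (CNAME).
    $canonical = [System.Net.Dns]::GetHostEntry($HostName).HostName.ToLowerInvariant()
    if ($canonical -ne $HostName.ToLowerInvariant()) {
        Write-Warning "'$HostName' resolves to canonical name '$canonical'; use the canonical name in the SPN."
    }
    # HTTP is literal, the FQDN is lower case, the realm is upper case.
    return "HTTP/$canonical@$($Realm.ToUpperInvariant())"
}

function Test-SpnRegistration {
    param([Parameter(Mandatory)][string]$Spn)
    # The realm suffix is not part of the SPN as stored in AD, so query without it.
    $spnNoRealm = $Spn -replace '@.*$', ''
    $output = & setspn.exe -Q $spnNoRealm 2>&1
    # setspn -Q prints one "CN=..." distinguished name per account that holds the SPN.
    $owners = @($output | Where-Object { "$_" -match '^CN=' })
    [pscustomobject]@{
        Spn        = $spnNoRealm
        Registered = ($owners.Count -ge 1)
        Duplicate  = ($owners.Count -gt 1)   # a duplicate SPN breaks ticket issuance
        Owners     = $owners
    }
}

function Protect-KeytabFile {
    param([string]$Path = 'C:\ProgramData\GE\Operations Hub\uaa-config\xyz.keytab')
    $acl = Get-Acl -Path $Path
    # Stop inheriting the directory's permissions and discard the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    # Only SYSTEM, local Administrators and the UAA service account keep access.
    $grants = @(
        @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Identity = 'NT SERVICE\uaaTomcat';   Rights = 'Read' }
    )
    foreach ($g in $grants) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $g.Identity, $g.Rights, 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
    # Return the effective entries so the result can be reviewed.
    (Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
}

$spn = Get-AutoLoginSpn
"SPN for kerberos.yml: $spn"
Test-SpnRegistration -Spn $spn | Format-List
Protect-KeytabFile | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the Proficy Authentication host after the keytab has been copied. If Test-SpnRegistration reports Duplicate as True, remove the SPN from the account that should not hold it before continuing, and make sure the Owners entry is the account created in step 3.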
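For the client side of step 8, the following PowerShell function is an added example (not from the Proficy documentation) that reports which security zone a client machine has assigned to the Proficy Authentication host, so an administrator can confirm why a browser does or does not send a Kerberos ticket. It reads the standard Windows ZoneMap locations: the per-user entries written by Control Panel, and the ZoneMapKey entries written by the Site to Zone Assignment List group policy. Zone 1 is Local intranet and zone 2 is Trusted sites. The host name uaa.test.net is the page's sample value and the function name is the author's own.

```powershell
# Added example, not from the Proficy documentation: on a client machine, check whether the
# Proficy Authentication host is in the Local intranet (1) or Trusted sites (2) zone.
# Assumptions: standard Windows ZoneMap registry locations; uaa.test.net is the page's sample host.
function Get-SiteZoneAssignment {
    param([string]$Fqdn = 'uaa.test.net')
    $labels    = $Fqdn.Split('.')
    $hostLabel = $labels[0]
    $domain    = ($labels | Select-Object -Skip 1) -join '.'
    $results   = @()

    # Interactive (Control Panel) assignment for the current user:
    # ZoneMap\Domains\<domain>\<host>, one DWORD per scheme (https, http, *) holding the zone.
    $interactive = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$hostLabel"
    if (Test-Path $interactive) {
        $props = Get-ItemProperty -Path $interactive
        foreach ($scheme in 'https', 'http', '*') {
            if ($null -ne $props.$scheme) {
                $results += [pscustomobject]@{
                    Source = 'Control Panel (current user)'; Pattern = "$scheme://$Fqdn"; Zone = [int]$props.$scheme
                }
            }
        }
    }

    # Group policy "Site to Zone Assignment List": ZoneMapKey under the Policies hive,
    # value name = URL pattern (for example https://uaa.test.net or *.test.net), data = zone.
    foreach ($hive in 'HKCU', 'HKLM') {
        $policy = "${hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        if (Test-Path $policy) {
            $props = Get-ItemProperty -Path $policy
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like "*$Fqdn*" -or $p.Name -like "*$domain*") {
                    $results += [pscustomobject]@{
                        Source = "Group policy ($hive)"; Pattern = $p.Name; Zone = [int]$p.Value
                    }
                }
            }
        }
    }

    if (-not ($results | Where-Object { $_.Zone -in 1, 2 })) {
        Write-Warning "$Fqdn is not assigned to Local intranet or Trusted sites; the browser will not send a Kerberos ticket."
    }
    return $results
}

Get-SiteZoneAssignment | Format-Table -AutoSize
```

An empty result with the warning is the expected outcome on an unconfigured client; after the group policy from step 8 has applied, the Group policy (HKCU or HKLM) row should show the host, or a wildcard pattern covering its domain, with Zone 1 or 2.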