Windows Authentication

Windows Authentication

If all your users are on the same Windows domain you may benefit from using Windows authentication, with FastClose Server using the Kerberos protocol to authenticate users.

You must still create an account for each user in FastClose before they can login with Windows authentication.

Enable Windows Authentication

In the Admin app, login as Administrator using the password, click 'System' then 'Setup' and scroll to the 'Server Authentication' section.

Select 'Windows Authentication' from the dropdown and click 'Save'.

Do not logout until you have used the procedure below to create a new user for yourself, with your Windows domain username filled in, and with membership of the Administrators group. Or edited your existing administrative user and filled in that field.

You can use the Password Sign In page as a fall back if you cannot login using Windows Authentication during configuration and setup of new users.

Creating New Users

In the Admin web app, click 'Users' then 'Create New User'.

A Windows user is mapped to their FastClose user by their Windows Domain Username. If a matching Windows Domain Username does not exist in FastClose then the user will not be able to login.

2681ed62-ed9f-45a9-bd2d-55d8d86fedf5

The 'Windows User Name' needs to match the Windows domain name and username, separated by a backslash. It is case insensitive.

The Windows User Name field is only available once you have selected Windows Authentication in your System / Setup page.

The 'Username' value is used for the name of the user's personal reports folder in FastClose. It can be any unique value.

If the authentication mode is ever reverted to Username and Password, users will be able to login with the Username value but a new password must be set for each of them.

IIS Hosted FastClose Server

FastClose Server can be hosted within IIS rather than as its own web server if desired. There is separate documentation on how to set up FastClose Server under IIS which should be followed first.

Windows Authentication under an IIS hosted FastClose Server should work with no extra steps.

Common Problems

Service Principal Name

FastClose Server uses the Kerberos protocol to authenticate using trusted hosts. If you have not set the Service Principal Name (SPN) for FastClose Server then Windows Authentication may fail with the following symptom:

Desktop and web clients are not authenticated using Windows Authentication even though it is configured. But both do work locally on the FastClose Server.

You will see the following error in the logs:

System.InvalidOperationException: An anonymous request was received in between authentication handshake requests.

The fix for this issue is to ensure the machine running FastClose Server has an SPN configured. First, you need to be logged in as an account which has the Domain Administrator role or has the Validated Write to Service Principal Names permission delegated to it. The command to enter at a 'Run as Administrator' command prompt looks like this:

setspn -S HTTP/myserver.mydomain.com myserviceaccount

where myserver.mydomain.com is the name of the machine running FastClose Server and myserviceaccount is the name of the service account the FastClose Server service is running as. You must restart FastClose Server afterwards.

Microsoft's documentation for SetSPN can be found here.

Powered By