Windows Authentication

If all your users are on the same domain and use Windows throughout your company you may benefit from using Windows authentication. FastClose Server uses the Kerberos protocol to authenticate users using their Domain and Login name.

You must create an account for each user before they can login with Windows authentication.

Enable Windows Authentication

On the Admin site: Click System → Setup and scroll to the Server Authentication section.

Select Windows Authentication from the dropdown and click Save.

You should create at least one other administrator via the Users page. Subsequently, any of those administrators can create other standard users, using their Windows domain username.

You may visit the Password Override page if you cannot login using Windows Authentication during configuration and setup of new users.

Creating New Users

On the Admin Site: Click Users → Create New User

A Windows Domain user is mapped to a FastClose user by their Domain and Username. If a user does not exist in the FastClose system then the windows user will not be able to login.

The Windows User Name input box becomes available after you have selected Windows Authentication in your Server Setup page.

Domain\Username needs to be the exact windows domain name and username. It is case insensitive.

Username is used for the name of the user's personal reports folder in FastClose. It can be any unique value.

If the authentication mode is ever reverted to Username and Password, users will still be able to login with the Username value (i.e. without the domain). In this scenario, all users created before version 3.0 will have the same password and that password can be obtained from FastClose support. Users created with or after version 3.0 will each have a long, randomly generated password which cannot be recovered: a new password must be set for each of them.

IIS Hosted FastClose Server

The FastClose web server can be hosted within IIS rather than as its own service if wished. There is separate documentation page on how to setup FastClose Server under IIS which should be followed first.

Windows Authentication under IIS hosted FastClose Server should work with no extra steps.

Common Problems

Service Principal Name

FastClose Server uses the Kerberos protocol to authenticate using trusted hosts. If you have not set the Service Principal Name (SPN) for FastClose Server then Windows Authentication may fail with the following symptom.

Desktop and Web clients are not authenticated using Windows Authentication even though it is configured. But both do work locally on the FastClose Server.

You will see the following error in the logs:

System.InvalidOperationException: An anonymous request was received in between authentication handshake requests.

The fix for this issue is to ensure the machine running FastClose Server has an SPN configured. First, you need to be logged in as an account which has the Domain Administrator role or has the Validated Write to Service Principal Names permission delegated to it. The command to enter at a 'Run as Administrator' command prompt looks like this:

setspn -S HTTP/myserver.mydomain.com myserviceaccount

where myserver.domain.com is the name of the machine running FastClose Server and myserviceaccount is the name of the service account the FastClose Server service is running as. You must restart FastClose Server afterwards.

Microsoft's documentation for SetSPN can be found here.