Integrated Windows Authentication

SpectX Server supports the Kerberos provider in the SPNEGO negotiation scheme of Integrated Windows Authentication in an Active Directory domain.

When enabled, the Integrated Windows Authentication option is displayed as an alternative login method on the login screen. Choosing this method initiates Windows user authentication with the SpectX Server.

The SpectX Server does not have to be part of the Windows domain for this to function.

To enable Integrated Windows Authentication, the following mandatory configuration parameters must be set:

  • wgui.spnegoAuth.realm - The Kerberos realm (the domain name in the Active Directory). The value is case-insensitive (converted to upper case internally).

  • wgui.spnegoAuth.keytab - Path to the Kerberos keytab file containing the principal credentials of the SpectX service account in Active Directory. Refer to the service account creation instructions for acquiring the file.

  • wgui.spnegoAuth.redirectUri - The fully qualified URI of your SpectX WUI instance or its frontend server. The hostname in the URI must match the one used in the service principal name set for the SpectX service account in Active Directory.

Optional authentication-related parameters are:

  • wgui.spnegoAuth.name - The name of the authentication scheme displayed on the login screen for this type of authentication (default is “with AD account”).

  • wgui.spnegoAuth.autoCreateAccount - Boolean setting enabling the automatic creation of user accounts in the SpectX user database when they first log into SpectX Server. This feature is off by default.

    Warning

    When automatic user account creation is enabled, every domain user can log in to SpectX Server. It is highly recommended to enforce authorization of access to SpectX Server.

  • wgui.spnegoAuth.autoCreateApiKey - Boolean setting enabling the automatic creation of API keys for user accounts that are created automatically when they first log into SpectX Server with this authentication method. The setting is ignored if wgui.spnegoAuth.autoCreateAccount is not set to true. The default value for this setting is false.

  • wgui.spnegoAuth.errRedirectPeriod - Time period for displaying the error message about failed IWA authentication before redirecting the user’s browser to the login page. The default value is 5s. A negative value disables automatic redirection.

  • wgui.spnegoAuth.fallbackToBasicAuth - If set to true, the Basic Authentication scheme is offered to clients in addition to SPNEGO as an alternate authentication scheme. Clients picking this means of authentication must provide their Active Directory username and password, which the server uses to perform a Kerberos login on behalf of the user. All attempts to use NTLM instead of Basic Authentication are rejected.

    Note

    Note that the user’s credentials are transferred in the clear unless communication between the client and SpectX Server is protected by TLS.
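
As an added example (not SpectX's own code), the following Python check audits these settings against the constraints described above. It assumes the settings are available as key = value lines, that the keytab's principals have been listed separately (for instance with klist -k), that the service principal has the usual HTTP/<host>@<REALM> form, and that an https redirectUri is taken as the sign of TLS; all sample values are constructed.

```python
from urllib.parse import urlsplit

PREFIX = "wgui.spnegoAuth."
MANDATORY = ("realm", "keytab", "redirectUri")

def parse_settings(text):
    """Parse 'key = value' lines (assumed file layout) into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def is_true(settings, name):
    return settings.get(PREFIX + name, "false").lower() == "true"

def audit(settings, keytab_principals):
    """Return findings for the IWA settings; an empty list means no issue found."""
    findings = [f"missing mandatory setting {PREFIX}{n}"
                for n in MANDATORY if not settings.get(PREFIX + n)]
    uri = urlsplit(settings.get(PREFIX + "redirectUri", ""))
    host = (uri.hostname or "").lower()
    realm = settings.get(PREFIX + "realm", "").upper()  # realm is case-insensitive
    spn_hosts = set()
    for principal in keytab_principals:  # assumed form: HTTP/<host>@<REALM>
        service, _, rest = principal.partition("/")
        spn_host, _, spn_realm = rest.partition("@")
        if service.upper() == "HTTP" and spn_realm.upper() in ("", realm):
            spn_hosts.add(spn_host.lower())
    if host and host not in spn_hosts:
        findings.append(f"redirectUri host {host} matches no HTTP SPN in the keytab")
    if is_true(settings, "fallbackToBasicAuth") and uri.scheme != "https":
        findings.append("fallbackToBasicAuth without https: AD passwords travel in the clear")
    if is_true(settings, "autoCreateAccount"):
        findings.append("autoCreateAccount is on: every domain user can log in")
    elif is_true(settings, "autoCreateApiKey"):
        findings.append("autoCreateApiKey is ignored while autoCreateAccount is not true")
    return findings

# Constructed sample input: hostname mismatch, Basic fallback over http, orphan API key flag.
SAMPLE_CONF = """\
wgui.spnegoAuth.realm = example.test
wgui.spnegoAuth.keytab = /path/to/spectx.keytab
wgui.spnegoAuth.redirectUri = http://spectx.example.test/
wgui.spnegoAuth.fallbackToBasicAuth = true
wgui.spnegoAuth.autoCreateApiKey = true
"""
SAMPLE_PRINCIPALS = ["HTTP/sx01.example.test@EXAMPLE.TEST"]
```

Calling audit(parse_settings(SAMPLE_CONF), SAMPLE_PRINCIPALS) reports the hostname mismatch, the cleartext Basic fallback and the ignored API key setting.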