AX2577

 

Using Windows Authentication

You can enable Windows Authentication for a system so that users are authenticated based on their Windows domain credentials.

Windows Authentication behavior

When the Axiom Software login screen displays, users must enter their Windows user name, domain, and password. If the domain is an allowed domain and the Windows user name matches a user name in Axiom Software, then the credentials are passed to Windows for authentication into Axiom Software.

If the Windows Authentication configuration for Axiom Software only allows one domain, then that domain is assumed for authentication and users do not need to specify it when logging in. If multiple domains are allowed, then the domain must be specified in one of the following ways:

  • The user must include the domain with their user name, such as: DomainName\UserName.
  • The user must specify the appropriate domain using the Domain selection list on the login screen. This is an optional setting that can be enabled for your installation. For more information, see Domain selection list.

Users must enter their credentials each time they log in, unless they select Remember me to store their credentials for future use. For more information, see Remember me.
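
The domain rules described above, modeled as an added Python example (this is not Axiom Software code). The function names, the Decision type, case-insensitive matching, and a typed DomainName\UserName prefix taking precedence over the Domain selection list are assumptions; the sample domains and users are constructed.

```python
from __future__ import annotations
from typing import NamedTuple, Optional

class Decision(NamedTuple):
    forward: bool            # True: credentials are passed to Windows
    domain: Optional[str]
    user: Optional[str]
    reason: str

def parse_allowed_domains(setting: str) -> list[str]:
    """Split a comma-separated WindowsAuthAllowedDomains value, dropping blanks."""
    return [d.strip() for d in setting.split(",") if d.strip()]

def resolve_login(entered: str, allowed_setting: str, axiom_users: set[str],
                  selected_domain: Optional[str] = None) -> Decision:
    """Decide whether a login attempt may be handed to Windows at all."""
    allowed = parse_allowed_domains(allowed_setting)
    if not allowed:
        return Decision(False, None, None, "no allowed domains configured")

    if "\\" in entered:
        # DomainName\UserName form: split on the first backslash only.
        domain, user = entered.split("\\", 1)
    else:
        # Fall back to the Domain selection list value, if one was supplied.
        domain, user = selected_domain, entered
    domain, user = (domain or "").strip(), user.strip()

    if not domain:
        if len(allowed) != 1:
            return Decision(False, None, user, "domain required")
        domain = allowed[0]  # a single allowed domain is assumed

    # Assumption: domain and user names compare case-insensitively.
    canonical = {d.lower(): d for d in allowed}
    if domain.lower() not in canonical:
        return Decision(False, domain, user, "domain not allowed")
    if user.lower() not in {u.lower() for u in axiom_users}:
        return Decision(False, domain, user, "no matching Axiom Software user")
    return Decision(True, canonical[domain.lower()], user, "forward to Windows")

# Constructed sample data, not taken from any real installation.
USERS = {"jsmith", "mlee"}
if __name__ == "__main__":
    for name, setting in [("jsmith", "CORP"), ("jsmith", "CORP, EMEA"),
                          ("EMEA\\jsmith", "CORP, EMEA"), ("OTHER\\jsmith", "CORP")]:
        print(f"{name!r} with {setting!r}:", resolve_login(name, setting, USERS))
```

Note that a typed domain outside the allowed list is rejected even when only one domain is configured, so the allow-list check runs before any credentials reach Windows.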

Setting up Windows Authentication

The following summarizes the setup process for Windows Authentication.

  1. Windows Authentication must be enabled for the system.

    For on-premise systems, Windows Authentication can be enabled during the Axiom Application Server installation. If it was not enabled during the installation, you can configure it later using either of the following options:

    • Use the Configure Authentication Methods page of the Axiom Software Manager. For more information, see the Installation Guide.

    • Use a Save Type 4 report to modify the applicable system configuration settings (WindowsAuthEnabled and WindowsAuthAllowedDomains). For more information, see System configuration settings.

    When you enable Windows Authentication, you must specify the valid domains for authentication. You can specify multiple domains, separated by commas. You can also choose to enable Active Directory Synchronization if you want to import and synchronize users from Active Directory (for more information, see Synchronizing users with Active Directory).

    For cloud systems, Kaufman Hall Software Support will enable Windows Authentication for you as part of the system setup, if that is your chosen authentication method.

  2. In security, Axiom Software users must be set up as follows to support Windows Authentication:

    • The user's Axiom Software login name must match their Windows login name.
    • The user's Authentication method must be set to Windows User. This is the default setting for new users if Windows Authentication is enabled for your installation.

    If users are imported from Active Directory, then they will automatically be created with the appropriate login name and authentication type.

  3. Cloud systems have the following additional requirements:

    • Installation of the Cloud Integration Service is required so that the cloud system can communicate with your local Windows domain to validate user credentials. For information on installing the Cloud Integration Service, see the Cloud Service Technical Guide and contact Kaufman Hall Software Support as needed.

    • A remote data connection must be created in Scheduler, with the option Use for authentication service enabled. For more information, see Managing remote data connections.

All users who are assigned to the Windows Authentication method will be authenticated based on their Windows credentials. This is the only way that these users can log in—they cannot log in using an internal Axiom Software password.

If you need to test the security settings of a Windows Authentication user, you can use the Log in as selected user feature to log in to Axiom Software as that user. For more information, see Testing user security.