AX2577

Using Windows Authentication

You can enable Windows Authentication for a system, to authenticate users based on their Windows domain credentials.

Windows Authentication behavior

When the Axiom Software login screen displays, users must enter their Windows user name, domain, and password. If the domain is an allowed domain and the Windows user name matches a user name in Axiom Software, then the credentials are passed to Windows for authentication into Axiom Software.

If the Windows Authentication configuration for Axiom Software only allows one domain, then that domain is assumed for authentication and users do not need to specify it when logging in. If multiple domains are allowed, then the domain must be specified in one of the following ways:

  • The user must include the domain with their user name, such as: DomainName\UserName.
  • The user must specify the appropriate domain using the Domain selection list on the login screen. This is an optional setting that can be enabled for your installation. For more information, see Domain selection list.

Users must enter their credentials each time they log in, unless they select Remember me to store their credentials for future use. For more information, see Remember me.

Setting up Windows Authentication

The following summarizes the setup process for Windows Authentication.

  1. Windows Authentication must be enabled for the system.

    For on-premise systems, Windows Authentication can be enabled during the Axiom Application Server installation. If it was not enabled during the installation, you can configure it later using either of the following options:

    • Use the Configure Authentication Methods page of the Axiom Software Manager. For more information, see the Installation Guide.

    • Use a Save Type 4 report to modify the applicable system configuration settings (WindowsAuthEnabled and WindowsAuthAllowedDomains). For more information, see System configuration settings.

    When you enable Windows Authentication, you must specify the valid domains for authentication. You can specify multiple domains, separated by commas. You can also choose to enable Active Directory Synchronization if you want to import and synchronize users from Active Directory (for more information, see Synchronizing users with Active Directory).

    For cloud systems, Axiom Support will enable Windows Authentication for you as part of the system setup, if that is your chosen authentication method.

  2. In security, Axiom Software users must be set up as follows to support Windows Authentication:

    • The user's Axiom Software login name must match their Windows login name.
    • The user's Authentication method must be set to Windows User. This is the default setting for new users if Windows Authentication is enabled for your installation.

    If users are imported from Active Directory, then they will automatically be created with the appropriate login name and authentication type.

  3. Cloud systems have the following additional requirements:

    • Installation of the Cloud Integration Service is required to enable the cloud system to communicate with your local Windows domain, to validate user credentials. For information on installing the Cloud Integration Service, see the Cloud Service Technical Guide and contact Axiom Support as needed.

    • A remote data connection must be created in Scheduler, with the option Use for authentication service enabled. For more information, see Managing remote data connections.

All users who are assigned to the Windows Authentication method will be authenticated based on their Windows credentials. This is the only way that these users can log in—they cannot log in using an internal Axiom Software password.

If you need to test the security settings of a Windows Authentication user, you can use the Log in as selected user feature to log in to Axiom Software as that user. For more information, see Testing user security.

Adding or removing domains for Windows Authentication

If the Windows domain names used by your organization for authentication have changed, you must update the list of allowed domains in Axiom Software. Users can only log into Axiom Software using Windows Authentication if their domain name matches one of the allowed domain names in this list. The list of allowed domains is stored in the system configuration settings (WindowsAuthAllowedDomains).

For example, when Windows Authentication was originally configured, you may have been using a domain named CompanyA. After a merger or reorganization, some or all of your users may now be using a domain named CompanyB. If those users need to log in to Axiom Software, you must add CompanyB to the list of allowed domains. You might leave CompanyA on the domain list if your organization is actively using both domains, or you might remove it if your organization has completely switched to using the CompanyB domain.

The list of allowed domain names for Windows Authentication can be managed in the Axiom Web Client, on the System Configuration page.

To add or remove a domain name for Windows Authentication:

  1. In the Web Client, click the menu icon in the Global Navigation Bar (the blue bar across the top of pages in the Web Client, which provides access to system-wide features). From the Area menu, select System Administration.

  2. From the Navigation panel, select System Status > System Configuration.

    Alternatively, you can go directly to the System Configuration page using one of the following URLs:

    Example On-Premise URL

    http://ServerName/Axiom/Admin/SystemConfiguration

    Where ServerName is the name of the Axiom Application Server, and Axiom is the default name of the virtual directory.

    Example Cloud System URL

    https://ClientName.axiom.cloud/Admin/SystemConfiguration

    Where ClientName is the name of your Axiom Cloud Service system.

  3. On the System Configuration page, locate the row for WINDOWSAUTHALLOWEDDOMAINS, and then click Edit.

    When you click the Edit button, the Value field on the row becomes editable.

  4. Modify the list of domains as needed to add or remove domain names. Multiple domain names must be separated with commas.

    For example, if the list is currently CompanyA, and you need to keep CompanyA but add CompanyB, edit the value so that it reads: CompanyA,CompanyB

  5. Click Update to save and apply your changes. The Value field now shows your edited list.

The changed list of domain names takes effect immediately after saving. If you removed a domain name, users in that domain can no longer log in using Windows Authentication. If you added a domain name, users in that domain can now log in using Windows Authentication.
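The following is an added illustrative model, not Axiom Software's own code, of the Axiom-side gating described above: how the entered login name, the optional Domain selection, and the WindowsAuthAllowedDomains value decide whether a login attempt is handed to Windows at all, and why a user in a removed domain is refused. The user table, the case-insensitive matching, and the reason strings are assumptions for the example; the actual password check happens in Windows and is not modelled.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


def parse_allowed_domains(setting: str) -> list[str]:
    """Parse the comma-separated WindowsAuthAllowedDomains value (whitespace tolerated)."""
    return [d.strip() for d in setting.split(",") if d.strip()]


@dataclass
class AxiomUser:
    login_name: str
    auth_method: str  # "Windows User" per the help topic; other labels are constructed


@dataclass
class Decision:
    forward_to_windows: bool  # True only when every Axiom-side check passed
    domain: Optional[str]
    reason: str


def resolve_login(entered: str, selected_domain: Optional[str],
                  allowed_setting: str, users: dict[str, AxiomUser]) -> Decision:
    """Apply the domain and user-name checks before credentials reach Windows."""
    allowed = parse_allowed_domains(allowed_setting)
    if "\\" in entered:                      # DomainName\UserName form
        domain, user = entered.split("\\", 1)
    elif selected_domain:                    # Domain selection list on the login screen
        domain, user = selected_domain, entered
    elif len(allowed) == 1:                  # single allowed domain is assumed
        domain, user = allowed[0], entered
    else:
        return Decision(False, None, "domain required when several domains are allowed")
    # Assumption: Windows domain and user names compare case-insensitively.
    if domain.casefold() not in {d.casefold() for d in allowed}:
        return Decision(False, domain, "domain not in WindowsAuthAllowedDomains")
    axiom_user = users.get(user.casefold())
    if axiom_user is None:
        return Decision(False, domain, "no matching Axiom Software user")
    if axiom_user.auth_method != "Windows User":
        return Decision(False, domain, "user is not set to the Windows User authentication method")
    return Decision(True, domain, "credentials forwarded to Windows for validation")
```

Removing a domain from the setting makes the second check fail for that domain's users immediately, which is the behaviour the preceding paragraph describes.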