Windows Authentication for Velocity Web Service Client (VWSC)

Overview

Prior to Velocity 3.7 SP1, the Velocity Web Service Client (VWSC) application used the Anonymous Authentication mode, which used the Forms Authentication Provider. As a result, when you initially hit the VWSC website, a login page displays and is authenticated by the Velocity Web Service.

Starting from Velocity 3.7 SP1, the Administrator can disable Anonymous Authentication and define Windows Authentication to support Auto-Login capability. For users logged in as an authorized Velocity operator in the Velocity domain in Windows, the VWSC login page is bypassed to enable the Auto-Login feature.

Enabling Auto-Login using Windows Authentication Provider

The VWSC application uses Anonymous authentication by default. To enable Auto-Login capability using Windows Authentication you must make configuration changes to the following:

Configuring IIS for Windows Authentication in Windows 10 Pro and above

The steps below enable Windows Authentication in IIS where Velocity Web Client or VWSC bundle is installed.

  1. Go to Control Panel > Programs

  2. Locate and click on Turn Windows Features on or off link as shown below

  3. In Windows Features dialog, expand Internet Information Services > World Wide Web Services > Security to see the available options

  4. Select the following highlighted options (if not selected already), and then click OK

    • World Wide Web Services > Security > Basic Authentication

    • World Wide Web Services > Security > Request Filtering

    • World Wide Web Services > Security > Windows Authentication
      A progress dialog shows that Windows is building the selected feature changes.

  5. Click Close after Windows completes the requested changes. Windows Authentication mode is now enabled in IIS.

Configuring IIS for Windows Authentication in Microsoft Windows Server 2016 and above

The steps below enable Windows Authentication in IIS on Windows Server where Velocity Web Client or VWSC bundle is installed.

  1. Go to Run and type ServerManager and press Enter or click Server Manager button in the Windows taskbar
    The Server Manager Dashboard screen displays as shown.

  2. Click Add roles and features link in Dashboard

  3. Read the wizard instructions and click Next to continue

  4. In Select installation type choose Role-based or feature-based Installation radio button

  5. Choose to Select a server from the server pool radio button

  6. Select the Windows Server 2016 from Server Pool and click Next

  7. Select the following highlighted options (if not selected already) and then click Next

    1. Select Server Roles. Choose the following options under Roles:

      1. Web Server (IIS) (20 of 43 Installed) > Web Server (14 of 34 Installed) > Security (1 of 9 Installed) > Request Filtering (Installed)

      2. Web Server (IIS) (20 of 43 Installed) > Web Server (14 of 34 Installed) > Security (1 of 9 Installed) > Basic Authentication

      3. Web Server (IIS) (20 of 43 Installed) > Web Server (14 of 34 Installed) > Security (1 of 9 Installed) > Windows Authentication

        Skip to the Confirmation menu in the Add Roles and Features Wizard

  8. In Confirm installation selections click Install to enable Windows Authentication

    The Installation progress window display the progress of the Feature Installation

  9. Click Close after the installation is done

Velocity Web Service Client Website Configuration

The Velocity Web Service Client Website configuration is done in the system where the Velocity Web Client and Website is installed or hosted.

  1. On the desktop, click Start >Programs or All Programs > Administrative Tools > Internet Information Services (IIS) Manager

  2. On the left panel in connections, select User > Sites > Default Web Sites > VWSC

  3. Double-click Authentication

  4. The VWSC Authentication window displays; right click Anonymous Authentication to Disable or select Disable link as shown

  5. Right click Windows Authentication to Enable or select Enable link as shown
    Except Windows Authentication all other authentications must be disabled

  6. Right click Windows Authentication and select Advanced Settings or click Advanced Settings link as shown

  7. In Advanced Settings dialog box, select Accept from Extended Protection drop-down and click OK as shown below

  8. In IIS Manager window, right click Default Web Site > All Tasks > Restart IIS for the changes to take place as shown below

PIV Enrollment using Windows Authentication

To configure anonymous authentication using IIS, you need to:

  1. Run Notepad as Administrator

  2. Open %WINDIR%\System32\inetsrv\config\applicationHost.config

  3. Save it as %WINDIR%\System32\inetsrv\config\applicationHost.config.bak for backup purposes

  4. Find following string: <section name="anonymousAuthentication" overrideModeDefault="Deny" />

  5. Replace Deny with Allow

  6. Save file as %WINDIR%\System32\inetsrv\config\applicationHost.config

  7. Recycle the Application Pool, to be sure that IIS re-reads web.config

Periodic recycling of Application Pool helps to avoid unstable states that can lead to application crashes, hangs, or memory leaks.

For details on how to recycle settings on application pool, refer to https://tinyurl.com/y44yb4mm

Configuring Browser Settings

Auto login window appears only if the user is currently logged into their device as a member of the Velocity Users Group in the Velocity domain and is an authorized Velocity operator. Configuring Microsoft Edge to automatically pass credentials for trusted sites without prompting can be done through the browser settings.

A. The following steps allow the user to configure Microsoft Edge browser without prompting their credentials over trusted sites:

  1.  Open Microsoft Edge

  2. Click on the three horizontal dots (...) in the upper-right corner of the browser window. This will open the menu, click Settings

  3. In the Settings menu, locate and navigate to Cookies and site permissions

  4. Under Cookies and data stored, click on Manage and delete cookies and site data

  5. This will open a new window where you can manage individual site permissions, scroll down to find the section labeled Allow "The following sites can save cookies on your device...", click Add

  6. Enter the URL of the trusted site for which you want to automatically pass credentials, click on Add to add and save new site

  7. Once you have configured the settings for the trusted site, you can also go back to the main Settings page in Microsoft Edge
    If you have a list of trusted sites, you can repeat the process to add each site to the list. Ensure that the URLs you add are correct to avoid any issues.

B. The following steps allows to add the website URL to work properly in latest Google Chrome versions:

  1. Go to Control panel > Internet Options. The Internet Properties window opens.

  2. In Internet Properties windows, select Security tab

  3. Select Local Intranet > Sites button

  4. The Local Intranet dialog window opens, select Advanced

  5. The Local Intranet windows displays, Add http://localhost/VWSC

  6. The URL is added to the Websites text area in Local Intranet, click Close

 

Related pages