Windows Authenticated logon configuration for Microsoft IIS7

Configuration

Step 1.  Set up and configure the HelpMaster Active Directory module

Before any Windows-based authentication can take place for any of the HelpMaster modules, including the web interface, you must first install, configure and run the HelpMaster Active Directory module to synchronize your HelpMaster users with a valid Active Directory account.  See Active Directory Module Overview for the installation and configuration process.

Step 2.  Create a Windows Authentication 'hmplogin' virtual directory / application on IIS

In order for the Windows Authentication feature of IIS 7 to work, it must first be installed.  This component is not installed by default, so you may need to install it.  See Installing Microsoft IIS 7 for details.  Ensure that you check the "Windows Authentication" checkbox during the install (see picture).


In addition to the creation of the required virtual directory for the web interface, a second directory needs to be created called 'hmplogin'.  Unlike the standard HelpMaster web interface virtual directory which accepts anonymous authentication, this virtual directory will be configured to authenticate valid Windows accounts (network accounts) only.  Once authentication has been successful, the authenticated Windows user will be automatically re-directed back to the standard HelpMaster web interface application and automatically logged in with their corresponding HelpMaster account.

To configure the Windows Authentication virtual directory, perform the following steps on your HelpMaster web server.  These steps apply to IIS version 7.

  1. Open the IIS Manager by selecting Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
  2. Right-click on the Default Web Site node/branch and select Add application... from the pop-up menu.

    The properties for a new application will be displayed.
  3. The "Add Application" screen contains several settings that need to be configured.  After each of the settings below has been configured, click OK to create the web application.



    Alias : This is the name of your HelpMaster Windows authentication web application.  This should be one word without any spaces.  This name forms the address that you will need to access to use the HelpMaster Module, e.g.  www.machinename.com/virtualdirectoryalias.  It is recommended that you name this application "hmplogin".  This is the name used throughout this documentation.

    Application pool : Select the application pool that the HelpMaster web interface will operate in.  Choose the default, or select / create an application pool.  For further information about Application pools, refer to

    Physical path : Click the "..." button to browse to where you installed HelpMaster.  It is vital that you select the [HMP Web Install Path]\WinLogin folder.  If you selected default settings during the setup, this location may be "C:/inetpub/wwwroot/HelpMaster Web Interface/WinLogin" or similar.  Note: If you moved this folder at any time, or wish to re-locate this folder, please read this first.

    Connect as... : Select the connection method.  It is vital that this setting is set to "Application user (pass-through authentication)" (Important!)



  4. Once the HelpMaster "hmplogin" application has been created, ensure that it is configured for Windows Authentication.

    Click on the "hmplogin" application, then find the "Authentication" icon in the "IIS" group.  Right-click and select "Open Feature".

    If the Windows Authentication icon is not displayed, it most likely means that it is not installed.  See Installing Microsoft IIS 7 for details.  Ensure that you check the "Windows Authentication" checkbox during the install (see picture).


  5. Right-click on "Windows Authentication" and select "Enable" from the pop-up menu.
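
The steps above can also be scripted and then checked. This is an added example, not part of the HelpMaster documentation; it assumes the WebAdministration PowerShell module is available on the server, that the application pool is DefaultAppPool, and that WinLogin is at the default location quoted above. It also disables Anonymous Authentication on "hmplogin", an assumption based on the statement that this directory accepts Windows accounts only.

```powershell
# Added example (not HelpMaster's own script). Run elevated on the web server.
Import-Module WebAdministration

$site  = 'Default Web Site'
$alias = 'hmplogin'
$pool  = 'DefaultAppPool'   # assumption: the pool the HelpMaster web interface runs in
$path  = 'C:\inetpub\wwwroot\HelpMaster Web Interface\WinLogin'   # default location quoted above
$auth  = 'system.webServer/security/authentication'
$root  = 'MACHINE/WEBROOT/APPHOST'   # write to applicationHost.config
$loc   = "$site/$alias"

# Without the Windows Authentication module, the enabled flag below has no effect.
if (-not (Get-WebGlobalModule -Name 'WindowsAuthenticationModule')) {
    throw 'Windows Authentication is not installed in IIS.'
}
if (-not (Test-Path $path)) { throw "WinLogin folder not found: $path" }

# Steps 2-3: create the application. No credentials are set on it, which is
# the "Application user (pass-through authentication)" choice.
if (-not (Get-WebApplication -Site $site -Name $alias)) {
    New-WebApplication -Site $site -Name $alias -PhysicalPath $path -ApplicationPool $pool | Out-Null
}

# Steps 4-5: enable Windows Authentication. Anonymous is switched off as well
# (assumption drawn from "Windows accounts only"): while it is enabled, IIS
# tries anonymous access first and normally does not challenge the browser.
Set-WebConfigurationProperty -PSPath $root -Location $loc -Filter "$auth/windowsAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $root -Location $loc -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false

# Read back the effective settings and fail loudly if they differ.
function Get-AuthEnabled([string]$scheme) {
    (Get-WebConfigurationProperty -PSPath $root -Location $loc -Filter "$auth/$scheme" -Name enabled).Value
}
$vdir = "system.applicationHost/sites/site[@name='$site']/application[@path='/$alias']/virtualDirectory[@path='/']"
$user = (Get-WebConfigurationProperty -PSPath $root -Filter $vdir -Name userName).Value

if (-not (Get-AuthEnabled 'windowsAuthentication')) { throw 'Windows Authentication is still disabled.' }
if (Get-AuthEnabled 'anonymousAuthentication')      { throw 'Anonymous Authentication is still enabled.' }
if ($user) { throw "Connect as is set to '$user', expected pass-through." }
"OK: $loc requires Windows Authentication with pass-through access."
```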


Step 3.  Configuring redirect for un-authenticated requests (optional)

Now that you have created a web application to accept Windows authenticated logins, you may like to configure this application to appropriately handle logins that for whatever reason cannot be authenticated (e.g.  account has expired, network issues, non-network login etc.).  When an authentication request fails, you can configure IIS to re-direct the user back to the standard HelpMaster login page where they can try logging onto the HelpMaster web interface via their HelpMaster account.

To configure un-authenticated request redirection, perform the following steps on your HelpMaster web server.

  1. Click on the "hmplogin" application, then find the "Error Pages" icon in the "IIS" group.  Right-click and select "Open Feature".


  2. Edit the properties for '401;1' and '401;2'.  These error codes refer to authentication errors.  Rather than display the default error page, you can re-direct these errors to point back to your standard HelpMaster web interface application that you configured previously.

See also

Active Directory interaction with HelpMaster Windows modules

Creating a virtual directory