3.5 Integrated Windows Logon
If you set up the MyID server to use Integrated Windows Logon, MyID Desktop can use the cardholder's currently logged-on Windows identity to authenticate to MyID without having to enter passphrases or use a smart card.
Warning: Back up your system before you make any changes for Windows Logon. If you misconfigure the system, you may no longer be able to log in to MyID.
To set up integrated Windows logon:
- From the Configuration category, select Security Settings.
- On the Logon Mechanisms tab, make sure that Integrated Windows Logon is set to Yes.
- Click Save changes, then click Save to confirm your changes.
- From the Configuration category, select the Directory Management workflow and set up a configuration-only directory for MyID.
  - Click New and enter a new name – this can be any value.
  - Select the Retrieve Base DN option.
    MyID attempts to connect to the directory and, if successful, displays a list of possible DNs. Select one of the DNs from the list. In most cases, you must select the DN that begins CN=Configuration.
  - Click Save.
- Edit the roles within MyID.
  - From the Configuration category, select Edit Roles.
  - Click the Logon Methods option, and select Windows Logon for each role you want to be able to log on with Integrated Windows Logon.
  - Click OK.
  - Click Save Changes.
Note: The fields SAMAccountName and Domain must be stored in MyID when using Integrated Windows Logon.
Note: Make sure that the web server has the following server role configured:
- Web Server (IIS)\Web Server\Security\Windows Authentication
This server role is required for Integrated Windows Logon to work.
Note: You must make sure that the MyID web site has been included in the list of Trusted Sites in the Internet Options on each MyID Desktop client.
You must also carry out additional configuration on the web services for Integrated Windows Logon; see the Configuring the MyID web services for Integrated Windows Logon section in the Web Service Architecture for details.
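The two prerequisites in the notes above (the Windows Authentication role service on the IIS server, and the MyID web site in the client's Trusted Sites zone) are the ones most often found missing when Integrated Windows Logon does not work. The following PowerShell script, added here as an example and not part of the MyID documentation or product, checks both. The hostname `myid.example.com` and the IIS application path `IIS:\Sites\Default Web Site\MyID` are placeholders that are not stated on this page and must be replaced with your deployment's values; the server-side functions are meant to run on the MyID web server and the client-side function on a MyID Desktop workstation.

```powershell
# Added example (not from the MyID documentation): verify the Integrated
# Windows Logon prerequisites named in the notes above.
param(
    [string]$MyIDHost   = 'myid.example.com',                 # placeholder: MyID web site hostname
    [string]$MyIDIisApp = 'IIS:\Sites\Default Web Site\MyID'  # placeholder: IIS path of the MyID application
)

# --- Server side: Web Server (IIS)\Web Server\Security\Windows Authentication ---

function Test-WindowsAuthFeature {
    # Web-Windows-Auth is the Server Manager name of the role service
    # "Web Server (IIS)\Web Server\Security\Windows Authentication".
    Import-Module ServerManager -ErrorAction Stop
    $feature = Get-WindowsFeature -Name Web-Windows-Auth
    return [bool]$feature.Installed
}

function Test-WindowsAuthEnabledOnApp {
    param([string]$IisPath)
    # Installing the role service is not enough on its own: it must also be
    # enabled on the application that serves MyID.
    Import-Module WebAdministration -ErrorAction Stop
    $setting = Get-WebConfigurationProperty -PSPath $IisPath `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -Name 'enabled'
    return [bool]$setting.Value
}

# --- Client side: MyID web site listed under Internet Options > Trusted Sites ---

function Get-ZoneMapKeyPath {
    param([string]$Base, [string]$HostName)
    # WinINet stores "myid.example.com" as Domains\example.com\myid:
    # the registrable domain is the key, any further labels form a subkey.
    $labels = $HostName.Split('.')
    if ($labels.Count -le 2) { return (Join-Path $Base $HostName) }
    $domain = ($labels[-2..-1] -join '.')
    $prefix = ($labels[0..($labels.Count - 3)] -join '.')
    return (Join-Path (Join-Path $Base $domain) $prefix)
}

function Test-TrustedSiteEntry {
    param([string]$HostName)
    # Zone 2 is "Trusted sites". A DWORD value of 2 named after the scheme
    # ("https", "http" or "*") under the host's ZoneMap key places it there.
    $bases = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    )
    foreach ($base in $bases) {
        $key = Get-ZoneMapKeyPath -Base $base -HostName $HostName
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($scheme in 'https', 'http', '*') {
            if ($props.PSObject.Properties[$scheme] -and [int]$props.$scheme -eq 2) { return $true }
        }
    }
    # Entries deployed by the "Site to Zone Assignment List" Group Policy are
    # stored as URL -> zone pairs under ZoneMapKey instead.
    $policyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    if (Test-Path $policyKey) {
        $policy = Get-ItemProperty -Path $policyKey
        foreach ($url in "https://$HostName", "http://$HostName", $HostName) {
            if ($policy.PSObject.Properties[$url] -and [int]$policy.$url -eq 2) { return $true }
        }
    }
    return $false
}

# Run whichever checks apply to the machine this is executed on.
$isServer = Get-Module -ListAvailable -Name ServerManager
if ($isServer) {
    "Windows Authentication role service installed : $(Test-WindowsAuthFeature)"
    "Windows Authentication enabled on $MyIDIisApp : $(Test-WindowsAuthEnabledOnApp -IisPath $MyIDIisApp)"
}
"$MyIDHost present in Trusted Sites zone         : $(Test-TrustedSiteEntry -HostName $MyIDHost)"
```

A `False` on the server checks points at the IIS role service or application setting from the note above; a `False` on the client check means the site must still be added to Trusted Sites (manually or by policy) on that MyID Desktop workstation.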
3.5.1 Integrated Windows Logon for existing user accounts
If you set up MyID for Integrated Windows Logon, and have existing user accounts in MyID that were already imported, you may have to resynchronize the user records before you can use those accounts with Integrated Windows Logon.
You can do this by selecting the user account in the Edit Person workflow, or by using the Batch Directory Synchronization Tool. See section 5.5, The Batch Directory Synchronization Tool for details.