3.5 Integrated Windows Logon
If you set up the MyID server to use Integrated Windows Logon, MyID Desktop can use the cardholder's currently logged-on Windows identity to authenticate to MyID without having to enter passphrases or use a smart card.
Warning: Back up your system before you make any changes for Windows Logon. If you misconfigure the system, you may no longer be able to log in to MyID.
This section contains instructions for configuring MyID Desktop for Integrated Windows Logon. For information about configuring the MyID Operator Client for Integrated Windows Logon, see the Signing in using Windows authentication section in the MyID Operator Client guide.
To set up integrated Windows logon:
- From the Configuration category, select Security Settings.
- On the Logon Mechanisms tab, make sure that Integrated Windows Logon is set to Yes.
- Click Save changes, then click Save to confirm your changes.
- From the Configuration category, select the Directory Management workflow and set up a configuration-only directory for MyID:
  - Click New and enter a new name (this can be any value).
  - Select the Retrieve Base DN option.
  - MyID attempts to connect to the directory and, if successful, displays a list of possible DNs. Select one of the DNs from the list. In most cases, you must select the DN that begins CN=Configuration.
  - Click Save.
  See section 5.7, Setting up a configuration-only directory, for more information.
- Edit the roles within MyID:
  - From the Configuration category, select Edit Roles.
  - Click the Logon Methods option, and select Windows Logon for each role you want to be able to log on with Integrated Windows Logon.
  - Click OK.
  - Click Save Changes.
Note: The fields SAMAccountName and Domain must be stored in MyID when using Integrated Windows Logon. The Domain must contain the NetBIOS domain name and not the DNS format.
Note: Make sure that the web server has the following server role configured:
- Web Server (IIS)\Web Server\Security\Windows Authentication
This server role is required for Integrated Windows Logon to work.
Note: You must make sure that the MyID web site has been included in the list of Trusted Sites in the Internet Options on each MyID Desktop client.
You must also carry out additional configuration on the web services for Integrated Windows Logon; see the Configuring the MyID web services for Integrated Windows Logon section in the Web Service Architecture for details.
3.5.1 Integrated Windows Logon for existing user accounts
If you set up MyID for Integrated Windows Logon, and have existing user accounts in MyID that were already imported, you may have to resynchronize the user records before you can use those accounts with Integrated Windows Logon.
You can do this by selecting the user account in the Edit Person workflow, or by using the Batch Directory Synchronization Tool. See section 5.5, The Batch Directory Synchronization Tool for details.
3.5.2 Protected Users group in Active Directory
You cannot use Integrated Windows Logon with a user who is a member of the Protected Users group in Active Directory. Membership in the Protected Users group is designed to be restrictive and proactively secure by default.
If you attempt to use a member of this group to sign on to MyID using Integrated Windows Logon, you may see an error similar to the following:
800551 – Logon Denied.
You may also see an error similar to the following in the Windows Events:
NTLM authentication failed because the account was a member of the Protected Users group.
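The following PowerShell pre-flight check is an added example, not part of the MyID product or its documentation. It verifies the prerequisites described above (the Windows Authentication role service, Windows Authentication enabled on the MyID site, the NetBIOS domain name that MyID expects, and Protected Users membership for a test account). The IIS site name and the test account name are assumed placeholders; run it on the MyID web server as an administrator with the ServerManager, WebAdministration and ActiveDirectory modules available.

```powershell
# Added pre-flight check for MyID Integrated Windows Logon prerequisites.
# Assumed placeholders: $SiteName is the IIS site hosting MyID, $SamAccountName is a test account.
param(
    [string]$SiteName       = 'Default Web Site',
    [string]$SamAccountName = 'jsmith'
)

Import-Module ServerManager
Import-Module WebAdministration
Import-Module ActiveDirectory

# 1. The role service named in the documentation:
#    Web Server (IIS)\Web Server\Security\Windows Authentication.
$feature = Get-WindowsFeature -Name Web-Windows-Auth
if (-not $feature.Installed) {
    Write-Warning 'Web-Windows-Auth is not installed; Integrated Windows Logon cannot work.'
}

# 2. Being installed is not enough; Windows Authentication must be enabled on the site.
$winAuth = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled
if (-not $winAuth.Value) {
    Write-Warning "Windows Authentication is disabled on IIS site '$SiteName'."
}

# 3. MyID must store the NetBIOS domain name, not the DNS name; print both so they are not confused.
$domain = Get-ADDomain
Write-Output ('NetBIOS domain (value MyID expects): {0}   DNS name (do not use): {1}' -f `
    $domain.NetBIOSName, $domain.DNSRoot)

# 4. Members of Protected Users cannot use Integrated Windows Logon, because NTLM is
#    refused for them. This checks direct membership only; nested membership is not resolved.
$protectedDn = (Get-ADGroup -Identity 'Protected Users').DistinguishedName
$user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, SamAccountName
if ($user.MemberOf -contains $protectedDn) {
    Write-Warning "$($user.SamAccountName) is in Protected Users; expect '800551 - Logon Denied'."
} else {
    Write-Output "$($user.SamAccountName) is not a direct member of Protected Users."
}
```

The Trusted Sites setting is per client and is not checked here; confirm it in Internet Options on each MyID Desktop machine.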