User authentication methods for Dashboard Server Community Edition
A key decision when deploying Dashboard Server is how users will authenticate (log on). There are two authentication methods you can use for Dashboard Server:

By default, Dashboard Server is installed with Forms authentication enabled. Forms authentication requires the user to enter his or her username and password to log on.
To use Forms authentication you do not need to make any changes after installation. If you have previously configured Windows authentication and want to switch back to Forms authentication see How to enable Forms authentication.

Windows authentication is also known as Integrated Windows Authentication (IWA), Single Sign-On (SSO) and Pass Through Authentication.
With Windows authentication enabled, the browser automatically authenticates to Dashboard Server using the user's Windows credentials. The user does not need to explicitly log on to the application.
In some scenarios, configuring Windows authentication can be more complex.
A single Dashboard Server instance (website) can be configured for either Forms authentication or Windows authentication, but not both.
For information about using an application proxy (Web Application Proxy and AD FS or Azure Application Proxy) for example to allow multi-factor authentication (MFA), see How to configure Dashboard Server to use an application proxy
To access Dashboard Server, a user must authenticate with their Windows credentials. For more information see User Management
Tip: If you want to make dashboards available to users within your organization without requiring authentication, you can use Open Access dashboards. Open Access dashboards can be shared across the organization and viewed without users needing to authenticate. To learn more about Open Access see Sharing Dashboards with anyone - Open Access.
How to enable Windows authentication
Make sure Dashboard Server has been installed and the initial configuration wizard (licensing etc) has been completed.
Enable Windows authentication using the Dashboard Server configuration script.
How to enable Windows authentication using the Dashboard Server configuration script
Modifying the configuration causes the web application to restart and all users will be logged off.
On the SquaredUp server click on the Start button and type:
command prompt
Change directory to the instance for which you wish to change authentication, by typing the correct path, for example:
cd c:\inetpub\wwwroot\SquaredUpv5\
orcd c:\inetpub\wwwroot\SquaredUpv4\
depending on your version of Dashboard Server.Type the following to enable Windows authentication, depending on your version of Dashboard Server:
squaredup5 windows
orsquaredup4 windows
Your browser, and other users' browsers, must be configured to use automatic logon for all your Dashboard Server URLs. The steps below describe how to configure the browser on each client (not on the server), you can test this in your own client's browser, then your organization should apply the settings to all users' browsers, perhaps using Group Policy.
Internet Explorer
Add the fully qualified domain name (FQDN) of all SquaredUp servers e.g. webserver1.domain.local (and load balanced address if using) to the list of local intranet sites, and select automatic logon, as described below. These two settings prevent the browser logon box from popping up, and allow the Windows authentication logon to be used for Dashboard Server.
Please note that your domain settings may differ from the Internet Explorer defaults, so we recommend that you review the settings below.
Navigate to Tools > Internet Options > Security > Local intranet > Sites > Advanced
Enter the fully qualified domain name (FQDN) for your SquaredUp server(s), and click Add, then Close, then OK.
When using multiple load balanced servers you must add the FQDN of each server, and also the load balanced address.
Click on Local intranet and then Custom level
Scroll to the bottom of the settings and verify that either of the following settings are enabled:
Automatic logon with current user name and password
Automatic logon only in Intranet zone
Click OK, then Yes, then OK.
Add the sites to the local intranet sites on ALL clients. (For example using Group Policy, see Internet Explorer prompting for credentials - Windows authentication (Clint Boessen's blog)).
Chrome
By default, Chrome uses the Internet Explorer local intranet sites configuration. Follow the steps for Internet Explorer.
In addition, Chrome requires that Kerberos constrained delegation is explicitly configured.
For more details, see The Chromium Projects - HTTP authentication
Firefox
Firefox requires explicit configuration to enable Windows authentication.
- Type
about:config
in the location bar. - Type
network.negotiate-auth.trusted-uris
in the search box. Double-click on the setting returned and type the SquaredUp server name and then the fully qualified domain name (FQDN) separated by a comma and a space. Do not include the http:// or https://
When using multiple load balanced servers you should add the FQDN of each server, and also the load balanced address.
- Click OK.
- Repeat these steps for the
network.negotiate-auth.delegation-uris
setting.
Verify the configuration.
How to verify the configuration
Check that Dashboard Server is now accessible:
- Log on to a client machine using a different user account to that with which you are logged on to the SquaredUp Server. (Note that it must be a different account, otherwise Windows authentication may reuse your server logon session and it may appear to succeed even if it is misconfigured).
Browse to Dashboard Server. Check the servers short address and the fully qualified domain name (FQDN):
http://SquaredUpServer/SquaredUpv5 and http://SquaredUpServer.domain.tld/SquaredUpv5
If you are using multiple servers, check the short and FQDN names for all servers, and also the load balanced address.
- If Dashboard Server opens, check that graphs are shown.
Please contact SquaredUp Support if you experience any problems and reply to the automatic response with the output of the Dashboard Server Diagnostics (see Collecting diagnostic information) and, if possible, a screenshot of the problem.
How to enable Forms authentication
Forms authentication is enabled by default when Dashboard Server is installed. If you have previously configured Windows authentication and would like to switch back to Forms authentication, follow the instructions below.
Modifying the configuration causes the web application to restart and all users will be logged off.
Open a command prompt (cmd.exe) on the SquaredUp web server.
Navigate to the instance for which you wish to change authentication. By default for Dashboard Server v5 this is:
cd c:\inetpub\wwwroot\SquaredUpv5\
Then run
squaredup5 forms
If you have previously configured SPNs or Kerberos constrained delegation settings in Active Directory, these can be reverted after switching to Forms authentication.
Comments
0 comments
Please sign in to leave a comment.