Diagnose and Fix Passthrough Authentication Issues

Passwordstate has two base authentication methods: Active Directory Integrated and Forms Based Authentication.  When you set up Passwordstate for the first time you can choose which of these authentication options you want to use.  By default, the Active Directory Integrated version of Passwordstate is installed.

With Active Directory Integration you can take advantage of Single Sign-On (SSO).  SSO is an authentication scheme that allows logging in with a single username and password to access multiple computer applications and resources.  It uses your Active Directory credentials to automatically authenticate you to your Passwordstate website, without needing to re-enter your username and password. 

But what if that isn’t working?  How do you stop Passwordstate from prompting for your credentials each time you browse to Passwordstate?  What if you can’t select Passthrough AD Authentication in your System Settings?

Check your Internet Information Server Authentication Settings

By default, Passwordstate requires users to enter their Active Directory username and password to authenticate.  During installation we also set the Internet Information Server (IIS) to Anonymous Authentication.  This setting needs to be disabled to allow your Windows clients to use SSO.  To do this you’ll need to open IIS on your web server, select your Passwordstate website and double click Authentication.

Now right click Anonymous Authentication and select Disable.  The results should look like the screen image below.

Now you can make the required changes in your Passwordstate Instance.

Choosing Passthrough AD Authentication

Log on to your Passwordstate instance and navigate to Administration TAB->System Settings->Authentication Options->Web Authentication Options and select Passthrough AD Authentication from the Choose Authentication Options drop down list as per the screenshot below.

Once this has been set you can log off and try browsing back to your Passwordstate instance.  You should now be automatically logged in with SSO from your Windows client.  Unfortunately, Linux and Mac clients will continue to prompt for the username and password credentials.

My Browser Is Still Prompting for Domain Credentials

You’ve now successfully configured your system to allow SSO.  So why could you still be receiving prompts to enter your domain credentials?  There are a number of possible reasons.

First, check that you are currently logged on using a Domain Account and not a Local Account.  You should also check that you are using DNS for name resolution and not a hosts file.

Next you can confirm if your Passwordstate website is being detected as being in the ‘Local intranet’ Security Zone.  Security Zones are a legacy of Internet Explorer but appear to be still used by modern browsers.  To confirm if Passwordstate is in the correct Security Zone, open Control Panel->Internet Options->Security Tab, select Local intranet and click on Sites (screenshot below).

Next click on Advanced.

Then confirm your Passwordstate website is listed under the Websites: listing.  The example below is for Click Studios Passwordstate instances.  If your Passwordstate instance is not shown here you should add the URL of the site to a group policy which forces your browser to detect the site is in the Local Intranet zone.  Alternatively, each user can enter the URL in the Add this website to the zone: field and click the Add button.

For the Firefox browser, open Firefox and type about:config in the URL bar.  In the Search dialog box type network.automatic and double click the network.automatic-ntlm-auth.trusted-uris result.  You’ll then need to enter your Passwordstate URL (screenshot below as reference).

Now restart your browser and SSO should be working.

Lastly, some customers’ SSO for Passwordstate has been affected by the order of the authentication providers in IIS for Windows Authentication.  You can try moving the NTLM Provider to the top.  To do this open IIS on your web server, select your Passwordstate website and double click Authentication.  Select Windows Authentication, click on Providers…, select NTLM and click on Move Up.

Click on OK and then restart IIS or reboot the Webserver and your SSO for Passwordstate should now be working.
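
The IIS settings covered above can also be read back from PowerShell on the web server.  The script below is an added example, not Click Studios code; it only reads configuration and changes nothing.  The site name 'Passwordstate' and the function name are assumptions, so substitute the name shown for your site in IIS Manager.

```powershell
# Added example: read-only check of the IIS settings described in this article.
# Run from an elevated PowerShell session on the Passwordstate web server.
Import-Module WebAdministration

function Test-PassthroughIisConfig {
    param(
        # Assumption: the IIS site name shown in IIS Manager; change it to match yours.
        [string]$SiteName = 'Passwordstate'
    )
    $sitePath = "IIS:\Sites\$SiteName"
    if (-not (Test-Path $sitePath)) { throw "IIS site '$SiteName' not found." }

    $auth = 'system.webServer/security/authentication'
    # Effective values for the site, after inheritance from the server level.
    $anonymous = (Get-WebConfigurationProperty -PSPath $sitePath `
        -Filter "$auth/anonymousAuthentication" -Name enabled).Value
    $windows = (Get-WebConfigurationProperty -PSPath $sitePath `
        -Filter "$auth/windowsAuthentication" -Name enabled).Value
    # Windows Authentication providers, in their configured order.
    $providers = @(Get-WebConfiguration -PSPath $sitePath `
        -Filter "$auth/windowsAuthentication/providers/add" |
        ForEach-Object { $_.value })

    [pscustomobject]@{
        Check  = 'Anonymous Authentication disabled'
        Value  = "enabled=$anonymous"
        Result = if (-not $anonymous) { 'OK' } else { 'FIX: disable it for this site' }
    }
    [pscustomobject]@{
        Check  = 'Windows Authentication enabled'
        Value  = "enabled=$windows"
        Result = if ($windows) { 'OK' } else { 'FIX: enable it for this site' }
    }
    [pscustomobject]@{
        Check  = 'NTLM listed first in Providers'
        Value  = ($providers -join ', ')
        # Only a troubleshooting step in the article, so reported as INFO, not a failure.
        Result = if ($providers[0] -eq 'NTLM') { 'OK' } else { 'INFO: try Move Up on NTLM if prompts persist' }
    }
}

Test-PassthroughIisConfig | Format-Table -AutoSize -Wrap
```

The client-side checks (domain account, DNS resolution, Local intranet zone, Firefox trusted URIs) still need to be confirmed on the workstation itself.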

As always, we welcome your feedback via support@clickstudios.com.au.