[CyberArk][PAS] Windows Authentication doesn't work

Modified on Sun, 11 Aug, 2019 at 11:28 AM

Symptom:

When Windows Authentication is enabled, users are still unable to login into PVWA.


Cause:
The Hardening GPO settings provide only the 'Administrators' group the 'Access this computer from the network' permission.
As part of the PVWA Hardening - the GPO removes all groups but the "Administrators" from the "Access this computer from the network" setting.
As a result, users who aren't Administrators on the PVWA machine can't log in to PVWA with Windows Authentication.

 

Solution:
Add the 'Domain Users' group to this permission setting in the PVWA Hardening GPO should resolve the issue.


Note:
This setting is required for the PVWA v10 interface:
 

Enable Windows authentication in the new PVWA interface:

    1. Using Notepad (not Notepad++), open the IIS configuration file. By default, this is

       %WinDir%\System32\Inetsrv\Config\applicationHost.config.

    2. At the end of the file, add the following lines:

<location path="Default Web

Site/PasswordVault/api/auth/windows/logon">

<system.webServer>

<security>

<authentication>

<windowsAuthentication enabled="true" />

</authentication>

</security>

</system.webServer>

</location>

    3. Restart the IIS server.

Test Windows Authentication in the PVWA:
In the PVWA, in the list of available authentication methods, click Windows; the PVWA will authenticate you with your Windows authentication and will not prompt you for additional authentication.





 

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article