Learn how to integrate your Windows Diego Cells with an existing Active Directory domain to enable support for apps using Windows Authentication. With Windows Authentication, users can access a Windows app on TAS for VMs [Windows] and authenticate transparently with their domain credentials.
Do not use HTTP routing via the GoRouter for apps that use Windows Authentication. Windows Authentication sessions are cached by source IP and port. The GoRouter maintains TCP connections to app containers and re-uses them for subsequent inbound HTTP requests. This implies that a given GoRouter uses the same port to talk to an app for multiple users. User authentication sessions end up being shared among multiple users making HTTP requests to the Windows Authentication app, which is a serious security hazard.
To avoid this risk, use TCP routing. The TCP router does not maintain connections to app containers in the same fashion as the GoRouter does, so user authentication sessions are not shared among multiple users. To enable TCP routing, see Configure Networking for the TAS for VMs tile.
Apps using Windows Authentication should use the --no-route flag with cf push, or specify a routes stanza in the app manifest with only a TCP route. Note that the --no-route flag no longer unbinds all existing routes associated with the app.
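As an added example, not taken from the original page or from the TAS for VMs documentation, the following app manifest declares a single TCP route so that the app is never reachable through the GoRouter. The app name, the TCP domain tcp.example.com and port 1024 are assumed placeholders; the domain must already be registered as a TCP shared domain on your foundation (typically with cf create-shared-domain and a TCP router group).

```yaml
# Constructed example manifest: a Windows Authentication app exposed only via a TCP route.
# No HTTP route is declared, so the GoRouter never proxies (and pools connections to) this app.
applications:
- name: winauth-sample-app        # placeholder app name
  stack: windows                  # run on the Windows Diego Cells joined to the AD domain
  instances: 2
  memory: 1G
  routes:
  - route: tcp.example.com:1024   # placeholder TCP domain:port; must be a TCP shared domain
```

If you prefer to keep routing out of the manifest, push with cf push APP_NAME --no-route and then map the TCP route separately with cf map-route APP_NAME tcp.example.com --port 1024. Because --no-route no longer unbinds existing routes, check cf routes after pushing an app that previously had an HTTP route and remove that route with cf unmap-route, so no HTTP path to the app remains.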
Before you configure the TAS for VMs [Windows] tile for Windows Authentication, ensure that you meet the following requirements:
Caution Using Windows Authentication through the GoRouter is strongly discouraged because it will result in authentication sessions for one user being returned to a different user. Apps using Windows Authentication should only be accessed via TCP routes.
Important VMware strongly recommends using an isolation segment for Windows Authentication because all apps in the TAS for VMs [Windows] installation will have access to the GMSA credentials. To associate a TAS for VMs [Windows] tile with an isolation segment so that its Diego Cells run in that segment, see Windows Diego Cells in Isolation Segments.
Start by following the steps in the Microsoft docs to create the appropriate values, then select Windows Authentication and follow this procedure:
to acknowledge this requirement. See Security considerations for the details.
Follow the steps in the Microsoft docs, but do not create a new service account or security group.
For troubleshooting details, see Troubleshooting Windows authentication.