Learn how to integrate your Windows Diego Cells with an existing Active Directory domain to enable support for apps using Windows Authentication. With Windows Authentication, you can access a Windows app on TAS for VMs [Windows] to transparently authenticate using your domain credentials.
Do not use HTTP routing through the Gorouter for apps that use Windows Authentication. Windows Authentication sessions are cached by source IP and port. The Gorouter maintains TCP connections to application containers and reuses them for subsequent inbound HTTP requests, so a given Gorouter uses the same source port to talk to an app on behalf of multiple users. As a result, user authentication sessions are shared among multiple users making HTTP requests to the Windows Authentication app, which is a serious security issue.
To avoid this risk, use TCP routing. The TCP router does not maintain connections to application containers in the way the Gorouter does, so user authentication sessions are not shared among multiple users.
To activate TCP routing, see Configure networking for the TAS for VMs tile.
Apps using Windows Authentication can use the --no-route flag for the cf push command, or specify a routes section in the app manifest with only a TCP route. The --no-route flag no longer unbinds all existing routes associated with the app.
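The following app manifest is an added example, not part of the original page or of TAS for VMs itself. It shows a manifest whose routes section contains only a TCP route, which is the safe configuration for a Windows Authentication app. The app name, the TCP domain tcp.example.com and port 1024 are placeholders; the TCP domain must already exist in your foundation with TCP routing enabled.

```yaml
# Added example manifest (not from the original page). The app name, the TCP
# domain tcp.example.com and port 1024 are placeholders; substitute a TCP
# domain that exists in your TAS for VMs foundation.
---
applications:
- name: winauth-app            # hypothetical app name
  stack: windows               # Windows Diego Cell stack
  memory: 1G
  # Only a TCP route. A TCP route is written as DOMAIN:PORT; the domain
  # must be a TCP domain whose port range is reserved for the TCP router.
  routes:
  - route: tcp.example.com:1024
  # Do NOT add an HTTP route such as the following for a Windows
  # Authentication app: the Gorouter reuses back-end connections, so one
  # user's authentication session can be returned to a different user.
  # - route: winauth-app.apps.example.com
```

Alternatively, push with cf push winauth-app --no-route and map the TCP route afterwards with cf map-route winauth-app tcp.example.com --port 1024. Either way, confirm with cf routes that the app has no HTTP route before directing users to it.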
Before you configure the TAS for VMs [Windows] tile for Windows Authentication, you must meet the following requirements:
Caution: Using Windows Authentication through the Gorouter is discouraged because it causes authentication sessions for one user to be returned to a different user. Apps using Windows Authentication must only be accessed through TCP routes.
Note: Use an isolation segment for Windows Authentication, because all apps in the TAS for VMs [Windows] installation have access to GMSA credentials. To associate a TAS for VMs [Windows] tile with an isolation segment so that its Diego Cells run in that segment, see Windows Diego Cells in isolation segments.
Start the configuration by following the steps in the Microsoft documentation to create the appropriate values, then select Windows Authentication and use this procedure:
Acknowledge this requirement. See Security considerations for the details. Follow the steps in the Microsoft documentation, but do not create a new service account or security group.
For troubleshooting details, see Troubleshooting Windows authentication.