Learn how to integrate your Windows Diego Cells with an existing Active Directory domain to enable support for apps using Windows Authentication. With Windows Authentication, you can access a Windows app on TAS for VMs [Windows] to transparently authenticate using your domain credentials.

Security considerations

In some configurations, Windows Authentication sessions are cached by source IP and port, that is, per TCP connection. The Gorouter maintains TCP connections to application containers and reuses them for subsequent inbound HTTP requests, and from the app's point of view every reused connection comes from the Gorouter, so all users behind it look alike. If you do not deactivate this behavior in applications using Windows Authentication, an authentication session established on a reused connection can be applied to later requests from other users, and one user's request might be served under another user's identity. This is a serious security concern.

To deactivate this behavior in your applications:

  • For .NET Framework apps using the hwc_buildpack, the authPersistSingleRequest and authPersistNonNTLM IIS settings are set to false by default. Ensure that these settings remain false and that no Windows app using Windows Authentication overrides them in its own configuration.
  • For .NET Core apps using the binary_buildpack, explicitly set PersistKerberosCredentials and PersistNtlmCredentials in Microsoft.AspNetCore.Authentication.Negotiate.NegotiateOptions to false.

If apps cannot be configured to deactivate this behavior, those apps must use TCP routing instead. The TCP router avoids this security concern because it does not maintain connections to application containers at all.

To activate TCP routing, see Networking for the TAS for VMs tile.

Apps using Windows Authentication can be pushed with the --no-route flag for cf push, or with a routes section in the app manifest that contains only a TCP route. Note that --no-route no longer unbinds routes that are already mapped to the app, so any HTTP route left over from an earlier push must be unmapped explicitly.
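The push sequence described above, as an added example that is not part of the original page: the app name, the TCP domain, the HTTP domain and the port are assumptions; use the shared TCP domain configured in your TAS for VMs tile.

```powershell
# Added example (not from the TAS for VMs docs). Push a Windows Authentication
# app so that it is reachable only through a TCP route, never the Gorouter.
# Assumed values: app name winauth-app, HTTP domain apps.example.com,
# TCP domain tcp.example.com, port 61001.
cf push winauth-app -s windows -b hwc_buildpack --no-route

# --no-route does not remove routes that were mapped earlier, so drop any HTTP
# route that may still be bound from a previous push. This errors harmlessly if
# no such route exists.
cf unmap-route winauth-app apps.example.com --hostname winauth-app

# Map only a TCP route. The TCP router keeps no connections to the container,
# so a reused connection cannot carry another user's authentication session.
cf map-route winauth-app tcp.example.com --port 61001

# Verify: the "routes:" line must list only tcp.example.com:61001.
cf app winauth-app
```

Treat the last command as a gate: if any HTTP route is still listed, the app is reachable through the Gorouter and the security consideration above applies.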


Prerequisites

Before you configure the TAS for VMs [Windows] tile for Windows Authentication, you must meet the following requirements:

  • Your Active Directory instance must be configured with a gMSA and a regular user account that has been granted permission to retrieve the gMSA password. See the Microsoft documentation for specifics.
  • Your Windows Diego Cells must have the appropriate firewall rules to access the Active Directory instance.
  • Application Security Groups must be configured to allow traffic from application containers to the Active Directory instance.
  • If TCP routing is not enabled and configured, apps must be configured not to persist NTLM and Kerberos authentication sessions, as described in Security considerations.
  • If using Gorouter for routing, ensure that the Enable support for NTLM authentication in Gorouter property is enabled in the Networking settings of the TAS for VMs tile. This allows the Gorouter to properly handle NTLM challenge-response style negotiation when apps are configured with multiple instances. If you use routed isolation segments in front of apps that use Windows Authentication, then you must configure this setting on the Isolation Segment tile, as well.
Note

Support for Windows Authentication through the Gorouter was added in the following versions of TAS for VMs and IST:

  • TAS for VMs v4.0.18 and IST v4.0.18
  • TAS for VMs v5.0.8 and IST v5.0.8
  • TAS for VMs v6.0.0 and IST v6.0.0

Caution If your apps are not configured to deactivate persistent NTLM + Kerberos connections, then using Windows Authentication through the Gorouter might have undesirable security consequences. These apps must be accessible only through TCP routes.

  • The Advanced Features setting The Gorouter and apps use mutual TLS to verify each other’s identity must not be selected, because selecting it deactivates TCP routing.
  • Depending on your IaaS, you might need to configure BOSH DNS handlers so that your application containers can resolve domain resources through the Active Directory instance. See the VMware Tanzu Operations Manager Documentation for IaaS-specific instructions.
  • Apps intending to use Windows Authentication must use the HWC buildpack.

Note Use an isolation segment for Windows Authentication, because every app in a TAS for VMs [Windows] installation has access to the gMSA credentials. To associate a TAS for VMs [Windows] tile with an isolation segment so that its Diego Cells run in that segment, see Windows Diego Cells in isolation segments.

Limitations

  • Authenticating through the cf CLI with Windows Authentication is not supported.
  • Every app in the TAS for VMs [Windows] installation has access to the gMSA credentials. There is no way to scope this on an app-by-app basis.
  • Windows Authentication delegation from app to service is not supported.

Configuring the tile

Start by following the steps in the Microsoft documentation to create the gMSA, the security group that guards access to it, and the standard user, then select Windows Authentication in the tile and use this procedure:

  1. Under Windows Authentication, select Configure.
  2. In the For security reasons, apps using Windows Authentication must use TCP routing text box, enter X to acknowledge this requirement. See Security considerations for the details.
  3. In Active Directory FQDN, enter the domain of the Active Directory instance that application containers use for authentication.
  4. In Standard user name, enter the name of the regular user account that has been granted access to the gMSA password.
  5. In Standard user password, enter that user account's password.
  6. In Container credential spec, enter a JSON string that describes the gMSA account and domain details. For more information about Windows Authentication, see Microsoft documentation.
  7. Click Save.
  8. Deploy the tile.
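The Active Directory preparation this procedure refers to, as an added example that is not from the TAS for VMs documentation or from Microsoft: it creates the gMSA, the security group, and the standard user, and assembles the Container credential spec JSON string for step 6. All names, the domain and the DNS host name are assumptions; run it as a domain administrator on a host with the RSAT ActiveDirectory module. The same New-GmsaReaderUser function is what the Rotating the standard user procedure repeats with a new account name.

```powershell
# Added example (not from the TAS for VMs docs or Microsoft). Assumed names:
# gMSA tas-winauth, group TAS-WinAuth-gMSA-Readers, user tas-winauth-reader,
# domain corp.example.com. Replace them with your own.
Import-Module ActiveDirectory

$gmsaName = 'tas-winauth'                  # gMSA the app containers run under
$readers  = 'TAS-WinAuth-gMSA-Readers'     # only members may retrieve the gMSA password
$dnsHost  = "$gmsaName.corp.example.com"   # assumed DNS host name for the gMSA

# The standard user (tile fields "Standard user name" / "Standard user password")
# is a plain account whose only privilege is membership in $readers. Rotation
# is the same call with a new name, followed by updating the tile.
function New-GmsaReaderUser {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$GroupName
    )
    $password = Read-Host -Prompt "Password for $Name" -AsSecureString
    New-ADUser -Name $Name -SamAccountName $Name -AccountPassword $password -Enabled $true
    Add-ADGroupMember -Identity $GroupName -Members $Name
}

# 1. A KDS root key must exist in the forest before any gMSA can be created.
if (-not (Get-KdsRootKey)) {
    # -EffectiveImmediately still needs about 10 hours to replicate in a real forest.
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Group that gates password retrieval, then a gMSA that trusts only that group.
New-ADGroup -Name $readers -GroupScope Global -GroupCategory Security
New-ADServiceAccount -Name $gmsaName -DNSHostName $dnsHost `
    -PrincipalsAllowedToRetrieveManagedPassword $readers

# 3. The standard user the Windows Diego Cells use to fetch the gMSA password.
New-GmsaReaderUser -Name 'tas-winauth-reader' -GroupName $readers

# 4. Build the credential spec for step 6. This is the same document that
# New-CredentialSpec from Microsoft's CredentialSpec module produces; it is
# assembled here from Get-ADDomain so that every field is visible.
function New-GmsaCredentialSpecJson {
    param([Parameter(Mandatory)][string]$AccountName)
    $domain = Get-ADDomain
    $spec = [ordered]@{
        CmsPlugins = @('ActiveDirectory')
        DomainJoinConfig = [ordered]@{
            Sid                = $domain.DomainSID.Value
            MachineAccountName = $AccountName
            Guid               = $domain.ObjectGUID.ToString()
            DnsTreeName        = $domain.Forest
            DnsName            = $domain.DNSRoot
            NetBiosName        = $domain.NetBIOSName
        }
        ActiveDirectoryConfig = [ordered]@{
            GroupManagedServiceAccounts = @(
                [ordered]@{ Name = $AccountName; Scope = $domain.DNSRoot }
                [ordered]@{ Name = $AccountName; Scope = $domain.NetBIOSName }
            )
        }
    }
    # -Compress yields the single-line string the tile's text box expects.
    return ($spec | ConvertTo-Json -Depth 5 -Compress)
}

$credSpec = New-GmsaCredentialSpecJson -AccountName $gmsaName
$credSpec | Set-Content -Path ".\$gmsaName-credspec.json"
$credSpec   # paste into "Container credential spec"

# 5. Sanity check before saving the tile: the gMSA trusts only $readers, and the
# standard user is a member. Anyone else in that group can also read the
# gMSA password, so the membership list should be exactly this one account.
(Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
Get-ADGroupMember -Identity $readers | Select-Object SamAccountName
```

When rotating, create the replacement with New-GmsaReaderUser, update the tile and deploy it, and only then remove the previous account from the readers group and disable it, so that the Diego Cells never lose access to the gMSA password during the change.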

Rotating the standard user

Follow the steps in the Microsoft documentation, but do not create a new service account or security group.

  1. Create a new user account.
  2. Add the user to the security group that guards access to the gMSA service account.
  3. Update the Standard user name and Standard user password text boxes with the new user information.
  4. Click Save.
  5. Deploy the tile.

Troubleshooting

For troubleshooting details, see Troubleshooting Windows authentication.
