Windows Authentication Setup
Windows Authentication (also called Integrated Windows Authentication or IWA) allows users to log in to RAMP automatically using their Windows domain credentials. Benefits include:
- Seamless SSO — Users are automatically logged in when they access RAMP
- No login prompts — Authentication happens transparently
- Centralized management — Users managed through Active Directory
- Kerberos security — Strong authentication without transmitting passwords
Best For: Internal corporate environments, Windows-based infrastructure, domain-joined machines, IIS-hosted deployments.
Prerequisites
Before you begin, ensure you have:
- Windows Server with Active Directory Domain Services
- IIS (Internet Information Services) installed
- Domain-joined servers for RAMP API hosting
- Service account with Active Directory read permissions
- .NET 10 ASP.NET Core Hosting Bundle installed on the server (the bare runtime is not enough: IIS needs the ASP.NET Core Module that the bundle installs)
- Client machines that are domain-joined
Architecture Overview
```
+--------------+    Windows Auth     +--------------+
|   Browser    | ------------------> |   RAMP API   |
| (Domain PC)  |   (NTLM/Kerberos)   |    on IIS    |
+--------------+                     +--------------+
                                            |
                                            | LDAP (Optional)
                                            v
                                     +--------------+
                                     |   Active     |
                                     |  Directory   |
                                     +--------------+
```

Quick Start
The steps below are numbered; later sections refer to them by number (for example "see Step 6").

Step 1: Create Service Account in Active Directory
Create a dedicated service account for RAMP to run under:

```powershell
# PowerShell on a Domain Controller (or any machine with the RSAT ActiveDirectory module)
# Prompt for the password rather than embedding it in the script or the shell history
$password = Read-Host -AsSecureString "Password for ramp-service (20+ characters)"

New-ADUser -Name "RAMP Service" `
  -SamAccountName "ramp-service" `
  -UserPrincipalName "ramp-service@yourdomain.com" `
  -AccountPassword $password `
  -Enabled $true `
  -PasswordNeverExpires $true `
  -Description "RAMP Application Service Account"

# Domain Users is the minimum membership RAMP requires, and a new account already has it
# as its primary group, so no Add-ADGroupMember call is needed (adding a member to its own
# primary group is rejected because the membership is implied).
```
Step 2: Configure IIS for Windows Authentication
Install Windows Authentication Feature

```powershell
# Run as Administrator
Install-WindowsFeature Web-Windows-Auth
```

Alternatively, use Server Manager:
- Open Server Manager -> Manage -> Add Roles and Features
- Navigate to: Web Server (IIS) -> Web Server -> Security
- Check Windows Authentication
- Click Install
Create Application Pool
- Open IIS Manager (inetmgr)
- Navigate to Application Pools -> Add Application Pool
- Settings:
  - Name: RAMP
  - .NET CLR Version: No Managed Code (for .NET 10)
  - Managed Pipeline Mode: Integrated
- Click OK
- Right-click the RAMP application pool -> Advanced Settings
- Under Process Model -> Identity: click [...]
- Select Custom account -> Set...
- Enter the service account credentials:
  - User name: YOURDOMAIN\ramp-service
  - Password: [service account password]
- Click OK
Create or Configure Website
- Right-click Sites -> Add Website (or select an existing site)
- Settings:
  - Site name: RAMP
  - Application pool: select the RAMP pool created above
  - Physical path: C:\inetpub\wwwroot\RAMP (or your deployment path)
  - Binding: https on port 443 with an SSL certificate
- Click OK
Enable Windows Authentication
- Select your RAMP website in IIS
- Double-click the Authentication feature
- Disable Anonymous Authentication (right-click -> Disable)
- Enable Windows Authentication (right-click -> Enable)
- Right-click Windows Authentication -> Providers...
- Ensure the providers are in this order (most secure first):
  - Negotiate (Kerberos, with NTLM fallback negotiated inside the same exchange)
  - NTLM
- Right-click Windows Authentication -> Advanced Settings...
- Enable Kernel-mode authentication: Checked
- Click OK

Caveat for the custom app pool identity: with kernel-mode authentication enabled, IIS decrypts Kerberos tickets with the machine account by default. The SPNs for RAMP are registered on YOURDOMAIN\ramp-service (Step 6), so you must also set useAppPoolCredentials to True for the site, otherwise the ticket cannot be decrypted, Kerberos fails, and clients fall back to NTLM without any visible error. This setting is not in the Advanced Settings dialog: open Configuration Editor for the site, section system.webServer/security/authentication/windowsAuthentication, and set useAppPoolCredentials to True (or disable kernel-mode authentication instead, at some performance cost).
Step 3: Configure RAMP Backend
Update appsettings.json in your RAMP API deployment folder:

```json
{
  "Authentication": {
    "Providers": {
      "Windows": {
        "Enabled": true,
        "AutoProvision": true,
        "Domain": "YOURDOMAIN.COM"
      }
    }
  },
  "Jwt": {
    "Secret": "YourSecretKeyAtLeast32CharactersLong!",
    "Issuer": "RAMP.API",
    "Audience": "RAMP.Web",
    "AccessTokenExpirationMinutes": 480
  },
  "ConnectionStrings": {
    "DefaultConnection": "Server=sql-server;Database=RAMP;Integrated Security=true;TrustServerCertificate=true"
  }
}
```

Configuration Explained:
- Enabled: true activates the Windows authentication provider
- AutoProvision: true automatically creates RAMP user accounts on first login
- Domain is your Active Directory domain name

Two things to check before this file ships:
- Jwt:Secret signs the tokens RAMP issues after Windows authentication. Replace the placeholder with a random value of at least 32 characters, and keep the real value out of the deployed appsettings.json (supply it through an environment variable or a secrets store; see Service Account Security below).
- Integrated Security=true means the SQL connection runs as the app pool identity, so YOURDOMAIN\ramp-service needs a login and the required database permissions on sql-server. TrustServerCertificate=true disables validation of the SQL Server's TLS certificate; use it only until a trusted certificate is installed.
Step 4: Deploy RAMP to IIS
Publish the Application

```powershell
cd src/RAMP.API
dotnet publish -c Release -o C:\Publish\RAMP
```

Copy Files to Server
Transfer the published files to your IIS server:
- Source: C:\Publish\RAMP\*
- Destination: C:\inetpub\wwwroot\RAMP\ (or your configured path)

Set Folder Permissions
The service account needs to read and execute the application files but should not be able to modify them: a worker process that can overwrite its own binaries turns any code-execution bug into persistence. Grant Read & Execute on the application folder, and Modify only on a separate folder for anything the API writes (logs, uploads):

```powershell
# Grant the service account read/execute on the application folder
icacls "C:\inetpub\wwwroot\RAMP" /grant "YOURDOMAIN\ramp-service:(OI)(CI)RX" /T

# If the API writes files, grant Modify on that folder only (example path, adjust to yours)
icacls "C:\inetpub\wwwroot\RAMP\logs" /grant "YOURDOMAIN\ramp-service:(OI)(CI)M" /T
```
Step 5: Configure Frontend
Update .env.production in your RAMP frontend deployment:

```ini
# Disable OIDC (use Windows Auth instead)
VITE_OIDC_ENABLED=false

# API endpoint (use HTTPS in production)
VITE_API_BASE_URL=https://ramp.yourdomain.com/api

# Enable credential passing for Windows Auth
VITE_USE_CREDENTIALS=true
```

VITE_USE_CREDENTIALS=true makes the browser include the Windows credentials (the Negotiate/NTLM handshake) on API calls. If the frontend is served from a different origin than the API, the API's CORS policy must name that origin explicitly and allow credentials; browsers reject a wildcard origin for credentialed requests. Serving both from the same host, as in this example, avoids the problem.
Step 6: Configure Kerberos (Recommended)
For enhanced security, configure Kerberos authentication:

Create Service Principal Names (SPNs)
Register the SPNs on the account that runs the application pool: the KDC encrypts each service ticket with the key of the account that owns the SPN, so that account must be the one decrypting it.

```powershell
# On a Domain Controller or with AD admin rights
setspn -S HTTP/ramp.yourdomain.com YOURDOMAIN\ramp-service
setspn -S HTTP/ramp YOURDOMAIN\ramp-service

# Verify SPNs were created
setspn -L YOURDOMAIN\ramp-service
```

Expected Output:

```
Registered ServicePrincipalNames for CN=RAMP Service,CN=Users,DC=yourdomain,DC=com:
        HTTP/ramp.yourdomain.com
        HTTP/ramp
```

setspn -S checks for duplicates before adding and refuses if the same SPN already exists on another account, which is the behaviour you want: a duplicate SPN stops the KDC from issuing tickets for that name.

Configure Client Browsers
For automatic authentication to work, add RAMP to the Local Intranet zone:

Internet Explorer / Edge:
- Internet Options -> Security -> Local intranet -> Sites -> Advanced
- Add: https://ramp.yourdomain.com
- Ensure "Require server verification (https:) for all sites in this zone" is checked

Chrome (uses Windows settings):
- Inherits the IE/Edge Local Intranet zone settings

Firefox:
- Navigate to about:config
- Set network.negotiate-auth.trusted-uris to https://ramp.yourdomain.com
Step 7: Test the Configuration
Test from Domain-Joined Machine
- Open a browser on a domain-joined client computer (not on the IIS server itself: Windows' loopback check blocks integrated authentication to the server's own host name and produces a 401.1)
- Navigate to: https://ramp.yourdomain.com
- Expected: you are automatically logged in (no login prompt)
- Verify: your domain username appears in the UI (e.g., "YOURDOMAIN\john.doe")

Check Authentication Method
In browser developer tools:
- Open the Network tab
- Access RAMP
- Find the first API request (e.g., /_api/auth/me)
- Check the Request Headers for:
  - Authorization: Negotiate ... (Kerberos): best
  - Authorization: NTLM ... (NTLM): acceptable

An Authorization: Negotiate header does not by itself prove that Kerberos was used, because NTLM can be carried inside Negotiate. Look at the start of the base64 token: a Kerberos (SPNEGO) token begins with YII, while an NTLM token begins with TlRMTVNTUAAB (the base64 encoding of "NTLMSSP"). Running klist on the client and finding a ticket for HTTP/ramp.yourdomain.com is the other reliable check.
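As an added example (not code from the RAMP project or this guide), the following PowerShell script checks the outcome of Steps 1 to 7 in one pass. In Server mode, run as Administrator on the IIS host, it reads the app pool and site authentication settings through the WebAdministration module and the SPNs through the ActiveDirectory module; in Client mode, run as an ordinary domain user on a domain-joined client, it confirms that the site challenges with Negotiate and that integrated authentication succeeds without a prompt. The names RAMP, YOURDOMAIN\ramp-service and https://ramp.yourdomain.com are this guide's placeholders and are assumed; change the parameters to match your deployment.

```powershell
<#
  Added example, not part of the RAMP project. Verifies the Quick Start configuration.
    -Mode Server : run as Administrator on the IIS host (WebAdministration + RSAT ActiveDirectory modules)
    -Mode Client : run as an ordinary domain user on a domain-joined client
  Assumed placeholders from this guide: site/app pool "RAMP", YOURDOMAIN\ramp-service,
  https://ramp.yourdomain.com/
#>
param(
    [ValidateSet('Server', 'Client')] [string] $Mode = 'Server',
    [string] $Site    = 'RAMP',
    [string] $Pool    = 'RAMP',
    [string] $Account = 'YOURDOMAIN\ramp-service',
    [string] $Url     = 'https://ramp.yourdomain.com/'
)

$checks = [System.Collections.Generic.List[object]]::new()
function Add-Check([string] $Name, [bool] $Pass, [string] $Detail) {
    $checks.Add([pscustomobject] @{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

function Test-ServerConfig {
    Import-Module WebAdministration
    $auth = 'system.webServer/security/authentication'
    # Reads one attribute of the site's authentication settings (applicationHost.config, site location)
    function Get-AuthSetting([string] $Section, [string] $Name) {
        $v = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter "$auth/$Section" -Name $Name
        if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
    }

    # Step 2: the pool runs as the dedicated domain account, not ApplicationPoolIdentity
    $pm = Get-ItemProperty "IIS:\AppPools\$Pool" -Name processModel
    Add-Check 'App pool identity' ($pm.userName -eq $Account) "identityType=$($pm.identityType) userName=$($pm.userName)"

    # Step 2: anonymous off, Windows on, Negotiate offered before NTLM
    Add-Check 'Anonymous auth disabled' (-not [bool](Get-AuthSetting 'anonymousAuthentication' 'enabled')) ''
    Add-Check 'Windows auth enabled'    ([bool](Get-AuthSetting 'windowsAuthentication' 'enabled')) ''
    $providers = @(Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site `
        -Filter "$auth/windowsAuthentication/providers" -Name Collection | ForEach-Object { $_.Value })
    Add-Check 'Negotiate listed first' ($providers.Count -gt 0 -and $providers[0] -eq 'Negotiate') ($providers -join ', ')

    # Kernel-mode auth decrypts tickets with the machine account unless IIS is told to use the
    # pool's credentials; with the SPNs on the service account that means Kerberos silently fails
    $kernel   = [bool](Get-AuthSetting 'windowsAuthentication' 'useKernelMode')
    $poolCred = [bool](Get-AuthSetting 'windowsAuthentication' 'useAppPoolCredentials')
    Add-Check 'Tickets decrypted with pool identity' ((-not $kernel) -or $poolCred) "useKernelMode=$kernel useAppPoolCredentials=$poolCred"

    # Step 6: the HTTP SPN for the site's host name is registered on the service account
    $fqdn = ([uri] $Url).Host
    $sam  = $Account.Split('\')[-1]
    $spns = @((Get-ADUser -Identity $sam -Properties ServicePrincipalNames).ServicePrincipalNames)
    Add-Check "SPN HTTP/$fqdn registered" ($spns -contains "HTTP/$fqdn") ($spns -join ', ')
}

function Test-ClientAuth {
    # Run from a client, not from the IIS host: the Windows loopback check rejects
    # integrated auth to the server's own host name unless BackConnectionHostNames is set.

    # Step 2/7: an anonymous request must get 401 with a Negotiate challenge
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $status = 0; $offers = @()
    try { $resp = $req.GetResponse(); $status = [int] $resp.StatusCode; $resp.Close() }
    catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            $status = [int] $_.Exception.Response.StatusCode
            $offers = @($_.Exception.Response.Headers.GetValues('WWW-Authenticate'))
        }
    }
    Add-Check 'Challenge offers Negotiate' ($status -eq 401 -and $offers -contains 'Negotiate') "status=$status offers=$($offers -join ', ')"

    # Step 7: the same request with the logged-on user's credentials succeeds without a prompt
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.UseDefaultCredentials = $true
    try { $resp = $req.GetResponse(); $ok = ([int] $resp.StatusCode) -eq 200; $resp.Close() } catch { $ok = $false }
    Add-Check 'Integrated auth succeeds' $ok ''
}

if ($Mode -eq 'Server') { Test-ServerConfig } else { Test-ClientAuth }
$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it as `.\Test-RampWindowsAuth.ps1 -Mode Server` on the IIS host and `.\Test-RampWindowsAuth.ps1 -Mode Client` on a workstation; a non-zero exit code means at least one check failed, so it can sit in a deployment pipeline. Client mode only shows that integrated authentication works, not which protocol won; the Kerberos-specific checks are in the troubleshooting section.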
Troubleshooting
Login Prompt Appears (Automatic Auth Not Working)
Problem: the browser shows a login prompt instead of authenticating automatically.

Solutions:
1. Verify the client is domain-joined. On the client machine:

```powershell
systeminfo | findstr /B /C:"Domain"
```

The output should show your domain, not "WORKGROUP". The user must also be logged on with a domain account; a local account on a domain-joined machine still gets a prompt.

2. Add the site to the Local Intranet zone (see Step 6).

3. Check the IE security settings:
- Internet Options -> Advanced
- Scroll to the Security section
- Ensure "Enable Integrated Windows Authentication" is checked

4. Verify IIS Windows Authentication is enabled (see Step 2).
401 Unauthorized Error
Problem: the user gets "401 Unauthorized" after attempting authentication.

Solutions:
1. Check that the service account is usable:

```powershell
# Verify the account is enabled, not locked out, and its password has not expired
Get-ADUser -Identity "ramp-service" -Properties Enabled, PasswordNeverExpires, LockedOut, PasswordExpired
```

2. Verify the IIS application pool identity:
- IIS Manager -> Application Pools -> RAMP -> Advanced Settings
- Process Model -> Identity should be YOURDOMAIN\ramp-service
- After a password rotation, re-enter the password here; with a stale password the pool fails to start and every request returns 503 rather than 401

3. Check the IIS logs:
- Location: C:\inetpub\logs\LogFiles\W3SVC1\ (the folder name uses the site ID; if RAMP is not site 1, read its ID from the ID column in IIS Manager -> Sites)
- Look for 401 responses and their sub-status codes:
  - 401.1: logon failed (wrong credentials, or a Kerberos ticket the worker process could not decrypt)
  - 401.2: access denied due to server configuration (one 401.2 at the start of each session is normal; it is the Negotiate challenge)
  - 401.3: the user authenticated, but the file-system ACL on the resource denies access

4. Test the service account's access:
- Try logging into the server with the service account credentials and open the RAMP folder
- If your policy denies interactive logon for service accounts (recommended), use the Effective Access tab on the folder's Security properties instead to check what YOURDOMAIN\ramp-service can do
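To make the sub-status codes actionable across a whole log file, here is an added PowerShell example (not from the RAMP project) that parses IIS W3C logs using their #Fields header, counts each 401 sub-status, and lists clients with repeated 401.1 responses. It runs on a constructed sample embedded in the script, whose field list matches the default IIS layout; pass -Path to analyse a real file. The meanings attached to the codes are the IIS sub-status definitions listed above.

```powershell
<#
  Added example, not part of the RAMP project: summarise 401 sub-status codes from IIS W3C logs.
  Runs on the constructed sample below; pass -Path C:\inetpub\logs\LogFiles\W3SVC1\u_ex250115.log
  (or whichever file is current) to analyse a real log. Columns are taken from the #Fields line.
#>
param([string] $Path)

# Constructed sample in the default IIS field layout. The first 401.2 for each client is the normal
# Negotiate challenge; 10.0.1.21 then fails logon three times (sc-win32-status 1326 = logon failure).
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-01-15 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2025-01-15 08:00:01 10.0.0.5 GET /_api/auth/me - 443 - 10.0.1.20 Mozilla/5.0 - 401 2 5 3
2025-01-15 08:00:01 10.0.0.5 GET /_api/auth/me - 443 YOURDOMAIN\john.doe 10.0.1.20 Mozilla/5.0 - 200 0 0 15
2025-01-15 08:00:05 10.0.0.5 GET /_api/auth/me - 443 - 10.0.1.21 Mozilla/5.0 - 401 2 5 2
2025-01-15 08:00:05 10.0.0.5 GET /_api/auth/me - 443 - 10.0.1.21 Mozilla/5.0 - 401 1 1326 4
2025-01-15 08:00:06 10.0.0.5 GET /_api/auth/me - 443 - 10.0.1.21 Mozilla/5.0 - 401 1 1326 4
2025-01-15 08:00:07 10.0.0.5 GET /_api/auth/me - 443 - 10.0.1.21 Mozilla/5.0 - 401 1 1326 3
2025-01-15 08:01:00 10.0.0.5 GET /reports/export.csv - 443 YOURDOMAIN\jane.roe 10.0.1.22 Mozilla/5.0 - 401 3 5 2
'@

$meaning = @{
    '401.1' = 'Logon failed: bad credentials, or a Kerberos ticket the worker process could not decrypt'
    '401.2' = 'Server configuration / Negotiate challenge (one per session is expected)'
    '401.3' = 'Authenticated, but the file-system ACL on the resource denies access'
}

# Turns W3C log lines into objects whose properties are the names from the #Fields header
function Read-IisLog([string[]] $Lines) {
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) { $fields = ($line.Substring(8).Trim() -split ' '); continue }
        if (-not $fields -or $line.StartsWith('#') -or -not $line.Trim()) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # malformed or truncated line
        $row = [ordered] @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject] $row
    }
}

$lines  = if ($Path) { Get-Content -Path $Path } else { $sample -split "`r?`n" }
$denied = @(Read-IisLog $lines | Where-Object { $_.'sc-status' -eq '401' })

# Count per sub-status, with the IIS meaning attached
$denied | Group-Object -Property { "$($_.'sc-status').$($_.'sc-substatus')" } | Sort-Object Name |
    ForEach-Object { [pscustomobject] @{ Code = $_.Name; Count = $_.Count; Meaning = $meaning[$_.Name] } } |
    Format-Table -AutoSize -Wrap

# Clients with three or more 401.1: one workstation failing logon repeatedly is either a broken
# client (stale ticket, wrong zone, undecryptable ticket) or someone guessing credentials
$denied | Where-Object { $_.'sc-substatus' -eq '1' } | Group-Object -Property 'c-ip' |
    Where-Object { $_.Count -ge 3 } |
    ForEach-Object {
        [pscustomobject] @{
            Client   = $_.Name
            Failures = $_.Count
            Win32    = (($_.Group | ForEach-Object { $_.'sc-win32-status' } | Sort-Object -Unique) -join ',')
            Paths    = (($_.Group | ForEach-Object { $_.'cs-uri-stem' } | Sort-Object -Unique) -join ',')
        }
    } | Format-Table -AutoSize
```

On the sample this reports one 401.3, two 401.2 and three 401.1, and flags 10.0.1.21 with three failures and win32 status 1326. Reading the column names from the #Fields line matters because IIS lets you add or reorder fields per site; a script with hard-coded column positions breaks silently on such a site.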
User Authenticated But Has No Roles
Problem: the user logs in successfully but cannot access any features.

Solutions:
1. Verify the user was auto-provisioned:
- Log in as an administrator
- Navigate to Admin -> Users
- Search for the user's domain username

2. Assign roles manually:
- Find the user -> Assign Roles
- Add the appropriate application roles (e.g., User, Coordinator)

3. Configure Bootstrap Administrators:
- See the Bootstrap Administrators Guide
- Add users to auto-assign admin roles on first login
Kerberos Not Working (Falling Back to NTLM)
Problem: authentication works but uses NTLM instead of Kerberos.

Solutions:
1. Verify the SPNs are registered correctly:

```powershell
setspn -L YOURDOMAIN\ramp-service
```

Should show HTTP/ramp.yourdomain.com and HTTP/ramp. The SPN must be on the account the app pool runs as; an SPN on the machine account or on another user yields a ticket the worker process cannot decrypt.

2. Check for duplicate SPNs:

```powershell
setspn -X
```

Duplicates cause Kerberos to fail. Remove them if found (setspn -D <SPN> <account> on the account that should not have it).

3. Check that IIS decrypts tickets with the app pool identity: with kernel-mode authentication enabled (Step 2) and a custom app pool account, useAppPoolCredentials must be True in the site's windowsAuthentication settings (Configuration Editor, section system.webServer/security/authentication/windowsAuthentication). Otherwise the ticket is decrypted with the machine account, fails, and the client falls back to NTLM.

4. Verify DNS resolution:

```powershell
nslookup ramp.yourdomain.com
```

Should resolve to the correct server IP. If the name is a CNAME, register an SPN for the canonical host name as well.

5. Check the client is requesting Kerberos:
- Run klist on the client machine
- You should see a ticket for HTTP/ramp.yourdomain.com

6. Enable Kerberos logging:

```powershell
# On the client machine (run as Administrator)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v LogLevel /t REG_DWORD /d 1 /f
```

Check Event Viewer -> Windows Logs -> System for Kerberos events (source Security-Kerberos). Error code 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN means the client asked for an SPN no account has registered. Set LogLevel back to 0 when done; level 1 also logs harmless, expected errors.
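The six checks above, combined into one added PowerShell example that is not part of the RAMP project: run it as the logged-on user on a domain-joined client. It resolves the site name and warns about a CNAME, looks the SPN up with setspn -Q and checks for duplicates with setspn -X (both need the RSAT AD tools), purges the ticket cache, authenticates once, and reports whether a service ticket for the SPN appeared, then prints recent Security-Kerberos events (visible only with the LogLevel value above set and an elevated prompt). The URL https://ramp.yourdomain.com is assumed, as in the rest of this guide.

```powershell
<#
  Added example, not part of the RAMP project: client-side Kerberos diagnosis for one site.
  Run as the logged-on user on a domain-joined client. setspn needs the RSAT AD tools; reading
  the Kerberos events needs LogLevel=1 (see above) and an elevated prompt.
  Assumed placeholder: https://ramp.yourdomain.com/
#>
param([string] $Url = 'https://ramp.yourdomain.com/')

$fqdn = ([uri] $Url).Host
$spn  = "HTTP/$fqdn"

# 1. DNS. A CNAME is worth knowing about: the canonical name needs an SPN too.
$records = Resolve-DnsName -Name $fqdn -ErrorAction Stop
$cname   = $records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
if ($cname) { Write-Warning "$fqdn is a CNAME for $($cname.NameHost); HTTP/$($cname.NameHost) also needs an SPN" }
"DNS: $fqdn -> " + (($records | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress }) -join ', ')

# 2. The SPN must exist exactly once. setspn -Q prints the owner DN and "Existing SPN found!";
#    setspn -X prints "<spn> is registered on these accounts:" for every duplicate set.
$q = @(& setspn.exe -Q $spn)
if (-not ($q -match 'Existing SPN found')) {
    Write-Warning "$spn is not registered on any account (the KDC answers KDC_ERR_S_PRINCIPAL_UNKNOWN)"
} else {
    "SPN owner: " + (($q | Where-Object { $_ -match '^CN=' }) -join '; ')
}
$dups = @(& setspn.exe -X) -match 'is registered on these accounts'
if ($dups) { Write-Warning ("Duplicate SPNs:`n" + ($dups -join "`n")) }

# 3. Purge cached tickets, authenticate once, then look for a service ticket for the SPN.
#    Ticket present = Kerberos was used; HTTP 200 without a ticket = NTLM fallback.
& klist.exe purge | Out-Null
$req = [System.Net.HttpWebRequest]::Create($Url)
$req.UseDefaultCredentials = $true
try { $resp = $req.GetResponse(); $status = [int] $resp.StatusCode; $resp.Close() }
catch [System.Net.WebException] { $status = if ($_.Exception.Response) { [int] $_.Exception.Response.StatusCode } else { -1 } }
$ticket = @(& klist.exe) -match [regex]::Escape($spn)
"HTTP $status; Kerberos ticket for $spn : " + $(if ($ticket) { 'present' } else { 'MISSING (NTLM fallback, or no Kerberos at all)' })

# 4. Kerberos client errors from the last 10 minutes (Security-Kerberos events).
#    0x7 = KDC_ERR_S_PRINCIPAL_UNKNOWN (SPN missing), 0x18 = KDC_ERR_PREAUTH_FAILED (bad password).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; StartTime = (Get-Date).AddMinutes(-10) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

The purge in step 3 is what makes the ticket check meaningful: without it, a ticket left over from an earlier session would make an NTLM fallback look like Kerberos. If the script shows HTTP 200 and no ticket, work through items 1 to 3 of the list above (SPN owner, duplicates, useAppPoolCredentials) before looking anywhere else.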
Security Best Practices
Section titled “Security Best Practices”Production Checklist
Section titled “Production Checklist”- Use HTTPS — Install valid SSL certificate
- Dedicated service account — Don’t use personal or shared accounts
- Strong service account password — 20+ characters, rotated regularly
- Least privilege — Service account has read-only AD access
- Kerberos over NTLM — Configure SPNs for Kerberos
- Disable Anonymous Auth — Only Windows Auth should be enabled
- Enable audit logging — Track failed authentication attempts
- Network security — Firewall rules, AD traffic encryption
- Regular updates — Apply Windows and IIS security patches
Service Account Security
Do:
- Use a dedicated service account (not a user account)
- Set "Password never expires" (but rotate manually on a schedule, and update the app pool identity each time)
- Grant only the required AD permissions (typically read-only)
- Use a strong, unique password (20+ characters)
- Store the password in a secure vault (Azure Key Vault, etc.)

Don't:
- Use an administrator account
- Use a personal user account
- Share the account with other applications
- Grant unnecessary AD permissions
- Store the password in plaintext configuration files

If your domain supports it, a group Managed Service Account (gMSA) removes the password problem entirely: the domain rotates the key automatically, IIS accepts a gMSA as the app pool identity (user name in the form YOURDOMAIN\<gMSA name>$ with an empty password), and the SPNs are registered on the gMSA exactly as in Step 6.
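The two "don't store it in plaintext" items above need somewhere else for the secrets to live. As an added example (not from the RAMP project or this guide), the following PowerShell script, run as Administrator on the IIS host, binds the app pool to the service account without the dialog and hands the JWT secret and LDAP bind password to the API as application pool environment variables instead of entries in appsettings.json. It assumes IIS 10.0 version 1709 or later (application pool environmentVariables), and that the RAMP API uses the standard ASP.NET Core configuration providers, where an environment variable named Section__Key overrides the same key in appsettings.json; the pool name RAMP and account YOURDOMAIN\ramp-service are the guide's placeholders.

```powershell
<#
  Added example, not part of the RAMP project: bind the app pool to the service account and
  pass secrets to the API as app pool environment variables rather than appsettings.json entries.
  Run as Administrator on the IIS host.
  Assumptions: IIS 10.0 version 1709 or later (app pool environmentVariables); the RAMP API uses
  the standard ASP.NET Core configuration providers (Section__Key environment variables override
  the same key in appsettings.json). Names below are this guide's placeholders.
#>
Import-Module WebAdministration
$Pool    = 'RAMP'
$Account = 'YOURDOMAIN\ramp-service'

# Prompt for secrets so they never sit in a script, a config file or the shell history
$svcPassword = Read-Host -AsSecureString "Password for $Account"
$jwtSecret   = Read-Host -AsSecureString "JWT signing secret (at least 32 characters)"

# IIS needs the plain text to store it; free the unmanaged copy as soon as it is read
function ConvertFrom-SecureText([securestring] $Secure) {
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}
$plainPassword = ConvertFrom-SecureText $svcPassword
$plainJwt      = ConvertFrom-SecureText $jwtSecret
if ($plainJwt.Length -lt 32) { throw 'JWT secret must be at least 32 characters' }

# Step 2 without the dialog: identityType 3 = SpecificUser. IIS keeps the password encrypted
# in applicationHost.config, which only administrators can read.
Set-ItemProperty "IIS:\AppPools\$Pool" -Name processModel `
    -Value @{ identityType = 3; userName = $Account; password = $plainPassword }

# Secrets the API reads through IConfiguration. The keys mirror the appsettings.json paths.
$envFilter = "system.applicationHost/applicationPools/add[@name='$Pool']/environmentVariables"
$secrets = @{
    'Jwt__Secret' = $plainJwt
    'Authentication__Providers__Windows__Ldap__ServiceAccount__Password' = $plainPassword
}
foreach ($name in $secrets.Keys) {
    # Remove a stale entry first so re-running the script after a rotation works
    Remove-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $envFilter `
        -Name '.' -AtElement @{ name = $name } -ErrorAction SilentlyContinue
    Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $envFilter `
        -Name '.' -Value @{ name = $name; value = $secrets[$name] }
}

# Recycle so the worker process picks up the new identity and variables
Restart-WebAppPool -Name $Pool
"Configured $Pool. Now delete the Jwt:Secret and Ldap password values from appsettings.json."
```

The values still exist on the server, in applicationHost.config, but that file is readable only by administrators and is not part of the deployment folder, so a copy of the site, a backup of wwwroot or a path-traversal bug in the API no longer exposes them. For a gMSA, drop the password prompt and pass an empty password to processModel.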
Advanced Configuration
Optional: LDAP Integration for User Search
If you want to enable directory search functionality in RAMP (e.g., searching for users to assign roles), configure LDAP:

```json
{
  "Authentication": {
    "Providers": {
      "Windows": {
        "Enabled": true,
        "AutoProvision": true,
        "Domain": "YOURDOMAIN.COM",
        "Ldap": {
          "Server": "ldap://dc.yourdomain.com:389",
          "SearchBase": "DC=yourdomain,DC=com",
          "ServiceAccount": {
            "Username": "YOURDOMAIN\\ramp-service",
            "Password": "[stored securely]"
          }
        }
      }
    }
  }
}
```

See the LDAP Setup Guide for more details on LDAP configuration.

A plain ldap:// connection on port 389 sends the service account's bind password and the query results unencrypted. In production, point Server at LDAPS (ldaps://dc.yourdomain.com:636) using a domain controller certificate the IIS server trusts, and keep the password out of appsettings.json as described under Service Account Security.

Optional: Cross-Forest Active Directory
For users in multiple AD forests (this requires a trust between the forests, so that the IIS server's domain can validate users from the other one):

```json
{
  "Authentication": {
    "Providers": {
      "Windows": {
        "Enabled": true,
        "Domains": [
          {
            "Name": "CONTOSO.COM",
            "Ldap": {
              "Server": "ldap://dc1.contoso.com",
              "SearchBase": "DC=contoso,DC=com"
            }
          },
          {
            "Name": "SUBSIDIARY.COM",
            "Ldap": {
              "Server": "ldap://dc1.subsidiary.com",
              "SearchBase": "DC=subsidiary,DC=com"
            }
          }
        ]
      }
    }
  }
}
```
User Provisioning
Automatic User Creation
When a domain user accesses RAMP for the first time:
1. IIS authenticates the user via Windows Authentication
2. The user's identity is passed to RAMP (e.g., YOURDOMAIN\john.doe)
3. RAMP checks whether a user exists with IdentityProvider = "Windows"
4. If not, RAMP creates a new user account:
  - Username: YOURDOMAIN\john.doe
  - Email: derived from the username (or from LDAP if configured)
  - Display Name: same as the username (or from LDAP if configured)
  - IdentityProvider: Windows
5. The user is now logged in but has no roles by default
6. An administrator must assign roles manually (or use Bootstrap Administrators)

Because AutoProvision creates an account for anyone who can authenticate to the domain, every domain user who reaches the site ends up in the RAMP user table. If only part of the organisation should use RAMP, restrict access in front of the application (for example with an IIS URL Authorization rule allowing a specific AD group) rather than relying on the absence of roles.
Alternative: Deploying on Kestrel (Docker/Linux)
Windows Authentication typically requires IIS on Windows Server. However, for Docker deployments:

If you must use Windows Auth with Kestrel:
- Deploy on Windows Server (not Linux)
- Configure Kestrel to use Windows Auth (advanced setup: the Negotiate authentication handler from the Microsoft.AspNetCore.Authentication.Negotiate package, with the HTTP SPN registered on the account the Kestrel process runs as)

Next Steps
After configuring Windows Authentication:
- Bootstrap Administrators Guide — Auto-assign roles
- MFA Setup — Optionally add MFA for sensitive operations
- Authentication Overview — Compare all authentication providers