SafeNet Agent for Microsoft IIS
SafeNet Agent for Microsoft IIS is designed for Terminal Services Web (TS Web), but can also be used for IIS websites and resources where the authentication method is configured to use Microsoft authentication. The agent ensures web-based resources are accessible only to authorized users, whether working remotely or behind a firewall, by prompting for additional credentials during logon.
By default, logon to the TS Web requires that the user provide a correct user name and password. SafeNet Agent for Microsoft IIS augments this logon mechanism with strong authentication by adding a requirement to provide a One-Time Password (OTP) generated by a Thales authenticator.
Compatibility
Authentication server
- SafeNet Authentication Service PCE/SPE 3.9.2 and later
- SafeNet Authentication Service Cloud
Network
- TCP Port 443
Architecture
- 64-bit
Web servers
- IIS 10
Applications and objects
- Terminal Services Web Sites
- Virtual Directories
- Applications
IIS authentication types
- Microsoft Authentication (Basic Authentication)
Web browsers
- Microsoft Edge
- Mozilla Firefox
- Google Chrome
Note
If the Auth Node is configured with an IPv4 address, Mozilla Firefox might default to using IPv6, leading to authentication failures. To ensure compatibility, modify the Firefox settings by completing the following steps:
- Open Firefox and type about:config in the address bar.
- Click Accept the Risk and Continue (if prompted).
- In the search bar, type network.dns.disableIPv6.
- Set this option to true by double-clicking it or using the toggle button.
- Restart Firefox.
Additional software
- Microsoft .NET Framework 4.8 (or above) must be installed.
- The following ASP.NET versions (Server role component) must be installed:
  - Windows Server 2016 – ASP.NET 4.8 (or above)
  - Windows Server 2019 – ASP.NET 4.8 (or above)
  - Windows Server 2022 – ASP.NET 4.8 (or above)
  - Windows Server 2025 – ASP.NET 4.8 (or above)
- IIS 6 Management Compatibility Role Service (and its subcomponents) must be installed.
Web browser requirements
- Cookies must be enabled.
- JavaScript must be enabled.
- ActiveX plug-ins (software authenticator detection only).
Authentication methods
- All authenticators and authentication methods supported by the SafeNet server.
Note
MobilePASS authenticator is not supported in Quick Log mode.
Authentication modes
There are two login authentication modes available for SafeNet Agent for Microsoft IIS.
By default, Standard Authentication Mode is enabled. The authentication mode can be modified after installation from the Authentication Methods tab.
| Mode | Description |
|---|---|
| Standard Authentication Mode | Standard Authentication Mode enables a single-stage login process. Microsoft and SafeNet credentials must be entered in the SafeNet login page to access resources. |
| Split Authentication Mode | Split Authentication Mode enables a two-stage login process: in the first stage, users provide their Microsoft credentials; in the second stage, users provide their SafeNet credentials. This mode allows administrators to control authentication dialogs based on Microsoft groups or authenticator type (such as GrIDsure). This is the preferred mode when migrating from static to One-Time Passwords (OTPs). |
Standard authentication mode
- The user enters the URL into a web browser.
- SafeNet Agent for Microsoft IIS examines the incoming request against its IP range exclusions/inclusions list to determine if SafeNet authentication can be ignored.
  - If IP address exclusion is detected, SafeNet credentials are not required. The user authenticates using their Microsoft credentials.
  - If IP address exclusion is not detected, a SafeNet-enabled login page appears.
- The agent's authentication page is displayed with the following fields:
  - [Domain]User Name
  - Password
  - OTP

  Note
  By default, the Hardware / Software authenticator option is selected. If you toggle to the GrIDsure / SMS Challenge authenticator option, the OTP field (from the above list) becomes unavailable.
- The user enters their Microsoft and SafeNet credentials into the login page. If both sets of credentials are valid, the user is presented with their website; otherwise, the attempt is rejected.

  Note
  For the GrIDsure / SMS Challenge option, the user enters their Microsoft credentials into the login page. If the Microsoft credentials are valid, the user is presented with a GrIDsure grid or provided with an OTP via SMS. If the SafeNet credentials entered are valid, the user is presented with their website; otherwise, the attempt is rejected.
Split authentication mode
- The user enters the URL into a web browser.
- SafeNet Agent for Microsoft IIS examines the incoming request against its IP range exclusions/inclusions list to determine if SafeNet authentication can be ignored.
  - If IP address exclusion is detected, SafeNet credentials are not required. The user authenticates and logs in to the website using their Microsoft credentials.
  - If IP address exclusion is not detected, the user is presented with Microsoft Username and Microsoft Password fields. If the Microsoft credentials are valid, the user is allowed to continue; otherwise, the attempt is rejected.
- SafeNet Agent for Microsoft IIS examines the Microsoft username against its Exceptions list to determine if SafeNet authentication can be ignored.
  - If a group authentication exception is detected, SafeNet credentials are not required. The user is presented with their website.
  - If a group authentication exception is not detected, the agent examines the Microsoft username against its GrIDsure and SMS authentication group list.
- If a GrIDsure or SMS authentication group match is detected, the user is presented with their GrIDsure grid or provided with an OTP via SMS. If the SafeNet credentials are valid, the user is presented with their website; otherwise, the attempt is rejected.
- If a software authenticator is detected, the SafeNet login page will display the authenticator name and a PIN field.
- If a software authenticator is not detected, the SafeNet login page will display an OTP field.
- The user enters their SafeNet credentials into the login page. If the credentials are valid, the user is presented with their website; otherwise, the attempt is rejected.
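An added example, not part of the original documentation and not the agent's own code: a small Python model of the split-mode decision order described above, useful for reviewing which logons in a planned policy would skip the SafeNet step. The policy keys, group names, users and addresses are constructed assumptions, and only the exclusion side of the IP list is modeled.

```python
import ipaddress

# Constructed sample policy. The key names are hypothetical and are not the
# agent's configuration format; only the exclusion side of the IP list is modeled.
POLICY = {
    "ip_exclusions": ["10.20.0.0/16", "192.0.2.15/32"],
    "exception_groups": {"ServiceAccounts"},
    "gridsure_sms_groups": {"Contractors"},
}

# Constructed requests: (user, client IP, Microsoft groups, software authenticator detected)
SAMPLE_REQUESTS = [
    ("alice", "203.0.113.7", {"Staff"}, False),
    ("bob", "10.20.4.9", {"Staff"}, True),
    ("svc-backup", "203.0.113.8", {"ServiceAccounts"}, False),
    ("carol", "203.0.113.9", {"Contractors"}, False),
    ("dave", "198.51.100.4", {"Staff"}, True),
]


def split_mode_prompt(client_ip, groups, software_authenticator, policy=POLICY):
    """Return the SafeNet step a user with valid Microsoft credentials faces."""
    addr = ipaddress.ip_address(client_ip)
    # The IP check comes first: an excluded address never sees a SafeNet prompt.
    # Membership is False when address and network differ in IP version.
    if any(addr in ipaddress.ip_network(net) for net in policy["ip_exclusions"]):
        return "none: ip exclusion"
    # Next the Microsoft username's groups are checked against the Exceptions list.
    if groups & policy["exception_groups"]:
        return "none: group exception"
    # Then the GrIDsure and SMS authentication group list.
    if groups & policy["gridsure_sms_groups"]:
        return "gridsure or sms challenge"
    # Otherwise the page shows a PIN field (software authenticator) or an OTP field.
    return "pin" if software_authenticator else "otp"


def password_only_logons(requests, policy=POLICY):
    """List (user, reason) for logons that need Microsoft credentials only."""
    found = []
    for user, ip, groups, software_authenticator in requests:
        step = split_mode_prompt(ip, groups, software_authenticator, policy)
        if step.startswith("none"):
            found.append((user, step))
    return found


if __name__ == "__main__":
    for user, reason in password_only_logons(SAMPLE_REQUESTS):
        print(f"{user}: reaches the site without SafeNet credentials ({reason})")
```

Running the model over a planned exclusion list and group assignments shows which accounts would authenticate with a static password alone, so each exclusion can be reviewed before it is configured.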
Prerequisites
- If the website is configured to use Basic Authentication, ensure that NTLM (a suite of challenge-response authentication and session security protocols) is disabled.
- If the website is configured to use Windows Authentication, ensure that NTLM is enabled.
- Ensure that .NET Framework 4.8 or above is installed on the SafeNet Agent for Microsoft IIS machine.
- Add an Auth Node in SAS: In the SAS Management Console, select VIRTUAL SERVERS > COMMS > Auth Nodes. Enter the name or IP address of the computer where SafeNet Agent for Microsoft IIS is installed. For details, see Authentication Nodes in the SafeNet Authentication Service Private Cloud Edition administrator guide.