Activate this setting for basic or Kerberos authentication.
1.1 Integrated Windows authentication
The Windows integrated authentication option enables Single Sign-On.
Kerberos authentication uses Kerberos tickets to give Intrexx users
Single Sign-On access to the SharePoint server. For Kerberos
authentication to succeed, the following basic requirements must be met:
The users from your Active Directory must be added or
Please make sure that at
least one user is a member of the
so that you can continue to administrate the system.
The server where Intrexx is installed requires the "Delegation" group
rule in Active Directory ("Trust this computer for delegation to any
service (Kerberos only)").
All clients and servers must be members of the same domain.
The Intrexx portal and the SharePoint server must belong to
the local intranet zone from the perspective of the
The SPNEGO authentication must be activated in the browsers.
In Internet Explorer, for example, the option
"Automatic log-on with current username and password" must be
selected in the security settings of the zone in use. Additionally,
the option "Enable Integrated Windows Authentication" must be
activated in the advanced settings.
When using Google Chrome, the hostnames of the Intrexx SharePoint
servers need to be added to a white list in the registry. You can
find more information about this here:
With Firefox, you need to add the servers to the white list in the Firefox configuration (about:config) under the keys:
To provide Kerberos tickets, the Intrexx Kerberos Token
Provider Service must be installed in the Internet
Information Server that is used to communicate with
Intrexx. Further information on this topic can be found
1.1.1. Intrexx Token Service - Service Principal Name / SharePoint Service Principal Name / Token service URI
You need to specify a so-called Service Principal Name (SPN) for the
authentication to be successful. The SPN contains information about the
service for which a Kerberos ticket should be created. This ticket is
needed for the Internet Information Server
of the Intrexx Portal Server.
The SPN is usually compiled as follows:
Computer-DNS-Name: Fully qualified hostname (e.g. mycomputer.mycompany.com)
KERBEROS_REALM: The domain, usually entered in capitals (e.g. MYCOMPANY.COM)
The SPN from the example above would look like this:
1.2 Basic authentication
If the user cannot be authenticated, the basic authentication can be
With basic authentication, the username and password of a SharePoint
user are requested in Intrexx and sent in the header of the HTTP request
to SharePoint. This is the simplest login method and should only be used
in connection with HTTPS because otherwise, credentials are transferred without
2. Forms-based authentication
The forms-based authentication allows users to log in using a SharePoint
login form. With this option, a login form will be shown in Intrexx to
the user when they access the SharePoint data for the first time.
Intrexx then carries out the authentication using the SharePoint
Web service (or /_vti_bin/authenticate.asmx)
in the background.
This option can be used to authenticate via a SAML-compliant identity provider.
Intrexx currently only supports Microsoft Active Directory Federation
Services (ADFS) as an identity provider.
The following prerequisites apply when using ADFS for authentication:
The ADFS server must be installed and configured in SharePoint.
The ADFS server has to support basic and/or Windows integrated authentication.
The Intrexx Kerberos Token Service must be installed and configured
for Windows integrated authentication with ADFS. Further
information on this topic can be found
4.1. Active Directory Federation Services URL
In this field, the URL for the ADFS server's login page is specified, as
it is sent from the SharePoint server to the client browser via redirect.
This could look something like this:
The URL contains the three essential parameters "wa", "wtrealm" and "wctx".
The required values
for these parameters can be taken from your SharePoint ADFS configuration.
Please note that the URL string is already URL-encoded.
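The following added example, which is not taken from the Intrexx documentation or product, builds an ADFS login URL with each value percent-encoded once and checks a URL for the three parameters and for valid encoding before it is entered in the field. The host names, the realm and the wctx value are constructed samples, and treating any parameter other than the three named above as unexpected is an assumption of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, urlencode, quote

REQUIRED = ("wa", "wtrealm", "wctx")   # the three parameters named above
# Characters that may appear literally in a URL query (RFC 3986), plus "%"
ILLEGAL = re.compile(r"[^A-Za-z0-9\-._~!$&'()*+,;=:@/?%]")
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")

# Constructed sample values; take the real ones from your SharePoint ADFS configuration
SAMPLE_ENDPOINT = "https://adfs.example.com/adfs/ls/"
SAMPLE_WA = "wsignin1.0"
SAMPLE_WTREALM = "urn:sharepoint:portal"
SAMPLE_WCTX = "https://sharepoint.example.com/_layouts/15/Authenticate.aspx?Source=/&Mode=1"


def build_login_url(endpoint, wa, wtrealm, wctx):
    """Percent-encode each value exactly once and append it to the endpoint."""
    query = urlencode({"wa": wa, "wtrealm": wtrealm, "wctx": wctx},
                      quote_via=quote, safe="")
    return f"{endpoint}?{query}"


def check_login_url(url):
    """Return a list of problems in an ADFS login URL; an empty list means OK."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if ILLEGAL.search(parts.query) or BAD_ESCAPE.search(parts.query):
        problems.append("query is not valid percent-encoding")
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in REQUIRED:
        values = params.get(name, [])
        if len(values) != 1 or not values[0]:
            problems.append(f"{name} missing, empty or repeated")
    # A nested URL in wctx that was not encoded leaks its own "&key=value"
    # pairs into the outer query, where they show up as extra parameters.
    extra = sorted(set(params) - set(REQUIRED))
    if extra:
        problems.append("unexpected parameters: " + ", ".join(extra))
    return problems


if __name__ == "__main__":
    good = build_login_url(SAMPLE_ENDPOINT, SAMPLE_WA, SAMPLE_WTREALM, SAMPLE_WCTX)
    raw = (f"{SAMPLE_ENDPOINT}?wa={SAMPLE_WA}&wtrealm={SAMPLE_WTREALM}"
           f"&wctx={SAMPLE_WCTX}")
    print(good, check_login_url(good))
    print(raw, check_login_url(raw))
```

The unencoded variant is reported because the `&Mode=1` of the nested URL is parsed as a parameter of the ADFS URL itself, so the wctx value that reaches ADFS is cut short.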
Intrexx sends the user login details to this URL and, if the login
was successful, is redirected to the SharePoint server to complete the
authentication and authorization. When using basic authentication, the
username and password are sent directly to ADFS. With Kerberos, a ticket
for ADFS is first requested using the Intrexx Kerberos Provider Service;
this ticket is then sent to ADFS. Additionally, the Service Principal
Name of the ADFS server is needed for Kerberos. Windows integrated
authentication must also be activated and the SPN of the Intrexx
Kerberos Token Service must be specified.
4.2 Assigning users for the authentication methods
If more than one authentication method is activated, the first available
method will be selected according to the following order of priority:
Windows integrated authentication
In principle, basic authentication and/or forms-based authentication
must be activated to access data using the Portal Manager when creating
applications. To specify at the user/group level which Intrexx user
should use which SharePoint authentication method for logging in, the
methods to be used can be defined in a user-specific schema attribute in
the Intrexx User Schema Manager. To do so, create a new attribute of
type string with a length of 50 in the Schema Manager for users and/or
groups. The name can be chosen freely. The SharePoint authentication
method for a user or group can now be entered in this attribute.
The list below shows which name should be entered for each method:
Windows basic authentication
Windows integrated authentication
Trusted identity provider
Make sure you enter the name exactly. At runtime, Intrexx determines the
method to be used from the user attribute when the SharePoint data
groups are accessed for the first time. If the attribute is not
available or not specified, Intrexx searches for it in the user groups.
If it cannot be found there either, Intrexx proceeds with the order
of priority listed above. The connector must also be told the name of
the user or group attribute.