Windows Authentication can be configured for a Vantagepoint on-premises installation using a local Active Directory.
- On the Web Server, the DeltekVantagepointAppPool must be running as a DOMAIN account with appropriate rights:
- This account should have a strong complex password which does not change.
- This account must not have logon restrictions set in Active Directory.
- On the Web/Application server, this account must be a member of the following groups:
• Local Administrators
• IIS_IUSRS Group
- Under Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment, the following rights must be enabled:
• Log on as a Batch Job
• Log on as a Service
- On the SQL server, this account must have the Server Role of Sysadmin
- On the Vantagepoint Web server, in IIS, change the Vantagepoint virtual folder security:
- Disable Anonymous, and Enable Windows Integrated Security.
- In Advanced Settings, make sure Kernel Mode Authentication is enabled.
- Do not change the Vantagepoint CLIENT virtual folder -- that should still remain set to Anonymous Security.
- Restart IIS for the change to take effect.
- In Vantagepoint, create the User records so that each Username and Domain matches the Username and Domain which are specified in the local Active Directory.
- This will allow the users to be automatically logged into Vantagepoint as long as they are logged into the Domain.
Note: The use of Integrated Security in IIS requires a CAL (Client Access License) for each user who will access the web server. This is a Microsoft, not Deltek, licensing requirement.
For more information about Windows Authentication, please refer to the Deltek Vantagepoint Installation and Maintenance Guide.
An alternative to Windows Authentication with the local Active Directory is Azure Active Directory with Single Sign-on. This is the approach used for Vantagepoint in the Cloud. This is described in the Cloud Administrator's Guide: Azure Authentication for Vantagepoint