AD Group Manager Web supports two authentication modes. You choose between them by setting the Authentication value in appsettings.json.
Basic authentication (default)
In Basic mode, the application shows its own login form (a form-based login, not HTTP Basic authentication). Users enter their Active Directory username and password, and the application validates these credentials against the AD domain. Because the password is posted to the application itself, publish the site over HTTPS only.
{"Authentication":"Basic"}
How it works
The user navigates to the AD Group Manager Web URL and sees a login form.
The user enters their AD username (sAMAccountName format) and password.
The application authenticates the user against the configured AD domain using LDAP.
On success, a cookie-based session is created. The session expires after a period of inactivity (configurable via InactiveSessionTimeoutInMinutes in appsettings.json, default 60 minutes).
IIS configuration for Basic mode
In IIS Manager, open the Authentication settings for your AD Group Manager Web site and ensure:
Anonymous Authentication — Enabled
Windows Authentication — Disabled
This is the default IIS configuration — no changes are needed after a standard installation.
When to use Basic mode
You want a simple setup without additional IIS or AD configuration.
Users access the application from machines that are not joined to the domain (for example, personal devices or other networks).
You want users to see which domain they are authenticating against.
You need a straightforward deployment with no service account.
Default domain
When Basic authentication is used, the admin panel Settings page lets you configure a default domain name that is pre-filled on the login form. You can also control whether managers are allowed to change the domain name on the login form.
Windows authentication (Kerberos)
In Windows mode, IIS handles authentication transparently using the Kerberos (Negotiate) protocol. Users on domain-joined machines are authenticated automatically without seeing a login form.
{"Authentication":"Windows"}
How it works
The user navigates to the AD Group Manager Web URL.
IIS rejects the unauthenticated request with a 401 response carrying a WWW-Authenticate: Negotiate challenge.
The browser asks the domain controller (KDC) for a service ticket for the site's SPN (HTTP/hostname), using the ticket-granting ticket it obtained at Windows logon, and sends that service ticket to IIS in the Authorization header.
IIS validates the ticket (it must be able to decrypt it with the key of the account that holds the SPN) and passes the authenticated identity to the application.
No login form is shown — the user is signed in automatically.
IIS configuration for Windows mode
In IIS Manager, open the Authentication settings for your AD Group Manager Web site and set:
Anonymous Authentication — Disabled
Windows Authentication — Enabled (with Kernel-mode authentication enabled in Advanced Settings). Because the Application Pool runs under a service account that holds the SPN, also set useAppPoolCredentials to true in the site's windowsAuthentication settings; otherwise kernel-mode authentication tries to decrypt tickets with the machine account's key, Kerberos fails, and clients fall back to NTLM.
Additional requirements
Windows authentication requires more setup than Basic mode:
Service account — create a dedicated AD account with read permissions on AD objects and write-member permissions on the managed groups only. Every directory change is made by this account, so the application's own authorization is what limits which groups a manager can change; do not make it a member of privileged groups.
SPN registration — register HTTP/hostname (and HTTP/fqdn if users reach the site by both names) for the service account so Kerberos can identify the service. The SPN must be unique in the forest; a duplicate SPN breaks Kerberos for the site and clients silently fall back to NTLM.
Application Pool identity — configure the IIS Application Pool to run under the service account.
IIS authentication settings — disable Anonymous, enable Windows Authentication with kernel-mode, and set useAppPoolCredentials to true because the SPN belongs to the service account rather than the machine account.
appsettings.json — set Authentication to "Windows".
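The five steps above, carried out end to end as an added PowerShell example (this is not the project's installer or documentation). Every name in it is an assumption for illustration: domain CORP / corp.example.com, service account svc-adgm, host adgm.corp.example.com, site "Default Web Site" with application "ADGroupManager", application pool "ADGroupManager", install path C:\inetpub\ADGroupManager. It goes slightly beyond the page by restricting the account to AES Kerberos keys, setting useAppPoolCredentials for kernel-mode authentication, and optionally removing the NTLM provider so that only Kerberos is accepted.

```powershell
# Added example, not part of AD Group Manager Web. All names below are assumptions.
# Run elevated on the IIS server with the ActiveDirectory (RSAT) and
# WebAdministration modules installed.
#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory, WebAdministration

$Domain      = 'CORP'
$DnsDomain   = 'corp.example.com'
$SvcAccount  = 'svc-adgm'
$SiteHost    = 'adgm'                              # short name users type in the URL
$SiteFqdn    = "$SiteHost.$DnsDomain"
$IisLocation = 'Default Web Site/ADGroupManager'   # site/application path in IIS
$AppPool     = 'ADGroupManager'
$AppSettings = 'C:\inetpub\ADGroupManager\appsettings.json'

# 1. Service account. Kerberos keys limited to AES (no RC4). Write-member rights on
#    the managed groups are granted on those groups' ACLs, not through group membership.
$pw = Read-Host -Prompt "Password for $Domain\$SvcAccount" -AsSecureString
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcAccount'")) {
    New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount `
        -UserPrincipalName "$SvcAccount@$DnsDomain" `
        -AccountPassword $pw -Enabled $true `
        -PasswordNeverExpires $true -ChangePasswordAtLogon $false `
        -Description 'AD Group Manager Web application pool identity'
}
Set-ADUser -Identity $SvcAccount -KerberosEncryptionType AES128,AES256

# 2. SPNs for both names the browser might put in the URL. setspn -S refuses to
#    create a duplicate, which would otherwise break Kerberos and cause NTLM fallback.
foreach ($spn in "HTTP/$SiteHost", "HTTP/$SiteFqdn") {
    & setspn.exe -S $spn "$Domain\$SvcAccount" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setspn failed for $spn (duplicate SPN?)" }
}
& setspn.exe -L "$Domain\$SvcAccount"   # show what is registered

# 3. Application pool identity = the service account.
$plain = [System.Net.NetworkCredential]::new('', $pw).Password
Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel `
    -Value @{ identityType = 'SpecificUser'; userName = "$Domain\$SvcAccount"; password = $plain }

# 4. IIS authentication for the site: anonymous off, Windows on, kernel mode on.
$auth = 'system.webServer/security/authentication'
$iis  = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $IisLocation }
Set-WebConfigurationProperty @iis -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty @iis -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true
Set-WebConfigurationProperty @iis -Filter "$auth/windowsAuthentication"   -Name useKernelMode -Value $true
# Kernel-mode auth decrypts tickets with the machine account's key by default. The SPN
# is on the service account, so make IIS use the application pool's credentials.
Set-WebConfigurationProperty @iis -Filter "$auth/windowsAuthentication"   -Name useAppPoolCredentials -Value $true
# Optional hardening: Negotiate (Kerberos) only, no NTLM fallback. Skip this if any
# client cannot obtain Kerberos tickets, because such clients will then be locked out.
Remove-WebConfigurationProperty @iis -Filter "$auth/windowsAuthentication/providers" `
    -Name '.' -AtElement @{ value = 'NTLM' }

# 5. appsettings.json: switch the application to Windows mode and recycle the pool.
$cfg = Get-Content -Raw -Path $AppSettings | ConvertFrom-Json
if ($null -eq $cfg.PSObject.Properties['Authentication']) {
    $cfg | Add-Member -NotePropertyName Authentication -NotePropertyValue 'Windows'
} else {
    $cfg.Authentication = 'Windows'
}
$cfg | ConvertTo-Json -Depth 10 | Set-Content -Path $AppSettings -Encoding UTF8
Restart-WebAppPool -Name $AppPool

# 6. Verification (run by hand):
#    On the server: an anonymous request to https://$SiteFqdn/ must return 401 with
#      WWW-Authenticate: Negotiate (Invoke-WebRequest throws on 401; inspect the exception).
#    On a domain-joined client after one visit:  klist get HTTP/$SiteFqdn
#      should show a service ticket for HTTP/adgm.corp.example.com. If klist fails or
#      the user gets a password prompt, check the SPN with  setspn -X  for duplicates.
```

If the site is later reached through a different host name (a DNS alias or load balancer name), that name needs its own HTTP/ SPN on the same account, or browsers will request a ticket nobody can decrypt.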
When to use Windows mode
All users access the application from domain-joined machines.
You want single sign-on (no login form).
Your organization prefers Kerberos-based authentication.
You have a service account with appropriate AD permissions.
Comparison

                      Basic                              Windows
Login experience      Username/password form             Automatic (SSO)
IIS setup             Default (no changes)               Requires configuration
Service account       Not required                       Required
SPN registration      Not required                       Required
Non-domain machines   Works                              Does not work
Session management    Cookie with configurable timeout   IIS-managed
AD permissions        Each user's own permissions        Service account permissions

The last row is the security-relevant difference: in Basic mode, directory changes are made with the logged-in user's own rights, so AD ACLs bound what each manager can do; in Windows mode, every change is made by the service account, so the application's own authorization is the only thing between a manager and any group the service account can write.
Restricting access by OU
Regardless of which authentication mode you use, you can restrict which users can log in by configuring the AllowedOUs setting in appsettings.json. When set, only users whose AD accounts are in one of the specified OUs can access the application. Administrator users always bypass OU restrictions.