AD Group Manager Web - Online Manual

Set Up Windows Authentication

Windows Authentication enables single sign-on (SSO) for AD Group Manager Web. Users on domain-joined machines are authenticated automatically via the Kerberos protocol without seeing a login form.

Video instructions

Watch the video walkthrough or follow the text instructions below.


Step 1: Create a service account

Create a dedicated AD service account with read and write permissions for managing groups, users, and computers in Active Directory.

Create the account

  1. Open Active Directory Users and Computers.
  2. Right-click on the container where you want to create the service account (for example, “Users”) and select New → User.
  3. Fill in the account details and set a strong password.
  4. Uncheck User must change password at next logon.
  5. Click Next and Finish.

Grant read permissions

  1. In Active Directory Users and Computers, right-click on the domain name and select Delegate Control.
  2. Click Next on the Welcome page.
  3. Click Add, select the service account, and click Next.
  4. Choose Create a custom task to delegate and click Next.
  5. Select Only the following objects in the folder and check:
    • User objects
    • Group objects
    • Computer objects
    • Contact objects
  6. Click Next.
  7. In the permissions list, select Read and Read All Properties.
  8. Click Next and Finish.

Grant write permissions for group members

  1. [Optional] Create a dedicated OU for the groups the service account will manage. In ADUC, right-click the domain → New → Organizational Unit. Move the relevant groups into this OU.
  2. Right-click on the OU (or the domain, if you want write access everywhere) and select Delegate Control.
  3. Click Next, then Add and select the service account. Click Next.
  4. Choose Create a custom task to delegate and click Next.
  5. Select Only the following objects in the folder and check Group objects. Click Next.
  6. In the permissions list, select Write Members.
  7. Click Next and Finish.

The service account now has read access to users, groups, computers, and contacts across the domain, and write-member access to groups in the target OU.
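The same account creation and both delegations can be scripted with the ActiveDirectory PowerShell module. The block below is an added example, not a script shipped with AD Group Manager Web; it assumes the account name svc-adgmweb and a groups OU named OU=ManagedGroups,DC=example,DC=com (the optional OU from the write-permissions step), and it must be run on a machine with RSAT by an account allowed to edit the domain ACL. It reads the schema GUIDs for the object classes and the member attribute at run time instead of hard-coding them, and finishes by listing the explicit ACEs it granted so the delegation can be reviewed against the least-privilege intent of Step 1.

```powershell
# Added example (not part of the AD Group Manager Web manual): creates the service
# account and applies the Step 1 delegations with the ActiveDirectory module.
# Assumed names: svc-adgmweb and OU=ManagedGroups,DC=example,DC=com; adjust to taste.
Import-Module ActiveDirectory

$AccountName = 'svc-adgmweb'                               # assumed service account name
$GroupsOu    = 'OU=ManagedGroups,DC=example,DC=com'        # assumed OU holding the managed groups
$DomainDn    = (Get-ADDomain).DistinguishedName

# Create the account; the password is read interactively so it never sits in the script.
$Password = Read-Host -AsSecureString "Password for $AccountName"
New-ADUser -Name $AccountName -SamAccountName $AccountName `
    -AccountPassword $Password -Enabled $true `
    -ChangePasswordAtLogon $false `
    -Description 'AD Group Manager Web service account'
$Sid = (Get-ADUser $AccountName).SID

# Resolve schema GUIDs from the schema partition instead of hard-coding them.
$SchemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $SchemaNc `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [Guid]::new($obj.schemaIDGUID)
}

# "Read" + "Read All Properties" on user, group, computer and contact objects, domain-wide.
$Acl = Get-Acl -Path "AD:\$DomainDn"
foreach ($Class in 'user', 'group', 'computer', 'contact') {
    $Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        (Get-SchemaGuid $Class))))
}
Set-Acl -Path "AD:\$DomainDn" -AclObject $Acl

# "Write Members" = WriteProperty on the member attribute only, for group objects under the OU.
$Acl = Get-Acl -Path "AD:\$GroupsOu"
$Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    (Get-SchemaGuid 'member'),
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    (Get-SchemaGuid 'group'))))
Set-Acl -Path "AD:\$GroupsOu" -AclObject $Acl

# List the explicit ACEs held by the service account so the result can be reviewed.
foreach ($Path in "AD:\$DomainDn", "AD:\$GroupsOu") {
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -like "*\$AccountName" } |
        Select-Object @{n = 'Path'; e = { $Path }}, ActiveDirectoryRights,
            ObjectType, InheritedObjectType, InheritanceType |
        Format-Table -AutoSize
}
```

The final listing is the part worth keeping around: it is the quickest way to confirm that the account received property-level Write Members on groups rather than a broader right, and to re-check the delegation later if group management stops working.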


Step 2: Register the Service Principal Name (SPN)

The SPN is used by Kerberos to identify the service running on your IIS server.

  1. Log in to a domain controller (or any machine with the setspn tool).
  2. Open an elevated command prompt (Run as Administrator).
  3. Register the SPN:

    setspn -S HTTP/your-web-app-hostname yourdomain\your-service-account

    Replace the placeholders with your actual values. For example, if your IIS server’s FQDN is groups.example.com, your domain is EXAMPLE, and your service account is svc-adgmweb:

    setspn -S HTTP/groups.example.com EXAMPLE\svc-adgmweb

  4. Run iisreset on the IIS server after registering the SPN.

Step 3: Configure the IIS Application Pool

Update the Application Pool to run under the service account instead of the default identity.

  1. Open IIS Manager.
  2. In the left pane, expand the server name and click Application Pools.
  3. Find the Application Pool used by AD Group Manager Web. Right-click it and select Advanced Settings.
  4. In the Process Model section, find the Identity setting.
  5. Click the ... (ellipsis) button next to Identity.
  6. Select Custom account and click Set.
  7. Enter the username and password for the service account. Use the format DOMAIN\ServiceAccount or ServiceAccount@domain.com.
  8. Click OK three times to close all dialogs.

Recycle the Application Pool for the change to take effect:

  1. Right-click on the Application Pool in IIS Manager.
  2. Click Recycle.

Step 4: Configure IIS site authentication

  1. In IIS Manager, expand the server name, expand Sites, and click on the AD Group Manager Web site.
  2. Double-click the Authentication icon in the center pane.
  3. Right-click Anonymous Authentication and select Disable.
  4. Right-click Windows Authentication and select Enable.
  5. With Windows Authentication still selected, click Advanced Settings in the Actions pane on the right.
  6. Check the box for Enable Kernel-mode authentication and click OK.

Step 5: Update appsettings.json

Open appsettings.json and set the Authentication value to "Windows":

{
  "Authentication": "Windows"
}

Restart the IIS site or run iisreset for the change to take effect.
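Steps 3 to 5 can also be applied from an elevated PowerShell session on the IIS server with the WebAdministration module. The block below is an added example rather than a script from the product; it assumes the application pool and site are both named "AD Group Manager Web", the service account is EXAMPLE\svc-adgmweb, and the site's physical path is C:\inetpub\adgmweb. It performs the same changes as the manual steps and additionally sets useAppPoolCredentials, which standard IIS behaviour requires when kernel-mode authentication is combined with a custom pool identity: without it, IIS tries to decrypt Kerberos tickets with the machine account rather than the service account that holds the SPN from Step 2.

```powershell
# Added example (not part of the AD Group Manager Web manual): applies Steps 3-5 with
# the WebAdministration module. Assumed names below; run as Administrator on the IIS host.
Import-Module WebAdministration

$AppPool  = 'AD Group Manager Web'          # assumed application pool name
$Site     = 'AD Group Manager Web'          # assumed site name
$SiteRoot = 'C:\inetpub\adgmweb'            # assumed physical path of the site
$Account  = 'EXAMPLE\svc-adgmweb'           # service account in DOMAIN\name form
$Password = Read-Host "Password for $Account"   # processModel stores the plain string

# Step 3: run the application pool as the service account, then recycle it.
Set-ItemProperty -Path "IIS:\AppPools\$AppPool" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $Account
    password     = $Password
}
Restart-WebAppPool -Name $AppPool

# Step 4: Anonymous off, Windows Authentication on, kernel-mode on.
$AuthBase = '/system.webServer/security/authentication'
$Cfg      = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $Site }
Set-WebConfigurationProperty @Cfg -Filter "$AuthBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty @Cfg -Filter "$AuthBase/windowsAuthentication"   -Name enabled -Value $true
Set-WebConfigurationProperty @Cfg -Filter "$AuthBase/windowsAuthentication"   -Name useKernelMode -Value $true
# Kernel-mode auth decrypts tickets with the machine account by default; the SPN lives on
# the service account, so make IIS use the pool identity's credentials instead.
Set-WebConfigurationProperty @Cfg -Filter "$AuthBase/windowsAuthentication"   -Name useAppPoolCredentials -Value $true

# Step 5: set "Authentication" to "Windows" in appsettings.json without touching other keys.
$SettingsPath = Join-Path $SiteRoot 'appsettings.json'
$Settings = Get-Content -Path $SettingsPath -Raw | ConvertFrom-Json
$Settings | Add-Member -NotePropertyName Authentication -NotePropertyValue 'Windows' -Force
$Settings | ConvertTo-Json -Depth 10 | Set-Content -Path $SettingsPath -Encoding UTF8

# Restart the site so the new configuration is read.
Stop-WebSite -Name $Site
Start-WebSite -Name $Site
```

Editing appsettings.json through ConvertFrom-Json/ConvertTo-Json keeps whatever other settings the file already contains; -Depth 10 matters because ConvertTo-Json otherwise truncates nested sections.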


Testing

  1. Open a browser on a domain-joined machine and navigate to your AD Group Manager Web URL.
  2. You should be signed in automatically without seeing a login form.
  3. If you are an administrator, you will be redirected to the admin panel. Otherwise, you will see the All Groups page with your managed groups.

If authentication fails, the application will display an error message: “Windows Authentication failed. Please contact your administrator.”


Troubleshooting Windows Authentication

“401 Unauthorized” error — verify that Anonymous Authentication is disabled and Windows Authentication is enabled in IIS. Check that Kernel-mode authentication is enabled in the Advanced Settings.

Authentication prompt appears — if the browser shows a username/password dialog instead of signing in automatically:

  • Verify the SPN is registered correctly: run setspn -L yourdomain\your-service-account and check the output includes HTTP/your-web-app-hostname.
  • Make sure the site URL is in the browser’s Local intranet zone (Internet Explorer/Edge) or is trusted for Negotiate authentication.
  • Check that the Application Pool is running under the service account, not the default identity.

“Access Denied” after authentication — the user may not be in an allowed OU, or the user may not be an administrator and may not have any managed groups in Active Directory.

Groups not loading or “permission denied” errors — verify the service account has the correct read and write-member permissions in Active Directory (see Step 1). Enable debug logging to see detailed error messages.
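The checks in this section can be run together from the IIS server and reported as a PASS/FAIL list, which is faster than clicking through setspn, IIS Manager and the JSON file one at a time. The block below is an added example, not a diagnostic tool from the product; it assumes the service account svc-adgmweb, the host name groups.example.com, a site and application pool named "AD Group Manager Web", and the site root C:\inetpub\adgmweb. Beyond the bullet list above it also checks that no second account carries the same SPN, a common cause of the password prompt that setspn -L on a single account does not reveal.

```powershell
# Added example (not part of the AD Group Manager Web manual): verifies the items in
# the troubleshooting section and prints one PASS/FAIL line per check.
# Assumed names below; needs the ActiveDirectory (RSAT) and WebAdministration modules.
Import-Module ActiveDirectory
Import-Module WebAdministration

$Account  = 'svc-adgmweb'                   # assumed service account
$HostName = 'groups.example.com'            # assumed web app host name
$Site     = 'AD Group Manager Web'          # assumed site name
$AppPool  = 'AD Group Manager Web'          # assumed application pool name
$SiteRoot = 'C:\inetpub\adgmweb'            # assumed physical path of the site
$Spn      = "HTTP/$HostName"

function Report([string]$Check, [bool]$Ok, [string]$Detail) {
    '{0,-4} {1}: {2}' -f ($(if ($Ok) { 'PASS' } else { 'FAIL' })), $Check, $Detail
}

# Is the SPN registered on the service account? (same data as setspn -L)
$Spns = (Get-ADUser $Account -Properties servicePrincipalName).servicePrincipalName
Report 'SPN on service account' ($Spns -contains $Spn) "registered: $($Spns -join ', ')"

# Does any other account hold the same SPN? A duplicate makes Kerberos fail and
# clients fall back to NTLM or show a credential prompt.
$Holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" | Select-Object -ExpandProperty Name
Report 'SPN is unique' ($Holders.Count -le 1) "holders: $($Holders -join ', ')"

# Is the application pool running as the service account rather than the default identity?
$Pm = Get-ItemProperty -Path "IIS:\AppPools\$AppPool" -Name processModel
Report 'App pool identity' ($Pm.identityType -eq 'SpecificUser' -and $Pm.userName -like "*$Account") `
    "$($Pm.identityType) $($Pm.userName)"

# Anonymous disabled, Windows enabled, kernel-mode enabled on the site?
$AuthBase = '/system.webServer/security/authentication'
$Cfg      = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $Site }
$Anon = (Get-WebConfigurationProperty @Cfg -Filter "$AuthBase/anonymousAuthentication" -Name enabled).Value
$Win  = (Get-WebConfigurationProperty @Cfg -Filter "$AuthBase/windowsAuthentication" -Name enabled).Value
$Kern = (Get-WebConfigurationProperty @Cfg -Filter "$AuthBase/windowsAuthentication" -Name useKernelMode).Value
Report 'Anonymous Authentication disabled'  (-not $Anon) "enabled=$Anon"
Report 'Windows Authentication enabled'     $Win         "enabled=$Win"
Report 'Kernel-mode authentication enabled' $Kern        "useKernelMode=$Kern"

# Has appsettings.json been switched to Windows authentication (Step 5)?
$Settings = Get-Content -Path (Join-Path $SiteRoot 'appsettings.json') -Raw | ConvertFrom-Json
Report 'appsettings.json Authentication' ($Settings.Authentication -eq 'Windows') `
    "value: $($Settings.Authentication)"
```

A FAIL on the identity or authentication lines points back to Steps 3 and 4; a FAIL on either SPN line points back to Step 2, and the duplicate-holder list names the object that has to lose the SPN before Kerberos can work for this site.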


Use of this site constitutes acceptance of our Privacy Policy and EULA. Copyright © Albus Bit SIA