This article explains how to configure the Client so that it relies on the user's Windows credentials to authenticate.
For remote access, enforcing your security policies requires that users successfully authenticate to the Client. Making that authentication seamless keeps enforcement practical and the user experience simple. For users who authenticate with SSO, you can configure the Client to use the user's Windows credentials to authenticate. Users then authenticate only to the device, and do not need to enter their credentials again when connecting with the Client. You can configure this to happen automatically or to be initiated by the user. After the SSO session expires, the Client silently re-authenticates with the Windows credentials, so both the initial authentication and every re-authentication are seamless.
If you configure this feature together with the Windows registry key to automatically launch the Client after initial installation and Connect on Boot, the Client always launches, authenticates, and connects without a user taking any action.
Company ABC wants a simple user experience for their users so that they can connect to Cato with as few clicks as possible. To do this they want to make the Client authentication process automatic. This means that to connect to Cato, users only need to open the Client and click Connect.
The admin configures the Cato SSO settings to automatically use the user's Windows credentials to authenticate.
Every time users log in to their device, even if the SSO token has expired, the Client is able to connect to the network without requiring additional authentication from the user.
Company ABC wants to ensure their users are connected to the Client as often as possible. To do this they want to make the Client connection process automatic so that new and existing users do not need to remember to manually click the Connect button in the Client.
The admin configures these settings:
- So that the Client launches straight away for new users the first time they start the device, they define a Windows registry key on the device
- So that the Client connects every time the device boots, they enable Connect on Boot
- To remove the requirement for manual user authentication, they enable Automatic Client Authentication so that the Client uses the user's Windows credentials to authenticate
Every time users log in to their device, the Client launches, authenticates, and connects without any action from the user.
Note: If Azure can't provide the authentication token for the user, the user follows the standard authentication flow and enters their Azure credentials in the Client.
Authenticating with Windows credentials is supported:
- On Windows Client v5.8 and higher
- On devices running Windows 10 or higher
- On Azure AD joined devices (Hybrid Azure AD joined devices are supported from Client v5.11 and above)
- With Azure configured as the SSO provider for your account, and users allowed to log in with SSO
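The following pre-flight check is an added example, not part of the Cato article and not Cato's own tooling. It verifies the device-side prerequisites above (Windows 10 or higher, and Azure AD or Hybrid Azure AD join) using the built-in `dsregcmd /status` output. It does not check the Client version, because the article does not say where the installed Client records its version; confirm that separately in the Client's About dialog or your deployment inventory.

```powershell
# Added example (not from the Cato article): check the prerequisites for
# Windows-credential authentication on a device. Run in PowerShell on the
# device itself; dsregcmd is built into Windows 10 and higher.

function Test-WindowsCredentialSsoPrereqs {
    $result = [ordered]@{}

    # Windows 10 or higher. Windows 11 also reports major version 10 here,
    # so this single comparison covers both.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $result['Windows10OrHigher'] = ([version]$os.Version).Major -ge 10

    # Join state from dsregcmd /status. Lines look like
    #   "AzureAdJoined : YES" and "DomainJoined : YES".
    # AzureAdJoined alone = Azure AD joined; both YES = Hybrid Azure AD joined,
    # which the article says needs Client v5.11 or higher.
    $status = dsregcmd /status
    $azureJoined  = [bool]($status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES')
    $domainJoined = [bool]($status | Select-String -Pattern '^\s*DomainJoined\s*:\s*YES')
    $result['AzureAdJoined']       = $azureJoined
    $result['HybridAzureAdJoined'] = $azureJoined -and $domainJoined

    [pscustomobject]$result
}

$check = Test-WindowsCredentialSsoPrereqs
$check | Format-List

if (-not $check.Windows10OrHigher -or -not $check.AzureAdJoined) {
    Write-Warning 'Prerequisites not met: the Client will fall back to the standard Azure sign-in prompt.'
}
elseif ($check.HybridAzureAdJoined) {
    Write-Host 'Hybrid Azure AD joined device: requires Windows Client v5.11 or higher.'
}
else {
    Write-Host 'Azure AD joined device: requires Windows Client v5.8 or higher.'
}
```

A device that reports `AzureAdJoined : NO` will never receive a token from Azure for this flow, so users on it see the standard credential prompt described in the note above; running this check before rolling out the setting avoids confusing that fallback with a misconfiguration.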
This feature is enabled within your Azure SSO configuration. Once you enable it, you can choose the user experience.
To authenticate with Windows credentials:
- From the navigation menu, click Access > Single Sign-On.
- From the SDP Client users section, select Sign in with Windows credentials.
- From the drop-down menu, configure the user experience:
  - Automatically: The Client automatically uses the Windows credentials to authenticate
  - User Selection: The user must confirm authentication with their Windows credentials, but does not need to re-enter them, and can instead choose to authenticate as a different user
- Click Save.
Users now authenticate to Cato with their Windows credentials. New users authenticate this way immediately. Users who were already configured switch to Windows credentials the next time their SSO session expires.
Note: If multiple users are configured on a device, only the user configured in the Client can authenticate with their Windows credentials.
You can combine authentication with Windows credentials with two other features to create a seamless user experience, where the Client launches, authenticates, and connects without any action from the user:
- Define the LaunchAuthPageOnStartup Windows registry key to automatically launch the Client after initial installation. This applies to new users the first time they log in to their device.
- Enable Connect on Boot in the Cato Management Application for the entire account, so that Clients connect every time the device boots. This enforces the Client connection without any action from the user. For accounts that only want Connect on Boot for specific users, define the ConnectOnBoot registry key on the devices of the required users instead.
If your SSO Token validity configuration is set to Always Prompt and you enable authentication with Windows credentials, the Client silently authenticates with the user's Windows credentials without any prompt.
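The script below is an added example, not part of the Cato article and not Cato's own deployment code. It sets the two registry values named above and reads them back to confirm the write. The article gives the value names (LaunchAuthPageOnStartup and ConnectOnBoot), and a comment on this page shows LaunchAuthPageOnStartup as a DWORD set to 1, but the article never states the registry path or hive; `$CatoClientKey` below is therefore an assumption, and whether ConnectOnBoot belongs under HKLM (whole device) or HKCU (one user, as the per-user wording above suggests) must be confirmed against your Client documentation before use.

```powershell
# Added example (not from the Cato article): write the LaunchAuthPageOnStartup
# and ConnectOnBoot DWORD values and verify them. Run elevated, typically from
# the deployment tool that installs the Client, before the first user logs in.

# ASSUMPTION: the article does not give the registry path. Replace this with the
# path from your Client documentation; the hive may be HKCU for per-user ConnectOnBoot.
$CatoClientKey = 'HKLM:\SOFTWARE\CatoNetworks\CatoClient'

$DesiredValues = @{
    LaunchAuthPageOnStartup = 1   # launch the Client after initial install (new users)
    ConnectOnBoot           = 1   # connect on every boot for this device/user
}

function Set-CatoClientAutoConnect {
    param([string]$Path = $CatoClientKey, [hashtable]$Values = $DesiredValues)

    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    foreach ($name in $Values.Keys) {
        # -Force overwrites an existing value; DWord matches the type seen in the comments
        New-ItemProperty -Path $Path -Name $name -PropertyType DWord -Value $Values[$name] -Force | Out-Null
    }
}

function Test-CatoClientAutoConnect {
    param([string]$Path = $CatoClientKey, [hashtable]$Values = $DesiredValues)

    $ok = $true
    foreach ($name in $Values.Keys) {
        # A missing value yields $null here, which fails the comparison and is reported
        $actual = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name
        if ($actual -ne $Values[$name]) {
            Write-Warning "$name is '$actual', expected $($Values[$name])"
            $ok = $false
        }
    }
    return $ok
}

Set-CatoClientAutoConnect
if (Test-CatoClientAutoConnect) {
    Write-Host "Registry values set under $CatoClientKey."
}
```

Keep the read-back step in your deployment: a policy that silently fails to write the DWORD leaves the device looking configured in the management tool while the Client still waits for a manual Connect, which is exactly the gap the account-wide Connect on Boot setting is meant to close.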
8 comments
This works really well! If only there were a LaunchAuthPageMinimizedOnStartup registry option it would be a seamless and non-intrusive experience for the end user.
Thank you for the suggestion, JM!
I have passed it on to the Product Management team
Kind Regards,
Dermot Doran
Will the Cato client support passwordless with Azure? Thanks!
I’m passwordless with my Azure AD account, and yes - it works just fine.
our Azure is federated by Okta with MFA, will this work?
Is there automatic connection for first time users? It seems even after i added the registry LaunchAuthPageOnStartup=1 (DWORD), it does launch Cato automatically but still stuck at the prompt where it asks for an email address to join the Cato network.
That is only for first time users, after the initial entering of email, they would then be connected automatically subsequently. But just checking if we can even automate the initial step.
Delin Hong (PRIA) Apologize for the delayed response, there should be an automatic connection for first-time users. Please open a ticket with Support.
Is it possible to assign this policy to individual users/groups for testing?