Authenticate Users Automatically with Windows Credentials

This article explains how to configure the Client so that it relies on the user's Windows credentials to authenticate.

Overview

For remote access, implementing your security policies requires that users successfully authenticate to the Client. Ensuring seamless authentication increases your network security and creates a simple user experience. For users that authenticate with SSO, you can configure the Client to use the user's Windows credentials to authenticate. This means users are only required to authenticate to the device, and do not need to enter their credentials and authenticate again when connecting with the Client. You can configure this to happen automatically or be initiated by the user. After the SSO session expires, the Client silently re-authenticates with Windows credentials. This creates a seamless authentication and re-authentication process.

If you configure this feature together with the Windows registry key to automatically launch the Client after initial installation and Connect on Boot, the Client always launches, authenticates, and connects without a user taking any action.

Use Case - Simplifying Client Authentication

Company ABC wants a simple user experience for their users so that they can connect to Cato with as few clicks as possible. To do this they want to make the Client authentication process automatic. This means that to connect to Cato, users only need to open the Client and click Connect.

The admin configures the Cato SSO settings to automatically use the user's Windows credentials to authenticate.

Every time users log in to their device, even if the SSO token has expired, the Client is able to connect to the network without requiring additional authentication from the user.

Use Case - Seamless Client Authentication and Connection

Company ABC wants to ensure their users are connected to the Client as often as possible. To do this they want to make the Client connection process automatic so that new and existing users do not need to remember to manually click the Connect button in the Client.

The admin configures these settings:

  • So that the Client launches straight away for new users the first time that they start the device, they define a Windows registry key on the device

  • So that the Client connects every time the device boots, they enable Connect on Boot

  • To remove the requirement of manual user authentication, they enable Automatic Client Authentication to use the user's Windows credentials to authenticate

Every time users log into their device, the Client launches, authenticates and connects without any action from the user.

Note: If Azure can't provide the authentication token for the user, then the user follows the standard authentication flow by entering their Azure credentials in the Client.

Prerequisites

  • Authenticating with Windows credentials is supported:

    • On Windows Client v5.8 and higher

    • On devices running Windows 10 or higher

    • On Azure AD joined devices (Hybrid AD joined is supported from Client v5.11 and above)

    • With Azure configured as the SSO provider for your account and users allowed to login with SSO

Known Limitations

  • Azure AD authentication that requires user interaction (such as MFA) is supported from Client v5.11. It is not supported on Clients below v5.11.

  • The registry key InitialAlwaysOn is not supported for this feature

Configuring Authentication with Windows Credentials

This feature is enabled within your Azure SSO configuration. Once you enable it, you can choose the user experience.

To authenticate with Windows credentials:

  1. From the navigation menu, click Access > Single Sign-On.

  2. From the SDP Client users section, select Sign in with Windows credentials.

  3. From the drop-down menu configure the user experience:

    • Automatically: The Client automatically uses Windows credentials to authenticate

    • User Selection: The user must confirm authentication with their Windows credentials but does not need to re-enter them. The user can also choose to authenticate as a different user

  4. Click Save.

    Users now authenticate to Cato with their Windows Credentials. New users automatically authenticate with their Windows credentials. Configured users automatically authenticate the next time the SSO session expires.

Note: If multiple users are configured on a device, only the user configured in the Client can authenticate with their Windows credentials.

Configuring a Seamless User Experience

You can configure authentication with Windows Credentials with two other features to create a seamless user experience. This means that the Client launches, authenticates, and connects without any action from the user.

Automatically Launching the Client

Define the LaunchAuthPageOnStartup Windows registry key to automatically launch the Client after initial installation. This feature is for new users the first time they log in to their device.

To configure the Windows registry to automatically launch the Client:

  1. Go to this location in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\CatoNetworksVPN

  2. Define this key:

    • LaunchAuthPageOnStartup=1 (DWORD)

Using Connect on Boot for Entire Account

You can choose to enable Connect on Boot in the Cato Management Application for the entire account, so that the Clients always connect every time the device boots. This feature is configured for users to enforce Client connection without any action from the user.

Customizing Connect on Boot for Specific Users

For accounts that only want to enable Connect on Boot for specific users, you can define the ConnectOnBoot registry key on the devices for the required users.

To configure the Windows registry to connect the Client when the device boots:

  1. Go to this location in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\CatoNetworksVPN

  2. Define this key:

    • ConnectOnBoot=1 (DWORD)
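
The two registry procedures above (LaunchAuthPageOnStartup and ConnectOnBoot), combined into one PowerShell script with a read-back check. This is an added example, not Cato's own tooling: the key path and value names come from this article, while the preflight checks (OS version, `dsregcmd /status` join state, InitialAlwaysOn warning) are an assumed way to verify the prerequisites and known limitations listed earlier.

```powershell
#Requires -RunAsAdministrator
# Added example: preflight checks plus the two registry values from this article.
# Key path and value names are from the article; the checks are illustrative.

$KeyPath = 'HKLM:\SOFTWARE\CatoNetworksVPN'
$Wanted  = [ordered]@{
    LaunchAuthPageOnStartup = 1   # launch the Client after initial installation
    ConnectOnBoot           = 1   # only needed if not enabled account-wide
}

# Prerequisite: Windows 10 or higher (major version 10 covers Windows 10 and 11).
$os = [Environment]::OSVersion.Version
if ($os.Major -lt 10) { throw "Windows 10 or higher is required (found $os)." }

# Prerequisite: Azure AD joined. Hybrid joined needs Client v5.11 or above.
$dsreg        = (dsregcmd /status) -join "`n"
$aadJoined    = $dsreg -match 'AzureAdJoined\s*:\s*YES'
$domainJoined = $dsreg -match 'DomainJoined\s*:\s*YES'
if (-not $aadJoined) { throw 'Device is not Azure AD joined.' }
if ($domainJoined)   { Write-Warning 'Hybrid AD joined: requires Client v5.11 or above.' }

# Known limitation: InitialAlwaysOn is not supported for this feature.
$existing = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
if ($existing -and ($existing.PSObject.Properties.Name -contains 'InitialAlwaysOn')) {
    Write-Warning 'InitialAlwaysOn is defined; it is not supported for this feature.'
}

# Create the key if it is missing, then write each value as a DWORD.
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
foreach ($name in $Wanted.Keys) {
    New-ItemProperty -Path $KeyPath -Name $name -PropertyType DWord `
        -Value $Wanted[$name] -Force | Out-Null
}

# Read back and confirm both the data and the value type.
$key = Get-Item -Path $KeyPath
foreach ($name in $Wanted.Keys) {
    $ok = ($key.GetValue($name) -eq $Wanted[$name]) -and
          ($key.GetValueKind($name) -eq 'DWord')
    '{0,-24} = {1}  [{2}]' -f $name, $key.GetValue($name),
        $(if ($ok) { 'OK' } else { 'MISMATCH' })
}
```

Because the values live under HKEY_LOCAL_MACHINE, they apply to the whole device and need an elevated session to write; run the script from a 64-bit PowerShell host so the path is not redirected.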

Using Always Prompt Token Validity and Authentication with Windows Credentials

If your SSO Token validity configuration is set to Always Prompt and you enable authentication with Windows Credentials, the Client silently authenticates with the user's Windows Credentials without any prompt.

8 comments

  • Comment author
    JM

    This works really well! If only there were a LaunchAuthPageMinimizedOnStartup registry option it would be a seamless and non-intrusive experience for the end user.

  • Comment author
    Dermot - Community Manager

    Thank you for the suggestion, JM!

    I have passed it on to the Product Management team

    Kind Regards,

    Dermot Doran

  • Comment author
    Matthew Sutton

    Will the Cato client support passwordless with Azure?  Thanks!

  • Comment author
    JM

    I’m passwordless with my Azure AD account, and yes - it works just fine.

  • Comment author
    Franklin Gonzales

    Our Azure is federated by Okta with MFA, will this work?

  • Comment author
    Delin Hong (PRIA)

    Is there automatic connection for first time users? It seems even after I added the registry LaunchAuthPageOnStartup=1 (DWORD), it does launch Cato automatically but still stuck at the prompt where it asks for an email address to join the Cato network.

    That is only for first time users, after the initial entering of email, they would then be connected automatically subsequently. But just checking if we can even automate the initial step.

  • Comment author
    Yaakov Simon

    Delin Hong (PRIA)  Apologize for the delayed response, there should be an automatic connection for first-time users. Please open a ticket with Support.

  • Comment author
    Zach Kieffer

    Is it possible to assign this policy to individual users/groups for testing?
