Configuring single sign on for a web farm

Before reading this article, read the guides on configuring a web farm and single sign-on.

In this example, we will be using:

  • Active Directory domain named mycompany (mycompany.com);
  • ARR controller computer name – elma;
  • Names of computers with ELMA – elma1 and elma2;
  • name of the user who will run ELMA – mycompany\elma_user.


  • In the Active Directory domain, create a user on whose behalf ELMA server application pools and the application pool on the ARR controller will be started. Or use an existing user of this domain. In this example – mycompany\elma_user.
  • Make sure that the ARR controller computer and the ELMA server computers are in the same domain as the user (in this example – mycompany).

To configure single sign-on:

1. Configure a web farm following the instructions (https://kb.elma-bpm.com/article-1745.html) and make sure that it works.

2. Configure single sign-on following the instructions (https://kb.elma-bpm.com/help/EN/Platform/content/Admin_Through_autorization_index.html). The following settings must be changes in these instructions, to ensure single sign-on on a web farm:

  • In the dialog box for selecting Windows authentication provider (step 4) and put Negotiate in the first place and click OK:

  • click Advanced Settings in the right menu and in the opened dialog box check Enable Kernel-mode authentication and click OK:

  • go to the Configuration Editor of the added SSPI application;


  • in the drop-down list select system.webServer -> security -> authentication -> windowsAuthentication;

  • set True for the following parameters authPersistNonNTLM, authPersistSingleRequest, enabled, useAppPoolCredentials anduseKernelMode;

3. In the advanced settings of application pools set the start on behalf of mycompany\elma_user:

  • for the ELMA servers (elma1 and elma2) – for the ELMA site pool.

4. Enable anonymous authentication (disable all the other authentication types) in the Default Web Site on the controller side (elma server). Go to the Authentication section of this site and leave only the Anonymous Authentication enabled.



5. The next step is configuring the IIS application pool. In the advanced settings of application pools, specify mycompany\elma_user as the identity:

  • for the controller (elma server) – for the DefaultAppPool;


6. Set SPN for each ELMA server and controller (bind their addresses to the user, under whose account application pools will be running). You can do it using the SETSPN command (in the command prompt), or the ADSI Edit console (adsiedit.msc).

After setting SPN, restart all the servers. Moreover, the changes may not apply immediately after restarting.

Example of using the command prompt:

SETSPN -S HTTP/elma.mycompany.com mycompany\elma_user

SETSPN -S HTTP/elma1.mycompany.com mycompany\elma_user

SETSPN -S HTTP/elma2.mycompany.com mycompany\elma_user

Example of using the ADSI Edit console:

In the CN=Users tree, find the elma_user and in its context menu click Properties.


In the opened window, on the Attribute Editor tab, find the servicePrincipalName attribute, click Edit and add all the ELMA servers and the controller server.


7. Check that single sign-on works on each server and then on the controller server.

If you are configuring single sign-on for a web farm using the Kerberos authentication protocol, then you should perform the settings described below.
  • at step 2 of this guide, place the Negotiate:Kerberos provider in the first place;
  • at step 4 select Kerberos authentication on the controller side, i.e. leave only the Windows Authentication enabled and select Negotiate:Kerberos in the list of providers;
  • follow the steps 5 and 6;

At the next step, configure delegating Kerberos to AD. For the controller, add the http service type and specify the farm server names; for the farm servers - add the http service type and specify the controller name:


Kerberos will not work correctly if the same SPN names are used by different domain entries.

Therefore, you need to make sure that there are no duplicate names in the domain. For this, you can start cmd.exe and run the command setspn /x

If duplicates are found, delete them.

After that, configure the database connection file. Open the Configuration.config file and add the following line:

<add name="MainDB" connectionString="Data Source=testbigbase.elewise.local;Initial Catalog=ElmaFermBase;Integrated Security=SSPI;"/>

Also edit the file Web.config.xslt. Add the following line to this file:

<sessionState mode="SQLServer" sqlConnectionString="data source=TestBigBase.elewise.local;Integrated Security=SSPI;" cookieless="false" timeout="30"/>

For ELMA Agent to work with Kerberos, you need to start is the first time with the parameter USINGKERBEROSONWFBALANCE=True.

Kerberos is set up. Follow step 7.


In order for single sign-on to continue working correctly after updating of the web farm, it is necessary to do the following:

  • create a copy of the Settings.config file in the …/<Folder with the ELMA system files>/Web/ folder;
  • update the web farm;
  • rename the updated Settings.config file in the …/<Folder with the ELMA system files>/Web/ folder in the following way: Settings_< version_number_of_the_updated_system >.config. For instance, Settings_3_13_13.config;
  • move the previously copied file to the ../< Folder with the ELMA system files >/Web/


Articles in This Category