# Configure Activate Anywhere to use Azure AD to Authenticate External Users
## Introduction

Your customer may want to access Activate from internet-connected devices. Activate recommends deploying the Activate Anywhere web site onto a DMZ server, which allows remote users to access Activate securely without publishing the internal Activate web portal. This provides a layer of protection and isolation between the internet and your Activate server, using a secure reverse proxy.

By default, Activate uses a secure cookie-based authentication scheme. However, some customers may wish to use Azure AD to authenticate users instead. This guide steps you through configuring Activate and the associated Azure AD tenant to meet this requirement.

## Assumptions

- The Activate Anywhere website is configured and running. Please refer to the Anywhere Web Site Installation Guide.
- The steps below are performed with an Azure AD Global Administrator account.
- The Activate Anywhere server has web access to the Azure AD tenant.
- The environment has an Azure AD tenant populated with the users who need to authenticate.

## Guide

### Register the Azure application for Activate

1. Create a new application registration in Azure for the tenant you want Activate to use for authentication.
2. Fill in the name and redirect URI, e.g. `https://<ServerFQDN>/signin-oidc-anywhere`; in this case `https://activate/signin-oidc-anywhere`. Click Register.
3. Open the application from the App registrations tile, click Authentication under the Manage heading, tick the Implicit grant 'ID tokens' tickbox and click Save.
4. Copy the Application (client) ID; you will need this for the Activate RemoteAccess parameter.
5. You can check the tenant name in the Entra ID tile under Overview.

### Anywhere server IIS configuration

Make sure you have IIS and certificates all set up, bound and listening for the Activate Anywhere site. This guide assumes you have already set up Activate Anywhere with Activate cookie-based authentication over HTTPS/SSL and have it published externally, internally or both.

Check the IIS bindings for Activate Anywhere. Here's an example of a lab setup: the binding is for SSL and has a valid certificate for this site.

In Activate Studio, open the Resources/Configuration/External Web/RemoteAccess XML parameter. Add the `authentication` node, as in the XML example below, to the RemoteAccess XML parameter. In this example we have pointed it at a set of parameters on the Azure resource (see the Activate Azure AAD Integration Guide). Alternatively, they can be the explicit values of the application/tenant as configured above.

```xml
<remoteaccess>
  <requireterms>true</requireterms>
  <tokensettings>
    <allowkeepmesignedin>true</allowkeepmesignedin>
    <tokenlifetimedays>90</tokenlifetimedays>
    <sessiontimeoutminutes>60</sessiontimeoutminutes>
    <autorenew>true</autorenew>
    <requiressl>true</requiressl>
  </tokensettings>
  <images>
    <anonymous>true</anonymous>
  </images>
  <api>
    <policy>
      <enable>false</enable>
      <match>
        <url>custom/</url>
        <ipaddress></ipaddress>
      </match>
    </policy>
  </api>
  <ratelimiter>
    <enable>true</enable>
    <permitlimit>100</permitlimit>
    <window>1</window>
    <queuelimit>25</queuelimit>
    <segmentsperwindow>4</segmentsperwindow>
  </ratelimiter>
  <authentication>
    <provider>azure</provider>
    <applicationid>=//resources/activedirectory/external directories/azure/applicationid</applicationid>
    <tenantname>=//resources/activedirectory/external directories/azure/tenantname</tenantname>
    <postlogoutredirecturi>https://activate.domain.local/</postlogoutredirecturi>
  </authentication>
</remoteaccess>
```

Then:

1. On the main Activate server, recycle the Activate app pool (or run `iisreset` from a command prompt).
2. On the Activate Anywhere server, recycle the Activate Anywhere app pool (or run `iisreset` from a command prompt).
3. Navigate to the Anywhere site `https://<SiteFQDN>`, in this case `https://activate/`.
4. A Global Admin will have to accept consent on behalf of the organisation the first time.
5. After authenticating you will be redirected to Activate; you can see Wendy Evans has successfully signed in.

## Troubleshooting

Sometimes the service principal name (SPN) hasn't been registered against the Active Directory server computer object: after logging in with Azure/Entra OAuth and being redirected, the user is challenged for Windows authentication. Check that `setspn` has been run for the server.

If you need to adjust the URL for the Activate main site, in v8 this setting is defined in `appsettings.json` for Anywhere. Typically this will be under the path `%InstallDrive%\Program Files\Activate\Anywhere\%InstanceName%\appsettings.json`. Adjusting the highlighted "Server" value changes where Anywhere looks for the main site.
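As an added check that is not part of this guide or of the Activate product, the following Python script parses a RemoteAccess parameter and flags an `authentication` node that does not match the Azure configuration described above (wrong provider, unresolvable or non-GUID application ID, missing tenant, non-HTTPS logout URI, `requiressl` not set). The `=//` path-reference resolution, the resource lookup table and the sample values are assumptions modelled on the example XML.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the RemoteAccess parameter from this guide, cut down to the nodes checked here.
SAMPLE_REMOTEACCESS = """<remoteaccess>
  <tokensettings><requiressl>true</requiressl></tokensettings>
  <authentication>
    <provider>azure</provider>
    <applicationid>=//resources/activedirectory/external directories/azure/applicationid</applicationid>
    <tenantname>=//resources/activedirectory/external directories/azure/tenantname</tenantname>
    <postlogoutredirecturi>https://activate.domain.local/</postlogoutredirecturi>
  </authentication>
</remoteaccess>"""

# Constructed stand-in for the Azure resource parameters the "=//" references point at (placeholder values).
SAMPLE_RESOURCES = {
    "//resources/activedirectory/external directories/azure/applicationid": "00000000-0000-0000-0000-000000000000",
    "//resources/activedirectory/external directories/azure/tenantname": "example.onmicrosoft.com",
}

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


def resolve(value, resources):
    """A value starting with '=' is assumed to reference another Activate parameter by path."""
    value = (value or "").strip()
    if value.startswith("="):
        return resources.get(value[1:])
    return value or None


def check_remoteaccess(xml_text, resources):
    """Return a list of findings; an empty list means the settings match the guide."""
    root = ET.fromstring(xml_text)
    auth = root.find("authentication")
    if auth is None:
        return ["no <authentication> node: Activate keeps its cookie-based scheme"]
    findings = []
    if (auth.findtext("provider") or "").strip().lower() != "azure":
        findings.append("provider must be 'azure'")
    app_id = resolve(auth.findtext("applicationid"), resources)
    if not app_id or not GUID_RE.match(app_id):
        findings.append("applicationid is missing or not a GUID (check the app registration or =// reference)")
    if not resolve(auth.findtext("tenantname"), resources):
        findings.append("tenantname is missing or unresolved")
    if not (auth.findtext("postlogoutredirecturi") or "").strip().lower().startswith("https://"):
        findings.append("postlogoutredirecturi should be an https URL")
    if (root.findtext("tokensettings/requiressl") or "").strip().lower() != "true":
        findings.append("tokensettings/requiressl should be true so auth cookies only travel over TLS")
    return findings
```

Run it against the parameter exported from Activate Studio before recycling the app pools; an empty result means the node is consistent with the registration steps above.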