Configuring Windows Authentication

Mobile App Service is being deprecated. Please use API as a backend for the Mobile App instead.

In order to use Windows Authentication, the Mobile App Service requires certain security changes on the web server computer hosting the Mobile App Service:

  1. Grant all Windows accounts that will be used to sign in to the Mobile App the right to log on locally to the web server computer hosting the Mobile App Service.

    In order to grant a user account the ability to log on locally to the web server computer, you must either make that user a member of a group that already has the "Allow log on locally" user right or grant the right to that user account.

    INFO: For instructions on configuring security policy settings on Windows Server 2003, see the Microsoft TechNet article "Edit security settings on a Group Policy object" at http://technet.microsoft.com/en-us/library/cc736516%28v=ws.10%29.aspx.

    INFO: For details specific to more recent versions of Windows, see the Microsoft TechNet article "Group Policy" at http://technet.microsoft.com/en-us/library/cc754286.aspx.

  2. If your technicians are still unable to access the Mobile App, you may need to grant the Windows account that the Internet Information Services (IIS) uses to run the Mobile App Service application the "Act as part of operating system" user right on the web server computer. This privilege may be required in IIS 6 (Windows Server 2003, Windows Server 2003 R2).

    INFO: For details on the "Act as part of operating system" user right, see the Microsoft TechNet article "User Rights" at
    http://technet.microsoft.com/en-us/library/dd349804%28v=WS.10%29.aspx.

    1. First, find out which Windows account IIS uses to run the Mobile App Service application. In IIS 6 (Windows Server 2003, Windows Server 2003 R2), worker processes run as Network Service by default.

    2. Grant the "Act as part of operating system" user right to the default Windows account, or change the default account to a different Windows account that already has this privilege (for example, the Local System account). However, either of these workarounds presents a security risk for your web server.

      NOTE: You can assign user rights to the account as follows:
      1. Log on as an administrator on the computer where the Mobile App Service is installed.
      2. Open the Local Security Policy.
      3. In the Local Policies, go to User Rights Assignment and double-click the user right you want to grant.
      4. Add the desired account to the list of users that have this right.
      5. Click OK.

    3. Restart IIS.