Skip to main content
Skip table of contents

Using Windows Pass-Through (Kerberos) Authentication

Using Windows Pass-Through (Kerberos) Authentication

It is recommended to configure SAML 2.0 Single Sign On rather than Kerberos. SAML is compatible with all device types and reduces the need to manage multiple SSO methods.


By default AppsAnywhere presents all users with a web based login page.

Integrated Windows Authentication can also be used to allow Single Sign On (SSO) from domain machines using Kerberos. To initiate SSO automatically, you can direct users on domain machines to the following URL:

Our recommended approach is to use this URL when creating shortcuts to the AppsAnywhere portal for end-users on managed Windows devices.

You can then easily disable first-time user prompts for SSO in AppsAnywhere General Settings.


  1. This is presuming you have already completed a Managed Deployment of AppsAnywhere Client and Cloudpaging Player to domain joined devices.

  2. From Load Balancer Configuration; all traffic sent to the backend servers from the load balancer MUST be over HTTPS/443 for Kerberos to function.


In a classroom environment you may also want to suppress all user prompts including the first time welcome tour and EULA.

This is to avoid students getting a slightly different experience at the start of class, which can be off-putting for tutors. To do this direct users to the special URL of:

Other SSO Methods

AppsAnywhere also supports a range of additional SSO methods for web based Single Sign On. Please refer to Single Sign On Settings for these options.

This article is focused on configuring SSO for domain joined Windows machines.

Configuring for SSO with Integrated Windows Authentication

For SSO to work on domain Windows devices using Kerberos, the following need to be in place:

  • Your AppsAnywhere appliance must be Configured for Single Sign On

  • SPN records must be created for your AppsAnywhere service account (also via the above link).

    • Single Sign On must be enabled in AppsAnywhere Admin Settings > Single Sign On

  • The Active Directory user must be imported, or be a member of an imported AD group

  • The user is logged in to a domain machine with their AD account.

  • The user is running one of the latest versions of Edge or Internet Explorer*

  • Internet Explorer is configured for automatic login either locally in Internet Options or via GPO (this is sometimes referred to as pass-thru authentication)

  • The user visits one of the above special URLs

*It is also possible to configure SSO with Google Chrome and most other browsers. We have provided some details on how to test this below but you may need to refer to the publisher for details of how to apply global browser settings in your environment.

AppsAnywhere Single Sign On Settings

As noted above; Single Sign On must be enabled in AppsAnywhere Admin Settings > Single Sign On.

However, we recommend that you leave the Action for Unauthenticated Users set to Redirect to Login. Otherwise AppsAnywhere will attempt SSO even when users visit your normal service URL (e.g.

The above is not normally desirable, as users on BYOD devices will never be able to use Integrated Windows Authentication for SSO.

Configuring your browser for testing Integrated Windows Authentication

Microsoft Edge


  1. Verify that you are logged into Windows as a user in the domain.

  2. Update Internet Options.

    1. Use Windows Search and open Internet Options 

    2. Navigate to the Security tab.

    3. Select Local Intranet

    4. Click Custom level.

    5. Select Automatic login only in Intranet zone.

    6. Click OK.

  3. Verify that the AppsAnywhere domain is part of the local intranet zone.

    1. In the Internet Options dialog box on the Security Settings tab with Local intranet still selected, click Sites.

    2. In the Local intranet dialog box, click Advanced.

    3. In the next dialog box (also titled Local intranet), type the URL of your load balanced address (e.g. in the Add this Web site to the zone box, and then click Add.

    4. In the Local intranet dialog, box click OK.

    5. In the original Local intranet dialog box, click OK.

    6. In the Internet Options dialog box, click OK.



  1. In the URL text box of the Firefox browser, enter about:config to access the advanced settings.

  2. Click I'll be careful, I promise!.

  3. Double-click network.negotiate-auth.trusted-uris in the Preference Name column.

  4. Enter your AppsAnywhere Service URL in the text box. e.g.

  5. Click OK.

  6. Double-click network.negotiate-auth.delegation-uris in the Preference Name column.

  7. Enter your AppsAnywhere Service URL in the text box e.g.

  8. Click OK.

  9. Test Kerberos functionality by using the Firefox browser to log in to login URL e.g.


To make SSO work in Google Chrome, configure Internet Explorer using the method described above (Chrome uses IE setting).

In addition, it should be noted that all new versions of Chrome automatically detect Kerberos support on the website.

If you are using one of the earlier Chrome (Chromium) versions, run it with the following parameters to make Kerberos authentication on your web servers work correctly:


For example:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe” --auth-server-whitelist="* " --auth-negotiate-delegate-whitelist="*"

Finally, test Kerberos functionality by using the Firefox browser to log in to login URL e.g.

If the Kerberos authentication is successful, the test URL goes to the Web interface.

 Deploy to managed devices

  1. Deploy the above internet settings to managed devices using Group Policy

  2. Ensure all managed devices load AppsAnywhere SSO on login using the configured URL e.g.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.