Securing the Web Server
This page explains how to configure the authentication method for your xAssets web server and how to protect it with SSL. Choosing the right authentication method is one of the first decisions when deploying xAssets, as it affects how users log in and how user accounts are provisioned.
Authentication Methods
xAssets supports three authentication methods. You can use one method or combine database authentication with SSO:
| Method | How It Works | Best For |
|---|---|---|
| Windows Authentication | Users authenticate via their Windows/Active Directory credentials. IIS handles authentication before xAssets sees the request. | On-premise deployments where all users are on the same Active Directory domain |
| Database Authentication | IIS runs with anonymous access enabled. xAssets presents its own login page and authenticates users against credentials stored in the xAssets database. | Hosted deployments, mixed environments, or when users are not on a single domain |
| Single Sign-On (SSO) | Users authenticate via an external identity provider (Azure AD, Okta, OneLogin, Duo, or any SAML provider). See the Single Sign-On chapter for full details. | Organisations with a centralised identity provider |
Windows Authentication Setup
When using Windows Authentication:
- Create two Active Directory security groups: xAssets Users and xAssets Admins.
- Add your users to the appropriate AD group.
- In IIS Manager, disable Anonymous Authentication and enable Windows Authentication on the xAssets site.
- Set NTFS permissions on the IIS folders:
  - Web root folder -- grant the xAssets Users group Read and Execute access.
  - Web database subfolders (where xAssets writes temporary files) -- grant the xAssets Users group Read and Write access.
- Create matching user records in xAssets for each Windows user (the User ID must match their Windows username).
Tip: With Windows Authentication, users are never prompted for credentials by xAssets -- the browser negotiates authentication automatically using the logged-in Windows session. If users see a credentials prompt, check that the site URL is in the browser's Local Intranet zone.
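The IIS and NTFS steps above, scripted in PowerShell as an added example (not taken from the xAssets documentation): it switches the site's authentication modes, applies the two NTFS grants to the xAssets Users group, and reads both back for verification. The site name, folder paths and domain name are assumptions; adjust them to your environment and run from an elevated prompt on the web server.

```powershell
# Added example, not part of the xAssets documentation. The site name, paths
# and domain below are assumptions; the group name comes from the setup steps.
Import-Module WebAdministration

$SiteName   = 'xAssets'                   # assumed IIS site name
$WebRoot    = 'C:\inetpub\xAssets'        # assumed web root folder
$WriteDirs  = @("$WebRoot\WebDatabase")   # assumed subfolder(s) xAssets writes temp files to
$UsersGroup = 'CONTOSO\xAssets Users'     # AD group from the setup steps; domain assumed

# 1. IIS: disable Anonymous Authentication, enable Windows Authentication on the site.
$authBase = 'system.webServer/security/authentication'
$appHost  = 'MACHINE/WEBROOT/APPHOST'
Set-WebConfigurationProperty -PSPath $appHost -Location $SiteName `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $SiteName `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true

# Grants an inheritable Allow rule, replacing any existing Allow rule for the identity.
function Grant-FolderAccess {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    $acl  = Get-Acl -Path $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 2. NTFS: Read and Execute on the web root for xAssets Users.
Grant-FolderAccess -Path $WebRoot -Identity $UsersGroup -Rights 'ReadAndExecute'

# 3. NTFS: Read and Write (no Execute) on the folders xAssets writes to.
foreach ($dir in $WriteDirs) {
    Grant-FolderAccess -Path $dir -Identity $UsersGroup -Rights 'Read, Write'
}

# 4. Verify: expect Anonymous False / Windows True, then one rule per folder.
$anon = Get-WebConfigurationProperty -PSPath $appHost -Location $SiteName `
    -Filter "$authBase/anonymousAuthentication" -Name enabled
$win  = Get-WebConfigurationProperty -PSPath $appHost -Location $SiteName `
    -Filter "$authBase/windowsAuthentication" -Name enabled
"Anonymous: $($anon.Value)  Windows: $($win.Value)"
foreach ($dir in @($WebRoot) + $WriteDirs) {
    (Get-Acl -Path $dir).Access |
        Where-Object { $_.IdentityReference.Value -eq $UsersGroup } |
        Select-Object @{n='Folder';e={$dir}}, FileSystemRights, AccessControlType
}
```

If the xAssets Admins group needs different folder rights, call Grant-FolderAccess again with that identity rather than widening the xAssets Users grant.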
Database Authentication Setup
When using Database Authentication:
- In IIS Manager, enable Anonymous Authentication and disable Windows Authentication on the xAssets site.
- Create user accounts in xAssets via Admin > Users and assign each user a password.
- Users will see the xAssets login page and must enter their username and password.
Warning: With database authentication, passwords are stored in the xAssets database. Always use SSL/HTTPS (see below) to protect credentials in transit. Consider enabling Multi-factor Authentication for additional security.
SSL/HTTPS
All xAssets version 6 and later products support SSL/HTTPS. SSL is strongly recommended for any installation accessible over a public network, and is required for SSO authentication.
To enable SSL:
- Obtain an SSL certificate from a certificate authority (or use an internal CA for intranet-only deployments).
- In IIS Manager, import the certificate and bind it to port 443 on the xAssets site.
- Optionally configure a redirect from HTTP (port 80) to HTTPS (port 443) to ensure all traffic is encrypted.
- Update the xAssets site URL in Settings if it has changed from http:// to https://.
Related Articles
- Users — creating and managing user accounts
- Multi-factor Authentication — adding a second verification step
- Single Sign-On — configuring SSO with external identity providers
- User Groups — controlling what authenticated users can see and do