This article helps to set up domain/integrated domain authentication in the web application deployed on ASP.NET web server (Internet Information Services). Before setting up the web application add domain users in the desktop application security manager and grant them necessary access permissions.
To set up authentication in Foresight Analytics Platform web application, follow the steps:
Make sure that web server settings are determined:
If the repository, which is supposed to work with, is based on Oracle DBMS, execute additional setup of DBMS server and client computer. This step can be skipped for other DBMS.
Set up IIS.
Make sure that Windows authentication is enabled in the IIS services:
Open the IIS services manager by executing the inetmgr command in the command line. In the Connections tree select the server connection (localhost). Next, in the functions list (to the right of the connections) select 
Authentication and double-click to open it. The Enabled value should be set for the Windows Authentication item in the Status column.
Change the following parameters for the pool that uses the web application:
Load User Profile. Set the False value.
Certificate. Set the NetworkService value.
Set up web application. Depending on the selected authentication type, in the PP.xml file in the <metabase> section add the authentication attribute with the following values:
For domain authentication: authentication=”Domain”.
For integrated domain authentication: authentication=”IntegratedDomain”.
In the Connections tree for the web application in the functions list open Authentication. Enable the ASP.NET Impersonation and the Windows Authentication settings, the rest of the settings should be disabled. The user can enable the Basic Authentication setting instead of the Windows Authentication setting.
Make sure that anonymous authentication is enabled for the Config folder. To do this, select the Config folder inside the web application and open Authentication in the functions list. If the Anonymous Authentication checkbox is deselected, select it by selecting the appropriate context menu item.
Set up BI server:
For BI server application, open Authentication in the functions list, select the Windows Authentication checkbox and disable other settings.
Set up web server:
If the web server is located in a domain, the Trust Computer for Delegation item must be set. The Account is Sensitive and cannot be Delegated checkbox in the Active Directory must be deselected for user accounts.
NOTE. This setting is mandatory if integrated domain authentication works according to Kerberos protocol. To execute the setting, the user must have local network administrator permissions.
To log in to the system when domain authentication is used on the server with installed BI server and web application back end, the users must have the Interactive Logon privilege (LOGON32_LOGON_INTERACTIVE) on domain level.
Browser settings:
In browser settings include this server to the list of allowed nodes or local network.
NOTE. To connect to the site, use server name because Kerberos protocol does not support work with IP addresses. Kerberos supports work with the following browsers: Yandex.Browser, Chromium-Gost, Opera, Google Chrome, Mozilla Firefox and Chromium.
For Microsoft Edge additionally create the AuthNegotiateDelegateAllowlist and AuthServerAllowlist parameters on local computers of all users in one of the registry sections:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge] for everyone who uses the computer.
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Edge] only for me.
Check web application performance.
See also:
Foresight Analytics Platform authentication | Integrated Domain Authentication Using Service Reference