Supporting Windows authentication

PowerBuilder 2025 R2 provides built-in support for Windows authentication in PowerServer and PowerClient. With this feature, apps can use the Windows login that users already entered when signing in to their computers. As a result, users no longer need to manage a separate username and password for the app.

Note

During application upgrades, developers should temporarily enable Anonymous Authentication in IIS, because older client applications do not support Windows Authentication until the upgrade is installed. After the upgrade is complete, Anonymous Authentication can be disabled and users can then access the application using the configured Windows Authentication settings.

For instructions on enabling or disabling Anonymous Authentication in IIS, refer to Server configuration.

Authentication modes

Three modes are available:

  • 0 = Anonymous – Users can access the application or Web APIs without providing any credentials. This mode is generally used for testing or for resources intended to be publicly accessible. It provides no security protection and should not be used in production unless required.

  • 1 = Integrated – The app automatically uses the current Windows login. If this fails, a login dialog appears.

  • 2 = UserPassword – The user is prompted to enter Windows credentials. The user can choose to save their credentials by selecting "Remember me" in the login dialog for future use (and can remove the cached credentials through the Windows Credential Manager later).

Project configuration

PowerClient applications

In the PowerClient project painter > Security page, choose the authentication mode under Windows authentication (client) for file download. This setting determines the authentication used when downloading application files and is stored in apprun.json on the server (remember to include apprun.json when deploying the app) and pbapp.ini on the client.

PowerServer Web APIs

In the PowerServer project painter > Security page > Server security section, choose the authentication mode under Web API authentication. This setting determines the authentication used for Web API requests and is stored in appconfig.json on the server.

PowerServer cloud apps

In the PowerServer project painter > Security page > App security section, choose the authentication mode under Windows authentication (client) for file download. This setting determines the authentication used when downloading application files and is stored in apprun.json on the server (remember to include apprun.json when deploying the app) and pbapp.ini on the client.

Server configuration

Currently, Windows Authentication is supported only when applications are hosted on IIS.

Step 1: Enable IIS Windows Authentication Feature

  • Open Server Manager on the Windows server.

  • Go to Add Roles and Features.

  • Under Server Roles, make sure Web Server (IIS) is installed.

  • In Role Services, enable Windows Authentication.

Step 2: Configure IIS Authentication for the Application

  • Open the IIS Manager and navigate to the application site.

  • Select Authentication under the IIS section.

  • Enable Windows Authentication.

  • Disable Anonymous Authentication if you want to force Windows login.

Step 3: Configure Authentication in PowerServer Project

After IIS has been set up, configure the authentication mode inside the PowerServer project:

  • In the project painter, go to the Security page.

  • For Web APIs, select the authentication mode under Web API authentication.

  • For app file downloads, select the authentication mode under Windows authentication (client) for file download.
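Steps 1 and 2 can also be scripted and checked from an elevated PowerShell session on the server. The following is an added example, not code from the PowerBuilder documentation; it uses the standard ServerManager and WebAdministration cmdlets, and the site name and application path are placeholders to replace with your own.

```powershell
#Requires -RunAsAdministrator
# Added example: enable and audit IIS authentication for one application.
Import-Module WebAdministration

$Site     = 'Default Web Site'   # assumption: IIS site that hosts the app
$App      = 'cloudapp1'          # assumption: application path under the site
$Location = "$Site/$App"
$AuthRoot = 'system.webServer/security/authentication'

# Step 1: install the Windows Authentication role service if it is missing.
if (-not (Get-WindowsFeature -Name Web-Windows-Auth).Installed) {
    Install-WindowsFeature -Name Web-Windows-Auth | Out-Null
}

function Set-AppAuthentication {
    param([Parameter(Mandatory)][bool]$AllowAnonymous)
    # Step 2: Windows Authentication is always on. Anonymous stays on only
    # while older clients are still being upgraded (see the Note above).
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$AuthRoot/windowsAuthentication" -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$AuthRoot/anonymousAuthentication" -Name enabled -Value $AllowAnonymous
}

function Get-AppAuthentication {
    # Read back the effective settings so the result can be reviewed or logged.
    $win  = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$AuthRoot/windowsAuthentication" -Name enabled).Value
    $anon = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$AuthRoot/anonymousAuthentication" -Name enabled).Value
    # Provider order matters: Negotiate listed first lets clients try
    # Kerberos before falling back to NTLM.
    $providers = (Get-WebConfiguration -PSPath 'IIS:\' -Location $Location `
        -Filter "$AuthRoot/windowsAuthentication/providers").Collection |
        ForEach-Object { $_.value }
    [pscustomobject]@{
        Location         = $Location
        WindowsAuth      = $win
        AnonymousAuth    = $anon
        Providers        = $providers -join ', '
        ForcesWindowsLogin = ($win -and -not $anon)
    }
}

# After the upgrade has reached all clients: turn Anonymous off and verify.
Set-AppAuthentication -AllowAnonymous $false
$state = Get-AppAuthentication
$state | Format-List
if (-not $state.ForcesWindowsLogin) {
    Write-Warning "Anonymous access is still possible at '$Location'."
}
```

During an upgrade window, call `Set-AppAuthentication -AllowAnonymous $true` instead, then rerun the script as written once the upgrade is installed so Anonymous Authentication does not stay enabled by accident.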

Related functions and events

  • Use the CloudAppGet and CloudAppSet functions to get or change the authentication mode for Web APIs.

    These functions are effective only for PowerServer Web APIs, and they override the IDE settings.

    CloudAppSet("apiwinauth", "1")   // enable Integrated mode
    CloudAppGet("apiwinauth", string_value)   // read the current mode into string_value
    
  • Use the SessionCreating event to adjust the PowerServer Web API URL, authentication settings, and so on programmatically. SessionCreating is fired before the session is created.

When prompts appear

Windows considers each type of access — such as opening a website, downloading application files, or calling a Web API — as an independent resource. For security, Windows performs a separate authentication check for each resource. That means even though all these actions belong to the same application, Windows still verifies credentials separately, ensuring that access to one resource does not automatically grant access to another.

Because of this, users may see more than one login prompt in the following PowerServer scenarios (PowerClient behaves similarly in scenarios 1 and 2):

  • Scenario 1: Accessing the Website

    When opening the Web Portal, IIS or a proxy may ask for Windows login (often shown as "Sign in to access this site"). This is standard Windows behavior.

    • When it appears: If IIS has enabled Windows authentication and the application is accessed from a web browser.

    • How to avoid it: This prompt is NOT related to the PowerServer project settings. You can change the browser settings to avoid this prompt, or launch the application from a desktop shortcut (no prompt).

  • Scenario 2: Downloading the app via launcher

    When the Cloud App Launcher downloads app files, it may ask for login. The dialog usually shows the launcher name (for example, "AppLauncher_V3").

    • When it appears: If IIS has enabled Windows authentication and the PowerServer app security is set to Windows authentication (User password).

    • How to avoid it: Change the PowerServer app security to Windows authentication (Integrated).

  • Scenario 3: Calling Web APIs from the app

    When the app calls the Web API, another login may appear. The dialog usually shows the app name (for example, "cloudapp1").

    • When it appears: If IIS has enabled Windows authentication and the PowerServer Web API authentication is set to Windows authentication (User password).

    • How to avoid it: Change the PowerServer Web API authentication to Windows authentication (Integrated). Alternatively, if the user selected "Remember me" (not selected by default), the credentials will be cached and automatically reused on the client. Users can later remove these cached credentials through the Windows Credential Manager.

These prompts are not duplicates—they are Windows' way of protecting different resources separately. If your environment uses Kerberos or SSO, Windows reuses the credentials silently, so users normally only log in once. If NTLM or Basic authentication is used, prompts may appear more than one time.