Integrated Windows login, IWA
Used to leverage a Windows login already performed on a domain-connected client. Requires the AuthN module to be deployed.
Configuration
Common Authenticator configuration can be found here.
Property: package
Default: Negotiate

Property: error_url
Description: Where to redirect the user if authentication fails.
Default: N/A

Property: custom_identifier
Description: Tag used for event separation.
Default: N/A
{
    "id": "iwa",
    "type": "IwaAuthentication",
    "config": {
        "base_path": "/saml/authn",
        "context_path": "/saml/authn/iwa"
    }
}

The property base_path should not contain the full path when the authenticator is used in conjunction with the Selector; in that case the full URI is handled by the Selector. The full path will be base_path + "/" + id.
Logging
Apart from system logging, event logging is done when starting, completing, and failing a transaction.
Event ids are:
WEB_100015 ("Authenticated using Integrated Windows Authentication")
    IDENTIFIER (user trace id)
    CUSTOMER_IDENTIFIER (if configured)
    SOURCE_USER_NAME (Windows username)
    SOURCE_ADDRESS (IP of the remote session)
    AUTHENTICATOR_IDENTIFIER (id and display name)
WEB_100016 ("Failed authentication using Integrated Windows Authentication")
    IDENTIFIER (user trace id)
    CUSTOMER_IDENTIFIER (if configured)
    SOURCE_ADDRESS (IP of the remote session)
    AUTHENTICATOR_IDENTIFIER (id and display name)
Data exposed to global state
After a user completes a transaction, the authenticator is marked as done. Data from the authentication response is then put into the global state replacing existing values:
username
Prerequisite
Integrity must be running on a Windows server joined to the domain in which IWA is to take place.
Integrity must run under an actual domain account belonging to the same domain that the server is joined to.
Ensure that a DNS A record exists for the host; the record must be of type A.
An SPN registration must be made connecting the DNS name, protocol and account. This is done using the setspn command:
For testing on the same host, run the following in PowerShell:
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableLoopbackCheck" -Value "1" -PropertyType DWORD
This is NOT a recommended production setting. Only for testing.
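The following is an added verification script, not part of the product documentation: it checks the prerequisites listed above on the Integrity host (domain membership, DNS A record, service account, SPN, and whether the test-only DisableLoopbackCheck value is set). The host name, service account, service name and the HTTP service class of the SPN are assumptions to adapt to your environment.

```powershell
# Added example (not the product's own code): verify IWA prerequisites on this host.
# All three parameter defaults are placeholders for your environment.
param(
    [string]$HostFqdn       = "idp.example.local",      # assumed DNS name used by clients
    [string]$ServiceAccount = "EXAMPLE\svc-integrity",  # assumed domain account running Integrity
    [string]$ServiceName    = "Integrity"               # assumed Windows service name
)
$ok = $true

# 1. The server must be joined to the domain where IWA takes place.
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) { Write-Warning "Host is not domain joined"; $ok = $false }
else { Write-Host "Joined to domain: $($cs.Domain)" }

# 2. A DNS record of type A must exist for the host name (a CNAME alone is not enough).
$dns = Resolve-DnsName -Name $HostFqdn -Type A -ErrorAction SilentlyContinue
if (-not ($dns | Where-Object { $_.Type -eq 'A' })) {
    Write-Warning "No A record found for $HostFqdn"; $ok = $false
} elseif ($dns | Where-Object { $_.Type -eq 'CNAME' }) {
    Write-Warning "$HostFqdn resolves via a CNAME; an A record is required"; $ok = $false
}

# 3. The service must run under a domain account of the same domain (not LocalSystem etc.).
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { Write-Warning "Service $ServiceName not found"; $ok = $false }
elseif ($svc.StartName -ne $ServiceAccount) {
    Write-Warning "Service runs as '$($svc.StartName)', expected '$ServiceAccount'"; $ok = $false
}

# 4. An SPN tying the protocol (assumed HTTP service class) and DNS name to the account
#    must be registered; setspn -L lists the SPNs currently on the account.
$spns = & setspn -L $ServiceAccount 2>&1
if (-not ($spns | Where-Object { "$_".Trim() -ieq "HTTP/$HostFqdn" })) {
    Write-Warning "SPN HTTP/$HostFqdn is not registered on $ServiceAccount"; $ok = $false
}

# 5. DisableLoopbackCheck is a test-only setting; flag it so it does not reach production.
$lsa = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' `
    -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
if ($lsa -and $lsa.DisableLoopbackCheck -eq 1) {
    Write-Warning "DisableLoopbackCheck=1 is set on this host (testing only, not for production)"
}

if ($ok) { Write-Host "All IWA prerequisites look satisfied" } else { Write-Host "Prerequisites missing, see warnings" }
```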
API
This authenticator has no UI.
