Integrated Windows Authentication (IWA) is a popular authentication mechanism used to authenticate users on Microsoft Windows servers. It uses Negotiate/Kerberos or NTLM to authenticate users based on an encrypted ticket/message passed between a browser and a server. Follow the instructions in the sections below to configure IWA for local or federated authentication in WSO2 Identity Server (IS).

Tip: This IWA authenticator is provided OOTB from WSO2 IS 5.3.0 onwards. It uses Kerberos internally and is the recommended approach, as it overcomes some limitations of the IWA authenticator provided in previous versions of WSO2 IS, which was based on NTLM (for example, having to run WSO2 IS on a Windows server). If you still want to use the previous NTLM-based IWA authenticator, it is available as an extension. For more information on how to set up the NTLM-based IWA authenticator, see Configuring IWA Single-Sign-On.

The benefits of the Kerberos-based authenticator over the NTLM-based authenticator are as follows:

  • It can be used on any operating system, unlike NTLM, which has to be run on a Windows server.
  • Kerberos offers better performance and security.

...

  1. Add a DNS host entry in the Active Directory (AD) to map the IP address of the WSO2 Identity Server to a hostname. If there are multiple Kerberos domains, WSO2 IS should have a virtual hostname for each Kerberos domain.

    Info: When adding the DNS entry, generally only the first part of the hostname is given; the AD appends its own domain to it. For example, if the AD domain is wso2.com, the final result after you add a DNS host entry will be similar to the following:

    Code Block
    Example
    idp.wso2.com

    NOTE: Kerberos does not work with IP addresses; it relies on domain names and correct DNS entries only.

  2. Open the carbon.xml file found in the <IS_HOME>/repository/conf folder and set the hostname (idp.wso2.com) in the <HostName> tag.

    Code Block
    <HostName>idp.wso2.com</HostName>
    <MgtHostName>idp.wso2.com</MgtHostName>

  3. Open the jaas.conf file found in the <IS_HOME>/repository/conf/identity folder and check if the configuration is as follows.

    Code Block
    Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=false
    storeKey=true
    useTicketCache=false
    isInitiator=false;
    };
    
    Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=false;
    };

  4. Register WSO2 IS in Active Directory using the same hostname (idp.wso2.com). To do this, use the DNS tool on the machine that is running WSO2 IS to add an entry for the hostname (idp.is.local) and map it to the local IP address.

  5. Create a service account in the Active Directory for WSO2 IS or use an existing account. (For this tutorial, the sample username of the service account is is_linux.)

    Note: The account used for WSO2 IS needs to be different from the one the user uses to log in to the application.

  6. Run the following commands to register WSO2 IS as a service principal in Active Directory. 

    Note: Replace is_linux with the username of your service account in the commands below. The format of the command is as follows: [setspn -A HTTP/<url of Identity Server> <service_account>]

    Code Block
    setspn -A HTTP/idp.wso2.com is_linux
    setspn -A HTTP/idp is_linux
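    The steps above leave three artefacts that must agree: the <HostName> in carbon.xml, the Server/Client entries in jaas.conf, and the SPNs registered with setspn. The following added example (not part of the WSO2 documentation) is a consistency check over constructed copies of those artefacts; it flags an IP literal as the hostname, a missing HTTP/<HostName> SPN, and a Server entry whose Krb5LoginModule flags differ from the ones shown in step 3.

```python
import re
import ipaddress
import xml.etree.ElementTree as ET

# Constructed samples mirroring the carbon.xml, jaas.conf and SPNs from the steps above.
CARBON_XML = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <HostName>idp.wso2.com</HostName>
  <MgtHostName>idp.wso2.com</MgtHostName>
</Server>"""
JAAS_CONF = """Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=false
storeKey=true
useTicketCache=false
isInitiator=false;
};
Client {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=false;
};"""
SPNS = ["HTTP/idp.wso2.com", "HTTP/idp"]  # as registered with setspn -A
# The Server entry is the Kerberos acceptor: it must keep its key and never initiate.
REQUIRED_SERVER_FLAGS = {"storeKey": "true", "isInitiator": "false", "useTicketCache": "false"}

def parse_jaas(text):
    """Map each `Name { ... };` JAAS entry to its option=value pairs."""
    return {name: dict(re.findall(r"(\w+)\s*=\s*([^\s;]+)", body))
            for name, body in re.findall(r"(\w+)\s*\{(.*?)\};", text, re.S)}

def check_iwa_config(carbon_xml, jaas_conf, spns):
    """Return a list of problems; an empty list means the three artefacts agree."""
    host = ET.fromstring(carbon_xml).findtext("{*}HostName")  # {*} ignores the namespace
    if not host:
        return ["carbon.xml: <HostName> is missing"]
    problems = []
    try:  # Kerberos tickets are issued for names, so an IP literal here can never work
        ipaddress.ip_address(host)
        problems.append(f"carbon.xml: HostName {host!r} is an IP literal, not a DNS name")
    except ValueError:
        pass
    if f"http/{host.lower()}" not in {s.lower() for s in spns}:
        problems.append(f"no SPN HTTP/{host} registered for the configured HostName")
    entries = parse_jaas(jaas_conf)
    server = entries.get("Server", {})  # a missing entry reports every flag as None
    for flag, want in REQUIRED_SERVER_FLAGS.items():
        if server.get(flag) != want:
            problems.append(f"jaas.conf Server: expected {flag}={want}, got {server.get(flag)}")
    if "Client" not in entries:
        problems.append("jaas.conf: Client entry is missing")
    return problems
```

    Run check_iwa_config against your own carbon.xml and jaas.conf contents and the output of setspn -L <service_account> to confirm the deployment matches the procedure before testing a login.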

...