Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Integrated Windows Authentication (IWA) is a popular authentication mechanism that is used to authenticate users in Microsoft Windows servers. It uses Negotiate/Kerberos or NTLM to authenticate users based on an encrypted ticket/message passed between a browser and a server. Follow the instructions in the sections below to configure IWA for local or federated authentication in WSO2 Identity Server (IS). 

...

  1. Add a DNS host entry in the Active Directory (AD) to map the IP address of the WSO2 Identity Server to a hostname. If there are multiple kerberos domains, WSO2 IS should have a virtual host name for each kerberos domain.

    Info

    When adding the DNS entry, generally the first part of the hostname is given. The AD will append the rest with it's AD domain. For example, if the AD domain is wso2.com, after you add a DNS host entry, the final result will be similiar to the following:

    Code Block
    titleExample
    idp.wso2.com

    NOTE: Kerberos does not work with IP addresses, it relies on domain names and correct DNS entries only.

  2. Open the carbon.xml file found in the <IS_HOME>/repository/conf folder and set the hostname (idp.wso2.com) in the <HostName> tag. 

    Code Block
    languagexml
    <HostName>idp.wso2.com</HostName>
    <MgtHostName>idp.wso2.com</MgtHostName>\
  3. Open the jaas.conf file found in the <IS_HOME>/repository/conf/identity folder and check if the configuration is as follows.

    Code Block
    Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=false
    storeKey=true
    useTicketCache=false
    isInitiator=false;
    };
    
    Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=false;
    };
  4. Register WSO2 IS using the same hostname (idp.wso2.com) in Active Directory. To do this, use the DNS tool on the machine that is running WSO2 IS to add an entry for the hostname (idp.is.local), and map it to the local ip address.

  5. Create a service account in the Active Directory for WSO2 IS or use an existing account. (For this tutorial, the sample username of the service account is is_linux).

    Note

    Note: The account used for WSO2 IS needs to be different from the one used by the user to login to the application.

  6. Run the following commands to register WSO2 IS as a service principal in Active Directory. 

    Note

    Note: Replace is_linux with the username of your service account in the command below. The format of the command is as follows: [setspn -A HTTP/<url of Identity Server> <service_account>]

    Code Block
    setspn -A HTTP/idp.wso2.com is_linux
    setspn -A HTTP/idp is_linux

...

  1. Follow the steps above to set up IWA. 

  2. Start the WSO2 IS server and login to the management console.
  3. Navigate to Main>Identity Providers and click Add. Enter a name for the identity provider. 
  4. Expand the Federated Authenticators section and then expand IWA Federated Configuration
  5. Fill in the fields as follows:

    FieldDescriptionSample Value
    EnableEnable this to enable a custom authenticator for the identity provider.Selected
    Server Principal Name

    The SPNName should be the SPN you registered in step 6 of Setting up IWA, with the Active Directory domain. The SPNName follows this format:

    Code Block
    languagebash
    <service class>/<host>@<AD domain>

    For example,

    If the SPN is HTTP/idp.wso2.com, where HTTP is a service class (in this case, HTTP is not the standard protocol; it is the service class) and IS.wso2.com is the Active Directory domain, the SPNName will be HTTP/idp.wso2.com@wso2.com

    HTTP/idp.wso2.com@wso2.com
    Server Principal Password The SPNPassword should be the password of the service account associated with the SPN (the service account created in step 6 of Setting up IWA).-
    User store domains

    [Mandatory only if you want to use IWA as a local authenticator]

    The mounted user stores in which you want the user’s existence to be checked in.

    • To configure IWA as a local authenticator, mount the user store domain names of the relevant user stores that you expect the user to be in.
    • To configure IWA as a federated authenticator, leave this field blank.
    PRIMARY
    Panel
    Localtabgroup
    Localtab
    activetrue
    titleIWA as a Local Authenticator

    Image RemovedImage Added

    Localtab
    titleIWA as a Federated Authenticator

    Image RemovedImage Added

  6. Configure your browser to support Kerberos and NTLM. For more information on how to do this, see the following article

...

  1. Set up IWA as a local authenticator or as a federated authenticator by following the steps above. 
  2. Download and set up the travelocity sample application. To do this, follow the instructions on the Configuring Single Sign-On page. 

  3. Edit the service provider you created for the travelocity sample, and expand the Local and Outbound Authentication section. 

  4. Select Select Local Authentication or  or Federated Authentication (depending on which one you set up), as the the Authentication Type.Select IWA as the authenticator. 
  5. If you are using Federated Authentication, select the identity provider you created above.
    Image Added
  6. Restart the Apache Tomcat server and run the travelocity sample application from a Windows machine. 
     

...