Integrated Windows Authentication (IWA) is a popular authentication mechanism used to authenticate users on Microsoft Windows servers. It uses Negotiate/Kerberos or NTLM to authenticate users based on an encrypted ticket or message passed between the browser and the server. Follow the instructions in the sections below to configure IWA for local or federated authentication in WSO2 Identity Server (IS).
...
How IWA with Kerberos works
...
Add a DNS host entry in the Active Directory (AD) to map the IP address of the WSO2 Identity Server to a hostname. If there are multiple Kerberos domains, WSO2 IS should have a virtual host name for each Kerberos domain.
Info: When adding the DNS entry, generally only the first part of the hostname is given; the AD appends its own AD domain to it. For example, if the AD domain is wso2.com, after you add a DNS host entry the final result will be similar to the following:
```
idp.wso2.com
```
NOTE: Kerberos does not work with IP addresses; it relies on domain names and correct DNS entries only.
Open the carbon.xml file found in the <IS_HOME>/repository/conf folder and set the hostname (idp.wso2.com) in the <HostName> tag.
```xml
<HostName>idp.wso2.com</HostName>
<MgtHostName>idp.wso2.com</MgtHostName>
```
Open the jaas.conf file found in the <IS_HOME>/repository/conf/identity folder and check that the configuration is as follows.
```
Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=false
    storeKey=true
    useTicketCache=false
    isInitiator=false;
};

Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=false;
};
```
Register WSO2 IS using the same hostname (idp.wso2.com) in Active Directory. To do this, use the DNS tool on the machine that is running WSO2 IS to add an entry for the hostname (idp.is.local) and map it to the local IP address.
Create a service account in the Active Directory for WSO2 IS, or use an existing account. (For this tutorial, the sample username of the service account is is_linux.)
Note: The account used for WSO2 IS needs to be different from the one the user uses to log in to the application.
Run the following commands to register WSO2 IS as a service principal in Active Directory.
Note: Replace is_linux with the username of your service account in the commands below. The format of the command is as follows: setspn -A HTTP/<url of Identity Server> <service_account>
```
setspn -A HTTP/idp.wso2.com is_linux
setspn -A HTTP/idp is_linux
```
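A pre-flight check for the three settings that must agree before a Kerberos ticket for WSO2 IS will validate (the HostName in carbon.xml, the Server entry in jaas.conf, and the HTTP/ SPNs registered on the service account). This is an added example, not part of the WSO2 documentation or product; the file contents are constructed samples, and the list of registered SPNs is assumed to be pasted in from the AD side (for example the output of setspn -L for the service account):

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs mirroring the files configured in the steps above.
CARBON_XML = "<Server><HostName>idp.wso2.com</HostName><MgtHostName>idp.wso2.com</MgtHostName></Server>"
JAAS_CONF = """
Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=false storeKey=true useTicketCache=false isInitiator=false;
};
Client {
    com.sun.security.auth.module.Krb5LoginModule required useTicketCache=false;
};
"""

def parse_jaas(text):
    """Parse a JAAS login configuration into {entry: [(module, flag, {option: value})]}."""
    entries = {}
    for name, body in re.findall(r"(\w+)\s*\{(.*?)\};", text, re.S):
        modules = []
        for stmt in body.split(";"):          # one login module per ';'-terminated statement
            tokens = stmt.split()
            if tokens:
                module, flag, *opts = tokens
                modules.append((module, flag, dict(o.split("=", 1) for o in opts)))
        entries[name] = modules
    return entries

def carbon_hostnames(xml_text):
    root = ET.fromstring(xml_text)
    return root.findtext("HostName"), root.findtext("MgtHostName")

def expected_spns(hostname):
    # The page registers both HTTP/<fqdn> and HTTP/<short name>.
    return [f"HTTP/{hostname}", f"HTTP/{hostname.split('.')[0]}"]

def check(carbon_xml, jaas_conf, registered_spns):
    """Return a list of findings; an empty list means the three pieces agree."""
    problems = []
    host, mgt = carbon_hostnames(carbon_xml)
    if host != mgt:
        problems.append("HostName and MgtHostName differ")
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host or ""):
        problems.append("HostName is an IP address; Kerberos needs a DNS name")
    want = {"storeKey": "true", "isInitiator": "false", "useTicketCache": "false"}
    server_ok = any(m.endswith("Krb5LoginModule") and all(o.get(k) == v for k, v in want.items())
                    for m, _, o in parse_jaas(jaas_conf).get("Server", []))
    if not server_ok:
        problems.append("jaas.conf Server entry lacks Krb5LoginModule with storeKey=true, isInitiator=false, useTicketCache=false")
    have = {s.lower() for s in registered_spns}   # SPNs are matched case-insensitively by AD
    missing = [s for s in expected_spns(host) if s.lower() not in have]
    if missing:
        problems.append(f"SPNs not registered: {missing}")
    return problems
```

Run check() with the real carbon.xml and jaas.conf contents and the SPN list from AD; any finding it returns is a reason the browser will fall back to NTLM or fail authentication outright.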
...
- Set up IWA as a local authenticator or as a federated authenticator by following the steps above.
- Download and set up the travelocity sample application. To do this, follow the instructions on the Configuring Single Sign-On page.
- Edit the service provider you created for the travelocity sample, and expand the Local and Outbound Authentication section.
- Select Local Authentication or Federated Authentication (depending on which one you set up) as the Authentication Type. If you are using Federated Authentication, also select the identity provider you created above.
- Restart the Apache Tomcat server and run the travelocity sample application from a Windows machine.
...