Configuring IWA on Linux

Integrated Windows Authentication (IWA) is a popular authentication mechanism that is used to authenticate users in Microsoft Windows servers. It uses Negotiate/Kerberos or NTLM to authenticate users based on an encrypted ticket/message passed between a browser and a server. Follow the instructions in the sections below to configure IWA for local or federated authentication in WSO2 Identity Server (IS). 

Tip: This IWA authenticator is provided OOTB and has been available since WSO2 IS 5.3.0. It uses Kerberos internally and is the recommended approach, as it overcomes some limitations of the IWA authenticator provided in previous versions of WSO2 IS, which was based on NTLM. If you still want to use the previous NTLM-based IWA authenticator, it is available as an extension. For more information on how to set up the NTLM-based IWA authenticator, see Configuring IWA Single-Sign-On.

The benefits of using the authenticator based on Kerberos vs the authenticator based on NTLM are as follows:

  • Can be used on any operating system unlike NTLM which has to be run on a Windows server.

  • Kerberos offers better performance and security than NTLM.

Related Links

How IWA with Kerberos works

Setting up IWA

  1. Add a DNS host entry in the Active Directory (AD) to map the IP address of the WSO2 Identity Server to a hostname. If there are multiple Kerberos domains, WSO2 IS should have a virtual host name for each Kerberos domain.

  2. Open the carbon.xml file found in the <IS_HOME>/repository/conf folder and set the hostname (idp.wso2.com) in the <HostName> tag. 

    <HostName>idp.wso2.com</HostName>
    <MgtHostName>idp.wso2.com</MgtHostName>

  3. Open the jaas.conf file found in the <IS_HOME>/repository/conf/identity folder and check that the configuration is as follows. (Refer to this for more information on JAAS.)

    Server {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=false
        storeKey=true
        useTicketCache=false
        isInitiator=false;
    };

    Client {
        com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=false;
    };

  4. Register WSO2 IS using the same hostname (idp.wso2.com) in Active Directory. To do this, use the DNS tool on the machine that is running WSO2 IS to add an entry for the hostname (idp.is.local), and map it to the local IP address.

  5. Create a service account in the Active Directory for WSO2 IS or use an existing account. (For this tutorial, the sample username of the service account is is_linux).

  6. Run the following commands to register WSO2 IS as a service principal in Active Directory. 

    setspn -A HTTP/idp.wso2.com is_linux
    setspn -A HTTP/idp is_linux

You can now set up IWA either as a local authenticator or as a federated authenticator. 

Configuring WSO2 IS with IWA as a local or federated authenticator

  1. Follow the steps above to set up IWA. 

  2. Start the WSO2 IS server and log in to the management console.

  3. Navigate to Main>Identity Providers and click Add. Enter a name for the identity provider. 

  4. Expand the Federated Authenticators section and then expand IWA Federated Configuration

  5. Fill in the fields as follows:

  6. Configure your browser to support Kerberos and NTLM. The tabs below explain how to configure each browser. 

Testing the IWA authenticator

  1. Set up IWA as a local authenticator or as a federated authenticator by following the steps above. 

  2. Download and set up the Travelocity sample application. To do this, follow the instructions on the Configuring Single Sign-On page. 

  3. Edit the service provider you created for the Travelocity sample, and expand the Local and Outbound Authentication section. 

  4. Select Federated Authentication as the Authentication Type and select the identity provider you created above.

  5. Restart the Apache Tomcat server and run the Travelocity sample application from a Windows machine. 
     

Troubleshooting Tips
  • Use hostnames only (no IP addresses).

  • Check the configuration of the jaas.conf file, particularly the isInitiator=false property under the Server section (see step 3 of the Setting Up IWA section).

  • Make sure that your service principal (IS) is associated with only one account.

  • If you get an exception with an error message similar to “Checksum failed”, check whether you have given the correct password.
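The following script is an added example and is not part of the WSO2 documentation or product. It automates the first two troubleshooting tips above against the files written in steps 2 and 3 of the Setting up IWA section: it reads the hostnames from carbon.xml and rejects IP literals, and it parses jaas.conf to confirm that the Server entry carries isInitiator=false, storeKey=true and useTicketCache=false and that a Client entry exists. It also derives the two SPNs that step 6 registers from the configured hostname. The function names (check_iwa_config, parse_jaas, expected_spns) and the embedded carbon.xml and jaas.conf samples are constructed for this example; the hostname idp.wso2.com is the one the page uses.

```python
"""Offline sanity checks for the IWA (Kerberos) configuration.

Constructed example: the carbon.xml fragment and jaas.conf below are
sample inputs that mirror the values used in the steps above; in practice
read <IS_HOME>/repository/conf/carbon.xml and
<IS_HOME>/repository/conf/identity/jaas.conf instead.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

SAMPLE_CARBON_XML = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
    <HostName>idp.wso2.com</HostName>
    <MgtHostName>idp.wso2.com</MgtHostName>
</Server>
"""

SAMPLE_JAAS_CONF = """Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=false
    storeKey=true
    useTicketCache=false
    isInitiator=false;
};
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=false;
};
"""

# Settings the Server entry must carry for the acceptor side of Kerberos
# (see step 3 and the second troubleshooting tip).
REQUIRED_SERVER_OPTIONS = {
    "isInitiator": "false",
    "storeKey": "true",
    "useTicketCache": "false",
}


def parse_jaas(text):
    """Parse a JAAS login configuration of the simple form
    'Name { Module flag key=value ... ; };' into {entry: {key: value}}."""
    entries = {}
    for match in re.finditer(r"(\w+)\s*\{(.*?)\};", text, re.S):
        name, body = match.group(1), match.group(2)
        entries[name] = dict(re.findall(r"(\w+)=([^\s;]+)", body))
    return entries


def hostnames_from_carbon_xml(text):
    """Return {'HostName': ..., 'MgtHostName': ...} regardless of namespace."""
    found = {}
    for element in ET.fromstring(text).iter():
        tag = element.tag.split("}")[-1]  # strip the carbon.xml namespace
        if tag in ("HostName", "MgtHostName"):
            found[tag] = (element.text or "").strip()
    return found


def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def expected_spns(hostname):
    """The two SPNs step 6 registers: HTTP/<fqdn> and HTTP/<short name>."""
    return [f"HTTP/{hostname}", f"HTTP/{hostname.split('.')[0]}"]


def check_iwa_config(carbon_xml, jaas_conf):
    """Return a list of problems; an empty list means both files pass."""
    problems = []

    hosts = hostnames_from_carbon_xml(carbon_xml)
    for tag in ("HostName", "MgtHostName"):
        value = hosts.get(tag)
        if not value:
            problems.append(f"carbon.xml: <{tag}> is missing or empty")
        elif is_ip_literal(value):
            # First troubleshooting tip: Kerberos SPNs need a DNS hostname.
            problems.append(f"carbon.xml: <{tag}> is an IP address ({value}); use the AD hostname")

    entries = parse_jaas(jaas_conf)
    server = entries.get("Server")
    if server is None:
        problems.append("jaas.conf: no Server entry")
    else:
        for key, wanted in REQUIRED_SERVER_OPTIONS.items():
            if server.get(key) != wanted:
                problems.append(f"jaas.conf: Server.{key} should be {wanted}, found {server.get(key)}")
    if "Client" not in entries:
        problems.append("jaas.conf: no Client entry")
    return problems


if __name__ == "__main__":
    issues = check_iwa_config(SAMPLE_CARBON_XML, SAMPLE_JAAS_CONF)
    print("configuration OK" if not issues else "\n".join(issues))
    print("SPNs to register:", expected_spns("idp.wso2.com"))
```

The third tip (one account per service principal) cannot be verified from the local files; it has to be checked against Active Directory itself, for example with setspn -X on a domain-joined Windows machine, which reports duplicate SPNs.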
