Skip to main content

Integrated Windows Authentication

Integrated Windows Authentication (IWA) is an authentication using the Kerberos token of the user Windows session.
For a user point of view, it's a passwordless authentication:

  • when a user logs in to his computer, he receives a Kerberos token from Active Directory.

  • when the user goes to Trustelem, the browser sends the Kerberos token from the computer to Trustelem.

  • Trustelem sends the Kerberos token to Active Directory in order to validate it.
    If everything is ok, the user is logged in, with his identity based on the Kerberos token.

Trustelem admin configuration

The option « Integrated Windows Authentication » under security tab ( https://admin-mydomain.trustelem.com/app#/security) must be enabled.
In addition, you need to check the following points:

  • the IP range of your internal network must be properly set and the user authentication must come from this network (IWA is only enabled on the internal zone).

  • the authentications must be done through https://mydomain.trustelem.com (Trustelem admin console does not allow IWA).

  • a Trustelem ADConnect connector linked to your Active Directory must be active and running.

  • the user whose Windows session is running must have been previously imported from your Active Directory server.
    Note: your logs ( https://admin-mydomain.trustelem.com/app#/logs) will have a login failure entry with the users identity if a user from your domain is identified by IWA but was not registered with Trustelem.

Server configuration

  • Connect to one of your servers as a domain administrator.

  • Open a command interpreter and enter the following command, after replacing 'trustelem-user' with the name of the user running Trustelem ADConnect connector:

setspn -s HTTP/mydomain.trustelem.com trustelem-user

Client configuration

Enabling IWA on your clients is a browser-specific operation.

  • Connect to a domain controller as a domain administrator

  • Download the file present in this link https://support.google.com/chrome/a/answer/187202

  • Extract the folder

  • Open the Group Policy Management Console (gpmc.msc)

  • Choose an existing GPO or create a new one

iwa_google_gpo.png

  • Edit the policy (Right click > Edit)

  • Navigate to User Configuration/Policies/Administrative Template, right click > "Add/Remove a template"

  • Click on "Add" and select the file in the previously extracted folder (policy_template/windows/adm/{langue}/chrome.adm)

iwa_chrome_add_adm.png

  • Navigate to User Configuration/Policies/Administrative Template/Classic Administrative Templates(ADM)/Google/Google Chrome/Policies for HTTP Authentication/Authentication server whitelist, right click > "Edit".

iwa_chrome_select.png

  • Click on "Enabled" and enter "*.trustelem.com" in the value field

iwa_chrome_whitelist.png

  • Navigate to User Configuration/Policies/Administrative Template/Classic Administrative Templates(ADM)/Google/Google Chrome/Policies for HTTP Authentication/Supported authentication schemes, right click > "Edit"

  • Click on "Enabled" and enter "negotiate" in the value field

iwa_chrome_auth.png

  • Verify that the GPO is enabled and linked to your domain

Note: with the new Edge based on Chromium, you have to go here: https://www.microsoft.com/en-us/edge/business/download?form=MA13FJ and click on Download Windows XX-bit policy. Then follow the Google GPO process.

  • Connect to a domain controller as a domain administrator

  • Open the Group Policy Management Console (gpmc.msc)

  • Choose an existing GPO or create a new one

iwa_ie_gpo.png

  • Edit the policy (Right click > Edit)

  • Navigate to User Configuration/Policies/Administrative Template/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List, right click > "Edit"

  • Click on "Enabled" and enter "*.trustelem.com" in the first field and "1" (Intranet zone) in the second field

iwa_ie_sites.png

  • Navigate to User Configuration/Policies/Administrative Template/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone/Logon Options, right click > "Edit"

  • Click on "Enabled" and choose "Automatic logon with current username and password"

iwa_ie_logon.png

  • Check that the GPO is enabled and linked to your domain

  • Connect to a domain controller as a domain administrator

  • Download the GPO: https://github.com/mozilla/policy-templates/releases

  • Extract the folder, copy firefox.admx and firefox.adml for windows to your policy folder (usually C://Windows/PolicyDefinitions).

  • Open the Group Policy Management Console (gpmc.msc)

  • Choose an existing GPO or create a new one

  • Edit the policy (Right click > Edit)

  • Navigate to User Configuration/Policies/Administrative Templates/Firefox/Authenticaton/SPNEGO, right click > "Edit".

iwa_firefox_gpo.png

  • Click on "Enabled" then "Show" and enter "https://mydomain.trustelem.com" in the value field

iwa_firefox_select.png

  • Verify that the GPO is enabled and linked to your domain

  • In the Windows start menu, search: Internet Options > Security

  • Select Local Intranet, then click on Sites

  • In the Local Intranet window, make sure that Include all local sites (intranet) not mentioned in other zones is checked, the click on Advanced

  • In the Local Intranet window, enter *.trustelem.com to the zone, so as to activate Single Sign-On. Click on OK, the close the Local Intranet window

  • In the Internet Options > Security > Local Intranet window, click on Custom Level... > User Authentication and choose Automatic logon with current username and password

  • Click on OK. Restart Microsoft Internet Explorer / Edge so as to activate this configuration

  • On user desktops, open an Active Directory-authenticated session

  • Launch Firefox

  • In the address bar, enter about:config

  • Select the network.negotiate-auth.trusted-uris parameter

  • Enter your custom Trustelem hostname: mydomain.trustelem.com or add it to the list, separated by commas

  • Click OK

  • Restart Firefox