Integrated Windows Authentication

Integrated Windows Authentication (IWA) is a Trustelem authentication method that relies on the Kerberos ticket of the user's Windows session.
Its purpose is to authenticate the user on Trustelem in order to reach the applications; it does not add MFA to the Windows logon itself.
From the user's point of view it is a passwordless login: the browser presents the Kerberos ticket and Trustelem asks for no password.

Trustelem admin configuration

The option « Integrated Windows Authentication » under the Security tab (https://admin-mydomain.trustelem.com/app#/security) must be enabled.
In addition, you need to check the following points on the server side and on the client side:

Server configuration

Register the HTTP service principal name (SPN) of your Trustelem hostname on the Active Directory account used by Trustelem (trustelem-user in this example). Run the command on a domain-joined machine as a domain administrator. The service class is HTTP even though users reach Trustelem over https://; browsers always request an HTTP/ SPN. The -s switch checks that no other object already carries the SPN before adding it, which is why it is preferred over -a: a duplicate SPN is the most common cause of a non-working IWA.

setspn -s HTTP/mydomain.trustelem.com trustelem-user
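The following PowerShell script is an added example for this page, not part of the original Trustelem documentation: it checks the SPN registration described above from a domain-joined Windows machine and then confirms, independently of any browser, that a Kerberos service ticket can be obtained for it. It assumes the hostname mydomain.trustelem.com and the account trustelem-user used on this page; setspn and klist ship with Windows, and the Get-ADUser step only runs if the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not part of the original Trustelem page: verify the SPN registration for IWA
# and confirm that a Kerberos service ticket can actually be obtained for it.
# Assumptions taken from the page: hostname mydomain.trustelem.com, AD account trustelem-user.
$TrustelemHost  = 'mydomain.trustelem.com'
$ServiceAccount = 'trustelem-user'
$Spn = "HTTP/$TrustelemHost"   # browsers ask for the HTTP/ service class even for https:// URLs

# 1. Which account(s) hold the SPN? setspn -Q searches the whole forest.
$query = setspn -Q $Spn 2>&1
if ($query -match 'No such SPN found') {
    Write-Warning "$Spn is not registered. Register it with: setspn -s $Spn $ServiceAccount"
} else {
    Write-Host "Accounts holding ${Spn}:"
    $query | Where-Object { "$_" -like 'CN=*' } | ForEach-Object { Write-Host "  $_" }
}

# 2. A duplicate SPN (the same HTTP/host on two accounts) is the classic IWA failure: the KDC may
#    encrypt the ticket with the other account's key, Trustelem cannot decrypt it and the Negotiate
#    authentication fails. setspn -X lists every duplicate SPN in the forest.
$dupes = setspn -X 2>&1 | Where-Object { "$_" -like "*$Spn*" }
if ($dupes) { Write-Warning "Duplicate SPN detected:`n$($dupes -join "`n")" }

# 3. Confirm the SPN sits on the expected account. Only setspn -s refuses to create a duplicate;
#    an earlier run with -a may have left the SPN on a different object.
if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
    $spns = (Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName).servicePrincipalName
    if ($spns -notcontains $Spn) {
        Write-Warning "$ServiceAccount does not carry $Spn (it has: $($spns -join ', '))"
    }
}

# 4. End-to-end check from a domain user's session: request a service ticket for the SPN.
#    If this fails, no browser setting will make IWA work; if it succeeds, the remaining
#    problems are on the client (zone/allowlist configuration).
klist purge | Out-Null
klist get $Spn | Out-Null
$ticket = klist | Select-String -Pattern ([regex]::Escape($Spn))
if ($ticket) {
    Write-Host "Service ticket obtained for $Spn"
} else {
    Write-Warning "No service ticket for $Spn; check the SPN registration and the DNS name"
}
```

Run step 4 as an ordinary domain user rather than as the domain administrator: it exercises exactly the ticket request a browser will make, and a success here with a failing browser points at the client-side configuration below.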

Client configuration

Enabling IWA on your clients is a browser-specific operation. The procedures below first push the settings through Group Policy (Google Chrome and Chromium-based Edge, Internet Explorer, Mozilla Firefox), then give the manual equivalents on a single workstation.

Google Chrome (GPO)

  • Connect to a domain controller as a domain administrator

  • Download the Chrome policy templates linked from https://support.google.com/chrome/a/answer/187202
    /!\ If IWA for Chrome stops working after a browser update, download the current templates again and redeploy the GPO.
    For example, Chrome 86 renamed the "Authentication server whitelist" policy to "Authentication server allowlist", so GPOs built from the older template stopped applying.

  • Extract the folder

  • Open the Group Policy Management Console (gpmc.msc)

  • Choose an existing GPO or create a new one

iwa_google_gpo.png

  • Edit the policy (Right click > Edit)

  • Navigate to User Configuration/Policies/Administrative Templates, right click > "Add/Remove Templates"

  • Click on "Add" and select the file in the previously extracted folder (policy_templates/windows/adm/{language}/chrome.adm)

iwa_chrome_add_adm.png

  • Navigate to User Configuration/Policies/Administrative Templates/Classic Administrative Templates (ADM)/Google/Google Chrome/HTTP Authentication/Authentication server whitelist (named "Authentication server allowlist" in templates for Chrome 86 and later), right click > "Edit"

iwa_chrome_select.png

  • Click on "Enabled" and enter "*.trustelem.com" in the value field. This list controls the hosts to which Chrome will offer the user's integrated credentials; if you prefer a tighter scope, enter your own hostname (mydomain.trustelem.com) instead of the whole *.trustelem.com domain.

iwa_chrome_whitelist.png

  • Navigate to User Configuration/Policies/Administrative Templates/Classic Administrative Templates (ADM)/Google/Google Chrome/HTTP Authentication/Supported authentication schemes, right click > "Edit"

  • Click on "Enabled" and enter "negotiate" in the value field. Note that this setting applies to every site, not only to Trustelem: with "negotiate" alone, Chrome will no longer use Basic, Digest or NTLM anywhere. If other internal applications still depend on NTLM, enter "ntlm,negotiate" instead.

iwa_chrome_auth.png

  • Verify that the GPO is enabled and linked to your domain

Note: for the Chromium-based Microsoft Edge, download the Edge policy files from https://www.microsoft.com/en-us/edge/business/download?form=MA13FJ (click on Download Windows XX-bit policy), then follow the same steps as for the Google Chrome GPO: the equivalent settings are found under Microsoft Edge/HTTP authentication and take the same values.

Internet Explorer (GPO)

  • Connect to a domain controller as a domain administrator

  • Open the Group Policy Management Console (gpmc.msc)

  • Choose an existing GPO or create a new one

iwa_ie_gpo.png

  • Edit the policy (Right click > Edit)

  • Navigate to User Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List, right click > "Edit"

  • Click on "Enabled" and enter "*.trustelem.com" in the first field and "1" (Intranet zone) in the second field

iwa_ie_sites.png

  • Navigate to User Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone/Logon Options, right click > "Edit"

  • Click on "Enabled" and choose "Automatic logon with current username and password"

iwa_ie_logon.png

  • Check that the GPO is enabled and linked to your domain

Mozilla Firefox (GPO)

  • Connect to a domain controller as a domain administrator

  • Download the policy templates: https://github.com/mozilla/policy-templates/releases

  • Extract the archive and copy the Windows files firefox.admx (and mozilla.admx, which firefox.admx depends on in recent releases) to your policy definitions folder, usually C:\Windows\PolicyDefinitions, with the matching firefox.adml and mozilla.adml under the language subfolder (for example en-US). If your domain uses a Central Store, copy them to \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions instead.

  • Open the Group Policy Management Console (gpmc.msc)

  • Choose an existing GPO or create a new one

  • Edit the policy (Right click > Edit)

  • Navigate to User Configuration/Policies/Administrative Templates/Firefox/Authentication/SPNEGO, right click > "Edit"

iwa_firefox_gpo.png

  • Click on "Enabled" then "Show" and enter "https://mydomain.trustelem.com" in the value field

iwa_firefox_select.png

  • Verify that the GPO is enabled and linked to your domain

Internet Explorer / Edge (manual configuration on a workstation)

  • In the Windows start menu, search for Internet Options, then open the Security tab

  • Select Local Intranet, then click on Sites

  • In the Local Intranet window, make sure that "Include all local sites (intranet) not mentioned in other zones" is checked, then click on Advanced

  • In the Local Intranet window, add *.trustelem.com to the zone so as to activate Single Sign-On. Click on OK, then close the Local Intranet window

  • In the Internet Options > Security > Local Intranet window, click on Custom Level... > User Authentication and choose Automatic logon with current username and password

  • Click on OK. Restart Microsoft Internet Explorer / Edge so as to activate this configuration

Mozilla Firefox (manual configuration on a workstation)

  • On the user's desktop, open an Active Directory-authenticated session

  • Launch Firefox

  • In the address bar, enter about:config

  • Select the network.negotiate-auth.trusted-uris parameter

  • Enter your custom Trustelem hostname: mydomain.trustelem.com or add it to the list, separated by commas

  • Click OK

  • Restart Firefox
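The following PowerShell script is an added example for this page, not part of the original Trustelem documentation. Run it in the end user's session on a domain-joined workstation (after gpupdate /force) to check that the Chrome/Edge, Internet Explorer and Firefox settings from the procedures above have actually arrived, whether they were delivered by GPO (Policies hives) or set by hand as in the manual steps, and that they allow Negotiate for the Trustelem hostname. It assumes the hostname mydomain.trustelem.com used on this page; the registry locations are the ones the vendors' policy templates and the Internet Options dialog write to.

```powershell
# Added example, not part of the original Trustelem page: audit the client-side IWA settings
# on a workstation. Assumption: Trustelem hostname mydomain.trustelem.com.
$TrustelemHost = 'mydomain.trustelem.com'
$ZoneDomain    = 'trustelem.com'
$findings      = @()

function Get-RegValue {
    # Return value $Name from the first of $Paths that defines it (GPO hive first), or $null.
    param([string[]]$Paths, [string]$Name)
    foreach ($p in $Paths) {
        $item = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

# Chromium browsers: the allowlist must cover the host and AuthSchemes must include negotiate.
# Chrome 86 renamed AuthServerWhitelist to AuthServerAllowlist, so both value names are read.
foreach ($b in @(
    @{ Browser = 'Chrome'; Paths = 'HKCU:\Software\Policies\Google\Chrome', 'HKLM:\Software\Policies\Google\Chrome' },
    @{ Browser = 'Edge';   Paths = 'HKCU:\Software\Policies\Microsoft\Edge', 'HKLM:\Software\Policies\Microsoft\Edge' }
)) {
    $allow = Get-RegValue $b.Paths 'AuthServerAllowlist'
    if (-not $allow) { $allow = Get-RegValue $b.Paths 'AuthServerWhitelist' }
    $schemes = Get-RegValue $b.Paths 'AuthSchemes'
    $hostOk  = [bool]($allow -and ($allow -split ',' | Where-Object { $TrustelemHost -like $_.Trim() }))
    $negOk   = (-not $schemes) -or ($schemes -match 'negotiate')   # unset = every scheme allowed
    $findings += "{0}: allowlist='{1}' covers host: {2}; AuthSchemes='{3}' allows negotiate: {4}" -f `
        $b.Browser, $allow, $hostOk, $schemes, $negOk
}

# Internet Explorer / legacy zone settings: the host must map to zone 1 (Local intranet) and the
# zone 1 logon option (value 1A00) must be 0 = "Automatic logon with current username and password".
$ieBase   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$iePolicy = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneMap  = @()
foreach ($root in 'HKCU:', 'HKLM:') {
    # GPO "Site to Zone Assignment List" writes name=*.trustelem.com, data=1 under ZoneMapKey
    $zm = Get-ItemProperty -Path "$root\$iePolicy\ZoneMapKey" -ErrorAction SilentlyContinue
    if ($zm) {
        $zm.PSObject.Properties | Where-Object { $_.Name -like "*$ZoneDomain*" } |
            ForEach-Object { $zoneMap += "$($_.Name)=$($_.Value) (GPO, $root)" }
    }
    # Manual "Sites > Advanced" writes one subkey per domain under ZoneMap\Domains
    Get-ChildItem -Path "$root\$ieBase\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*$ZoneDomain*" } |
        ForEach-Object {
            $k = $_
            foreach ($v in $k.Property) { $zoneMap += "$($k.PSChildName)\$v=$($k.GetValue($v)) (manual, $root)" }
        }
}
$logon = Get-RegValue @("HKCU:\$iePolicy\Zones\1", "HKLM:\$iePolicy\Zones\1",
                        "HKCU:\$ieBase\Zones\1",   "HKLM:\$ieBase\Zones\1") '1A00'
$zoneText  = if ($zoneMap) { $zoneMap -join '; ' } else { 'none' }
$findings += "IE zone map entries for ${ZoneDomain}: $zoneText"
$findings += "IE intranet logon option (1A00): $logon (0 = automatic logon with current credentials)"

# Firefox: the SPNEGO policy is a list of numbered values under Authentication\SPNEGO; the manual
# about:config route lands in prefs.js as network.negotiate-auth.trusted-uris.
$spnego = @()
foreach ($root in 'HKCU:', 'HKLM:') {
    $k = Get-ItemProperty -Path "$root\Software\Policies\Mozilla\Firefox\Authentication\SPNEGO" -ErrorAction SilentlyContinue
    if ($k) { $spnego += $k.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value } }
}
$prefs = Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue |
    Select-String -Pattern 'network\.negotiate-auth\.trusted-uris' | ForEach-Object { $_.Line }
$spnegoText = if ($spnego) { $spnego -join ', ' } else { 'not set' }
$prefsText  = if ($prefs)  { $prefs -join ' | ' }  else { 'not set' }
$findings  += "Firefox SPNEGO policy: $spnegoText"
$findings  += "Firefox prefs.js trusted-uris: $prefsText"

$findings | ForEach-Object { Write-Host $_ }
```

If a browser still prompts for a password while this audit looks right, check the order of the zones in Internet Explorer: a host also listed in the Trusted sites zone is assigned there rather than to Local intranet, and the automatic logon option of zone 1 then does not apply.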


Revision #11
Created 1 July 2022 08:16:34 by WALLIX Admin
Updated 8 November 2023 08:02:46 by WALLIX Admin