Integrated Windows Authentication

Integrated Windows Authentication (IWA) is a Trustelem authentication method that uses the Kerberos ticket of the user's Windows session.
Its purpose is to authenticate the user on Trustelem in order to access the apps, not to add MFA on the Windows logon.
From the user's point of view, it is a passwordless authentication: the browser presents the Kerberos ticket of the current session and the user is signed in to Trustelem without being prompted.

Trustelem admin configuration

The option « Integrated Windows Authentication » under the Security tab (https://admin-mydomain.trustelem.com/app#/security) must be enabled.
In addition, you need to check the following points on the server side and on the clients:

Server configuration

The Trustelem hostname must be registered as a Kerberos Service Principal Name (SPN) on the Active Directory account used by Trustelem (trustelem-user in the example below); otherwise the domain controller cannot issue a service ticket for it and the browser falls back to a normal login:

setspn -s HTTP/mydomain.trustelem.com trustelem-user

The -s switch checks that the SPN is not already registered on another account before adding it. A duplicate SPN is the most common cause of IWA failures, because the KDC may then issue a ticket for the wrong account.
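The following PowerShell script is an added example, not part of the Trustelem documentation: it registers the SPN above, checks the forest for a duplicate, and requests a service ticket for it with klist so that you can confirm the Kerberos side works before touching any browser policy. Run it on a domain-joined machine as a domain administrator; the hostname and account name are the page's placeholders.

```powershell
# Added example (not Trustelem's own code): register and verify the Trustelem SPN.
# Assumptions: domain-joined host, domain admin session, RSAT setspn.exe available.
$Spn     = 'HTTP/mydomain.trustelem.com'   # placeholder from the page
$Account = 'trustelem-user'                # placeholder from the page

# 1. Is the SPN already registered, and on which account? (-Q queries the forest)
$existing = setspn -Q $Spn
if ($existing -match 'No such SPN found') {
    # -s refuses to create a duplicate; setspn -a would happily register the same
    # SPN on two accounts, after which the KDC may encrypt tickets for the wrong one.
    setspn -s $Spn $Account
} else {
    Write-Host "SPN already registered:`n$($existing -join "`n")"
}

# 2. Forest-wide duplicate check (-X lists duplicate SPNs, -F searches the whole forest).
$dups = setspn -X -F
if ($dups -match 'mydomain.trustelem.com') {
    Write-Warning "Duplicate SPN detected:`n$($dups -join "`n")"
}

# 3. Request a service ticket for exactly the SPN the browser will ask for.
#    A ticket in the cache means the KDC knows the SPN; the browser can then
#    send a Negotiate (Kerberos) token to Trustelem.
klist purge | Out-Null
klist get $Spn | Out-Null
$ticket = klist | Select-String -SimpleMatch 'mydomain.trustelem.com'
if ($ticket) {
    Write-Host "Service ticket obtained: $($ticket.Line.Trim())"
} else {
    Write-Warning "No ticket for $Spn: check the SPN, the DNS name used by the browser and that this client is domain-joined."
}
```

If step 3 fails while the SPN is correct, check that the name the browser resolves (mydomain.trustelem.com) is the same as the one in the SPN: a CNAME or a proxy that rewrites the host name makes the browser request a ticket for a different SPN.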

Client configuration

Enabling IWA on your clients is a browser-specific operation: the browser must be told which hosts may receive the Kerberos ticket automatically, and which authentication scheme to use.

Google Chrome

  • Connect to a domain controller as a domain administrator

  • Download the Chrome policy templates from https://support.google.com/chrome/a/answer/187202
    /!\ If IWA for Chrome stops working after a Chrome update, you may need to download the templates again and reinstall the GPO.
    For example, Chrome version 86 broke compatibility with the previous Chrome GPO.

  • Extract the folder

  • Open the Group Policy Management Console (gpmc.msc)

  • Choose an existing GPO or create a new one

iwa_google_gpo.png

  • Edit the policy (Right click > Edit)

  • Navigate to User Configuration/Policies/Administrative Templates, right click > "Add/Remove Templates"

  • Click on "Add" and select the file in the previously extracted folder (policy_template/windows/adm/{language}/chrome.adm)

iwa_chrome_add_adm.png

  • Navigate to User Configuration/Policies/Administrative Template/Classic Administrative Templates(ADM)/Google/Google Chrome/HTTP Authentication/Authentication server whitelist, right click > "Edit".

iwa_chrome_select.png

  • Click on "Enabled" and enter "*.trustelem.com" in the value field. This list is the set of hosts to which Chrome will send the Kerberos ticket without prompting, so keep it as narrow as your setup allows (your own tenant hostname, e.g. mydomain.trustelem.com, is narrower than *.trustelem.com).

iwa_chrome_whitelist.png

  • Navigate to User Configuration/Policies/Administrative Template/Classic Administrative Templates(ADM)/Google/Google Chrome/HTTP Authentication/Supported authentication schemes, right click > "Edit"

  • Click on "Enabled" and enter "negotiate" in the value field

iwa_chrome_auth.png

  • Verify that the GPO is enabled and linked to your domain

Note: with the new Edge based on Chromium, you have to go to https://www.microsoft.com/en-us/edge/business/download?form=MA13FJ and click on Download Windows XX-bit policy. Then follow the same process as for the Google GPO; the equivalent settings are under Microsoft Edge/HTTP authentication.

Internet Explorer

  • Connect to a domain controller as a domain administrator

  • Open the Group Policy Management Console (gpmc.msc)

  • Choose an existing GPO or create a new one

iwa_ie_gpo.png

  • Edit the policy (Right click > Edit)

  • Navigate to User Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List, right click > "Edit"

  • Click on "Enabled", then click "Show" and enter "*.trustelem.com" in the Value name field and "1" (Intranet zone) in the Value field

iwa_ie_sites.png

  • Navigate to User Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone/Logon Options, right click > "Edit"

  • Click on "Enabled" and choose "Automatic logon with current username and password"
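The GPO procedures above (Chrome, Edge and Internet Explorer) all end up as registry-backed policy values under HKCU\Software\Policies. As an added example that is not part of the Trustelem documentation, the following PowerShell script builds the same GPO with the GroupPolicy RSAT module instead of clicking through gpmc.msc, and reads the values back so you can check what was written. The GPO name is a placeholder, and the hostname is the page's mydomain.trustelem.com; the script assumes a domain controller (or a host with RSAT and the ActiveDirectory module) and a domain admin session.

```powershell
# Added example (not Trustelem's own code): one GPO carrying the IWA settings for
# Chrome, Edge (Chromium) and Internet Explorer, equivalent to the gpmc.msc steps.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = 'Trustelem IWA'                    # assumed GPO name
$IwaHosts = 'mydomain.trustelem.com'           # narrower than *.trustelem.com; adjust to your tenant
$Domain   = (Get-ADDomain).DistinguishedName   # link target; use an OU DN to scope to workstations

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Chrome: the ADM/ADMX policies land under HKCU\Software\Policies\Google\Chrome.
# AuthServerAllowlist is the current name of "Authentication server whitelist".
$chrome = 'HKCU\Software\Policies\Google\Chrome'
Set-GPRegistryValue -Name $GpoName -Key $chrome -ValueName 'AuthServerAllowlist' -Type String -Value $IwaHosts | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $chrome -ValueName 'AuthSchemes'         -Type String -Value 'negotiate' | Out-Null

# Edge (Chromium): same policy names, different key.
$edge = 'HKCU\Software\Policies\Microsoft\Edge'
Set-GPRegistryValue -Name $GpoName -Key $edge -ValueName 'AuthServerAllowlist' -Type String -Value $IwaHosts | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $edge -ValueName 'AuthSchemes'         -Type String -Value 'negotiate' | Out-Null

# Internet Explorer: "Site to Zone Assignment List" is the ZoneMapKey key
# (value name = site, data = zone number as a string, 1 = Intranet zone).
$ie = 'HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $GpoName -Key "$ie\ZoneMapKey" -ValueName $IwaHosts -Type String -Value '1' | Out-Null
# "Logon options" for the Intranet zone is value 1A00 under Zones\1;
# 0 = "Automatic logon with current username and password".
Set-GPRegistryValue -Name $GpoName -Key "$ie\Zones\1" -ValueName '1A00' -Type DWord -Value 0 | Out-Null

# Link the GPO (enabled) if it is not linked yet, then read back what was written.
$linked = (Get-GPInheritance -Target $Domain).GpoLinks.DisplayName -contains $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $Domain -LinkEnabled Yes | Out-Null
}
Get-GPRegistryValue -Name $GpoName -Key $chrome
Get-GPRegistryValue -Name $GpoName -Key $edge
Get-GPRegistryValue -Name $GpoName -Key "$ie\ZoneMapKey"
Get-GPRegistryValue -Name $GpoName -Key "$ie\Zones\1"
```

On a client, run gpupdate /force, then open chrome://policy (or edge://policy) to confirm that AuthServerAllowlist and AuthSchemes are shown as applied; for Internet Explorer, the Trustelem site should appear in the Local intranet zone in Internet Options. If the policy is applied but the login still prompts for a password, the problem is on the Kerberos side (SPN or ticket), not in the browser policy.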