Manage Integrated Windows Authentication (IWA)
This topic describes how to configure IWA for CyberArk Identity.
CyberArk Identity lets you accept an IWA connection as sufficient authentication for users with Active Directory accounts when they sign in to CyberArk Identity. CyberArk Identity uses Kerberos SSO for silent authentication. With IWA enabled, the browser uses the current user's Active Directory information to prove its knowledge of the password through a cryptographic exchange with the in-process web server built into the connector.
As a result, users with Active Directory/LDAP accounts can sign in to CyberArk Identity from domain-joined computers that are within your organization’s corporate network without entering sign-in credentials.
Before you begin
Before you configure IWA with CyberArk Identity, complete the following tasks.
- Verify that the connector's AD service account has local log in permission. Setting Deny Local Logon in Active Directory for the AD service account user blocks IWA.
- Decide if you want to use the CyberArk tenant CA (recommended because the CA automatically installs to the CyberArk Identity Connector and minimizes configuration steps), a third-party CA (for example, Symantec or GoDaddy), or your internal CA. See Manage host certificates for more details about creating and importing host certificates.
Enable Integrated Windows Authentication (IWA)
The following steps describe how to enable IWA.
Step 1: Define a Secure Zone
IWA is available for domain-joined machines within a Secure Zone. See Define Secure Zones for additional detail about Secure Zones.
- In the Identity Administration portal, go to Settings > Network > Secure Zones > Add.
- Enter a name to quickly identify the IP address or range.
- Enter an IP address or a range of addresses in the form <network>/<subnet mask>, or using a comma-separated list without spaces, then click OK. Use routable, public IP addresses.
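A pre-check for a Secure Zone value before it is entered in the portal, as an added example that is not CyberArk code. It applies the rules from Step 1 (comma-separated, no spaces, routable public addresses); the function name, the non-routable block list and the `max_addresses` threshold are assumptions.

```python
import ipaddress

# Well-known IPv4 blocks that are not routable on the public internet.
# The list is illustrative, not exhaustive; IPv6 entries are parsed but
# never match these IPv4 blocks.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                   # RFC 6598 shared (CGNAT)
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]


def check_secure_zone(value, max_addresses=65536):
    """Parse one Secure Zone field value; return (networks, problems).

    max_addresses is a hypothetical review threshold, not a product limit.
    """
    networks, problems = [], []
    if any(ch.isspace() for ch in value):
        problems.append("whitespace found: separate entries with commas only")
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            problems.append("empty entry")
            continue
        try:
            # Accepts a single address, <network>/<prefix length> and
            # <network>/<dotted mask>; host bits are masked off.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"{entry}: not an address or <network>/<subnet mask>")
            continue
        networks.append(net)
        block = next((b for b in NON_ROUTABLE if net.overlaps(b)), None)
        if block is not None:
            problems.append(f"{entry}: overlaps non-routable block {block}")
        elif net.num_addresses > max_addresses:
            problems.append(f"{entry}: {net.num_addresses} addresses, review scope")
    return networks, problems


if __name__ == "__main__":
    # Constructed sample values (documentation and private ranges).
    for sample in ("203.0.113.0/255.255.255.0,198.51.100.7",
                   "203.0.113.0/24, 10.0.0.5",
                   "192.168.10.0/24"):
        print(sample, "->", check_secure_zone(sample)[1] or "ok")
```

Because IWA sign-in is accepted from any address inside the zone, a non-empty `problems` list is worth resolving before the value is saved.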
Step 2: Verify that at least one connector has IWA enabled.
IWA is enabled by default on the connector. This procedure describes how to verify that the default setting has not changed.
- Go to Settings > Network > CyberArk Identity Connectors, then click a connector to open the connector configuration page.
- On the IWA Service tab, confirm that Enable Web Server is selected.
- (Optional) Modify the following settings on the IWA Service tab, then click Save.

| Setting or property | Description |
| --- | --- |
| Enable web server | This is selected by default. This setting supports IWA and Office clients. If you disable the web server, you cannot change the DNS Hostname, HTTP Port Number and HTTPS Port Number values. |
| DNS Hostname | The default is the connector’s host computer’s name. You can enter a DNS short name here or the fully qualified domain name in the IE local intranet zone. |
| IWA Detection Timeout | The length of time IWA waits for a response from the connector. The default is 10 seconds. |
| HTTPS Port Number | The default port is 8443. Port 8443 is the standard port. If you change the port number to a non-standard number, Firefox and Chrome may require additional configuration because these browsers block some non-standard ports. Do not change the port number unless you know about the implications. |
| Connector Host Certificate | The host certificate used by the CyberArk Identity Connector must be issued by a trusted issuer. You can trust the tenant specific CA we have created for you by default, or provide your own. See Manage host certificates for more detail. |
Step 3: Deploy the IWA root CA certificate to all domain-joined Windows machines in your organization.
- Select the relevant connector or add a new one, then go to the IWA Service tab and click Download your IWA root CA certificate.
- Deploy the connector using common industry tools.
Deployment methods include:
Step 4: Verify IWA over HTTPS
You can test the validity of the CyberArk Identity Connector host certificate with the following procedure.
- Open a web browser from an IWA client machine.
- Go to the following URL: https://<yourconnectorhostname>:<httpsport>/iwa/ping. Replace <yourconnectorhostname> and <httpsport> with the corresponding values. For example: https://2016WindowsServer:8443/iwa/ping
- Look for the green certificate in the browser.
Step 5: Verify that IWA is enabled in policy settings
You can configure CyberArk Identity to bypass already configured authentication rules and default authentication profiles when IWA is configured. Check your policy settings to make sure IWA is not disabled in a policy set that has priority for your AD users. You might have disabled IWA in a policy set to enforce additional authentication challenges on certain users.
- Go to Core Services > Policies and select a policy set.
- Go to Authentication Policies > CyberArk Identity, then click the Enable authentication policy controls drop-down menu and select Yes.
- Under Other Settings, select Allow IWA connections.
- (Optional) Select additional IWA policy settings for additional control over enforcing MFA with IWA connections.

| Option | Description |
| --- | --- |
| Set identity cookie for IWA connections | CyberArk Identity can set a cookie in the current browser session after a successful IWA-based sign-in. CyberArk Identity checks the browser for this cookie when the user signs in to the User Portal. If the cookie is present, the user is not prompted for any additional authentication challenges required by the applicable authentication profile. |
| IWA connections satisfy all MFA mechanisms | IWA overrides all application-specific step-up authentication requirements. For example, you can configure the Box application to require two authentication challenges if users access the application from inside a secure zone. With this setting, CyberArk Identity ignores those authentication requirements if IWA is available. |

- Click Save.
AD users signing in from domain-joined Windows machines that are inside a secure zone can now authenticate using IWA.
Step 6: (Optional) Set IP address affinity for IWA connections
IP address affinity for IWA connections allows admins of large network environments to prioritize connectors in the same region as the IWA client, creating more predictability in how users’ endpoint connectors are selected. If no connector is available for the specified IP address, a different connector is selected based on the default selection criteria which takes into account subnet proximity and connector health. If you configure multiple connectors to serve the same IP range, one of those connectors is selected randomly.
- Go to Settings > Network > CyberArk Identity Connectors.
- Click the connector that you want to set IP address affinity for, then select IWA Service.
- Enter the Client IP ranges for which you want to prioritize the selected connector, then click Save.
You can enter a single IP address or a range of IP addresses. Separate each entry with a comma. For example:
Disable IWA
IWA is enabled by default. If you do not want to allow IWA connections, you can disable it.
- Go to Settings > Network > CyberArk Identity Connectors, then click a connector.
- On the IWA Service tab, clear the Enable Web Server checkbox, then click Save.