Manage Integrated Windows Authentication (IWA)
This topic describes how to configure IWA for CyberArk Identity.
CyberArk Identity lets you accept an IWA connection as sufficient authentication for users with Active Directory accounts when they sign in to CyberArk Identity. CyberArk Identity uses Kerberos SSO for silent authentication. With IWA enabled, the browser uses the current user's Active Directory information to prove its knowledge of the password through a cryptographic exchange with the in-process web server built into the connector.
The result is users with Active Directory/LDAP accounts can sign in to CyberArk Identity from domain-joined computers that are within your organization’s corporate network without entering sign in credentials.
Before you begin
Before you configure IWA with CyberArk Identity, complete the following tasks.
Verify that the connector's AD service account has local log in permission.
Setting Deny Local Logon in Active Directory for the AD service account user blocks IWA.
Decide if you want to use the CyberArk tenant CA (recommended because the CA automatically installs to the CyberArk Identity Connector and minimizes configuration steps), a third-party CA (for example, Symantec or GoDaddy), or your internal CA.
See Manage host certificates for more details about creating and importing host certificates.
Enable Integrated Windows Authentication (IWA)
The following steps describe how to enable IWA.
Step 1: Define a Secure Zone
IWA is available for domain-joined machines within a Secure Zone. See Define Secure Zones for additional detail about Secure Zones.
- In the Identity Administration portal, go to Settings > Network > Secure Zones > Add.
- Enter a name to quickly identify the IP address or range.
Enter an IP address or a range of addresses in the form
<network>/<subnet mask>, or using a comma-separated list without spaces, then click OK.
Use routable, public IP addresses.
Step 2: Verify that at least one connector has IWA enabled.
IWA is enabled by default on the connector. This procedure describes how to verify that the default setting has not changed.
Go to Settings > Network > CyberArk Identity Connectors, then click a connector to open the connector configuration page.
On the IWA Service tab, confirm that Enable Web Server is selected.
(Optional) Modify the following settings on the IWA Service tab, then click Save.
Setting or property Description
Enable web server
This is selected by default. This setting supports IWA and Office clients.
If you disable the web server, you cannot change the DNS Hostname, HTTP Port Number and HTTPS Port number values.
The default is the connector’s host computer’s name.
You can enter a DNS short name here or the fully qualified domain name in the IE local intranet zone.
IWA Detection Timeout
The length of time IWA waits for a response from the connector. The default is 10 seconds.
HTTPS Port Number
The default port is 8443.
Port 8443 is the standard port. If you change the port number to a non-standard number, Firefox and Chrome may require additional configuration because these browsers block some non-standard ports. Do not change the port number unless you know about the implications.
Connector Host Certificate
The host certificate used by the CyberArk Identity Connector must be issued by a trusted issuer. You can trust the tenant specific CA we have created for you by default, or provide your own.
See Manage host certificates for more detail.
Step 3: Deploy the IWA root CA certificate to all domain-joined Windows machines in your organization.
Select the relevant connector or add a new one, then go to the IWA Service tab and click Download your IWA root CA certificate.
Deploy the connector using common industry tools.
Deployment methods include:
Step 4: Verify IWA over HTTPS
You can test the validity of the CyberArk Identity Connector host certificate with the following procedure.
- Open a web browser from an IWA client machine.
Go to the following URL:
<httpsport>with the corresponding values. For example:
Look for the green certificate in the browser.
Step 5: Verify that IWA is enabled in policy settings
You can configure CyberArk Identity to bypass already configured authentication rules and default authentication profiles when IWA is configured. Check your policy settings to make sure IWA is not disabled in a policy set that has priority for your AD users. You might have disabled IWA in a policy set to enforce additional authentication challenges on certain users.
Go to Core Services > Policies and select a policy set.
Go to Authentication Policies > CyberArk Identity, then click the Enable authentication policy controls drop-down menu and select Yes.
Under Other Settings, select Allow IWA connections.
(Optional) Select additional IWA policy settings for additional control over enforcing MFA with IWA connections.
Set identity cookie for IWA connections
CyberArk Identity can set a cookie in the current browser session after a successful IWA-based sign-in. CyberArk Identity checks the browser for this cookie when the user signs in to the User Portal. If the cookie is present, the user is not prompted for any additional authentication challenges required by the applicable authentication profile.
IWA connections satisfy all MFA mechanisms
IWA overrides all application-specific step-up authentication requirements. For example, you can configure the Box application to require two authentication challenges if users access the application from inside a secure zone. With this setting, CyberArk Identity ignores those authentication requirements if IWA is available.
AD users signing in from domain-joined Windows machines that are inside a secure zone can now authenticate using IWA.
IP address affinity for IWA connections allows admins of large network environments to prioritize connectors in the same region as the IWA client, creating more predictability in how users’ endpoint connectors are selected. If no connector is available for the specified IP address, a different connector is selected based on the default selection criteria which takes into account subnet proximity and connector health. If you configure multiple connectors to serve the same IP range, one of those connectors is selected randomly.
Go to Settings > Network > CyberArk Identity Connectors.
Click the connector that you want to set IP address affinity for, then select IWA Service.
Enter the Client IP ranges that you want to prioritize the selected connector, then click Save.
You can enter a single IP address or a range of IP addresses. Separate each entry with a comma. For example:
IWA is enabled by default. If you do not want to allow IWA connections, you can disable it.
- Go to Settings > Network > CyberArk Identity Connectors, then click a connector.
- On the IWA Service tab, clear the Enable Web Server checkbox, then click Save.