Integrated Windows Authentication

Integrated Windows Authentication (IWA) is an authentication using the Kerberos token of the user Windows session.
For a user point of view, it’s a passwordless authentication:

  • when a user logs in to his computer, he receives a Kerberos token from Active Directory.

  • when the user goes to Trustelem, the browser sends the Kerberos token from the computer to Trustelem.

  • Trustelem sends the Kerberos token to Active Directory in order to validate it.
    If everything is ok, the user is logged in, with his identity based on the Kerberos token.

Trustelem admin configuration

The option « Integrated Windows Authentication » under security tab ( https://admin-mydomain.trustelem.com/app#/security) must be enabled.
In addition, you need to check the following points:

  • the IP range of your internal network must be properly set and the user authentication must come from this network (IWA is only enabled on the internal zone).

  • the authentications must be done through https://mydomain.trustelem.com (Trustelem admin console does not allow IWA).

  • a Trustelem ADConnect connector linked to your Active Directory must be active and running.

  • the user whose Windows session is running must have been previously imported from your Active Directory server.
    Note: your logs ( https://admin-mydomain.trustelem.com/app#/logs) will have a login failure entry with the users identity if a user from your domain is identified by IWA but was not registered with Trustelem.

Server configuration

  • Connect to one of your servers as a domain administrator.

  • Open a command interpreter and enter the following command, after replacing ‘trustelem-user’ with the name of the user running Trustelem ADConnect connector:

setspn -s HTTP/mydomain.trustelem.com trustelem-user

Client configuration

Enabling IWA on your clients is a browser-specific operation.

  • Connect to a domain controller as a domain administrator

  • Download the file present in this link https://support.google.com/chrome/a/answer/187202

  • Extract the folder

  • Open the Group Policy Management Console (gpmc.msc)

  • Choose an existing GPO or create a new one

gpo chrome

  • Edit the policy (Right click > Edit)

  • Navigate to User Configuration/Policies/Administrative Template, right click > “Add/Remove a template”

  • Click on “Add” and select the file in the previously extracted folder (policy_template/windows/adm/{langue}/chrome.adm)

gpo chrome

  • Navigate to User Configuration/Policies/Administrative Template/Classic Administrative Templates(ADM)/Google/Google Chrome/Policies for HTTP Authentication/Authentication server whitelist, right click > “Edit”.

gpo chrome

  • Click on “Enabled” and enter "*.trustelem.com" in the value field

gpo chrome

  • Navigate to User Configuration/Policies/Administrative Template/Classic Administrative Templates(ADM)/Google/Google Chrome/Policies for HTTP Authentication/Supported authentication schemes, right click > “Edit”

  • Click on “Enabled” and enter “negotiate” in the value field

gpo chrome

  • Verify that the GPO is enabled and linked to your domain

  • Connect to a domain controller as a domain administrator

  • Open the Group Policy Management Console (gpmc.msc)

  • Choose an existing GPO or create a new one

gpo ie

  • Edit the policy (Right click > Edit)

  • Navigate to User Configuration/Policies/Administrative Template/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List, right click > “Edit”

  • Click on “Enabled” and enter "*.trustelem.com" in the first field and “1” (Intranet zone) in the second field

gpo ie

  • Navigate to User Configuration/Policies/Administrative Template/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone/Logon Options, right click > “Edit”

  • Click on “Enabled” and choose “Automatic logon with current username and password”

gpo ie

  • Check that the GPO is enabled and linked to your domain

  • Connect to a domain controller as a domain administrator

  • Download the GPO: https://github.com/mozilla/policy-templates/releases

  • Extract the folder, copy firefox.admx and firefox.adml for windows to your policy folder (usually C://Windows/PolicyDefinitions).

  • Open the Group Policy Management Console (gpmc.msc)

  • Choose an existing GPO or create a new one

  • Edit the policy (Right click > Edit)

  • Navigate to User Configuration/Policies/Administrative Templates/Firefox/Authenticaton/SPNEGO, right click > “Edit”.

gpo firefox

gpo chrome

  • Verify that the GPO is enabled and linked to your domain

  • In the Windows start menu, search: Internet Options > Security

  • Select Local Intranet, then click on Sites

  • In the Local Intranet window, make sure that Include all local sites (intranet) not mentioned in other zones is checked, the click on Advanced

  • In the Local Intranet window, enter *.trustelem.com to the zone, so as to activate Single Sign-On. Click on OK, the close the Local Intranet window

  • In the Internet Options > Security > Local Intranet window, click on Custom Level… > User Authentication and choose Automatic logon with current username and password

  • Click on OK. Restart Microsoft Internet Explorer / Edge so as to activate this configuration

  • On user desktops, open an Active Directory-authenticated session

  • Launch Firefox

  • In the address bar, enter about:config

  • Select the network.negotiate-auth.trusted-uris parameter

  • Enter your custom Trustelem hostname: mydomain.trustelem.com or add it to the list, separated by commas

  • Click OK

  • Restart Firefox