
KB-4257: Troubleshooting Integrated Windows Authentication (IWA) with Centrify Identity Service

Centrify Identity Service, App Edition

22 November,16 at 04:21 PM

Applies to: Centrify Identity Service & Centrify Privilege Service
 

This article outlines the steps to enable, configure and troubleshoot Integrated Windows Authentication (IWA) to provide single sign-on. IWA to Centrify portals is available only after installing the Centrify Cloud Connector for integration with Active Directory.
 

Note: Starting with the cloud release of 16.7, use of HTTPS will be the default setting for IWA for any new cloud connector installation. For additional information, please see knowledge article KB-7074.

Administrators can configure a cloud connector to provide silent authentication when users log in to Cloud Manager and the Centrify web portals. The cloud connector provides silent authentication only when all of the following are true:
 
  • The cloud connector is enabled to provide silent authentication (this is the default)
  • The computer is inside the firewall
  • The user specifies a login suffix (see Using login suffix) in the URL

For example, to log in with silent authentication to the Centrify User portal, the end user would enter the following URL syntax:
 
https://cloud.centrify.com/manage?customerid=domain.com (where domain.com is the user’s organization’s Customer ID or login alias)
 
 
 
Configuring Silent Authentication Settings for the Centrify Cloud Connector
 
By default, silent authentication is enabled after installing a cloud connector for integration with Active Directory.
 
To enable or disable the cloud connector IWA settings:

 
  1. Log in to the Cloud Manager portal at https://cloud.centrify.com/manage, select Settings from the top menu and then Cloud Connectors from the options list
  2. Place a check next to the desired connector and choose "Modify" from the Actions menu
  3. Select "Enable Web Server" to use IWA, or clear the selection to disable IWA
  4. Click OK
 
Administrators can also set the IWA port values in the Cloud Connector settings from within the Cloud Manager. In the default configuration, the Cloud Connector uses HTTPS for Integrated Windows Authentication on port 8443, with a 10-second browser timeout value used to determine whether the computer is inside or outside the firewall. The IWA timeout value can be increased if required on slow or congested networks.

 
To change the Integrated Windows Authentication port number:
  1. Log in to the Cloud Manager portal at https://cloud.centrify.com/manage, select Settings from the top menu and then Cloud Connectors from the options list
  2. Right-click the server and click Modify
  3. Click the Port Number field and enter the new port number (the Enable Setting box must be checked before the port number can be changed)
     Note: Port 80 is the standard port. If you change the port number to a non-standard number (for example, 111), Firefox and Chrome may require additional configuration because these browsers block some non-standard ports. Do not change the port number unless you understand the implications. See the Centrify User Suite Installation and Configuration Guide for more information.
  4. Click OK
 
 

Verify IWA Functionality
 
Administrators can verify the proxy server is providing IWA functionality using any client browser connected to the corporate LAN, including the proxy host itself.
 
To verify IWA functionality for the proxy host, enter the following URL into the address field of a client browser:
  1. http://<hostname>/iwa/ping, where <hostname> is the computer name of the proxy host, followed by the IWA port if one is configured (example: http://testdc01:8443/iwa/ping)
     NOTE: Using the FQDN of the proxy server (hostname.domain.com) will bypass IWA, because the request is then assumed to be internet-based rather than from the internal network. Adding the proxy hostname to the IE security zone "Local Intranet" causes the domain suffix to be ignored and allows IWA to function.
  2. The test can also be performed on the proxy host itself using http://localhost/iwa/ping or http://127.0.0.1/iwa/ping
  3. If IWA is successful, a page is displayed with the text "Centrify Cloud Services IWA Host"
  4. If IWA is not functioning, a page error is displayed
 
 
 
Review Client Login URL
 
To invoke IWA on a client system, log in to either the Centrify User Portal (http://cloud.centrify.com/my) or the Cloud Manager (http://cloud.centrify.com/manage) with a URL that includes the appended string "?customerid=". The portal should automatically append "IWA=true" to the end of the URL. It may be necessary to verify that IWA is enabled for the browser in use. The Customer ID value can be either the cloud tenant Customer ID (example: ABC1234) or a login suffix defined in the Cloud Manager settings.
 
Example URLs:

  https://cloud.centrify.com/my?customerid=AAB0123
  https://cloud.centrify.com/manage?customerid=AAB0123
 
If your organization uses a customer tenant URL, it may be necessary to replace "cloud.centrify.com" with the appropriate tenant ID or suffix name. The tenant ID is displayed in the browser URL after a successful login to either the Cloud Manager or the User portal.
 
Example URLs:

  https://abc1234.my.centrify.com/my?customerid=company.com
  https://abc1234.centrify.com/manage?customerID=AAB0123
 
 
 
Review Browser Settings
 
For IWA silent authentication to work correctly, there are a few browser configuration tasks that may be necessary.


Firefox: See the Cloud Manager Online Help section "Configuring Firefox to allow silent authentication"
  • Either set network.negotiate-auth.allow-non-fqdn to "True", or add the cloud proxy server host name to the network.negotiate-auth.trusted-uris list of trusted sites

Internet Explorer: See the Cloud Manager Online Help sections "Configuring Internet Explorer security zones" and "Setting Integrated Windows Authentication"
  • Enable IWA in Internet Options > Advanced Settings > Security
  • If using a login URL that contains the FQDN of the proxy host (http://<proxyhostname.domain.com>), add the fully qualified hostname of the server running the connector service to the Local intranet zone
  • Check that "Automatic logon only in Intranet zone" is selected in Internet Options > Security > Local intranet > Custom Level > User Authentication
 
Chrome: See the Cloud Manager Online Help section "Configuring Chrome to allow silent authentication"
  • In most cases, silent authentication works for Google Chrome without additional configuration, provided the cloud proxy server host name is resolvable in your DNS.
  • Mac computers may need to run the following terminal command to permanently allow Kerberos authentication to a server or set of servers (example: *.mydomain.local):
      defaults write com.google.Chrome AuthServerWhitelist '<your domain>'

Safari: See the Cloud Manager Online Help section "Configuring Safari to allow silent authentication"
  • If you have the Centrify Identity Service for Mac agent installed, silent authentication works automatically in the Safari web browser. For more information about Centrify products on the Mac, see the Centrify Suite for Mac OS X Administrator's Guide.
 
 
 
Review Cloud Manager Settings for Corporate IP Range
 
Configuring a Corporate IP Range allows administrators to specify the public IP addresses that should be treated as part of the organization's intranet. Connections made from these addresses have the following privileges:
  • Active Directory users can log in to the Centrify User portal or the Cloud Manager with silent authentication (IWA must be enabled)
  • If authentication policy controls are enabled, these users can be exempted from the additional authentication requirements
 
Two cloud service features consult the Corporate IP range, and note that they apply opposite defaults when no range is configured:
  1. Silent authentication for Cloud Manager and Centrify User portal logins:
     a. If the computer's address is outside the IP range you specify here, Active Directory users are prompted to enter their credentials. (This feature is not available to users with cloud accounts.)
     b. Note: This feature uses Integrated Windows Authentication. See Configuring proxy servers in the Cloud Manager online help for more about Integrated Windows Authentication.
     c. If you do not specify a range, all IP addresses are treated as possibly "on premise".

  2. Multifactor login authentication:
     a. Users logging in to the portals from computers with an address outside the IP range are prompted to provide an additional authentication factor.
     b. If you do not specify an IP range, all IP addresses are treated as "off premise" and all users—including those on your intranet—are prompted for an additional authentication factor.
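As an added example (not code from the article or from Centrify), the following Python script models the two decisions above for a given client address, including the opposite defaults each feature applies when no range is configured. Representing the Corporate IP Range as a list of CIDR strings is an assumption made here.

```python
import ipaddress
from typing import Iterable, Optional

# Assumption (not from the article): the Corporate IP Range is held as a
# list of CIDR strings, e.g. ["203.0.113.0/24"]. An empty list means the
# administrator has not configured a range at all.

def in_corporate_range(client_ip: str, corporate_ranges: Iterable[str]) -> Optional[bool]:
    """True/False for membership, or None when no range is configured."""
    networks = [ipaddress.ip_network(r, strict=False) for r in corporate_ranges]
    if not networks:
        return None
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)

def silent_auth_expected(client_ip: str, corporate_ranges: Iterable[str],
                         iwa_enabled: bool = True) -> bool:
    """Silent (IWA) login is attempted for on-premise addresses.
    With no range configured, every address is treated as possibly on premise."""
    if not iwa_enabled:
        return False
    member = in_corporate_range(client_ip, corporate_ranges)
    return True if member is None else member

def mfa_prompt_expected(client_ip: str, corporate_ranges: Iterable[str],
                        mfa_policy_enabled: bool = True) -> bool:
    """An additional factor is required for off-premise addresses.
    With no range configured, every address is treated as off premise."""
    if not mfa_policy_enabled:
        return False
    member = in_corporate_range(client_ip, corporate_ranges)
    return True if member is None else not member

if __name__ == "__main__":
    # Constructed sample: one egress range and two client addresses.
    corp = ["203.0.113.0/24"]
    for ip in ("203.0.113.25", "198.51.100.9"):
        print(ip, "silent auth:", silent_auth_expected(ip, corp),
              "MFA prompt:", mfa_prompt_expected(ip, corp))
    # With no range, IWA is tried everywhere but MFA is also prompted everywhere.
    print("no range -> silent:", silent_auth_expected("10.0.0.5", []),
          "MFA:", mfa_prompt_expected("10.0.0.5", []))
```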
 
 
 
DNS Considerations
 
For IWA to function correctly, the client browser must be able to resolve and contact the proxy host by hostname via DNS within the IWA timeout value specified in the Cloud Manager settings. In some multi-domain environments, it may be necessary to add DNS records for the proxy host in the root domain so that it resolves correctly for clients in a child domain or clients accessing the corporate LAN via VPN.

Mac computers may need to add additional DNS search domains or server entries via advanced network settings if unable to ping the host running the cloud connector service. To add a DNS domain or server entry:
  1. On the Mac, open System Preferences
  2. Select Network
  3. Highlight the desired network interface (Ethernet, Wi-Fi) and choose Advanced
  4. Select the DNS tab and add entries as needed
 
 
 
Review Connector Logs
 
If the above IWA tests fail, review of the cloud connector logs located at C:\Program Files\Centrify\Cloud Management Suite\Log.txt.* should provide specific details around the login attempt failure. Search the connector log for the username used for login and look for any errors or exceptions in the log.
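As an added illustration (not a Centrify tool), this Python script performs the search just described over the connector's rotated Log.txt.* files: it pulls every line mentioning the login username and any error or exception line that immediately follows it. The line format of the embedded sample is constructed, since the article does not show the real log format.

```python
import glob
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample lines; the real connector log layout may differ.
SAMPLE_LOG = """\
2016-11-22 14:03:01 INFO  IWA request from 10.1.2.3 for user CORP\\jdoe
2016-11-22 14:03:02 ERROR IWA negotiation failed for CORP\\jdoe: KDC unreachable
2016-11-22 14:03:02 WARN  Exception: System.Net.Sockets.SocketException
2016-11-22 14:05:10 INFO  IWA request from 10.1.2.9 for user CORP\\asmith
2016-11-22 14:05:11 INFO  IWA succeeded for CORP\\asmith
"""

# Path from the article; the Log.txt.* glob covers rotated files.
LOG_GLOB = r"C:\Program Files\Centrify\Cloud Management Suite\Log.txt.*"
PROBLEM = re.compile(r"\b(error|exception|fail\w*)\b", re.IGNORECASE)

def find_login_problems(lines: Iterable[str], username: str,
                        context: int = 1) -> List[Tuple[int, str]]:
    """Return (line_no, text) for lines naming `username`, plus error or
    exception lines within `context` lines after each such mention."""
    rows = [line.rstrip("\n") for line in lines]
    user = username.lower()
    keep = set()
    for i, row in enumerate(rows):
        if user in row.lower():
            keep.add(i)
            for j in range(i + 1, min(i + 1 + context, len(rows))):
                if PROBLEM.search(rows[j]):
                    keep.add(j)
    return [(i + 1, rows[i]) for i in sorted(keep)]

def scan_connector_logs(username: str, pattern: str = LOG_GLOB) -> Dict[str, List[Tuple[int, str]]]:
    """Run the search over every connector log file matching `pattern`."""
    results = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = find_login_problems(fh, username)
        if hits:
            results[path] = hits
    return results

if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    for line_no, text in find_login_problems(SAMPLE_LOG.splitlines(), "jdoe"):
        print(f"{line_no:>4}: {text}")
```

On a connector host, call scan_connector_logs("jdoe") to search the real rotated log files instead of the sample.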
 
 
 
Additional Troubleshooting
 

For additional information not covered in this guide or troubleshooting assistance, please review the Centrify Online Help or Customer Support Portal at https://www.centrify.com/support/customer-support-portal/
