This article outlines the steps for troubleshooting Integrated Windows Authentication (IWA) with the Centrify Identity Service
Applies to: Centrify Identity Service & Centrify Privilege Service
This article outlines the steps to enable, configure and troubleshoot Integrated Windows Authentication (IWA) for single sign-on. IWA to Centrify portals is available only after the Centrify Connector has been installed and integrated with Active Directory.
Note: Starting with the cloud release of 16.7, use of HTTPS will be the default setting for IWA for any new cloud connector installation. For additional information, please see knowledge article KB-7074.
Administrators can configure a cloud connector to provide silent authentication when users log in to Cloud Manager and the Centrify web portals. The cloud connector provides silent authentication when all of the following are true:
The cloud connector is enabled to provide silent authentication (this is the default)
The computer is inside the firewall
The user specifies a login suffix (see Using login suffix) in the URL.
For example, to log in with silent authentication to the Centrify User portal, the end user would enter the following URL syntax:
To enable or disable IWA on a connector, open Settings > Cloud Connectors in Cloud Manager, place a check next to the desired connector and choose "Modify" from the Actions menu
Select "Enable Web Server" to use IWA, or clear the selection to disable IWA
Administrators can also set the IWA port value in the Cloud Connector settings within Cloud Manager. In the default configuration, the Cloud Connector uses HTTPS on port 8443 for Integrated Windows Authentication, with a 10-second browser timeout to determine whether the computer is inside or outside the firewall. The IWA timeout value can be increased if required on slow or congested networks.
To change the Integrated Windows Authentication port number:
Log in to the Cloud Manager portal at https://cloud.centrify.com/manage, select Settings from the top menu and then Cloud Connectors from the options list
Right-click the server and click Modify
Click the Port Number field and enter the new port number (the Enable Web Server box must be checked before the port number can be changed)
NOTE: Port 80 (HTTP) was the standard IWA port on connectors installed before cloud release 16.7; newer installations default to HTTPS on port 8443, as described above. If you change the port number to a non-standard number (for example, 111), Firefox and Chrome may require additional configuration because these browsers refuse connections to some non-standard ports. Do not change the port number unless you understand the implications. See the Centrify User Suite Installation and Configuration Guide for more information.
Verify IWA Functionality
Administrators can verify that the Connector server is providing IWA functionality from any client browser on the corporate LAN, including the Connector host itself.
To verify IWA functionality for the Connector host, enter the following URL into the address field of a client browser:
https://<hostname>:<portnumber>/iwa/ping, where <hostname> is the computer name of the Connector host and the scheme and port match the connector's IWA settings (HTTPS on 8443 by default; use http:// if the connector is still configured for HTTP). Example: https://testdc01:8443/iwa/ping. NOTE: using the FQDN of the Connector server (hostname.domain.com) bypasses IWA, because Internet Explorer treats a dotted hostname as an Internet-zone address rather than an internal one. Adding the Connector FQDN to the IE "Local Intranet" security zone overrides that classification and allows IWA to function.
If IWA is successful, a page is displayed with the text "Centrify Cloud Services IWA Host".
If IWA is not functioning, a page error is displayed instead.
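The following PowerShell script is an added example for this article (it is not a Centrify tool) that performs the same /iwa/ping check from a domain-joined Windows client without a browser. It assumes the connector's short hostname, IWA port and scheme are passed as parameters, and that the expected response text is the string quoted above.

```powershell
# Added example (not Centrify's own tooling): call the /iwa/ping endpoint the way a
# domain-joined client would, sending the logged-on user's Windows credentials via
# Negotiate and enforcing the same 10-second budget the portal gives the browser.
# Assumptions: host name, port and scheme are parameters; the expected body is the
# string quoted in the article above.
param(
    [Parameter(Mandatory)] [string] $ConnectorHost,   # short name, e.g. testdc01
    [int]    $Port       = 8443,                      # IWA port set in Cloud Manager
    [string] $Scheme     = 'https',                   # 'http' on pre-16.7 connectors
    [int]    $TimeoutSec = 10                         # IWA browser timeout
)

$expected = 'Centrify Cloud Services IWA Host'
$url = '{0}://{1}:{2}/iwa/ping' -f $Scheme, $ConnectorHost, $Port

# A dotted name lands in Internet Explorer's Internet zone, so a browser would not
# send IWA credentials to it unless it has been added to Local intranet.
if ($ConnectorHost -match '\.') {
    Write-Warning "$ConnectorHost is an FQDN; browsers will only use IWA for it if it is in the Local intranet zone."
}

$sw = [System.Diagnostics.Stopwatch]::StartNew()
try {
    # -UseDefaultCredentials sends the current logon (Kerberos/NTLM) instead of prompting.
    $resp = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing -TimeoutSec $TimeoutSec
    $sw.Stop()
    if ($resp.Content -match [regex]::Escape($expected)) {
        Write-Host ('IWA OK: {0} answered in {1} ms with HTTP {2}' -f $url, $sw.ElapsedMilliseconds, [int]$resp.StatusCode)
    } else {
        Write-Warning ('HTTP {0} from {1} but the body is not the IWA page: {2}' -f [int]$resp.StatusCode, $url, $resp.Content)
    }
} catch {
    $sw.Stop()
    # Works for both WebException (Windows PowerShell) and HttpResponseException (PowerShell 7).
    $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'no HTTP response' }
    Write-Warning ('IWA FAILED: {0} after {1} ms, status {2}: {3}' -f $url, $sw.ElapsedMilliseconds, $status, $_.Exception.Message)
    if ($sw.ElapsedMilliseconds -ge $TimeoutSec * 1000) {
        Write-Warning 'The request hit the IWA timeout; check DNS resolution of the short name and the connector port.'
    }
}
```

Run it as the domain user whose login is failing. Because .NET sends default credentials without consulting browser security zones, a script that passes while the browser fails points at the browser settings covered in the next section; a 401 here points at the connector or Kerberos/DNS, and a timeout at name resolution or the port. If the connector's HTTPS certificate is not trusted by the client, the request fails during the TLS handshake before any authentication takes place; fix the trust rather than bypassing certificate validation.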
Review Client Login URL
To invoke IWA on a client system, log in to either the Centrify User Portal (http://cloud.centrify.com/my) or Cloud Manager (http://cloud.centrify.com/manage) with a URL that has the query string "?customerid=" appended, followed by either the cloud tenant Customer ID (example: ABC1234) or a login suffix defined in the Cloud Manager settings. The portal should automatically append "IWA=true" to the end of the URL. If it does not, verify that IWA is enabled for the browser in use (see below).
If your organization uses a customer-specific tenant URL, replace "cloud.centrify.com" with the appropriate tenant ID or suffix name. The tenant ID is displayed in the browser URL after a successful login to either the Cloud Manager or User portal.
Enable "Enable Integrated Windows Authentication" in Internet Options > Advanced > Security (Internet Explorer)
If the login URL contains the FQDN of the Connector host (http://<connectorhostname.domain.com>), add that fully qualified hostname to the Local intranet zone
Check that "Automatic logon only in Intranet zone" is selected in Internet Options > Security > Local intranet > Custom Level > User Authentication > Logon
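The following PowerShell script is an added example (not from Centrify) that audits, and with -Fix applies, the three Internet Explorer settings above by reading the per-user registry values behind them. The connector FQDN it takes is a placeholder; the registry layout it relies on is the documented Internet Explorer one: EnableNegotiate for the Advanced setting, the Local intranet zone's 1A00 (Logon) value, and a ZoneMap\Domains entry for the host.

```powershell
# Added example (not Centrify's code): audit, and optionally repair, the three
# Internet Explorer settings described above by reading/writing the per-user
# registry values behind them. Assumptions: the connector FQDN is a parameter
# (the example value is hypothetical); value meanings are those Microsoft
# documents for IE security zones.
param(
    [Parameter(Mandatory)] [string] $ConnectorFqdn,  # e.g. cloudconnector01.corp.example.com (hypothetical)
    [switch] $Fix                                    # apply changes instead of only reporting
)

$inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zone1 = "$inet\Zones\1"          # zone 1 = Local intranet
$map   = "$inet\ZoneMap\Domains"

# 1. Advanced > Security > "Enable Integrated Windows Authentication"
$neg = (Get-ItemProperty -Path $inet -Name EnableNegotiate -ErrorAction SilentlyContinue).EnableNegotiate
if ($neg -eq 1) { Write-Host 'EnableNegotiate = 1 (Integrated Windows Authentication enabled)' }
else {
    Write-Warning "EnableNegotiate = $neg (IWA disabled); IE must be restarted after changing it"
    if ($Fix) { Set-ItemProperty -Path $inet -Name EnableNegotiate -Value 1 -Type DWord }
}

# 2. Local intranet > Custom Level > User Authentication > Logon (value 1A00)
#    0x00000 = automatic logon with current credentials, 0x10000 = prompt,
#    0x20000 = automatic logon only in Intranet zone, 0x30000 = anonymous
$logon = (Get-ItemProperty -Path $zone1 -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
if ($null -eq $logon) { Write-Host 'Intranet logon (1A00) not set explicitly; the IE default applies' }
elseif ($logon -in 0, 0x20000) { Write-Host ('Intranet logon = 0x{0:X} (automatic logon allowed)' -f $logon) }
else {
    Write-Warning ('Intranet logon = 0x{0:X}; IWA will prompt or fail' -f $logon)
    if ($Fix) { Set-ItemProperty -Path $zone1 -Name '1A00' -Value 0x20000 -Type DWord }
}

# 3. Put the connector FQDN in the Local intranet zone (ZoneMap value 1 = zone 1).
#    ZoneMap stores "host.domain.com" as Domains\domain.com\host with a DWORD
#    named after the scheme, so split the FQDN into its first label and the rest.
$label, $domain = $ConnectorFqdn -split '\.', 2
if (-not $domain) { throw "$ConnectorFqdn is not a fully qualified name" }
$hostKey = Join-Path $map "$domain\$label"
foreach ($scheme in 'http', 'https') {
    $val = (Get-ItemProperty -Path $hostKey -Name $scheme -ErrorAction SilentlyContinue).$scheme
    if ($val -eq 1) { Write-Host "$scheme://$ConnectorFqdn is in the Local intranet zone" }
    else {
        Write-Warning "$scheme://$ConnectorFqdn is NOT in the Local intranet zone (value: $val)"
        if ($Fix) {
            New-Item -Path $hostKey -Force | Out-Null
            New-ItemProperty -Path $hostKey -Name $scheme -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}
```

If the Site to Zone Assignment List group policy is in force, Internet Explorer uses the policy's ZoneMapKey instead of the per-user ZoneMap, so the third check must then be made against the policy rather than the user hive. Edge and Chrome on Windows also consult the Local intranet zone when deciding whether to send Negotiate credentials automatically, unless their own AuthServerAllowlist policy overrides it.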
If the Centrify Identity Service for Mac agent is installed, silent authentication works automatically in the Safari web browser. For more information about Centrify products on the Mac, see the Centrify Suite for Mac OS X Administrator's Guide.
Review Cloud Manager Settings for Corporate IP Range
Configuring a Corporate IP Range lets administrators specify the public IP addresses that should be treated as part of the organization's intranet. Connections made from these addresses have the following privileges:
Active Directory users can log in to the Centrify User portal or Cloud Manager with silent authentication (IWA must be enabled)
If authentication policy controls are enabled, these users can be exempted from the additional authentication requirements
There are two cloud service features that look to the Corporate IP range:
Silent authentication for Cloud Manager and Centrify user portal logins:
If the computer's address is outside the IP range you specify here, Active Directory users are prompted to enter their credentials. (This feature is not available to users with cloud accounts.)
Note: This feature uses Integrated Windows Authentication. See Configuring Connector servers in the Cloud Manager online help for more about Integrated Windows Authentication.
If you do not specify a range, all IP addresses are treated as possibly "on premise".
Multifactor login authentication:
Users logging in to the portals from computers with an address outside the IP range are prompted to provide an additional authentication factor
If you do not specify an IP range, all IP addresses are treated as "off premise" and all users, including those on your intranet, are prompted for an additional authentication factor. Note that the two features default differently when no range is configured: silent authentication is attempted for everyone, while multifactor login prompts everyone.
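The following PowerShell functions are an added example (not Centrify's code) that decide whether a client's public IP falls inside a Corporate IP Range list and report how each of the two features above will treat that client, including the different behaviour when no range is configured. The range syntaxes accepted (CIDR block, dash-separated range, single address) and all sample addresses are constructed from the RFC 5737 documentation prefixes, not taken from a real tenant.

```powershell
# Added example (not Centrify's code): decide whether a client's public IP falls inside
# a Corporate IP Range list, accepting the forms such lists usually take (CIDR blocks,
# dash-separated ranges and single addresses), and report how the two features above
# will treat that client, including the different behaviour when no range is configured.
# Assumptions: the ranges and client addresses are constructed from the RFC 5737
# documentation prefixes; IPv4 only.

function ConvertTo-UInt32 ([string] $Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()  # network byte order
    [Array]::Reverse($bytes)                                        # BitConverter is little-endian on Windows
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InCorporateRange ([string] $ClientIp, [string[]] $Ranges) {
    $c = ConvertTo-UInt32 $ClientIp
    foreach ($r in $Ranges) {
        if ($r -match '^(?<net>[\d.]+)/(?<len>\d{1,2})$') {
            $mask = [uint32]((0xFFFFFFFF -shl (32 - [int]$Matches.len)) -band 0xFFFFFFFF)
            if (($c -band $mask) -eq ((ConvertTo-UInt32 $Matches.net) -band $mask)) { return $true }
        } elseif ($r -match '^(?<lo>[\d.]+)-(?<hi>[\d.]+)$') {
            if ($c -ge (ConvertTo-UInt32 $Matches.lo) -and $c -le (ConvertTo-UInt32 $Matches.hi)) { return $true }
        } elseif ($c -eq (ConvertTo-UInt32 $r)) {
            return $true                                            # bare address
        }
    }
    return $false
}

function Get-PortalTreatment ([string] $ClientIp, [string[]] $Ranges) {
    $configured = @($Ranges).Count -gt 0
    $inside     = $configured -and (Test-InCorporateRange $ClientIp $Ranges)
    [pscustomobject]@{
        ClientIp    = $ClientIp
        InsideRange = $inside
        # Silent authentication: no range configured => everyone is possibly on premise.
        SilentAuth  = if (-not $configured -or $inside) { 'IWA attempted' } else { 'credentials prompt' }
        # Multifactor login: no range configured => everyone is off premise.
        ExtraFactor = if ($configured -and $inside) { 'may be exempt' } else { 'prompted' }
    }
}

# Constructed sample data (RFC 5737 addresses), not a real tenant's configuration.
$corpRanges = @('203.0.113.0/24', '198.51.100.10-198.51.100.20', '192.0.2.200')
foreach ($ip in '203.0.113.77', '198.51.100.15', '198.51.100.99', '192.0.2.200', '192.0.2.1') {
    Get-PortalTreatment $ip $corpRanges
}
Get-PortalTreatment '203.0.113.77' @()   # same client with no Corporate IP Range configured
```

The address to test is the public egress address the cloud service sees (the NAT or proxy address), not the client's internal LAN address; a range that lists internal RFC 1918 addresses will never match.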
For IWA to function correctly, the client browser must be able to resolve the Connector host by hostname in DNS and contact it within the IWA timeout value specified in the Cloud Manager settings. In some multi-domain environments it may be necessary to add DNS records for the Connector host in the root domain so that clients in a child domain, or clients reaching the corporate LAN via VPN, can resolve it.
Mac computers may need additional DNS search domains or server entries, added via the advanced network settings, if they cannot ping the host running the cloud connector service. To add a DNS domain or server entry:
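The following PowerShell script is an added example (not Centrify's code) that checks, from a Windows client, whether the connector's short name resolves and how long that takes relative to the IWA timeout. It tries the bare name, the name under each suffix in the client's DNS search list, and any extra domains passed in, such as a forest root domain; the names and the root domain shown are parameters and hypothetical.

```powershell
# Added example (not Centrify's code): check that the connector's short name resolves
# from this client, and how long it takes, against the IWA timeout. It tries the bare
# name (what the IWA URL uses), the name under each suffix in the client's DNS search
# list, and any extra domains you pass, such as the forest root domain the paragraph
# above mentions. Assumptions: names are parameters; 'corp.example.com' is hypothetical.
param(
    [Parameter(Mandatory)] [string] $ConnectorHost,       # short name, e.g. testdc01
    [string[]] $ExtraDomains = @(),                        # e.g. 'corp.example.com' (hypothetical root domain)
    [int]      $Port         = 8443,
    [int]      $TimeoutSec   = 10
)

$searchList = @((Get-DnsClientGlobalSetting).SuffixSearchList)
$suffixes   = @($searchList + $ExtraDomains | Where-Object { $_ } | Select-Object -Unique)
$names      = @($ConnectorHost) + @($suffixes | ForEach-Object { "$ConnectorHost.$_" })

$results = foreach ($n in $names) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $addr = (Resolve-DnsName -Name $n -Type A -ErrorAction Stop | Where-Object IPAddress).IPAddress -join ','
    } catch {
        $addr = $null                                     # NXDOMAIN or resolver failure
    }
    $sw.Stop()
    [pscustomobject]@{ Name = $n; Address = $addr; Ms = $sw.ElapsedMilliseconds }
}
$results | Format-Table -AutoSize

# The IWA URL uses the short name, so that is the one that must work.
$bare = $results | Where-Object { $_.Name -eq $ConnectorHost }
if (-not $bare.Address) {
    Write-Warning "'$ConnectorHost' does not resolve as a short name on this client; add a search suffix or a record in the root domain."
}
foreach ($r in $results) {
    if ($r.Address -and $r.Ms -gt ($TimeoutSec * 1000) / 2) {
        Write-Warning ('{0} resolved but took {1} ms, leaving little of the {2} s IWA timeout for the connection' -f $r.Name, $r.Ms, $TimeoutSec)
    }
}

# Confirm the IWA port is reachable on the first name that resolved.
$first = $results | Where-Object Address | Select-Object -First 1
if ($first) {
    $tcp = Test-NetConnection -ComputerName $first.Name -Port $Port -WarningAction SilentlyContinue
    if ($tcp.TcpTestSucceeded) { Write-Host "TCP $Port open on $($first.Name) ($($first.Address))" }
    else { Write-Warning "TCP $Port is NOT reachable on $($first.Name); check the connector service and host firewall" }
}
```

Run it from a client in the child domain or over the VPN where IWA is failing; a short name that resolves only when a root-domain suffix is supplied is the case the paragraph above describes, and the fix is a DNS record or search suffix, not a change on the connector.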
On the Mac, open System Preferences
Highlight the desired network interface (Ethernet, Wi-Fi) and choose Advanced
Select the DNS tab and add entries as needed
Review Connector Logs
If the above IWA tests fail, review the cloud connector logs located at C:\Program Files\Centrify\Cloud Management Suite\Log.txt.* for specific details about the failed login attempt. Search the connector log for the username used at login and look for any errors or exceptions logged around that time.
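The following PowerShell script is an added example (not Centrify's code) that performs that search across the current connector log and its rotated copies, showing the lines around each mention of the user and any error or exception lines logged close to them. The log directory is the one stated above; the user name, context size and proximity window are parameters, and it makes no assumption about the log's line format beyond plain text.

```powershell
# Added example (not Centrify's code): pull the lines around a failed login out of the
# connector logs, reading the current log and its rotated copies (Log.txt.*) newest
# first, then list errors or exceptions logged close to each mention of the user.
# Assumptions: log location as stated in the article; user name and proximity window
# are parameters; run on the connector host with read access to Program Files.
param(
    [Parameter(Mandatory)] [string] $User,                # account name used at login
    [string] $LogDir  = 'C:\Program Files\Centrify\Cloud Management Suite',
    [int]    $Context = 3,                                 # lines shown before/after each hit
    [int]    $Window  = 25                                 # lines around a hit that count as "near"
)

$files = Get-ChildItem -Path $LogDir -Filter 'Log.txt*' -File -ErrorAction Stop |
         Sort-Object LastWriteTime -Descending
if (-not $files) { throw "No Log.txt* files found under $LogDir" }

# 1. Every line mentioning the user, with context (escaped so a UPN's '.' is literal).
$hits = @($files | Select-String -Pattern ([regex]::Escape($User)) -Context $Context, $Context)
if (-not $hits) { Write-Warning "No lines mention '$User'; confirm the login reached this connector."; return }

foreach ($h in $hits) {
    "`n==== {0} line {1} ====" -f $h.Filename, $h.LineNumber
    $h.Context.PreContext
    '>> ' + $h.Line
    $h.Context.PostContext
}

# 2. Error/exception lines within $Window lines of any hit in the same file, deduplicated.
$errors = @($files | Select-String -Pattern 'error|exception|denied|fail')
$near = foreach ($e in $errors) {
    $close = $hits | Where-Object { $_.Filename -eq $e.Filename -and [math]::Abs($_.LineNumber - $e.LineNumber) -le $Window }
    if ($close) { $e }
}
"`n==== {0} error/exception lines within {1} lines of a login by '{2}' ====" -f @($near).Count, $Window, $User
$near | Sort-Object Filename, LineNumber -Unique |
    ForEach-Object { '{0}:{1}: {2}' -f $_.Filename, $_.LineNumber, $_.Line.Trim() }
```

Reproduce the failing login immediately before running the script so the relevant entries are in the newest file; if the connector is behind a load balancer with several connectors, repeat on each host, since only the connector that handled the request will have logged it.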