Configuring IWA Single Sign On for multiple Windows domains with WSO2 Identity Server

Integrated Windows Authentication (IWA) is a popular authentication mechanism that is used to authenticate users against Microsoft Windows servers. WSO2 Identity Server provides support for IWA from version 4.0.0 onward. This article gives a detailed guide to setting up IWA authentication for an environment with multiple Windows domains using WSO2 Identity Server 5.2.0.

Let’s assume you have the WSO2 Identity Server on wso2.com domain and you have a user from abc.com domain.

First, you need to add a DNS host entry in the Active Directory (AD) to map the IP address of the WSO2 Identity Server to a hostname. You can follow the steps here.

When adding the DNS entry, generally only the first part of the hostname is given; the AD appends the rest using its own AD domain. For example, if the AD domain is wso2.com and you add a DNS host entry named idp, the final result will be similar to the following:

idp.wso2.com

Then open the carbon.xml file found in the <IS_HOME>/repository/conf folder and set the hostname in the HostName and MgtHostName tags.

<HostName>idp.wso2.com</HostName>
<MgtHostName>idp.wso2.com</MgtHostName>

Configuring the Service Provider

Then start the server and configure the Travelocity app as a service provider. You can find the configuration steps from here.

Then you need to configure IWA as the local authentication.

  • Expand the Local & Outbound Authentication Configuration section and do the following.
  • Select Local Authentication.
  • Select IWA from the drop-down list under Local Authentication.

  • Click update once you have done all the configurations.

Now you need to configure domain trust between the two domains in order to make this work.

Configuring domain trust between two domains

You need to configure an external trust between the wso2.com and abc.com domains in order to make the NTLM token exchange work properly. You need to do the following steps.

First, you need to add the IP address of the wso2.com domain controller as the preferred DNS server in the abc.com domain, and vice versa.

  • Right-click the Start menu and select Network Connections.

  • Right-click the network connection you’re using and select Properties.

  • Highlight ‘Internet Protocol Version 4 (TCP/IPv4)’ and click Properties.

  • Select Use the following DNS server addresses and type the appropriate IP address in the Preferred DNS server.

  • Click OK, then Close, then Close again. Finally, close the Network Connections window.

Now you can configure the external trust between wso2.com and abc.com. To do so, create a one-way, outgoing, external trust for both sides of the trust as described below.

Create a One-Way, Outgoing, External Trust for Both Sides of the Trust

  1. Open Active Directory Domains and Trusts from the wso2.com Server Manager.
  2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.
  3. On the Trusts tab, click New Trust, and then click Next.
  4. On the Trust Name page, type the NetBIOS name of the domain, and then click Next. (You can find the NetBIOS name here.)
  5. On the Trust Type page, click External trust, and then click Next.
  6. On the Direction of Trust page, click One-way: outgoing, and then click Next. (For more information about the selections that are available on the Direction of Trust page, see “Direction of Trust” here.)
  7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. (For more information about the selections that are available on the Sides of Trust page, see “Sides of Trust” here.)
  8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain.
  9. On the Outgoing Trust Authentication Level–Local Domain page, click Domain-wide authentication, and then click Next.
  10. On the Trust Selections Complete page, review the results, and then click Next.
  11. On the Trust Creation Complete page, review the results, and then click Next.
  12. On the Confirm Outgoing Trust page, do one of the following:
    1. If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
    2. If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
  13. On the Completing the New Trust Wizard page, click Finish.

Once you have completed the above steps successfully, you should see that the abc.com domain has been added to the outgoing trusts. wso2.com will also be added automatically as an incoming trust in the abc.com Active Directory Domains and Trusts configuration.

Now you are almost done with the configuration. In order to log into your app (e.g. Travelocity) as a user in the abc.com domain, you need to add the hostname of the Identity Server to the hosts file on the client machine as below.

  • Open Notepad as an Administrator. From Notepad, open the following file:
    C:\Windows\System32\drivers\etc\hosts
  • Add the new host entry, e.g.:
    192.168.57.45      idp.wso2.com
  • Click File > Save to save your changes.

Also, make sure to configure the following browser settings before accessing your app.

Internet Explorer

  • Go to “Tools → Internet Options” and, in the “Security” tab, select Local intranet.

  • Click the Sites button. Then add the URL of the WSO2 Identity Server there.

Firefox

  • Type “about:config” in the address bar and accept the warning to continue; this displays the advanced settings of Firefox.
  • In the search bar, search for the key “network.negotiate-auth.trusted-uris” and add the WSO2 Identity Server URL there:
    https://idp.wso2.com

Now you should be able to log into Travelocity using IWA as a user in abc.com domain.
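Before trying the login, it helps to confirm that the pieces configured above actually fit together. The following PowerShell script is added to this article as an example (it is not part of WSO2 Identity Server or of the original guide) and checks name resolution for idp.wso2.com, the abc.com trust object and the browser zone settings from the client side. It assumes the article's hostnames and domains and that the ActiveDirectory RSAT module is available for the trust check.

```powershell
# Added verification script for this article's setup; it is not part of WSO2 Identity
# Server or of the original article. Assumptions: Identity Server host idp.wso2.com,
# IS domain wso2.com, user domain abc.com (all from the article). Run it on the
# domain-joined Windows client; the trust check needs the ActiveDirectory RSAT module
# and is skipped when the module is absent.

$IsHost     = 'idp.wso2.com'
$TrustedDom = 'abc.com'

# 1. Name resolution. A hosts entry overrides DNS, so a stale entry silently breaks
#    SSO once the server's IP changes; show both the hosts line and the resolved address.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsLine = Select-String -Path $hostsPath -Pattern ("^\s*\d+\.\d+\.\d+\.\d+\s+" + [regex]::Escape($IsHost) + "\b")
if ($hostsLine) { Write-Host "hosts file: $($hostsLine.Line.Trim())" }
else            { Write-Host "hosts file: no entry for $IsHost" }
try {
    $addr = (Resolve-DnsName -Name $IsHost -Type A -ErrorAction Stop).IPAddress -join ', '
    Write-Host "$IsHost resolves to $addr"
} catch {
    Write-Warning "$IsHost does not resolve: $($_.Exception.Message)"
}

# 2. Trust object. The article creates a one-way outgoing external trust, so from the
#    wso2.com side Direction should be Outbound and ForestTransitive should be False.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $trust = Get-ADTrust -Filter "Name -eq '$TrustedDom'" -ErrorAction SilentlyContinue
    if ($trust) {
        Write-Host ("trust to {0}: Direction={1} ForestTransitive={2}" -f `
            $trust.Name, $trust.Direction, $trust.ForestTransitive)
    } else {
        Write-Warning "no trust object named $TrustedDom in this domain"
    }
} else {
    Write-Host 'ActiveDirectory module not available; skipping trust check'
}

# 3. Browser zone settings. Internet Explorer stores Sites added to Local intranet
#    (zone 1) under ZoneMap\Domains\<domain>\<host> as a DWORD named after the scheme.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\wso2.com\idp'
$zone = (Get-ItemProperty -Path $zoneKey -Name https -ErrorAction SilentlyContinue).https
if ($zone -eq 1) { Write-Host "IE: https://$IsHost is in the Local intranet zone" }
else             { Write-Warning "IE: https://$IsHost is not in Local intranet; IWA will prompt or fail" }

# Firefox writes about:config changes to prefs.js in the profile (on browser exit).
Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue |
    Select-String -Pattern 'network\.negotiate-auth\.trusted-uris' |
    ForEach-Object { Write-Host "Firefox: $($_.Line.Trim())" }
```

Run the trust section on a wso2.com domain controller or any machine with RSAT; the other checks are meaningful only on the client that will perform the IWA login.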

You can find the latest release of WSO2 Identity Server here and read more in the following references.

References

  1. http://wso2.com/library/articles/2013/04/integrated-windows-authentication-wso2-identity-server
  2. https://docs.wso2.com/display/IS520/Configuring+Single+Sign-On
  3. https://docs.wso2.com/display/IS520/Configuring+IWA+Single-Sign-On
  4. https://docs.wso2.com/display/IS520/Integrated+Windows+Authentication
  5. https://technet.microsoft.com/en-us/library/cc794775(v=ws.10).aspx
  6. https://technet.microsoft.com/en-us/library/cc816837(v=ws.10).aspx
  7. https://technet.microsoft.com/en-us/library/cc794894(v=ws.10).aspx
  8. https://technet.microsoft.com/en-us/library/cc794933(v=ws.10).aspx
  9. https://en.wikipedia.org/wiki/Integrated_Windows_Authentication
  10. https://support.opendns.com/hc/en-us/articles/228007207-Windows-10-Configuration-Instructions