Setting Integrated Windows Authentication (IWA)

By Vino on ‎01-20-2016 10:11 AM - last edited ‎12-13-2018 11:02 AM

The Centrify Identity Platform lets you accept an Integrated Windows Authentication (IWA) connection as sufficient authentication for users with Active Directory accounts when they log in to the Centrify Admin Portal or the Centrify User Portal.

Note: Integrated Windows Authentication is not available for Centrify Directory users, only Active Directory users.

For Integrated Windows Authentication to work:

1. Install a Centrify Connector inside your network.

2. Download the Centrify IWA root CA certificate.

(Screenshot: download IWA root certificate.png)

Make sure you select the link "Download your IWA root CA certificate" and not the Download button above the link.

3. Install the IWA root CA certificate on the endpoint as a Trusted Root Certificate Authority. You can 

4. Log into the Centrify portal with your custom login URL or default tenant URL:

Replace "yourcompany" with your custom name or default tenant ID. 

Troubleshooting

Verify that the IWA root certificate is installed on the endpoint
1. Open a web browser on the endpoint machine.
2. Navigate to the following address: https://<YourConnectorHostname>:<TheHttpsPortConfigured>/iwa/ping
Note: Replace <YourConnectorHostname> and <TheHttpsPortConfigured> with the corresponding values. For example: https://2008WindowsServer:8443/iwa/ping
3. Look for the browser's green (trusted) certificate indicator rather than a red certificate error box.

4. Make sure you deployed the IWA root CA certificate and not the Connector Host Certificate.

(Screenshot: rootCAcertificate.png)

Verify policies are enabled to allow IWA
IWA is enabled by default, but check to make sure the setting has not been disabled.
1. In the Admin Portal, go to Core Services > Policies and select the policy set.
2. Expand Login Policies, and select Centrify Services.
3. In the right pane scroll down to Other Settings.
4. Make sure Allow IWA connections (bypasses login authentication rules and default profile) and Set Identity Cookie for IWA connections are both enabled. If you do not set this option, the cookie is not written in the browser after a successful IWA-based login.
5. Click Save.

Verify the IWA service is enabled in your Centrify Connector Configuration

The IWA service is enabled by default, but check to make sure the setting has not been disabled.

1. In the Admin Portal, go to Settings > Network > Centrify Connectors.

2. Double-click on your Connector and go to IWA Service and make sure Enable Web Server is checked.

(Screenshot: IWA-Connector.png)

Make sure the browser is configured to allow IWA

https://docs.centrify.com/Content/CoreServices/Authenticate/SilentAuthBrowsers.htm?_ga=2.153333560.1...

Make sure there are no other web servers on the Centrify Connector system

Even when there is no port conflict because the other web server uses a different port than the connector, certificate validation can still fail.
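The checks above are done by hand in a browser or in the Admin Portal. The script below is an added example written for this article, not Centrify's own tooling, that runs the endpoint-side and connector-side checks from PowerShell: whether a self-signed root CA (and not the connector host certificate) is in the Trusted Root store, whether the TLS chain on the /iwa/ping port validates the way the browser would, which processes are listening on the connector, and which account the connector service logs on as (the point raised in the comment at the end of this article). The hostname and port default to the page's example (2008WindowsServer:8443); the root CA subject pattern and the service display-name wildcard are assumptions you must adjust, since neither value appears in this article.

```powershell
# Added example, not Centrify's code: scripted versions of the manual IWA checks above.
# Assumed values (adjust for your environment):
#   $ConnectorHost / $HttpsPort     connector hostname and IWA HTTPS port (page example: 2008WindowsServer:8443)
#   $RootCaSubjectPattern           substring of the IWA root CA's Subject (the real name is not given in this article)
#   $ConnectorServiceDisplayName    wildcard for the connector service's display name in services.msc (assumed)
param(
    [string]$ConnectorHost = '2008WindowsServer',
    [int]$HttpsPort = 8443,
    [string]$RootCaSubjectPattern = 'Centrify',
    [string]$ConnectorServiceDisplayName = '*Centrify Connector*'
)

# Check 1 (endpoint): is a matching SELF-SIGNED certificate in Trusted Root?
# A root CA has Subject == Issuer; the connector host certificate does not, so this
# also catches the "deployed the host certificate instead of the root CA" mistake.
function Test-IwaRootCaInstalled {
    param([string]$SubjectPattern)
    $found = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem $store | Where-Object {
            $_.Subject -like "*$SubjectPattern*" -and $_.Subject -eq $_.Issuer
        }
    }
    if ($found) {
        $found | ForEach-Object { Write-Host "Root CA present: $($_.Subject) thumbprint $($_.Thumbprint)" }
        return $true
    }
    Write-Warning "No self-signed certificate matching '*$SubjectPattern*' in Trusted Root (LocalMachine or CurrentUser)"
    return $false
}

# Check 2 (endpoint): does the IWA HTTPS listener present a chain the OS trusts for this hostname?
# SslStream's default validation is the same chain + name check the browser performs, independent
# of whatever HTTP status /iwa/ping returns, so a failure here is the browser's red error box.
function Test-IwaTlsChain {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)   # throws on an untrusted chain or a name mismatch
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Write-Host "TLS OK on ${HostName}:${Port}: '$($cert.Subject)' issued by '$($cert.Issuer)'"
        $ssl.Dispose()
        return $true
    } catch {
        Write-Warning "TLS validation failed for https://${HostName}:${Port}/iwa/ping : $($_.Exception.Message)"
        return $false
    } finally {
        $client.Dispose()
    }
}

# Check 3 (run ON the connector host): every listening TCP port with its owning process,
# so a second web server is visible even when it uses a different port than the connector.
function Get-ListeningProcesses {
    Get-NetTCPConnection -State Listen | Sort-Object LocalPort -Unique | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; Process = $proc.ProcessName; PID = $_.OwningProcess }
    }
}

# Check 4 (run ON the connector host): which account the connector service logs on as.
# Win32_Service reports the Local System account as 'LocalSystem'.
function Test-ConnectorServiceLogon {
    param([string]$DisplayNamePattern)
    $services = Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like $DisplayNamePattern }
    if (-not $services) { Write-Warning "No service matching '$DisplayNamePattern' found"; return $false }
    $ok = $true
    foreach ($svc in $services) {
        Write-Host "$($svc.DisplayName): state=$($svc.State) logon=$($svc.StartName)"
        if ($svc.StartName -ne 'LocalSystem') {
            Write-Warning "  '$($svc.DisplayName)' runs as '$($svc.StartName)', not Local System"
            $ok = $false
        }
    }
    return $ok
}

# Endpoint-side checks always run; checks 3 and 4 only make sense on the connector itself.
$results = [ordered]@{
    'Root CA in Trusted Root' = Test-IwaRootCaInstalled -SubjectPattern $RootCaSubjectPattern
    'TLS chain on /iwa/ping'  = Test-IwaTlsChain -HostName $ConnectorHost -Port $HttpsPort
}
if ($env:COMPUTERNAME -ieq $ConnectorHost) {
    Get-ListeningProcesses | Format-Table -AutoSize
    $results['Connector service logon'] = Test-ConnectorServiceLogon -DisplayNamePattern $ConnectorServiceDisplayName
}
$results.GetEnumerator() | ForEach-Object { Write-Host ("{0,-26} {1}" -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })) }
```

Run it once on an affected endpoint (checks 1 and 2) and once on the connector host (all four). A FAIL on check 1 with a PASS on check 2 usually means a different trust path was used (for example the host certificate imported directly), which matches the warning in step 4 above; a FAIL on check 2 with a PASS on check 1 points at a hostname mismatch or at another web server on the connector interfering with the chain the listener presents.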

Comments
By Ben_APD
on ‎01-31-2018 10:55 AM

After trying all of the above steps, Centrify Support (Thanks Andrea D.) figured out that our issue was with the Centrify Connector service properties (services.msc) which was set to log in as our domain service account and not Local System account. After the change was made, IWA SSO worked perfectly.
