Enabling IWA in the Authentication Policy

You can configure Privileged Access Service to bypass already-configured authentication rules and default authentication profiles when IWA is configured. This option is enabled by default.

To enable IWA in the authentication policy:

  1. Log in to Admin Portal.

  2. Click Access > Policies and select the relevant policy set.

  3. Click Login Policies > Delinea Services.

  4. Click the Enable authentication policy controls drop-down and select Yes.

  5. Select a default authentication profile (in the Default Profile dropdown) for Privileged Access Service to use if IWA is not available and other authentication conditions are not met.

    See Creating Authentication Profiles for more information on authentication profiles.

  6. Enable the Allow IWA connections option (enabled by default) in the “Other Settings” area.

  7. Click Save.

Using IWA with Identity Cookie

This is an optional configuration. When you enable Integrated Windows Authentication (IWA), Privileged Access Service can write a cookie in the current browser after a successful IWA-based login. Privileged Access Service checks the browser for this cookie when the user logs in to the Admin Portal. As long as the cookie is present, the user is not prompted for multi-factor authentication.

To use IWA with identity cookie:

  1. Open the relevant Login Policy (Login Policies > Delinea Services).

  2. Enable the Set identity cookie for IWA connections option in the “Other Settings” area.

    This option tells Privileged Access Service to write a cookie in the current browser after a successful IWA-based login.

  3. Click Save.

Using IWA to Authenticate Application Access

This is an optional configuration. You can configure Privileged Access Service to use IWA to override all application-specific authentication requirements. For example, you can configure the Box application to require two authentication challenges if users are accessing the application from inside the network. However, you can tell Privileged Access Service to ignore those authentication requirements if IWA is available.

To allow IWA for applications that require authentication:

  1. Open the relevant Login Policy (Login Policies > Delinea Services).

  2. Enable the IWA connections satisfy all MFA mechanisms option.

    This option tells Privileged Access Service to allow IWA to override all application-specific authentication requirements.

  3. Click Save.