IWA Configuration
The Delinea Platform enables you to accept Integrated Windows Authentication (IWA) as sufficient authentication for Active Directory user accounts to log in to the platform. The platform uses Kerberos SSO for authentication. With IWA enabled, the browser uses the current user's Active Directory information to prove its knowledge of the password through a cryptographic exchange with the in-process web server built into the Delinea Connector.
If you have multiple connectors enabled for IWA, the platform connects to them according to the following priorities:
- Any connector using the same IP address as the user's client machine.
- If multiple connectors use the same IP address as the user's client machine, the platform chooses one of them randomly. Multiple machines inside your network may appear as the same IP address externally.
- If no connector uses the same IP address as the user's client machine, the platform chooses the best subnet match.
- If none of the previous scenarios apply, the platform chooses a connector randomly.
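As an added illustration (not Delinea's code), the following PowerShell models the selection priorities listed above; it assumes that "best subnet match" means the longest common address prefix, and the connector names and addresses are constructed sample data.

```powershell
# Added example (not Delinea code): a model of the connector-selection priorities above.
# Assumption: "best subnet match" is the connector whose IPv4 address shares the longest
# leading bit prefix with the client's externally visible address.
function ConvertTo-AddressBits {
    param([string]$Address)
    $v = [uint64]0
    foreach ($b in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) {
        $v = ($v -shl 8) -bor [uint64]$b
    }
    return $v
}
function Get-CommonPrefixLength {
    param([string]$A, [string]$B)
    $x = (ConvertTo-AddressBits $A) -bxor (ConvertTo-AddressBits $B)
    $len = 0
    for ($bit = 31; $bit -ge 0; $bit--) {
        if ((($x -shr $bit) -band [uint64]1) -ne 0) { break }   # first differing bit
        $len++
    }
    return $len
}
function Select-IwaConnector {
    param([string]$ClientIp, [hashtable[]]$Connectors)   # each: @{ Name = ...; Ip = ... }
    if ($Connectors.Count -eq 0) { return $null }
    # Priorities 1 and 2: connectors seen behind the same address as the client;
    # several of them (NAT) means a random pick among those.
    $same = @($Connectors | Where-Object { $_.Ip -eq $ClientIp })
    if ($same.Count -gt 0) { return ($same | Get-Random) }
    # Priority 4 is the fallback when no connector address is known; it is checked
    # here first so that priority 3 always has addresses to compare.
    $known = @($Connectors | Where-Object { $_.Ip })
    if ($known.Count -eq 0) { return ($Connectors | Get-Random) }
    # Priority 3: best subnet match, modelled as the longest common prefix (assumption).
    return $known | Sort-Object { Get-CommonPrefixLength $ClientIp $_.Ip } -Descending |
        Select-Object -First 1
}
# Constructed sample: two connectors NATed behind one address and one in another range.
$connectors = @(
    @{ Name = 'conn-hq-1'; Ip = '203.0.113.10' },
    @{ Name = 'conn-hq-2'; Ip = '203.0.113.10' },
    @{ Name = 'conn-dr';   Ip = '198.51.100.7' }
)
(Select-IwaConnector -ClientIp '203.0.113.10' -Connectors $connectors).Name
(Select-IwaConnector -ClientIp '203.0.113.77' -Connectors $connectors).Name
```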
Prerequisites
Before you start configuring IWA on the platform, make sure that:
- Your company has at least one Delinea Connector with the web server enabled.
- That connector is joined to Active Directory in the forest to which users authenticate.
Enabling IWA Service on the Delinea Connector
IWA is disabled by default when you install the Delinea Connector. To enable IWA, you must provide the connector with a host certificate whose public certificate will also be present on the endpoints.
To configure IWA and import the certificate:
- Click Settings from the left navigation, then click Connectors.
- Select the relevant connector or add a new one.
- Select the IWA service tab, then click Edit.
  You can modify the following settings:
  - Enable web server: The default value is Enabled. This setting supports IWA and Office clients. If you disable the web server, you cannot change the DNS Hostname, HTTP Port Number, and HTTPS Port Number values.
  - DNS Hostname: The default is the name of the connector's host computer. You can enter a DNS short name here or the fully qualified domain name in the IE local intranet zone.
  - IWA Detection Timeout: The length of time IWA waits for a response from the connector. Default: 10 seconds.
  - HTTPS Port Number: The default port is 8443, which is the standard port. If you change the port number to a non-standard number, Firefox and Chrome may require additional configuration, because these browsers block some non-standard ports. Do not change the port number unless you understand the implications.
  - Connector Host Certificate: To activate IWA, you must provide a .pfx or .p12 certificate that is either trusted or self-signed. We strongly advise that the certificate be trusted by a Certificate Authority (CA). After you upload the certificate, you can download the public key certificate if needed.
- Click Save.
- Click Settings > Corporate IP Range.
- Click Create IP Range to enter your corporate IP range. IWA will not work for users whose computers are outside the defined corporate IP range.
- Click Add.
- Reboot your Delinea Connector if you have uploaded a certificate.
Obtaining a Delinea Connector IWA Host Certificate
To activate IWA, you must provide a trusted certificate issued by a Certificate Authority, or a self-signed .pfx or .p12 certificate. After you upload the certificate, you can download the public key certificate when needed. You can obtain an IWA Connector Host Certificate using any of the following processes:
- (Private Preview customers only) Request the Delinea Platform to generate a certificate for you. See Using an Automatically Generated Delinea Connector IWA Host Certificate.
- Obtain a certificate from a trusted external certificate authority (CA) such as Symantec or GoDaddy. See Importing a Certificate.
- Generate your own certificate using an internal CA. This would not require trusting it on each endpoint, presuming you have other mechanisms in place to ensure that those endpoints trust their CA. As such, this may be as good as, or better than (depending on the company infrastructure), a trusted external CA.
- Generate a self-signed certificate, which would require trusting it on each endpoint it is used on (or through other policy/management infrastructure). See Generating a Self-Signed Delinea Connector IWA Host Certificate.
Using an Automatically Generated Delinea Connector IWA Host Certificate
This feature is currently available only to customers participating in a private preview. If you would like to be among the first to try this feature, ask our support or account team for details.
- Click Settings from the left navigation, then click Connectors.
- Click the name of the machine where Delinea Connector is installed.
- Select the IWA service tab, then click Edit.
- In DNS hostname, enter the FQDN of the Connector machine.
- In IWA detection timeout, accept the default value or provide your desired value.
- In the HTTPS port number field, enter 8443. For MFA on PCS, endpoints that need to do MFA must be able to contact the Connector on 8443 and 8080.
- Next to Connector host certificate, click Generate certificate.
- Click +Generate certificate.
  Wait for the platform to generate the certificate. A message like "Certificate successfully generated" appears, with the certificate details such as thumbprint, valid dates, and more.
- In Web Server, click Enabled.
- Click Save.
Importing a Certificate
If you are using internal or third-party CAs, you need to import those certificates to the platform. You can import wildcard certificates.
To import a certificate to the platform:
- From the left navigation menu, click Settings, then click Connectors.
- Click the name of the machine where Delinea Connector is installed.
- Select the IWA Service tab.
- Click Edit.
- Confirm that the Enabled box next to Web Server is selected.
- In Connector host certificate, click Upload certificate to import an internal or third-party certificate. You can upload the same certificate to all Delinea Connectors in the same domain; if you do, make sure you upload it to every IWA-configured connector. Ensure that the subject of the certificate explicitly matches the hostname of the connector, or matches it by using a wildcard in the subject.
- Click Select file.
- Browse to and select the host certificate file (.pfx or .p12 formats are supported).
- Click Open.
- Enter the password that protects the certificate file (the one you set when exporting it, for example when running the PowerShell script to generate a self-signed certificate).
- Click Save.
- You must restart the Delinea Connector after importing the certificate.
Certificate Metadata:
- Thumbprint: A unique cryptographic hash value that identifies the certificate's content.
- Not valid before and after: The validity period specifies when the certificate becomes active ("Not valid before") and when it expires ("Not valid after").
- Issuer: The entity that issues the digital certificate, providing assurance about the accuracy of the subject's information.
- Subject: Identifies the entity to which the certificate is issued, including details such as common name, organization, and location.
- Public key certificate: After uploading the certificate, you can download the public key certificate for distribution to your endpoints if necessary.
Generating a Self-Signed Delinea Connector IWA Host Certificate
- Run the script below as an administrator on the server running the Delinea Connector.
- Change the file path to the desired location.
- Copy and save the password.

```powershell
# Run in an elevated PowerShell session on the Delinea Connector host.
$domain_name = $env:userdnsdomain;                   # AD DNS domain of the logged-on user
$dns_name = $env:computername + '.' + $domain_name;  # connector FQDN, used as the certificate DNS name
$date_now = Get-Date;
$extended_date = $date_now.AddYears(3);              # three-year validity
$user = $env:userprofile;
# Create the certificate in the machine store and display it.
$mycert = New-SelfSignedCertificate -DnsName $dns_name -CertStoreLocation cert:/LocalMachine/My -NotAfter $extended_date; $mycert
# Prompt for the export password; you will need it when uploading the .pfx to the platform.
$pass = Read-Host 'What is your password?' -AsSecureString;
# Change the file path to the desired location.
Export-PfxCertificate -Cert $mycert -FilePath "$user\Desktop\cert-selfsigned.pfx" -Password $pass
```
- Click Settings from the left navigation, then click Connectors.
- Click the name of the machine where Delinea Connector is installed.
- Select the IWA service tab, then click Edit.
- In DNS hostname, enter the FQDN of the Connector machine.
- In IWA detection timeout, accept the default value or provide your desired value.
- In the HTTPS port number field, enter 8443. For MFA on PCS, endpoints that need to do MFA must be able to contact the Connector on 8443 and 8080.
- In Connector host certificate, click Upload certificate.
- Click Select file.
- Browse to and select the host certificate file (.pfx or .p12 formats are supported).
- Click Open.
- Enter the password you used when running the PowerShell script to generate the certificate.
- Click Save.
- Click Edit again.
- Next to Web Server, select Enabled.
- Click Save.
- You must restart the Delinea Connector after importing the certificate.
If you want to issue the certificate from an internal Microsoft CA instead, see Create Delinea Connector Certificate from Internal MS CA.
Downloading the Delinea Connector IWA Host Certificate
- If you are not already on the connector detail page, click Settings from the left navigation, click Connectors, and then click the name of the machine where Delinea Connector is installed.
- Click the IWA service tab.
- In Public key certificate, click Download root certificate to download the Connector host certificate.
- Click the Agent proxy tab and verify that the agent is enabled on the proxy server.
Distributing the Delinea Connector IWA Host Certificate for Agent Installation
- On the host server, open Group Policy Management (Start > Run > gpmc.msc).
- Refer to the example screenshot to perform the tasks below it:
  - Expand the forest (for example, delinea-se.lab).
  - Expand the domain (for example, delinea-se.lab).
  - Right-click Group Policy Objects, and select New.
  - In the New GPO dialog, enter a name.
  - Click OK.
  - Right-click the name of the GPO you just created, and select Edit.
- On the host machine, open the Group Policy Management Editor.
- Select Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
- Right-click Trusted Root Certification Authorities and select Import.
  The Certificate Import Wizard opens at its Welcome screen.
- Click Next.
- For File to Import, click Browse.
- Click the filename of the host certificate you downloaded earlier.
- Click Open.
- Click Next.
- Be sure that you see Trusted Root Certification Authorities in Certificate Store Selected by User.
- Click Next.
- Click Finish.
- Wait for the Certificate Import Wizard confirmation to appear.
- Click OK.
- Close the Group Policy Management Editor.
- In Group Policy Management, right-click your domain.
- Select Link an Existing GPO...
- Select the IWA Host Certificate GPO you created.
- Click OK.
Verifying IWA Over HTTPS
You can test the validity of the Delinea Connector host certificate as follows:
- Open a web browser on an endpoint machine.
- Navigate to the following address:
  https://<connector_hostname>:<https_port>/iwa/sitecheck
- Replace <connector_hostname> and <https_port> with the corresponding values. For example:
  https://2019WindowsServer:8443/iwa/sitecheck
- Look in the browser navigation bar for an indication that the connection is secure. This appears differently depending on your browser. In some browsers, a green padlock icon appears. In other browsers, a different icon appears in this location, which you can click to get the security status.
If the browser indicates that the connection is secure, and the page opens and shows "result":"success" followed by the token, IWA is verified: the IWA service on the Delinea Connector and the Identity Policy setting allowing the use of IWA are both enabled and working.
Troubleshooting:
- If the page does not open, the IWA service on the Delinea Connector might be disabled. To enable it, use the IWA Settings tab on the Connector page. Also check the IWA Settings tab on the Identity Policy page to be sure IWA is enabled.
- If the page opens but shows a result that is not "success", the Identity Policy setting for the use of IWA connections might be disabled. To enable it, use the IWA Settings tab on the Identity Policy page.
- If the page opens with an SSL or security error, the Connector certificate might not be fully configured. Make sure the certificate has been imported to the Trusted Root Certification Authorities, as described in Distributing the Delinea Connector IWA Host Certificate for Agent Installation.
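The same check can be scripted from an endpoint. This added PowerShell example is not part of Delinea's documentation or product; it assumes Windows PowerShell on a domain-joined endpoint, and the hostname 2019WindowsServer is the page's sample value.

```powershell
# Added example (not Delinea code): an unattended form of the browser check above.
# It inspects the host certificate the connector presents (name match incl. wildcard,
# validity window, chain trust on this endpoint) and then calls /iwa/sitecheck.
function Test-IwaConnector {
    param([string]$ConnectorHost, [int]$HttpsPort = 8443)
    $report = [ordered]@{ Host = "${ConnectorHost}:$HttpsPort" }
    $tcp = New-Object System.Net.Sockets.TcpClient($ConnectorHost, $HttpsPort)
    try {
        # Accept any certificate during the handshake; it is evaluated explicitly below.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ConnectorHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # Names the certificate is valid for: subject CN plus any DNS SANs (Windows formatting).
        $names = @($cert.GetNameInfo('SimpleName', $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) { $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1] }) }
        # Exact match, or a wildcard that covers exactly one label (like *.example.lab).
        $report.NameMatches = [bool]($names | Where-Object {
            $ConnectorHost -like $_ -and ($ConnectorHost -split '\.').Count -eq ($_ -split '\.').Count })
        $now = Get-Date
        $report.InValidityWindow = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        $report.ChainTrusted = $cert.Verify()   # false until the root is in this machine's Trusted Root store
        $report.Thumbprint = $cert.Thumbprint
        $ssl.Dispose()
    } finally { $tcp.Dispose() }
    # The same request the browser makes; the logged-on user's Negotiate (Kerberos) credentials are sent.
    $url = "https://${ConnectorHost}:$HttpsPort/iwa/sitecheck"
    try {
        $body = Invoke-RestMethod -Uri $url -UseDefaultCredentials -ErrorAction Stop
        $report.SiteCheck = $body.result      # 'success' when the IWA service and the policy allow IWA
    } catch {
        $report.SiteCheck = "error: $($_.Exception.Message)"   # SSL/security error or service disabled
    }
    return [pscustomobject]$report
}
# Example run against the connector named in the page's sample URL.
Test-IwaConnector -ConnectorHost '2019WindowsServer' -HttpsPort 8443
```

Each property of the returned object maps to one troubleshooting case above: a false ChainTrusted corresponds to the SSL error case, and a SiteCheck other than success to the policy case.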
Allowing IWA Connections for Users in the Default Policy
You can configure the platform to bypass already configured authentication rules and default authentication profiles when IWA is configured.
- Click Access from the left navigation, then select Identity Policies.
- Click to open the Default Policy.
- Select the Authentication tab.
- Scroll to Other Settings. Confirm that all three options for IWA connections are selected. If not, click Edit and set them:
  - Allow IWA connections: Required. Configures the platform to bypass already-configured authentication rules and default authentication profiles when IWA is configured.
  - Set Identity Cookie for IWA Connections: Optional. When you enable IWA, the platform can write a cookie in the current browser after a successful IWA-based login. The platform checks the browser for this cookie when the user logs in to the platform. As long as the cookie is there, the user is not prompted for multi-factor authentication.
  - IWA Connections satisfy all MFA mechanisms: Optional. This option tells the platform to allow IWA to override all application-specific authentication requirements.
- Click Save.
Using IWA With Identity Cookie
This is an optional configuration. When you enable Integrated Windows Authentication (IWA), the platform can write a cookie in the current browser after a successful IWA-based login. The platform checks the browser for this cookie when the user logs in to the Admin Portal. As long as the cookie is there, the user is not prompted for multi-factor authentication.
To use IWA with identity cookie:
- Click Access from the left navigation, then select Identity Policies.
- Click an identity policy to open it.
- Select the Authentication tab.
- Scroll down to Other Settings and select the Set identity cookie for IWA connections checkbox. This option tells the platform to write a cookie in the current browser after a successful IWA-based login.
- Click Save.
Using IWA to Authenticate Application Access
This is an optional configuration. You can configure the platform to use IWA to override all application-specific authentication requirements. For example, you can configure the Box application to require two authentication challenges if users are accessing the application from inside the network. However, you can tell the platform to ignore those authentication requirements if IWA is available.
To allow IWA for applications that require authentication:
- Click Access from the left navigation, then select Identity Policies.
- Click an identity policy to open it.
- Select the Authentication tab.
- Scroll down to Other Settings and select the IWA connections satisfy all MFA mechanisms checkbox. With this option, the platform allows IWA to override all application-specific authentication requirements.
- Click Save.
Disabling IWA
IWA is not required for manual authentication using the platform. If you cannot use IWA on the corporate network, you can disable it.
To disable Integrated Windows Authentication:
- Click Settings from the left navigation, then select Connectors.
- Click the name of the machine where Delinea Connector is installed.
- Select the IWA Service tab and click Edit.
- In Web Server, deselect the Enabled checkbox.
- Click OK.