Configuring Integrated Windows Authentication

Steps

  1. Go to Configure > My Proxy > Basic > General. In the Authentication section, click Integrated Windows Authentication On, and click Apply.
  2. Configure the Global authentication options.
  3. Join the Windows domain. To join the domain:
    • Content Gateway must be able to resolve the domain name.
    • Content Gateway system time must be synchronized with the domain controller’s time, plus or minus 1 minute.
    • The correct domain Administrator name and password must be specified.
    • There must be TCP/UDP connectivity to the domain controller(s) (ports 88, 389, 445).
    • If backup domain controllers are configured, they and their Kerberos Distribution Center (KDC) services must be reachable by Content Gateway on the network.
    1. In the Domain Name field, enter the fully qualified domain name.
    2. In the Administrator Name field enter the Windows Administrator user name.
    3. In the Administrator Password field enter the Windows Administrator password.

      The name and password are used only during the join and are not stored.

    4. Select how to locate the domain controller:
      • Auto-detect using DNS
      • DC name or IP address

        If the domain controller is specified by name or IP address, you can also specify backup domain controllers in a comma separated list, no spaces.

    5. In the Content Gateway Hostname field, confirm that the hostname is the correct hostname and that it is no more than 15 characters (no more than 11 characters on appliances). If it is longer, it must be shortened if IWA is to be used. The length restriction results from the 15 character limit on NetBIOS hostnames.
      Warning: Do not change the hostname after the domain is joined. If the hostname is changed, IWA immediately stops working and will not work again until the domain is unjoined and then re-joined with the new hostname.
    6. Click Join Domain. If there is an error, ensure that the conditions outlined above are met and then see Failure to join the domain.
      Important:

      All clients subject to authentication must be joined to the domain.

      Browsers and other proxy clients must be configured to specify the FQDN of Content Gateway as an intranet site or trusted site.

    7. Restart Content Gateway and run some test traffic through the proxy to verify that authentication is working as expected. If there is a problem, see Troubleshooting Integrated Windows Authentication.