PingAccess

IWA Integration

Integrated Windows Authentication (IWA) is a process that lets users authenticate with Windows credentials using either the Kerberos or (legacy) NTLM protocol.

Unlike session-based authentication, IWA relies on authenticating client-server connections, which are then given access to protected content. PingAccess handles these connections differently, but the configuration process for applications protected by Kerberos or NTLM in the PingAccess admin console is the same as usual.

This document describes IWA connection handling in PingAccess and is meant to help administrators avoid common configuration mistakes.

  • For IWA to work, every node in the network architecture must support bound connections, including load balancers, gateways, and proxies.

    If a network component in front of PingAccess improperly reuses an authenticated connection, PingAccess might break the connection to prevent session stealing.

  • The AWS ELB doesn’t support IWA.

  • PingFederate no longer supports NTLM. However, PingAccess treats NTLM connections the same as Kerberos connections.
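The following constructed Python model is an added illustration, not part of the PingAccess documentation, of why the bullets above require bound connections at every hop: an IWA server binds the identity to the connection, so an intermediary that pools backend connections across clients hands one client's authenticated connection to another. The `Negotiate` challenge mirrors real IWA; the token check is a constructed stand-in, not Kerberos validation.

```python
"""Constructed model of connection-bound authentication (IWA) behind a proxy."""
from itertools import count


class IwaServer:
    """Backend that binds a principal to the inbound connection, as IWA does."""

    def __init__(self):
        self.bound = {}  # backend connection id -> authenticated principal

    def handle(self, conn_id, authorization=None):
        if conn_id in self.bound:  # connection already authenticated: trusted
            return 200, self.bound[conn_id]
        if authorization is None:  # first request: challenge the client
            return 401, "WWW-Authenticate: Negotiate"
        # Constructed stand-in for Kerberos/NTLM token validation.
        principal = authorization.removeprefix("Negotiate ")
        self.bound[conn_id] = principal
        return 200, principal


class Proxy:
    """Intermediary in front of the server. bound=True gives each client
    connection its own backend connection; bound=False pools them."""

    def __init__(self, server, bound):
        self.server, self.bound = server, bound
        self.ids = count(1)
        self.per_client = {}  # client connection -> backend connection
        self.pool = []  # idle backend connections (pooled mode only)

    def forward(self, client_conn, authorization=None):
        if self.bound:
            backend = self.per_client.setdefault(client_conn, next(self.ids))
        else:
            backend = self.pool.pop() if self.pool else next(self.ids)
        status, body = self.server.handle(backend, authorization)
        if not self.bound:
            self.pool.append(backend)  # returned to the pool, auth state and all
        return status, body


def run_scenario(bound):
    """One client authenticates, then a second client sends an unauthenticated
    request on its own connection. Returns the status the second client gets:
    401 is correct; 200 means the authenticated connection was reused."""
    proxy = Proxy(IwaServer(), bound)
    assert proxy.forward("client-a-tcp", "Negotiate alice@EXAMPLE.COM")[0] == 200
    return proxy.forward("client-b-tcp")[0]
```

Run `run_scenario(True)` and `run_scenario(False)` to compare a binding intermediary with a pooling one; the second result is the condition PingAccess guards against by dropping the connection.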

Setting up IWA using PingFederate

About this task

Set up an application to protect with Kerberos authentication using PingFederate’s Kerberos Adapter. In this scenario, PingAccess protects PingFederate.

Steps

  1. Configure your Kerberos adapter in PingFederate.

    You can find the configuration steps in Configure a Kerberos adapter instance in the PingFederate documentation.

  2. Add a new site in PingAccess:

    1. Go to Applications > Sites and click Add Site.

    2. In the Name field, enter a desired name for the site.

    3. In the Targets field, enter one or more hostname:port pairs for the site.

      The host and port should point to PingFederate on port 9031.

    4. Click Save.

    You can find more configuration information in Adding sites.

  3. Add a new application in PingAccess:

    1. Go to Applications > Applications and click Add Application.

    2. In the Name field, enter a desired name for the application.

    3. In the Context Root field, enter the first part of the URL path for the application and its resources.

    4. In the Virtual Host field, enter the host desired for the target application.

    5. In the Destination list, select Site.

    6. In the Site list, select the PingFederate site previously created.

    7. Configure the remaining fields as desired. Click Save.

    You can find more configuration information in Adding an application.

  4. Enable the application.

    Result:

    The protected application can use the Kerberos protocol for authentication through PingAccess, using PingFederate.

Setting up IWA directly

About this task

Set up PingAccess to manage an application that already uses IWA for authentication.

Steps

  1. Add a new site in PingAccess:

    1. Go to Applications > Sites and click Add Site.

    2. In the Name field, enter a desired name for the site.

    3. In the Targets field, enter one or more hostname:port pairs for the site.

    4. Click Save.

    You can find more configuration information in Adding sites.

  2. Add a new application in PingAccess:

    1. Go to Applications > Applications and click Add Application.

    2. In the Name field, enter a desired name for the application.

    3. In the Context Root field, enter the first part of the URL path for the application and its resources.

    4. In the Virtual Host field, enter the host desired for the target application.

    5. In the Destination list, select Site.

    6. In the Site list, select the site for this application.

    7. Configure the remaining fields as desired. Click Save.

    You can find more configuration information in Adding an application.

  3. Enable the application.

    Result:

    The protected application can use the Kerberos protocol for authentication through PingAccess.