---
title: IWA Integration
description: Integrated Windows Authentication (IWA) is a process that lets users authenticate with Windows credentials using either the Kerberos or (legacy) NTLM protocol.
component: pingaccess
version: 9.0
page_id: pingaccess:agents_and_integrations:pa_iwa_integration
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/agents_and_integrations/pa_iwa_integration.html
revdate: August 19, 2025
section_ids:
  setting-up-iwa-using-pingfederate: Setting up IWA using PingFederate
  about-this-task: About this task
  steps: Steps
  result: Result:
  setting-up-iwa-directly: Setting up IWA directly
  about-this-task-2: About this task
  steps-2: Steps
  result-2: Result:
---

# IWA Integration

Integrated Windows Authentication (IWA) is a process that lets users authenticate with Windows credentials using either the Kerberos or (legacy) NTLM protocol.

Unlike session-based authentication, IWA relies on authenticating client-server connections, which are then given access to protected content. PingAccess handles these connections differently, but the configuration process for applications protected by Kerberos or NTLM in the PingAccess admin console is the same as usual.

This document describes IWA connection handling in PingAccess and is meant to help administrators avoid common configuration mistakes.

* For IWA to work, every node in the network architecture must support bound connections, including load balancers, gateways, and proxies.

  If a network component in front of PingAccess improperly reuses an authenticated connection, PingAccess might break the connection to prevent session stealing.

* The AWS ELB doesn't support IWA.

* PingFederate no longer supports NTLM. However, PingAccess treats NTLM connections the same as Kerberos connections.
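
The bound-connection requirement above, as an added model (not PingAccess code or configuration): it contrasts an intermediary that pins each client connection to its own backend connection with one that reuses a single authenticated backend connection for every client. The class names, the user `alice`, and the connection labels `c1` and `c2` are constructed for illustration.

```python
# Constructed model: class, user and connection names are illustrative only.
class BackendConnection:
    """One connection to an IWA-protected backend (modelled, not real)."""
    def __init__(self):
        self.authenticated_as = None  # identity is state held by the connection

    def handshake(self, user):
        # Stands in for the Kerberos/NTLM exchange that authenticates the connection.
        self.authenticated_as = user

    def request(self, path):
        # No credentials accompany the request; the backend trusts the connection.
        return self.authenticated_as


class BoundProxy:
    """Pins each client connection to its own backend connection."""
    def __init__(self):
        self.upstream = {}

    def forward(self, client_conn, path, user=None):
        if client_conn not in self.upstream:
            self.upstream[client_conn] = BackendConnection()
        conn = self.upstream[client_conn]
        if user is not None and conn.authenticated_as is None:
            conn.handshake(user)
        return conn.request(path)


class PoolingProxy:
    """Reuses one backend connection for all clients (the misconfiguration)."""
    def __init__(self):
        self.shared = BackendConnection()

    def forward(self, client_conn, path, user=None):
        if user is not None and self.shared.authenticated_as is None:
            self.shared.handshake(user)
        return self.shared.request(path)


def served_identities(proxy):
    """alice authenticates on client connection c1; c2 presents no credentials."""
    first = proxy.forward("c1", "/app", user="alice")
    second = proxy.forward("c2", "/app")
    return first, second


if __name__ == "__main__":
    print("bound: ", served_identities(BoundProxy()))
    print("pooled:", served_identities(PoolingProxy()))
```

With the pooling intermediary, the unauthenticated second client is served under the first client's identity, which is the condition that connection binding at every hop rules out.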

## Setting up IWA using PingFederate

### About this task

Set up an application to protect with Kerberos authentication using PingFederate's Kerberos Adapter. In this scenario, PingAccess protects PingFederate.

### Steps

1. Configure your Kerberos adapter in PingFederate.

   You can find the configuration steps in [Configure a Kerberos adapter instance](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_config_kerberos_adapt_instance.html) in the PingFederate documentation.

2. Add a new site in PingAccess:

   1. Go to **Applications > Sites** and click **+ Add Site**.

   2. In the **Name** field, enter a desired name for the site.

   3. In the **Targets** field, enter one or more hostname:port pairs for the site.

      The host and port should point to PingFederate on port `9031`.

   4. Click **Save**.

   You can find more configuration information in [Adding sites](../pingaccess_user_interface_reference_guide/pa_adding_sites.html).

3. Add a new application in PingAccess:

   1. Go to **Applications > Applications** and click **+ Add Application**.

   2. In the **Name** field, enter a desired name for the application.

   3. In the **Context Root** field, enter the first part of the URL path for the application and its resources.

   4. In the **Virtual Host** field, enter the host desired for the target application.

   5. In the **Destination** list, select **Site**.

   6. In the **Site** list, select the PingFederate site previously created.

   7. Configure the remaining fields as desired. Click **Save**.

   You can find more configuration information in [Adding an application](../pingaccess_user_interface_reference_guide/pa_adding_an_app.html).

4. Enable the application.

   #### Result:

   The protected application can use the Kerberos protocol for authentication through PingAccess, using PingFederate.

## Setting up IWA directly

### About this task

Set up PingAccess to manage an application that already uses IWA for authentication.

### Steps

1. Add a new site in PingAccess:

   1. Go to **Applications > Sites** and click **+ Add Site**.

   2. In the **Name** field, enter a desired name for the site.

   3. In the **Targets** field, enter one or more hostname:port pairs for the site.

   4. Click **Save**.

   You can find more configuration information in [Adding sites](../pingaccess_user_interface_reference_guide/pa_adding_sites.html).

2. Add a new application in PingAccess:

   1. Go to **Applications > Applications** and click **+ Add Application**.

   2. In the **Name** field, enter a desired name for the application.

   3. In the **Context Root** field, enter the first part of the URL path for the application and its resources.

   4. In the **Virtual Host** field, enter the host desired for the target application.

   5. In the **Destination** list, select **Site**.

   6. In the **Site** list, select the site for this application.

   7. Configure the remaining fields as desired. Click **Save**.

   You can find more configuration information in [Adding an application](../pingaccess_user_interface_reference_guide/pa_adding_an_app.html).

3. Enable the application.

   #### Result:

   The protected application can use the Kerberos protocol for authentication through PingAccess.
