PingAccess

IWA Integration

Integrated Windows Authentication (IWA) is a process that allows users to authenticate with Windows credentials using the Kerberos or (legacy) NTLM protocols.

Unlike session-based authentication, IWA relies on authenticating client-server connections, which are then given access to protected content. PingAccess handles these connections differently, although configuration in the Admin UI is identical to normal applications. This document is intended to clarify IWA connection handling in PingAccess and help administrators avoid common mistakes in this configuration.

For IWA to work, every node in the network architecture must support bound connections, including load balancers, gateways, and proxies. If a network component in front of PingAccess improperly re-uses an authenticated connection, PingAccess might break this connection to prevent session stealing.

The AWS ELB does not support IWA.

NTLM is no longer supported in PingFederate; however, NTLM connections are treated the same as Kerberos connections in PingAccess.
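Why a component that re-uses authenticated connections is a problem, as an added illustration that is not PingAccess code: a toy Python model in which a backend ties the authenticated identity to the upstream connection, fronted first by a proxy that pools upstream connections and then by one that binds them per client. All class and function names are hypothetical, and the Kerberos/NTLM handshake is reduced to a single credentials argument.

```python
import itertools

class Backend:
    """IWA-style origin: identity is bound to the connection, not to a cookie."""
    def __init__(self):
        self.identity = {}  # upstream connection id -> authenticated user

    def handle(self, conn_id, credentials=None):
        if credentials is not None:  # stands in for a completed Negotiate handshake
            self.identity[conn_id] = credentials
        user = self.identity.get(conn_id)
        return (200, user) if user else (401, None)

class PoolingProxy:
    """Intermediary that reuses idle upstream connections across clients."""
    def __init__(self, backend):
        self.backend, self.pool, self.ids = backend, [], itertools.count(1)

    def request(self, client_conn, credentials=None):
        conn = self.pool.pop() if self.pool else next(self.ids)
        response = self.backend.handle(conn, credentials)
        self.pool.append(conn)  # connection goes back to the shared pool
        return response

class BoundProxy:
    """Intermediary that keeps one upstream connection per client connection."""
    def __init__(self, backend):
        self.backend, self.bound, self.ids = backend, {}, itertools.count(1)

    def request(self, client_conn, credentials=None):
        if client_conn not in self.bound:
            self.bound[client_conn] = next(self.ids)
        return self.backend.handle(self.bound[client_conn], credentials)

def run(proxy_cls):
    """Client A authenticates; client B then sends a request with no credentials."""
    proxy = proxy_cls(Backend())
    first = proxy.request("client-A", credentials="alice")  # constructed sample user
    second = proxy.request("client-B")
    return first, second

if __name__ == "__main__":
    print("pooling:", run(PoolingProxy))  # B is served as alice
    print("bound:  ", run(BoundProxy))    # B is challenged with 401
```

With the pooling proxy the unauthenticated client inherits the identity attached to the reused connection; with bound connections it receives a fresh 401 challenge.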

Setting up IWA using PingFederate

About this task

Set up an application to be protected with Kerberos authentication using PingFederate’s Kerberos Adapter, while PingFederate is protected by PingAccess:

Steps

  1. Configure your Kerberos adapter in PingFederate.

    For more information, see Configure a Kerberos adapter instance in the PingFederate documentation.

  2. Add a new site in PingAccess.

    1. Go to Applications → Sites and click Add Site.

    2. In the Name field, enter a desired name for the site.

    3. In the Targets field, enter one or more hostname:port pairs for the site.

      Set the host and port to point to PingFederate on port 9031.

    4. Click Save.

    For more information, see Adding sites.

  3. Add a new application in PingAccess.

    1. Go to Applications → Applications and click Add Application.

    2. In the Name field, enter a desired name for the application.

    3. In the Context Root field, specify the first part of the URL path for the application and its resources.

    4. In the Virtual Host field, enter the host desired for the target application.

    5. In the Destination list, select Site.

    6. In the Site list, select the PingFederate site previously created.

    7. Configure the remaining fields as desired. Click Save.

    For more information, see Adding an application.

  4. Enable the application.

    Result:

    The protected application can utilize the Kerberos protocol for authentication through PingAccess, using PingFederate.

Setting up IWA directly

About this task

Set up PingAccess to manage an application that already uses IWA for authentication.

Steps

  1. Add a new site in PingAccess.

    1. Go to Applications → Sites and click Add Site.

    2. In the Name field, enter a desired name for the site.

    3. In the Targets field, enter one or more hostname:port pairs for the site.

    4. Click Save.

    For more information, see Adding sites.

  2. Add a new application in PingAccess.

    1. Go to Applications → Applications and click Add Application.

    2. In the Name field, enter a desired name for the application.

    3. In the Context Root field, specify the first part of the URL path for the application and its resources.

    4. In the Virtual Host field, enter the host desired for the target application.

    5. In the Destination list, select Site.

    6. In the Site list, select the site for this application.

    7. Configure the remaining fields as desired. Click Save.

    For more information, see Adding an application.

  3. Enable the application.

    Result:

    The protected application can utilize the Kerberos protocol for authentication through PingAccess.