Unlike session-based authentication, IWA relies on authenticating client-server connections, which are then given access to protected content. PingAccess handles these connections differently, although configuration in the Admin UI is identical to normal applications. This document is intended to clarify IWA connection handling in PingAccess and help administrators avoid common mistakes in this configuration.


For IWA to work, every node in the network architecture must support bound connections, including load balancers, gateways, and proxies. If a network component in front of PingAccess improperly re-uses an authenticated connection, PingAccess might break this connection to prevent session stealing.

The AWS ELB does not support IWA.

NTLM is no longer supported in PingFederate, however NTLM connections are treated the same as Kerberos connections in PingAccess.