Add Integrated Windows Authentication (IWA) to AD Connect with IIS.
- Create a service account in Active Directory to use for the IIS application pools on the PingOne for Enterprise AD Connect hosts.
- Create an SPN (Service Principal Name) in Active Directory for the HTTP service, bound to the service account. For example:
  setspn -U -S HTTP/pingone.example.com example\svc.adciis
- On each AD Connect host, configure the AD Connect application pool to run under the service account credentials.
In IIS Manager, with the AD Connect application pool selected:
- Click Advanced Settings in the Actions bar on the right, scroll down to Identity and click the edit button.
- Select Custom Account, click Set and enter the service account credentials (the account the SPN is bound to).
- In the Actions bar on the right, click Recycle to recycle the application pool.
- If you're using a high availability configuration, check the SNAT (Source Network Address Translation) requirements for your network load balancing. Also verify that the IP address of the originating client is preserved by the SNAT configuration.
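The same steps, scripted for one AD Connect host, as an added example that is not part of the PingOne documentation or product. The SPN and account values are the ones from the setspn example above; the application pool name is a placeholder and must be replaced with the name of the AD Connect pool on your host. It assumes the IIS WebAdministration module and setspn.exe are available and that the script runs elevated.

```powershell
# Added example (not PingOne's own code): register the SPN, switch the AD Connect
# application pool to the service account, recycle it and verify the result.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$ServiceAccount = 'example\svc.adciis'        # from the setspn example above
$Spn            = 'HTTP/pingone.example.com'  # from the setspn example above
$AppPoolName    = 'ADConnectAppPool'          # assumption: replace with your AD Connect pool name

# 1. Register the SPN on the service account. -S checks the forest for a duplicate
#    SPN before adding it, which matters: a duplicate SPN silently breaks Kerberos
#    and IWA falls back to NTLM or fails. Run this once, not on every host.
& setspn.exe -U -S $Spn $ServiceAccount
if ($LASTEXITCODE -ne 0) {
    throw "setspn failed (exit $LASTEXITCODE). Query the existing registration with: setspn -Q $Spn"
}

# 2. Point the application pool identity at the service account (identityType 3 = SpecificUser).
$cred     = Get-Credential -UserName $ServiceAccount -Message 'Service account password'
$poolPath = "IIS:\AppPools\$AppPoolName"
if (-not (Test-Path $poolPath)) {
    throw "Application pool '$AppPoolName' not found; list pools with: Get-ChildItem IIS:\AppPools"
}
Set-ItemProperty -Path $poolPath -Name processModel -Value @{
    identityType = 3
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# 3. Recycle so the worker processes restart under the new identity.
Restart-WebAppPool -Name $AppPoolName

# 4. Verify: the pool should now report SpecificUser and the service account name.
$pm = Get-ItemProperty -Path $poolPath -Name processModel
"{0}: identityType={1}, userName={2}" -f $AppPoolName, $pm.identityType, $pm.userName
```

Step 1 only needs to run once per SPN from a machine with the AD tools; steps 2 to 4 are repeated on each AD Connect host. Keeping the verification at the end makes it obvious when a host in a high availability pair was missed, since every node must run under the same account for the Kerberos ticket issued for the SPN to be accepted.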