When Integrated Windows Authentication (IWA) is used, users on Windows clients are not prompted for the ADFS login name and password when they access servers on the corporate intranet. IWA is available for basic SAML authentication, Notes federated login, and Web federated login.

Before you begin

Compete the following prerequisites:

• In the Web SSO Configuration document that your servers use, make sure that theWindows single-sign on integration (if available) field is set toDisabled.
• (Notes federated login only): In the Client Settings tab of the IdP configuration document for the ID vault server, set Enable Windows single sign-on toYes.
• Make sure that client computers from which users log in are in the same Active Directory domain as the ADFS server, unless Active Directory Trust relationships are in place.

IWA uses the Kerberos token that is issued when a user logs in to a Windows workstation to authenticate users to ADFS. This type of authentication is also known as SPNEGO authentication.

Complete the steps in this section to enable IWA on ADFS.

Creating ADFS service principal names (SPNs)
To enable Integrated Windows Authentication (IWA) on ADFS, create service principal names (SPNs) to associate ADFS with a login account. SPNs allow clients to request authentication without having login account names.

Enabling Integrated Windows Authentication on ADFS 2.0
Complete this task to enable Integrated Windows Authentication (IWA) on Active Directory Federation Services (ADFS) 2.0.

Enabling Integrated Windows Authentication for ADFS 3.0 or 4.0
Complete this task to enable Integrated Windows Authentication (IWA) on Active Directory Federation Services (ADFS) 3.0 or 4.0.

Configure browsers for Integrated Windows Authentication
Ensure that browsers are configured to support Integrated Windows Authentication (IWA).

Help on Help

All Help Contents

Help on Help