Q: How do I setup IWA on Windows
A: When your client machines are domain-joined and you want your SSO to be seamless, you need to use Integrated Windows Authentication (IWA). IWA will only work when your client machines can contact your internal Single Sign On Host Server either through VPN or when on the corporate network in the office. See below for additional information.
IWA for Windows Clients
Note: Firefox requires your IWA service to be using https.
- Open Firefox and navigate to about:config
- Edit the following settings:
Firefox with NoScript:
- Click the link NoScript
- Click Options > Whitelist
- In the "Address of website" box
- Type <yourdomain.local> (domain of IWA server) then click Allow
- Type "getsilo.com" (without the quotes) then click Allow
- Click Advanced > ABE > SYSTEM
- Copy this configuration into your Ruleset then click OK
- # Prevent Internet sites from requesting LAN resources.
Accept from LOCAL
Site https://getsilo.com/for/<your org id>
Accept from https://getsilo.com/for/<your org id>
Accept from https://<yourIWAServer.yourdomain.local>
See http://www.specopssoft.com/configuring-chrome-and-firefox-for-windows-integrated-authentication/ for all the details.
The simplest way to test this is with a batch script.
cd\Program Files (x86)\Google\Chrome\Application
chrome.exe -auth-server-whitelist="InternalSSOHostserver.domain.com" -auth-negotiate-delegatewhitelist="InternalSSOHostserver.domain.com" -auth-schemes="digest,ntlm,negotiate""
Microsoft Internet Explorer
- Internet Options
- Local intranet
Custom Level > Scroll to bottom of list > Ensure User Authentication Logon is set for "Automatic Logon only in Intranet Zone" > OK
Type http://InternalSSOHostserver.domain.com then click Add, type https://InternalSSOHostserver.domain.com then click Add
It appears that Edge does IWA automatically from our limited testing with ADFS as the SSO IdP.
Please contact Support if you have any additional questions and/or require further information.