Q:  How do I set up IWA on Windows?


A:  When your client machines are domain-joined and you want your SSO to be seamless, you need to use Integrated Windows Authentication (IWA). IWA will only work when your client machines can contact your internal Single Sign On Host Server either through VPN or when on the corporate network in the office. See below for additional information.


IWA for Windows Clients


Mozilla Firefox


Note: Firefox requires your IWA service to be using https.

  1. Open Firefox and navigate to about:config
  2. Edit the following settings:

  

  Setting                                      Value
  network.negotiate-auth.delegation-uris       https://<yourIWAServer.yourdomain.local>
  network.automatic-ntlm-auth.trusted-uris     https://<yourIWAServer.yourdomain.local>
  network.automatic-ntlm-auth.allow-proxies    True
  network.negotiate-auth.allow-proxies         True
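As an added example (not part of the original article), the following PowerShell script applies the same Firefox settings through Firefox's enterprise policy file instead of editing about:config by hand, so they are enforced for every profile on the machine and cannot be widened by the user. It assumes a 64-bit Firefox under Program Files and uses the placeholder host name yourIWAServer.yourdomain.local. The SPNEGO entry (network.negotiate-auth.trusted-uris) is not in the table above; it is the list Firefox consults before answering a Negotiate challenge, so it is included here for Kerberos-based IWA and marked as an assumption in the code.

```powershell
# Added example, not from the original article. Writes Firefox's enterprise
# policy file (distribution\policies.json) with the IWA settings above.
# Run from an elevated prompt; Program Files is not writable otherwise.
param(
    [string]$IwaHost    = 'yourIWAServer.yourdomain.local',            # placeholder, replace with your SSO host
    [string]$FirefoxDir = (Join-Path $env:ProgramFiles 'Mozilla Firefox')  # assumed install path
)

# Firefox requires the IWA service to be on https (see the note above).
$iwaUrl = "https://$IwaHost"

# Policy names map to about:config prefs as commented. Listing one exact
# host, not a bare domain or wildcard, limits where NTLM/Kerberos credentials
# may be sent automatically.
$policy = [ordered]@{
    policies = [ordered]@{
        Authentication = [ordered]@{
            SPNEGO       = @($iwaUrl)   # network.negotiate-auth.trusted-uris (assumed needed for Negotiate; not in the table)
            Delegated    = @($iwaUrl)   # network.negotiate-auth.delegation-uris
            NTLM         = @($iwaUrl)   # network.automatic-ntlm-auth.trusted-uris
            AllowProxies = $true        # network.negotiate-auth.allow-proxies and network.automatic-ntlm-auth.allow-proxies
            Locked       = $true        # users cannot widen the lists in about:config
        }
    }
}

$distDir    = Join-Path $FirefoxDir 'distribution'
$policyPath = Join-Path $distDir 'policies.json'
New-Item -ItemType Directory -Path $distDir -Force | Out-Null

# Write UTF-8 without a byte-order mark so the JSON parses cleanly.
$json = $policy | ConvertTo-Json -Depth 5
[System.IO.File]::WriteAllText($policyPath, $json, [System.Text.UTF8Encoding]::new($false))

# Read the file back and check that each list contains exactly the one host.
$applied = (Get-Content -Path $policyPath -Raw | ConvertFrom-Json).policies.Authentication
foreach ($name in 'SPNEGO', 'Delegated', 'NTLM') {
    $list = @($applied.$name)
    if ($list.Count -ne 1 -or $list[0] -ne $iwaUrl) {
        throw "Policy $name did not apply as expected: $($list -join ', ')"
    }
}
Write-Host "Firefox IWA policy written to $policyPath for $iwaUrl"
```

After running it, restart Firefox and open about:policies to confirm the Authentication policy is active; the corresponding about:config entries will show as locked.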

Firefox with NoScript:
 
If your end users are utilizing the popular NoScript add-in, use these instructions to configure NoScript for IWA
  1. Click the link NoScript
  2. Click Options > Whitelist
  3. In the "Address of website" box
    1. Type <yourdomain.local> (domain of IWA server) then click Allow
    2. Type "getsilo.com" (without the quotes) then click Allow
    3. Click Advanced > ABE > SYSTEM
    4. Copy this configuration into your Ruleset then click OK

Google Chrome

See http://www.specopssoft.com/configuring-chrome-and-firefox-for-windows-integrated-authentication/ for all the details. 

The simplest way to test this is with a batch script run from a command prompt. Note that the delegate switch is spelled --auth-negotiate-delegate-whitelist (with a hyphen before "whitelist"); each switch takes the host name of your internal SSO server.

cd /d "C:\Program Files (x86)\Google\Chrome\Application"
chrome.exe --auth-server-whitelist="InternalSSOHostserver.domain.com" --auth-negotiate-delegate-whitelist="InternalSSOHostserver.domain.com" --auth-schemes="digest,ntlm,negotiate"
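Once the batch test succeeds, the same settings are better applied as Chrome policies so they hold for every launch rather than only for that one shortcut. The PowerShell script below is an added example (not from the original article or the linked Specops post) that writes the policies to the machine-wide registry key Chrome reads and then verifies them. It uses the placeholder host InternalSSOHostserver.domain.com, writes both the Allowlist names (Chrome 86 and later) and the older Whitelist names, and lists only ntlm and negotiate under AuthSchemes because IWA does not use digest.

```powershell
# Added example, not from the original article. Sets Chrome's IWA policies
# machine-wide in the registry so the switches from the batch test are not
# needed on every launch. Run elevated; host name is a placeholder.
param(
    [string]$IwaHost = 'InternalSSOHostserver.domain.com'   # placeholder, replace with your SSO host
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
New-Item -Path $policyKey -Force | Out-Null

# Policy <-> switch mapping. Chrome 86+ reads the *Allowlist names and older
# builds read the *Whitelist names, so both are written. The value is one
# exact host: a wildcard such as *.domain.com would let any server in the
# domain trigger automatic NTLM/Negotiate authentication.
$settings = [ordered]@{
    AuthServerAllowlist            = $IwaHost            # --auth-server-whitelist
    AuthServerWhitelist            = $IwaHost
    AuthNegotiateDelegateAllowlist = $IwaHost            # --auth-negotiate-delegate-whitelist
    AuthNegotiateDelegateWhitelist = $IwaHost
    AuthSchemes                    = 'ntlm,negotiate'    # --auth-schemes; digest is not used by IWA
}
foreach ($name in $settings.Keys) {
    New-ItemProperty -Path $policyKey -Name $name -Value $settings[$name] -PropertyType String -Force | Out-Null
}

# Verify: read every value back and compare with what was intended.
$applied = Get-ItemProperty -Path $policyKey
foreach ($name in $settings.Keys) {
    if ($applied.$name -ne $settings[$name]) {
        throw "Chrome policy $name did not apply (got '$($applied.$name)')"
    }
}
Write-Host "Chrome IWA policies set under $policyKey for $IwaHost; confirm them in chrome://policy"
```

Open chrome://policy after running it; the values should appear under Chrome Policies with status OK, and chrome.exe no longer needs the command-line switches.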

 

Microsoft Internet Explorer

  1. Tools
  2. Internet Options
  3. Security
  4. Local intranet
  5. Custom Level > Scroll to bottom of list > Ensure User Authentication Logon is set for "Automatic Logon only in Intranet Zone" > OK
  6. Sites
  7. Advanced
  8. Type http://InternalSSOHostserver.domain.com then click Add, type https://InternalSSOHostserver.domain.com then click Add
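Steps 5 and 8 above can be applied without the dialogs by writing the Internet Settings registry values they control. The PowerShell script below is an added example (not from the original article) that does so for the current user with the placeholder host InternalSSOHostserver.domain.com: it maps just that host to the Local intranet zone for http and https, sets the zone's logon option to "Automatic logon only in Intranet zone", and reads both back to confirm.

```powershell
# Added example, not from the original article. Performs steps 5 and 8 of the
# Internet Explorer procedure in the registry for the current user.
# Host name is a placeholder.
param(
    [string]$IwaHost = 'InternalSSOHostserver.domain.com'   # placeholder, replace with your SSO host
)

$inetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Step 8: the zone map is keyed as ZoneMap\Domains\<parent domain>\<host label>,
# with one DWORD per scheme whose value is the zone number (1 = Local intranet).
# Mapping only the host, not the whole domain, keeps automatic logon scoped to
# the SSO server.
$labels = $IwaHost.Split('.')
if ($labels.Count -lt 2) { throw "Expected a fully qualified host name, got '$IwaHost'" }
$hostLabel = $labels[0]
$domain    = ($labels | Select-Object -Skip 1) -join '.'
$siteKey   = Join-Path $inetSettings "ZoneMap\Domains\$domain\$hostLabel"
New-Item -Path $siteKey -Force | Out-Null
foreach ($scheme in 'http', 'https') {
    New-ItemProperty -Path $siteKey -Name $scheme -Value 1 -PropertyType DWord -Force | Out-Null
}

# Step 5: value 1A00 in Zones\1 is the "Logon" option; 0x20000 is
# "Automatic logon only in Intranet zone".
$zone1 = Join-Path $inetSettings 'Zones\1'
New-ItemProperty -Path $zone1 -Name '1A00' -Value 0x20000 -PropertyType DWord -Force | Out-Null

# Verify both parts read back as intended.
$site = Get-ItemProperty -Path $siteKey
if ($site.http -ne 1 -or $site.https -ne 1) {
    throw "$IwaHost is not mapped to the Local intranet zone"
}
if ((Get-ItemProperty -Path $zone1).'1A00' -ne 0x20000) {
    throw 'Intranet-only automatic logon setting did not apply'
}
Write-Host "$IwaHost mapped to Local intranet zone (http, https); intranet-only automatic logon set"
```

For a fleet-wide rollout the same host-to-zone assignment is normally pushed through Group Policy (Site to Zone Assignment List) instead of per-user registry writes; the check at the end of the script is still a useful way to confirm the policy landed on a given machine.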


Microsoft Edge


It appears that Edge does IWA automatically from our limited testing with ADFS as the SSO IdP.


Additional Notes

Please contact Support if you have any additional questions and/or require further information.