How to configure Integrated Windows authentication

Privileged Access Service lets you accept an Integrated Windows authentication (IWA) connection as sufficient authentication for users with Active Directory accounts when they log in to the Centrify portals. Privileged Access Service uses Kerberos SSO for authentication. With IWA enabled, the browser uses the current user's Active Directory information to prove its knowledge of the password through a cryptographic exchange with the in-process web server built into the connector. IWA is not available to Privileged Access Service account users.

If you have multiple connectors enabled for IWA, Privileged Access Service selects a connector in the following order of priority:

  1. Chooses a connector from the same IP address as the user’s client machine
  2. Randomly chooses a connector if more than one is from the same IP address as the user’s client machine. Multiple machines inside your network may appear as the same IP address externally.
  3. Chooses the connector with the best subnet match
  4. Randomly chooses a connector if none of the above are available
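
The selection order above, modelled as an added example (not Centrify code) so you can predict which connector a given client address would reach. The connector names and addresses are constructed, and reading "best subnet match" as the most shared leading address bits, the `min_bits` threshold, and the random tie-break among equal matches are assumptions, since the page does not define them.

```python
import ipaddress
import random

def shared_bits(a, b):
    """Leading bits two addresses share (0 if IP versions differ)."""
    a, b = ipaddress.ip_address(a), ipaddress.ip_address(b)
    if a.version != b.version:
        return 0
    return a.max_prefixlen - (int(a) ^ int(b)).bit_length()

def pick_connector(client_ip, connectors, min_bits=16, rng=random):
    """Return (name, rule) for the connector chosen for client_ip.

    connectors maps a connector name to its IP address as the service sees it.
    min_bits is a hypothetical threshold for what counts as a subnet match.
    """
    if not connectors:
        return None, "no-connector"
    client = ipaddress.ip_address(client_ip)
    # Rules 1 and 2: same IP as the client; random pick if several qualify.
    same_ip = sorted(n for n, ip in connectors.items()
                     if ipaddress.ip_address(ip) == client)
    if same_ip:
        return rng.choice(same_ip), "same-ip"
    # Rule 3: best subnet match (assumed: most shared leading bits).
    scores = {n: shared_bits(client_ip, ip) for n, ip in connectors.items()}
    best = max(scores.values())
    if best >= min_bits:
        tied = sorted(n for n, s in scores.items() if s == best)
        return rng.choice(tied), "subnet-match"
    # Rule 4: nothing above applies, so any connector is chosen at random.
    return rng.choice(sorted(connectors)), "random"

# Constructed sample data using documentation address ranges.
CONNECTORS = {
    "conn-a": "203.0.113.10",
    "conn-b": "203.0.113.10",   # same NAT address as conn-a
    "conn-c": "198.51.100.77",
}

if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.5", "192.0.2.1"):
        print(ip, pick_connector(ip, CONNECTORS))
```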

To use IWA, users must be inside the external corporate IP range and specify their tenant URL in the portal URL in the following form:

  • Admin Portal: https://<companyName>.centrify.com/manage?customerID=ABC1234