57.8 Validating WNA with Access Manager Protected Resources

Integrated Windows Authentication (IWA) is associated with Microsoft products that use SPNEGO, Kerberos, and NTLMSSP authentication protocols included with certain Windows operating systems.

The term Integrated Windows Authentication (IWA) is used for the automatic authentication process that happens between Microsoft Internet Information Services, Internet Explorer, and Microsoft's Active Directory.


IWA is also known by other names such as HTTP Negotiate authentication, NT Authentication, NTLM Authentication, Domain authentication, Windows Integrated Authentication, Windows NT Challenge/Response authentication and Windows Authentication.

WNA authentication occurs internally. When integrated with Access Manager:

  • The user is redirected to the Access Manager for authentication.

  • The OAM Server requests authentication with a www-negotiate header when the resource is protected by Access Manager with a challenge method of WNA.

  • The browser configured for Integrated Windows Authentication (IWA) sends the Kerberos SPNEGO token to the OAM Server for decryption.

  • The OAM Server decrypts the received user SPNEGO token (using keytab) and redirects the user back to the Agent with the cookie and gets access to the resource.

Use this procedure to validate WNA with Access Manager protected resources.

  1. Log in to a Windows system in the Active Directory domain as a domain user.
  2. Sign in to the Windows OS client using the Windows domain credentials stored in a hosted Active Directory that is registered with Access Manager.
  3. Open an Internet Explorer browser window, and enter the URL for the OAM-protected application in your environment.
  4. Confirm that you are logged in to the application with your Windows domain credentials with no additional login.