This documentation is for WSO2 Identity Server 5.1.0 . View documentation for the latest release.

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

WSO2 identity server is capable of running in multiple platforms. But the IWA authenticator is designed only for the Windows server. And enabling IWA authenticator may sometime conflict with other authenticators. Because of these reasons IWA authenticator is not enabled in WSO2 Identity Server by default. However the authenticator can be enabled in WSO2 Identity Server with some configurations.


  • Web Server
    • Windows Server 2003 or later
    • An Active Directory configured in the Windows server
    • WSO2 Identity Server 5.1.0
    • Microsoft Windows Operating System (XP, Vista, 7)
    • Internet Explorer 7+ , Mozilla Firefox, Google Chrome (or any other web browser that support IWA)
    • Following are the steps to configure IWA in WSO2 Identity Server.

To configure IWA in WSO2 Identity Server:

  1. Download the WSO2 Identity Server from the product page.
  2. Extract the ZIP file in the file system.
  3. Open the <wso2is_home>/repository/conf/user-mgt.xml file and configure it to use your Active Directory as the user store (WSO2 is configured to use a built-in LDAP server by default). 
  4. Start the WSO2 Identity Server with <wso2is_home>/bin/wso2server.bat and check whether the user store is configured properly before the IWA is activated.
  5. Start from this step if you have WSO2 Identity Server already configured to use Active Directory.
  6. Stop the WSO2 Identity Server if the server is already running.
  7. Open the <wso2is_home>/repository/conf/security/authenticators.xml file and add the following lines inside the <Authenticators> tag.

    Code Block
    <Authenticator name="IWAUIAuthenticator" disabled="false">

    This indicates to the WSO2 Identity Server that "IWAUIAuthenticator" is to be enabled with a priority level of 5.

  8. Open the <wso2is_home>/repository/conf/tomcat/web.xml file and add the following lines just before "</web-app>".

    Code Block
      <display-name>Security Constraint for IWA</display-name>
        <web-resource-name>Protected Area</web-resource-name>

    This prevents unauthorized access to the WSO2 Identity Server and redirects the requests to the authenticator to authenticate them.

  9. Open the <wso2is_home>/repository/conf/tomcat/carbon/META-INF/context.xml and add the following lines just before "</Context>".

    Code Block
    <Valve className="waffle.apache.NegotiateAuthenticator" principalFormat="fqn" roleFormat="both"/>
    <Realm className="waffle.apache.WindowsRealm"/>

    This uses Valve and Realm from Waffle library which is used to negotiate authentication.

  10. Start the WSO2 Identity Server. Now the server is configured to use the IWA authenticator.


Access the WSO2 Identity Server from a client machine (the user should be logged in to the domain of the server) by entering the WSO2 Identity Server's URL (e.g., from your client browser. You are logged into the WSO2 Identity Server without having to enter your password. The following is a part of the server log when the user is logged with IWA:

Sometimes you may not be logged in automatically and you may be prompted to enter the username and password. The reason for that could be one of the following.

  • The browser is either unable to do the IWA authentication or it is not configured to use the IWA authentication properly. The web server should be added to the trusted websites of the browser.
    • For Internet explorer, go to “Tools → Internet Options” and in the “security” tab select local intranet.
    • Click the Sites button. Then add the URL of WSO2 Identity Server there.

    • For Firefox, type “about:config” in the address bar, ignore the warning and continue, this displays the advanced settings of Firefox. In the search bar, search for the key "network.negotiate-auth.trusted-uris" and add the WSO2 Identity Server URL there.

  • The user may be attempting to access the WSO2 Identity Server from outside the domain of the user.
  • The user may not have the sufficient permission within WSO2 Identity Server to log in to the system.