This documentation is for WSO2 Identity Server 5.4.0 . View documentation for the latest release.

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  1. Download the WSO2 Identity Server from the product page.
  2. Extract the ZIP file in the file system.
  3. Open the <wso2is_home>/repository/conf/user-mgt.xml file and configure it to use your Active Directory as the user store (WSO2 is configured to use a built-in LDAP server by default). See Configuring Primary User Stores  on how to configure a primary user store and then go to Active Directory user store configuration section to get Active Directory specific configurations.
  4. Start the WSO2 Identity Server with <wso2is_home>/bin/wso2server.bat and check whether the user store is configured properly before the IWA is activated.
  5. Start from this step if you have WSO2 Identity Server already configured to use Active Directory.
  6. Stop the WSO2 Identity Server if the server is already running.
  7. Open the <wso2is_home>/repository/conf/security/authenticators.xml file and add the following lines inside the <Authenticators> tag.

    Code Block
    <Authenticator name="IWAUIAuthenticator" disabled="false">

    This indicates to the WSO2 Identity Server that "IWAUIAuthenticator" is to be enabled with a priority level of 5.

  8. Open the <wso2is_home>/repository/conf/tomcat/web.xml file and add the following lines just before "</web-app>".

    Code Block
      <display-name>Security Constraint for IWA</display-name>
        <web-resource-name>Protected Area</web-resource-name>

    This prevents unauthorized access to the WSO2 Identity Server and redirects the requests to the authenticator to authenticate them.

  9. Open the <wso2is_home>/repository/conf/tomcat/carbon/META-INF/context.xml and add the following lines just before "</Context>".

    Code Block
    <Valve className="waffle.apache.NegotiateAuthenticator" principalFormat="fqn" roleFormat="both"/>
    <Realm className="waffle.apache.WindowsRealm"/>

    This uses Valve and Realm from Waffle library which is used to negotiate authentication.

  10. Start the WSO2 Identity Server. Now the server is configured to use the IWA authenticator.