Skip to Content

Security provider - Integrated Windows authentication

Integrated Windows Authentication (IWA) is a form of Single Sign-on (SSO) authentication for Microsoft Active Directory networks. When using IWA, the user is identified when signing into the Active Directory domain. That identity flows from the browser to the web server using the Negotiate authentication protocol, which itself is a wrapper for the Kerberos and NTLM authentication protocols.

In modern deployments, SAML SSO and WS-Federation are preferred to IWA. IWA works best when users have signed into Windows desktops on the intranet or have connected remotely via a VPN. SAML SSO and WS-Federation can be used by users connecting remotely without first establishing a VPN connection and usrs connecting to cloud applications. Though most modern browsers support IWA, it may not be enabled by default. In contrast, support for SAML SSO and WS-Federation is universal because these protocols do not rely on HTTP authentication.


Integrated Windows Authentication (IWA) is not enabled by default.

IWA supports user provisioning. However, IWA does not support group membership.


The Integrated Windows Authentication (IWA) security provider does not define any parameters.

Additional information

Integrated Windows Authentication maps user identities using the "down-level logon name" format. When creating an identity, use the DOMAIN\UserName format.

When a user has been authenticated with Windows Integrated Authentication (IWA), the Sign Out button will not be available. IWA is inherently tied to the user's desktop session.