Integrated Windows Authentication (Kerberos)

You can configure SafeNet Trusted Access (STA) to automatically authenticate users with the Kerberos protocol applied by Integrated Windows Authentication if they first open their session from a Windows domain-joined device with their user name and domain password. In this case, for STA policies and scenarios that require password authentication, a user does not have to re-enter their password each time they access a protected application. However, if the policy requires multiple authentication factors (for example, password and token-based authentication), the additional factors are still required.

Each authentication attempt using Integrated Windows Authentication is recorded as using Kerberos credentials.

This feature is available with the STA and STA Premium subscription plans only.

Integrated Windows Authentication includes the following tasks:

  • Configure Integrated Windows Authentication

  • Add Integrated Windows Authentication to a policy

  • Configure browser settings for your users

Configure Integrated Windows Authentication

  1. On the STA Access Management console, select the Settings tab.

  2. Select Integrated Windows Authentication.


  3. Select Setup and then follow the AD configuration instructions that are displayed.

    You can copy or email the instructions to use as a reference.

  4. Select Next.

    The STA setup instructions display.


  5. Select Upload and follow the prompts to upload the AD Keytab file that was generated in step 3.

    The Keytab file details display.

  6. Under User Mapping, select the SafeNet Trusted Access attribute to which the user authenticated by the Kerberos ticket will be mapped.

    The system uses this mapping to validate that the user information found in the Kerberos ticket maps to the STA user that has requested the authentication.

    The attribute choices include: STA user ID, UPN, email address, aliases, and custom names.

  7. Under User ID Management > User ID Automation, select the login method:

    • None - Requires that the user enter their User ID and click Login.

    • Autofill - Prefills the Username field with the User ID that is extracted from the Kerberos ticket. The user must click Login to submit the login request.

    • Auto submit - Prefills the Username field with the User ID that is extracted from the Kerberos ticket and submits the login request.

  8. Under User ID Management > User ID Format, select the format of the User ID that is extracted from the Kerberos ticket and presented as the username at login:

    • UPN - For example, username@example.com.

    • User account name - For example, username only.

  9. Click Finish.

    The Enable Integrated Windows Authentication prompt displays.

  10. Click one of the following options:

    • Enable - Implements Integrated Windows Authentication for all users.

      When Enable is selected:

      • If either Autofill or Auto submit is selected (see step 7), Integrated Windows Authentication becomes immediately active for all users.

      • Policies can be configured to allow Integrated Windows Authentication as an alternative to a password login. For details, see Add Integrated Windows Authentication to a policy.

    • Keep Disabled - Saves the Integrated Windows Authentication configuration in a disabled state.

    Ensure that end-user browser settings are set correctly for your users before selecting Enable.
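As an added example (not STA product code or documentation), the following PowerShell shows how the User ID Format chosen in step 8 changes the username derived from a Kerberos principal, and how the User Mapping attribute chosen in step 6 decides whether that value matches exactly one STA user. The functions, the user records and the principal values are constructed for illustration.

```powershell
# Added example; the functions and the STA user records are constructed, not product code.

function Get-UserIdFromPrincipal {
    param(
        [Parameter(Mandatory)][string]$Principal,                 # e.g. jdoe@CORP.EXAMPLE.COM
        [ValidateSet('UPN','UserAccountName')][string]$Format = 'UPN'
    )
    if (-not ($Principal -match '^(?<user>[^@/]+)@(?<realm>[^@]+)$')) {
        throw "Unexpected principal format: $Principal"
    }
    $user  = $Matches['user']
    $realm = $Matches['realm'].ToLowerInvariant()   # Kerberos realms are upper case; UPN suffixes are not
    switch ($Format) {
        'UPN'             { return "$user@$realm" }  # User ID Format = UPN
        'UserAccountName' { return $user }           # User ID Format = User account name
    }
}

function Find-StaUser {
    param(
        [Parameter(Mandatory)][string]$UserId,
        [Parameter(Mandatory)][object[]]$Users,
        [ValidateSet('UserId','UPN','Email','Alias')][string]$MapTo = 'UPN'   # User Mapping attribute
    )
    # String -contains is case-insensitive, matching how AD principals and e-mail addresses compare.
    $hits = @(foreach ($u in $Users) {
        $values = switch ($MapTo) {
            'UserId' { @($u.UserId) }
            'UPN'    { @($u.UPN) }
            'Email'  { @($u.Email) }
            'Alias'  { @($u.Aliases) }
        }
        if ($values -contains $UserId) { $u }
    })
    # Exactly one match is required; zero or several means the ticket cannot be tied to one STA user.
    if ($hits.Count -ne 1) { return $null }
    return $hits[0]
}

# Constructed STA user directory for the demonstration.
$staUsers = @(
    [pscustomobject]@{ UserId='jdoe';   UPN='jdoe@corp.example.com';   Email='john.doe@example.com'; Aliases=@('john','jd') }
    [pscustomobject]@{ UserId='asmith'; UPN='asmith@corp.example.com'; Email='a.smith@example.com';  Aliases=@() }
)

$upn = Get-UserIdFromPrincipal -Principal 'jdoe@CORP.EXAMPLE.COM' -Format UPN
$sam = Get-UserIdFromPrincipal -Principal 'jdoe@CORP.EXAMPLE.COM' -Format UserAccountName
Find-StaUser -UserId $upn -Users $staUsers -MapTo UPN     # UPN format against the UPN attribute
Find-StaUser -UserId $sam -Users $staUsers -MapTo UPN     # a bare account name is not a UPN, so no user is returned
Find-StaUser -UserId $sam -Users $staUsers -MapTo UserId  # account-name format against the STA user ID attribute
```

The second lookup is the failure mode to watch for when the User ID Format and the User Mapping attribute are chosen independently: the ticket is valid, but the extracted value is in a shape the mapped attribute never holds, so the Kerberos login falls back to whatever the policy requires next.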

Add Integrated Windows Authentication to a policy

To add Integrated Windows Authentication as an authentication method within a policy scenario:

  1. On the STA Access Management console, select the Policies tab, select a policy, and then click the policy's icon to open it.

    The policy details display.

  2. Select Password and one of the following options:

    • Once per session

    • Every access attempt

  3. Select Allow Integrated Windows Authentication (Kerberos) and then click Save.

Configure browser settings for your users

The settings in this section must be configured in the browser of each end user who authenticates with Integrated Windows Authentication.

Chrome or Internet Explorer 11

  1. From your Chrome or Internet Explorer 11 browser, select Internet Properties > Security.

  2. Click Sites.

  3. Enter your IdP URL (for example, https://idp.safenetid.com or https://idp.eu.safenetid.com) in the field provided.

  4. Click Add and then click Close.

  5. Click Custom level....

  6. Select User Authentication > Logon > Automatic logon with current user name and password and then select OK.

Edge

  1. From your Edge browser, select Internet Options > Security > Local Intranet > Sites > Advanced > Add IDP URL.

  2. Enter the IdP URL (for example, https://idp.safenetid.com or https://idp.eu.safenetid.com) in the field provided.

  3. Click Add and then click Close.

  4. Select one of the following options:

    • Automatic login with current username and password

    • Automatic logon only in intranet zone for the Local Intranet zone

  5. Click OK.

Firefox

  1. From your Firefox browser, enter about:config as the target URL.

  2. Enter network.negotiate-auth.trusted-uris as the preference name.

  3. Enter the IdP URL (for example, https://idp.safenetid.com or https://idp.eu.safenetid.com) as the string value and click OK.
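The browser steps above are what a single user clicks through; the PowerShell below is an added example (not from the STA documentation) that applies the same settings in bulk. It writes the Internet Options registry values that the Security dialog edits (shared by Internet Explorer 11, Edge and Chrome on Windows) for the current user, and writes the Firefox preference as an enterprise policies.json. The IdP host is the example value from the table; the Firefox path assumes a default 64-bit install and needs administrator rights.

```powershell
# Added example; registry layout and the Firefox policy name are the standard Windows/Firefox
# locations, not STA-specific values. Replace $IdpHost with the IdP host for your region.
$IdpHost = 'idp.safenetid.com'

# Internet Options zone map: put the IdP host in zone 1 (Local Intranet) for HTTPS only.
# Assumed key shape: Domains\<registered domain>\<remaining host prefix>, e.g. safenetid.com\idp.eu.
$parts   = $IdpHost.Split('.')
$domain  = ($parts[-2..-1]) -join '.'
$prefix  = ($parts[0..($parts.Length - 3)]) -join '.'
$zoneMap = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$prefix"
New-Item -Path $zoneMap -Force | Out-Null
New-ItemProperty -Path $zoneMap -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null

# Logon setting for the Local Intranet zone (value name 1A00):
#   0       = Automatic logon with current user name and password
#   0x20000 = Automatic logon only in Intranet zone
# The intranet-only value is chosen here so credentials are never offered outside zone 1.
$zone1 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
Set-ItemProperty -Path $zone1 -Name '1A00' -Type DWord -Value 0x20000

# Firefox: the policies.json equivalent of network.negotiate-auth.trusted-uris.
$policy = @{ policies = @{ Authentication = @{ SPNEGO = @($IdpHost) } } }
$dist   = Join-Path ${env:ProgramFiles} 'Mozilla Firefox\distribution'
New-Item -Path $dist -ItemType Directory -Force | Out-Null
$policy | ConvertTo-Json -Depth 5 | Set-Content -Path (Join-Path $dist 'policies.json') -Encoding UTF8
```

Pushing the HKCU values through Group Policy Preferences, rather than running this per user, is the usual way to make sure every browser is ready before you select Enable in step 10.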