
Configure Microsoft Entra Domain Services for SecureAuth IWA service

To enable Windows SSO for your integrated resources in the SecureAuth® Identity Platform, you must have a Microsoft Entra (formerly Azure AD) Domain Services subscription. Then, in Microsoft Entra Domain Services, create a service account in a custom organizational unit (OU) and link the Service Principal Name (SPN).

In the service account, you link the Service Principal Name (SPN) to that account using setspn commands. The SPN is a unique name in Microsoft Entra Domain Services that identifies your SecureAuth IWA service instance; Kerberos clients use it to request a service ticket for that instance.

For more information about Windows SSO integration, see Windows SSO integration with Microsoft Entra ID.

Assign SPN in Microsoft Entra Domain Services domain

Set up and assign the SPN to a service account in the Microsoft Entra domain for the SecureAuth IWA service. You will need to enter this service account name and password in the Identity Platform Microsoft Entra ID data store settings to allow Windows SSO integration.

  1. Have or create a virtual machine in the same network as Microsoft Entra Domain Services.

  2. Join the virtual machine to the Microsoft Entra domain.

  3. Install the RSAT: Active Directory Domain Services and Lightweight Directory Services Tools on the machine.

    1. To install, go to Apps > Optional Features. Or, search for this in the Windows menu.

    2. Reboot the machine.

  4. To create a service account, you need to create a custom organizational unit (OU).

    For more information, see this Microsoft article: Create an Organizational Unit (OU) in a Microsoft Entra Domain Services managed domain.

  5. Create a Service Account and assign the Service Principal Name (SPN) using the setspn commands to that account.

    • To view the SPNs already registered on the service account, use this command:

      setspn.exe -L ServiceAccountName

    • To assign an SPN to the service account, use this command:

      setspn -a HTTP/<SecureAuth IWA service URL> ServiceAccountName

    • To search the forest for duplicate SPNs (a duplicate prevents Kerberos from issuing a usable ticket for the IWA service), use this command:

      setspn -x
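The following PowerShell script is an added example, not code from this page or from SecureAuth. It wraps the setspn steps above into one checked sequence, run on the domain-joined VM by an account that is allowed to modify the service account (assumed): it refuses to continue if the SPN already exists, registers it, and then verifies the account and the forest. The account name and IWA hostname are placeholders.

```powershell
# Added example (not part of the original page). Placeholder values; replace with your own.
$ServiceAccount = 'svc-secureauth-iwa'   # sAMAccountName of the service account in the custom OU (assumed)
$IwaHost        = 'iwa.example.com'      # hostname of the SecureAuth IWA service URL (assumed)
$Spn            = "HTTP/$IwaHost"

# 1. Stop if the SPN is already registered on any account.
#    Two accounts holding the same SPN leave the KDC unable to choose one,
#    so browser Kerberos SSO to the IWA service fails or falls back to NTLM.
$query = & setspn.exe -Q $Spn 2>&1
if (($query -join "`n") -match 'Existing SPN found') {
    Write-Error "SPN $Spn is already registered:`n$($query -join "`n")"
    return
}

# 2. Register the SPN. -S re-checks for duplicates before adding, unlike -A.
& setspn.exe -S $Spn $ServiceAccount
if ($LASTEXITCODE -ne 0) {
    Write-Error "setspn -S failed with exit code $LASTEXITCODE"
    return
}

# 3. Verify the SPN now appears on the service account (same check as setspn -L).
$listed = & setspn.exe -L $ServiceAccount
if (-not (($listed -join "`n") -match [regex]::Escape($Spn))) {
    Write-Error "SPN $Spn is not listed on $ServiceAccount"
    return
}

# 4. Final forest-wide duplicate check (same as setspn -X); review any group it reports.
& setspn.exe -X
Write-Host "SPN $Spn registered on $ServiceAccount and verified."
```

Record the service account name and password from this script's input in the Identity Platform data store settings only after the final duplicate check reports no duplicate groups.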

Next steps

In the Identity Platform, configure the data store settings for Microsoft Entra ID to Allow Windows SSO integration, and provide the name and password of the SPN-assigned Microsoft Entra service account. For more information, see Add Microsoft Entra ID data store.