Configure Microsoft Entra Domain Services for SecureAuth IWA service
To enable Windows SSO for your integrated resources in the SecureAuth® Identity Platform, you must have a Microsoft Entra Domain Services (formerly Azure AD Domain Services) managed domain. In that managed domain, create a service account in a custom organizational unit (OU) and register a Service Principal Name (SPN) on it with the setspn command.
The SPN (for example, HTTP/<host name>) is the Kerberos name that uniquely identifies the SecureAuth IWA service instance in the managed domain. A browser requests a Kerberos service ticket for that name, and the domain controller encrypts the ticket with the key of the account that holds the SPN, which is why the SPN must be registered on exactly one account.
For more information about Windows SSO integration, see Windows SSO integration with Microsoft Entra ID.
Assign SPN in Microsoft Entra Domain Services domain
Set up and assign the SPN to a service account in the Microsoft Entra Domain Services managed domain for the SecureAuth IWA service. You will enter this service account's name and password in the Identity Platform Microsoft Entra ID data store settings to allow Windows SSO integration; if the account password is rotated later, update it there as well or Windows SSO stops working.
Have or create a virtual machine in the same network as Microsoft Entra Domain Services.
Join the virtual machine to the Microsoft Entra domain.
Install the RSAT: Active Directory Domain Services and Lightweight Directory Services Tools feature on the machine. This provides the setspn command and the ActiveDirectory PowerShell module.
To install it, go to Settings > Apps > Optional features and add the feature, or search for it from the Start menu.
Reboot the machine.
To create a service account, you first need a custom organizational unit (OU). The built-in AADDC Users and AADDC Computers containers in a managed domain are synchronized from Microsoft Entra ID and cannot be edited directly, so accounts created in the managed domain must live in a custom OU. You must be a member of the AAD DC Administrators group to create the OU and the account.
For more information, see this Microsoft article: Create an Organizational Unit (OU) in a Microsoft Entra Domain Services managed domain.
Create a service account in the custom OU and assign the Service Principal Name (SPN) to that account using the setspn commands. Use a long, randomly generated password, because the account's key protects every Windows SSO ticket for the IWA service.
To view the SPNs already registered on the service account, use this command:
setspn.exe -L ServiceAccountName
To assign an SPN to the service account, use this command:
setspn -a HTTP/<SecureAuth IWA service FQDN> ServiceAccountName
The placeholder is the host name that browsers use to reach the SecureAuth IWA service (for example, HTTP/iwa.example.com), not a URL: no https:// scheme, no port, and no path. The HTTP service class covers both HTTP and HTTPS. Note that setspn -a registers the SPN without checking whether another account already holds it; setspn -s does the same but refuses to create a duplicate, and is the safer choice.
An SPN registered on two accounts breaks Kerberos for that service, because the domain controller cannot determine which key to use for the ticket. To search the domain for duplicate SPNs, use this command:
setspn -x
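The following PowerShell script, added here as an example and not part of the SecureAuth documentation, performs the whole procedure above in one run on the domain-joined VM: it creates the custom OU, creates the service account, refuses to continue if the SPN is already held by another account, registers the SPN, and verifies the result. It uses the ActiveDirectory module installed with RSAT. The managed domain name, OU name, account name and IWA host name are placeholders chosen for the example; the AES encryption-type setting is optional hardening, not a SecureAuth requirement.

```powershell
# Added example (not SecureAuth's own script). Run on the domain-joined VM with
# RSAT installed, as a member of "AAD DC Administrators".
# Every name below is an assumed placeholder; replace it with your own values.
Import-Module ActiveDirectory

$DomainDn    = 'DC=aaddscontoso,DC=com'          # assumed managed domain
$DomainDns   = 'aaddscontoso.com'
$OuName      = 'SecureAuthServiceAccounts'       # assumed custom OU name
$OuDn        = "OU=$OuName,$DomainDn"
$AccountName = 'svc-secureauth-iwa'              # assumed service account name
$IwaHost     = 'iwa.example.com'                 # assumed FQDN browsers use for the IWA service
$Spn         = "HTTP/$IwaHost"                   # host name only: no https://, no port, no path

# 1. Custom OU. Built-in AADDC containers are read-only, so the account must live here.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Service account. The password is prompted, never written into the script.
#    The same password must later be entered in the Identity Platform data store settings.
$Password = Read-Host -AsSecureString -Prompt "Password for $AccountName"
if (-not (Get-ADUser -Filter "SamAccountName -eq '$AccountName'")) {
    New-ADUser -Name $AccountName -SamAccountName $AccountName `
        -UserPrincipalName "$AccountName@$DomainDns" -Path $OuDn `
        -AccountPassword $Password -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'SecureAuth IWA Kerberos service account'
}

# 3. Duplicate check. Two accounts holding the same SPN break Kerberos for the
#    service; setspn -a would not catch this, so check explicitly before registering.
$holder = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName
if ($holder -and $holder.Name -ne $AccountName) {
    throw "SPN $Spn is already registered on $($holder.DistinguishedName); remove it there first."
}

# 4. Register the SPN on the account (Add is a no-op if it is already present).
Set-ADUser -Identity $AccountName -ServicePrincipalNames @{Add = $Spn}

# 5. Optional hardening: restrict the account to AES ticket keys so the KDC never
#    issues RC4-encrypted service tickets for this SPN.
Set-ADUser -Identity $AccountName -KerberosEncryptionType AES128, AES256

# 6. Verify. This shows the same information as "setspn -L", then scans the
#    whole domain for duplicates, which should report none.
(Get-ADUser -Identity $AccountName -Properties servicePrincipalName).servicePrincipalName
setspn.exe -x
```

Re-running the script is safe: the OU and account are only created when missing, the duplicate check passes when the SPN holder is the account itself, and the SPN add is idempotent. If the duplicate check throws, fix the other account before continuing rather than forcing the registration.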
Next steps
In the Identity Platform, configure the data store settings for Microsoft Entra ID to Allow Windows SSO integration, and provide the name and password of the Microsoft Entra Domain Services service account to which you assigned the SPN.