[Detailed Guide] VMware vSphere Integrated Windows Authentication

You may have noticed that support for IWA continues to be available in vSphere 7.0 and will be phased out in future releases. Don’t worry, let's take a look at how to configure IWA for vSphere.

Zelia

By Zelia / Updated on October 30, 2024

Share this: instagram reddit

What is Integrated Windows Authentication?

Integrated Windows Authentication (IWA) is a method of authentication that is used in Microsoft Windows operating systems. It allows you to authenticate to network resources, such as web applications or file shares, using your Windows credentials without the need to enter your username and password explicitly. When you access a resource that requires authentication, IWA uses your logged-in Windows session to automatically authenticate them.

In addition, It also offers benefits like a seamless login experience, centralized user management, improved security, enhanced compliance, increased productivity, etc.

vsphere-integrated-windows-authentication

It's worth noting that IWA is primarily designed for Windows-based environments and works best when both the client and server are part of the same Windows domain. However, with the right configuration and support, it is possible to use IWA across different platforms and with non-Windows clients.

How to set up vSphere 7 Integrated Windows Authentication

Prerequisites:
✔ Install the Windows Authentication server feature on the application server in order to enable IWA.
✔ Set the type of security to use for your license server site to use IWA in vSphere 7.

Next, I will demonstrate how to enable vSphere 7 Integrated Windows Authentication.

Step 1. Select a site in the tree view, and click Tools >> Enable Integrated Windows Authentication.

enable-integrated-windows-authentication

Step 2. Set the application pool identity to a domain user or a local user.

Note: This user will be added to the SPFUsers group so that it will have permission to run the SDx Server application pools.

Of course, in addition to the above method, you can also choose to set up Integrated Windows Authentication manually. You need to perform the following actions on your SDx Server virtual directory in IIS:

Step 1. Manually set the application pool identity to a domain user or local user in the SPFUsers group.

Step 2. Set the following setting to IWA Enabled (all others disabled):

  • Anonymous Authentication setting
  • ServerRequest.asmx setting
  • Ping.html setting, Ping.html setting
  • SPFBaseService.asmx setting
  • SPFGeneralService.asmx setting
  • SPFService.asmx setting

Step 3. Set NTLM as the top provider in Windows Authentication.

Note: If you are using the Intergraph Authorization Server (which was discontinued as of Update 23), you must also edit the Authentication web.config file and set the Enable Cookie Authentication setting to False. This does not need to be performed if you are using any other authorization server.

How to migrate from vSphere 7 Integrated Windows Authentication

Once the account has been created and it has been verified that LDAPS is functioning, we may begin configuring AD via LDAP in vCenter. We must first remove this since we will be adding the LDAPS source using the same domain name as the IWA source, which will result in an error.

Step 1. Log in to vCenter Web Client >> Menu >> Administration >> Single Sign-On >> Configuration. In Identity Sources, select IWA and click Remove. Then a confirmation message will appear, please click OK.

select-iwa-and-click-remove

confirm-to-remove-identity-source

Step 2. Click ADD in the Identity source page and select Active Directory over LDAP.

add-identity-source

Step 3. Enter the required details of Identity Source.

enter-required-details

Step 4. If you have a certificate issue from an internal certificate authority, you will be selecting the CA cert for LDAPS as this should trust any cert issued by the CA on your domain controllers.

select-ca-cert-for-ldaps

Step 5. Click ADD to complete the AD over LDAP identity source.

complete-ad-over-ldap-identitty-source

Exploring vSphere’s backup solutions with ease

As organizations increasingly rely on virtualization technologies like vSphere with Integrated Windows Authentication to streamline their IT infrastructure, it becomes crucial to consider data backup strategies to ensure the protection and availability of critical information.

While vSphere offers robust management capabilities, including high availability and fault tolerance, data backup serves as an essential layer of defense against potential data loss or system failures. By implementing a reliable data backup solution, organizations can safeguard their virtualized environments, enabling quick recovery and minimizing downtime in the event of unexpected disruptions.

vSphere backup software – AOMEI Cyber Backup, safeguards your virtual environment, which enables you to backup multiple VMs either managed by vCenter Server, or on a standalone ESXi host. In addition, it offers you the following benefits:

Agentless Backup: Create complete and independent image-level backup for VMware ESXi and Hyper-V VMs.
Flexible vSphere Backup: Batch backup large numbers of VMs managed by vCenter Server, or multiple VMs on a standalone ESXi host.
Multiple Storage Destinations: Backup to local drive, or network destinations like Windows Share or NAS.
Automated Execution: Create backup schedules to automate backups daily, weekly, and monthly.
Role Assignment: Allows one administrator to create sub-accounts with limited privileges.

AOMEI Cyber Backup supports VMware ESXi 6.0 and later versions. Next, I will show you how to perform vSphere VM backup and restore via AOMEI Cyber Backup. You can click the following button to download the 30-day free trial.

Download Free TrialVMware ESXi & Hyper-V
Secure Download

*You can choose to install this VM backup software on either Windows or Linux system.

Steps to perform vSphere backup and restore with AOMEI Cyber Backup

Step 1. Bind Devices: Access to AOMEI Cyber Backup web client, navigate to Source Device >> VMware >> + Add VMware Device ;to Add vCenter or Standalone ESXi host. And then click >> Confirm.

bind-device

Step 2. Create Backup Task: Navigate to Backup Task >> + Create New Task, and select VMware ESXi Backup as the Backup Type. Set the Task Name, Device, Target, Schedule and Cleanup as needed.

vmware-esxi-backup

  • Task Name: Change the task name or use the default name with an ordinal.
  • Device: Batch backup multiple VMs on vCenter or standalone host within one backup task.
  • Target: Select to back up to a local path, or to a network path like NAS.
  • Schedule (optional): Perform full, differential, or incremental backup, and automate execution according to the frequency you specified.

schedule-type

  • Cleanup (optional): Automatically delete the old backup copies that exceed the retention period you specified.

backup-cleanup

Step 3. Run Backup: Now you can click Start Backup and select Add the schedule and start backup now, or Add the schedule only.

start-backup

Step 4. Start Restore: Choose to Restore to original location or Restore to new location to create a new VM in the same or another datastore/host directly from the backup, saving the trouble of re-configuring the new VM.

restore-to-new-location

Conclusion

The changes to vSphere 7 Integrated Windows Authentication can simplify the authentication experience and enhance integration with Active Directory, improve security protocols.

It is vital to emphasize the importance of backing up vSphere VMs and provide valuable best practices for Integrated Windows Authentication (IWA) in vSphere 7.

Zelia
Zelia · Editor
Zelia is an editor from AOMEI Technology.She mainly writes articles about virtual machine. Writing is one of her hobbies and she wants her articles to be seen by more people. In her spare time, she likes to draw and listen to music, and it is a pleasure for her to focus on her own world.