# Setting up Integrated Windows Authentication

{% hint style="info" %}
Integrated Windows Authentication is only supported on standalone Access Manager instances. It cannot be used in clustered or load-balanced deployments.
{% endhint %}

The following guide will assist you in configuring your application to use Integrated Windows Authentication (IWA).

{% hint style="warning" %}
Note that we recommend using a strong authentication mechanism such as OpenID Connect, where you have the ability to enforce multifactor authentication on users attempting to access your application. Access Manager fully supports modern OIDC providers such as [Azure AD](https://docs.lithnet.io/ams/2.0/configuration/setting-up-authentication/setting-up-authentication-with-azure-ad) and [Okta](https://docs.lithnet.io/ams/2.0/configuration/setting-up-authentication/setting-up-authentication-with-okta).
{% endhint %}

## Part 1: Configure the SPN

Lithnet Access Manager uses kernel-mode authentication, which means the computer account, rather than the service account, is used to authenticate the client. The Kerberos service principal name (SPN) must therefore be registered on the computer account, not on the service account.

If your web URL hostname is different from your machine's AD hostname, you will need to register an SPN for that hostname.

Run the following command to set the SPN. Replace `{dnsName}` with the hostname that web clients will use to access the service, and `{computerNetBIOSName}` with the AD computer name:

```
setspn -s HTTP/{dnsName} {computerNetBIOSName}
```

For a website called `accessmanager.lithnet.local` running on computer `AMSWEB01`, the command would be:

```
setspn -s HTTP/accessmanager.lithnet.local AMSWEB01
```
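The `setspn -s` command above refuses to add an SPN that already exists elsewhere, but it does not tell you where it lives or whether it was wrongly placed on the service account. The following PowerShell script is an added example, not part of the Lithnet documentation: it looks up every account holding the `HTTP/` SPN, fails if it is duplicated or sits on anything other than the computer account, and registers it on the computer account when it is missing. It assumes the RSAT `ActiveDirectory` module is installed and that it runs with rights to modify the computer object; the hostname and computer name default to the values from the example above.

```powershell
# Added example (not from the Lithnet documentation): register the HTTP SPN on the
# computer account and confirm no other account already holds it.
# Assumes the RSAT ActiveDirectory module is available and the caller may edit the computer object.
param(
    [string]$DnsName      = 'accessmanager.lithnet.local',  # hostname in the web URL
    [string]$ComputerName = 'AMSWEB01'                      # AD computer running Access Manager
)

Import-Module ActiveDirectory

$spn = "HTTP/$DnsName"

# 1. Find every account that already carries this SPN. A duplicate SPN (for example one
#    left on a service account from an earlier setup) breaks Kerberos for this service,
#    and browsers then quietly fall back to NTLM, which is exactly what we want to avoid.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName |
             Select-Object -ExpandProperty Name)

if ($holders.Count -gt 1) {
    throw "SPN $spn is registered on more than one account: $($holders -join ', '). Remove the duplicates before continuing."
}

if ($holders.Count -eq 1 -and $holders[0] -ne $ComputerName) {
    # Kernel-mode authentication uses the computer account, so an SPN on the service
    # account (or any other object) is in the wrong place.
    throw "SPN $spn is registered on '$($holders[0])', not on the computer account '$ComputerName'. Remove it with: setspn -d $spn $($holders[0])"
}

if ($holders.Count -eq 0) {
    # Nobody holds it yet: add it to the computer account. This is the PowerShell
    # equivalent of:  setspn -s HTTP/$DnsName $ComputerName
    Set-ADComputer -Identity $ComputerName -ServicePrincipalNames @{ Add = $spn }
    Write-Host "Registered $spn on $ComputerName"
} else {
    Write-Host "$spn is already registered on $ComputerName"
}

# 2. Show the resulting SPN list for the computer account so the change can be reviewed.
(Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName).servicePrincipalName
```

Run it as `.\Register-AmsSpn.ps1 -DnsName accessmanager.lithnet.local -ComputerName AMSWEB01` (script name assumed). The duplicate check is the important part: `setspn -X` performs the same forest-wide duplicate search if you prefer the built-in tool.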

## Part 2: Configure Lithnet Access Manager

![User authentication page with Integrated Windows Authentication selected](https://2384577883-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGiL0iwWnyPOkaGqdhRTp%2Fuploads%2Fgit-blob-b9ec9ea945d1defe8ae4c0ce433d28f6e92c07ab%2Fui-page-authentication-iwa.png?alt=media)

1. Open the Lithnet Access Manager Service Configuration Tool.
2. Select the `App configuration\User authentication` page.
3. Select `Integrated windows authentication` as the authentication provider.
4. Select `Negotiate` as the authentication scheme.

{% hint style="danger" %}
NTLM and Basic authentication are not recommended and are provided for testing purposes only.
{% endhint %}

To restrict clients to the use of Kerberos only, disable incoming NTLM authentication for the server using [group policy](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic).
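After applying the policy, it is worth confirming two things on the server: that the NTLM restriction actually took effect, and that a Kerberos service ticket can be obtained for the `HTTP/` SPN (if it cannot, clients will attempt the NTLM fallback that you have just blocked, and logins will fail). The following PowerShell script is an added example, not part of the Lithnet documentation. It reads the registry value that the "Restrict NTLM: Incoming NTLM traffic" policy sets and then asks `klist` for a ticket to the SPN; the hostname defaults to the value used earlier on this page.

```powershell
# Added example (not from the Lithnet documentation): verify the incoming-NTLM restriction
# and confirm a Kerberos service ticket can be obtained for the Access Manager SPN.
# Run on the Access Manager server (or any domain-joined client) as a domain user.
param(
    [string]$DnsName = 'accessmanager.lithnet.local'   # hostname used in the web URL
)

# The policy "Network security: Restrict NTLM: Incoming NTLM traffic" is stored under MSV1_0:
#   0 = allow all, 1 = deny all domain accounts, 2 = deny all accounts.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$name  = 'RestrictReceivingNTLMTraffic'
$value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

switch ($value) {
    2       { Write-Host    "Incoming NTLM: denied for all accounts (Kerberos only)" }
    1       { Write-Warning "Incoming NTLM: denied for domain accounts only; local accounts can still use NTLM" }
    default { Write-Warning "Incoming NTLM: not restricted (value '$value'); clients can still fall back to NTLM" }
}

# Request a service ticket for the SPN. This fails when the SPN is missing or duplicated,
# which is the condition under which browsers would otherwise fall back to NTLM.
$spn = "HTTP/$DnsName"
$out = (& klist.exe get $spn 2>&1) -join "`n"

if ($out -notmatch "Server:\s+$([regex]::Escape($spn))") {
    Write-Error "Could not obtain a Kerberos ticket for ${spn}:`n$out"
} else {
    Write-Host "Kerberos ticket obtained for $spn"
    # Print just the cached ticket for this service for review
    $out -split "`n" | Select-String -Pattern ([regex]::Escape($spn)) -Context 1,4
}
```

A value of `2` matches the "Deny all accounts" setting in the linked policy; if the script reports a different value after a `gpupdate /force`, the GPO is not reaching this server. A failed `klist get` points back to Part 1: the SPN is missing from the computer account or exists on more than one object.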
