Windows authentication is only supported if you are using a single authentication directory. If you are using multiple authentication directories, Windows Authentication is disabled.
Before you begin
Ensure that the LDAP server you use is the Domain Controller with the appropriate Active Directory version as the server type.
Procedure
On the Avaya Aura® Web Gateway web administration portal, navigate to General Network Settings > LDAP Configuration.
The system displays the Enterprise LDAP Server Configuration page.
In the Server Address and Credentials section, do the following:
In the Windows Authentication field, click Negotiate.
In the Confirm Action pop-up window, click OK.
The UIDAttributeID must be userPrincipalName.
Ensure that the other settings on the Server Address and Credentials page are appropriate for the LDAP configuration of your Domain Controller.
In the Configuration for Windows Authentication section, do the following:
Tip:
To complete the following fields, use the same values you entered when setting up the Windows Domain Controller.
In Service Principal Name, type HTTP/<REST_FQDN>, where <REST_FQDN> is the front-end FQDN used in the ktpass command below.
For example, type HTTP/aads.example.com.
To import the tomcat.keytab file transferred from the Windows Domain Controller, in Import keytab file, click Import.
In cluster deployments, the file is transferred to all nodes in the cluster. An additional option is available to send the file to specific nodes in a cluster.
You can use the following command to generate a tomcat.keytab file.
ktpass /out c:\tomcat.keytab /mapuser <Domain User Login>@<Kerberos realm> /princ HTTP/<FRONT-END FQDN>@<Kerberos realm> /ptype KRB5_NT_PRINCIPAL /pass +rndPass /crypto all /kvno 0
For example, <Domain User Login> might be csa_user, <Kerberos realm> EXAMPLE.COM, and <FRONT-END FQDN> csa.example.com.
In Kerberos Realm, type the Kerberos realm, which is usually in uppercase letters.
For example, EXAMPLE.COM.
In DNS Domain, type the DNS domain of the Domain Controller.
For example, example.com.
In KDC FQDN, type the FQDN of the Domain Controller.
This value also includes the DNS domain at the end.
For example, ad.example.com.
In KDC Port, do not change the default setting, which is 88.
In a cluster deployment, click Send Keytab File to send the tomcat.keytab file to a specific node.
This option is useful if the import to a node failed or if you add a new node to your cluster.
Save the settings to restart the server.
The settings you specified are used to generate the files needed to configure the Tomcat JAASRealm and the corresponding Sun JAAS Login module for GSS Bind.
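The imported tomcat.keytab only works if the principal inside it matches the HTTP/<FRONT-END FQDN>@<Kerberos realm> value that ktpass wrote and that the Service Principal Name and Kerberos Realm fields describe. The following checker is an added example, not Avaya's code or part of the product: it parses the MIT keytab format (version 0x0502) that ktpass produces and reports any entry whose principal does not match; the sample keytab at the end is constructed in place with dummy key bytes for the ktpass example values.

```python
import struct

def _cstr(buf, off):
    """Counted octet string: big-endian uint16 length, then that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse an MIT-format keytab (version 0x0502) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,), off = struct.unpack_from(">i", data, off), off + 4
        if size <= 0: off -= size; continue   # negative size marks a deleted slot
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        realm, p = _cstr(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _cstr(data, p); comps.append(c.decode())
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, p); p += 9
        (enctype,) = struct.unpack_from(">H", data, p); p += 2
        key, p = _cstr(data, p)
        vno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8  # 32-bit kvno if present
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": enctype, "kvno": vno, "keylen": len(key)})
        off = end
    return entries

def check_keytab(data, fqdn, realm):
    """Return problems found; an empty list means every entry is HTTP/<fqdn>@<realm>."""
    expected = f"HTTP/{fqdn}@{realm}"
    entries = parse_keytab(data)
    problems = ["keytab contains no entries"] if not entries else []
    for e in entries:
        if e["principal"] != expected:
            problems.append(f"entry {e['principal']} does not match {expected}")
    return problems

def _entry(principal, enctype, key, kvno):
    """Build one keytab entry; used only to construct the sample data below."""
    name, realm = principal.split("@"); comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype)  # name type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: AES256 (enctype 18) and RC4-HMAC (23) entries, kvno 0, dummy key bytes.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry("HTTP/csa.example.com@EXAMPLE.COM", 18, b"\x11" * 32, 0)
                 + _entry("HTTP/csa.example.com@EXAMPLE.COM", 23, b"\x22" * 16, 0))
```

Run check_keytab on the real file's bytes with the FQDN and realm you entered in the portal; a non-empty result explains a failed Negotiate login before you look anywhere else.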