Setting up IWA on the Avaya Aura Device Services administration portal

Last Updated: Jun 10, 2026

About this task

This procedure describes the changes you must make on the Avaya Aura® Device Services administration portal to configure IWA.

To configure IWA for multiple domains, you must repeat this procedure for each Active Directory that requires the use of IWA.

Note:

If you upgrade Avaya Aura® Device Services to a later release, set up IWA, and then downgrade Avaya Aura® Device Services, IWA remains configured and enabled.

Before you begin

Generate a tomcat.keytab file for the Active Directory that you plan to use for IWA. If you want to configure IWA for multiple domains, you must generate a tomcat.keytab file for each Active Directory.

Procedure

  1. On the Avaya Aura® Device Services administration portal, click LDAP Configuration.
  2. Select the required Active Directory.
  3. In the Server Address and Credentials area, do the following:
    1. In the Windows Authentication menu, select Negotiate.
    2. In the Confirm Action dialog box, click OK.
    3. In UID Attribute ID, type userPrincipalName.

      If this field is not set to userPrincipalName, you might encounter license issues and other unpredictable behavior.

    4. Ensure that the other settings are appropriate for the LDAP configuration of your Domain Controller.
      Important:

      The LDAP server you use must be the domain controller with the appropriate Active Directory version as the server type.

  4. In the Configuration for Windows Authentication area, complete the following information using the same values you provided when setting up the Windows Domain Controller:
    1. In Service Principal Name (SPN), type HTTP/<FRONT-END FQDN>.

      For example, HTTP/aads.example.com.

    2. Click Import to import the tomcat.keytab file transferred from the Windows Domain Controller.

      In cluster deployments, the file is transferred to all nodes in the cluster. An additional option is available to send the file to specific nodes in a cluster.

    3. In Kerberos Realm, type the Kerberos realm, which is usually in all uppercase letters. For example, EXAMPLE.COM.
    4. In DNS Domain, type the DNS domain of the Domain Controller.

      For example, example.com.

    5. (Optional) Select the Use SRV Record check box.
    6. (Optional) If Use SRV Record is not selected, in KDC FQDN, type the FQDN of the Domain Controller.

      This value also includes the DNS domain at the end. For example, ad.example.com.

    7. (Optional) In KDC Port, retain the default value of 88.

      This field is only visible if Use SRV Record is not selected.

    8. (Optional) In a cluster deployment, click Send Keytab File to send the tomcat.keytab file you imported in step 4.2 to a specific node.

      This option is useful if the import to a node failed or if you add a new node to your cluster.

  5. Click Save to retain the settings and restart the server.

    The updated settings are used to generate the files needed to configure the Tomcat JAASRealm and the corresponding Sun JAAS Login module for GSS Bind.