Create a Microsoft IIS IWA application

1. Sign in to the Access Gateway Admin UI console.
2. Click the Applications tab.
3. Click +Add.
4. Select Microsoft IIS IWA from the left column menu, and click Create.
   

   If the Microsoft IIS, OWA, or SharePoint IWA applications are disabled, ensure that there's a valid Kerberos service configured in settings.

5. If required, expand the Essentials pane and enter:
   

   Field	Value
   Label	The name of the application, as shown in your Okta Tenant. For example:Microsoft IIS Application
   Public Domain	The externally facing URL of the application. For example: https://iis.idaasgateway.net
   Protected Web Resource	Fully qualified URL to the Microsoft backing application.
   Group	The group containing users who can access the application.

6. [Optional] Assign load balancers

   Only use Access Gateway as the load balancer. See Load balancing.

   1. Expand the Protected Web Resource tab.
   2. Enable Load Balancing By Access Gateway.

      A table of hostnames and weights representing the target load balancing instances appears. This table is initially empty. Click edit to modify an entry in the table, or click delete to delete an entry.

   3. Choose either HTTP or HTTPS as the URL scheme. Each protected web resource that you add inherits this scheme.
   4. Optional. Enable and specify Host Header value.
   5. Complete the following steps to add a host, repeat as required:
      1. Click Add protected web resource.
      2. Enter a fully qualified hostname:port combination (for example, https://backendserver1.atko.com:7001).
      3. Enter a weight from 1 to 100. Enter 0 to specify that a host is disabled.

         Weights represent the percentage of requests that will be routed to this host.

         For example, two hosts of weights 2:1 would result in requests being routed ~66% to the host weighted 2 and ~33% to the host weighted 1.

      4. Click Okay.

   6. Optional. Configure health checks, which use GET operations to confirm that back-end resources are functional.

      New requests aren't routed to resources that have been labeled unhealthy by the health checks.

      1. Enable Load Balancer Health Check.
      2. Click Edit to modify health check settings.
      3. Modify settings as required.

         Field	Value	Default
         Path	The URI path to the resource used in health check.	/
         Method	The HTTP method used.	Always GET
         Status code	The HTTP status code used to determine health.	200
         Interval	The interval between health checks in seconds.	10
         Request timeout	The health check request timeout in seconds.	1
         Healthy threshold	The number of requests that must succeed before a host is considered healthy.	3
         Unhealthy threshold	The number of requests that must fail before a host is considered unhealthy.	3

      4. Click Save to save changes or click Cancel to exit without saving.

   All apps, including the Access Gateway Admin UI console app, require a self-signed or signed certificate.

   Include signed certificates wherever you terminate SSL. You can terminate SSL at Access Gateway or any other network component, like a load balancer.

   If you terminate SSL at a load balancer, on the Access Gateway Admin UI console app, you also need to use a certificate that is trusted by the load balancer.

   If you terminate SSL on the Access Gateway Admin UI console application, you must use a signed certificate, which must be on the Access Gateway node and be associated with the Access Gateway Admin UI console application.

   • See Certificate use for details about certificates.
   • See Certificate management for a task flow for obtaining and assigning certificates.
7. Expand the Certificates tab.

   By default, when you create the app, the system generates a self-signed wildcard certificate and assigns it to the app.

8. Optional. Click Generate self-signed certificate. A self-signed certificate is created and automatically assigned to the app.
9. Optional. Select an existing certificate from the list. Use the Search field to narrow the set of certificates by common name. Use the page forward and backward arrows to navigate through the list.
10. Click Next
11. In the Application pane, enter:
    

    Field	Value
    Kerberos Realm	Enter the name of the associated realm

12. Click Next.
13. In the Attributes pane:

    1. Click Add attribute to add an attribute what corresponds to sAMAccountName.

    2. Verify he following:
       

       Field	Value
       Data Source	IDP
       Field	IDP attribute that correlates with the users sAMAccountName
       Type	Header
       name	iwa_username

    3. Click Save.
       
14. Click Done.

The application is added and the Application list page is displayed.

Next steps

Test Kerberos application