Hi Klaus,
Thanks for your response. We have tested two scenarios.
Scenario one:
Changing the password on the Domain Controller and simultaneously on the IWA realm account on the Proxy SG side: it works, and we could see user authentication going via Kerberos.
Scenario two:
Changing the password only on the Domain Controller side: when we immediately tested access through that proxy, it seemed to be working fine (maybe because of old cached Kerberos credential TGTs). After two hours we tried the same; authentication was then breaking and resulting in an Appliance Error, and it did not fall back to NTLM. We tried another thing: manually disabling the Kerberos option in the IWA Direct AD realm configuration on the proxy and keeping NTLM + Basic. Then user auth used NTLM and the internet was accessible. In the web authentication layer we have set the mode to AUTO. Now my question is: when Kerberos was broken, why did it not fall back to NTLM automatically, until we manually disabled the Kerberos option in the IWA realm on the proxy side?
Additional question: where can we see the logs when we change the password on both the Domain Controller and the Proxy SG side?
-------------------------------------------
Original Message:
Sent: Feb 23, 2026 04:17 AM
From: Klaus Klinge
Subject: IWA Direct Ad server password Rotation
Hi,
AFAIK: You have a user (& password) which you use to join the proxy into the AD. (The proxy uses this account to make itself a domain member.)
This domain member 'account' is separate from this generation account.
The AD and the proxy as domain members automatically refresh the connection data in the background without you being able to see anything.
This continues until you install a major release on the proxy, for example, or trigger a domain leave.
After that, you need this generation account again to rejoin the proxy.
Conclusion: You won't notice the password rotation until you have an on-call assignment one evening and need to rejoin the proxy – and then realise that the password from the generation account no longer works.
Best regards,
Klaus
Original Message:
Sent: Feb 12, 2026 08:09 AM
From: Ganesh Basappa
Subject: IWA Direct Ad server password Rotation
We want to evaluate solutions to rotate the password on the IWA Direct AD server. What would be the technical viabilities (pros & cons) and business implications?
-------------------------------------------