Require Windows Integrated Authentication Credentials Assertion

The Require Windows Integrated Authentication Credentials assertion requires the presence of credentials from a Windows domain in the request.
gateway91
The
Require Windows Integrated Authentication Credentials
assertion requires the presence of credentials from a Windows domain in the request.
As this assertion is a credential source, ensure that there no other conflicting credential sources in the policy (for example, the Require HTTP Basic Credentials assertion).
The Require Windows Integrated Authentication Credentials assertion places the realm of the client (which should be an expected value for the identity provider) into the
kerberos.realm
context variable. This enables policy decisions based on this aspect of the client credential and is useful in situations where the client can be from multiple domains/realms. For example: 
EAST.MYCOMPANY.COM
WEST.MYCOMPANY.COM
The realm is displayed when using the Manage Kerberos Configuration task. Ensure that the realm has been validated by this task before an Kerberos authentication is attempted.
This assertion supports both the Kerberos and NTLM protocols for Windows Integrated Authentication. To allow a service policy to automatically handle both protocols, you should structure your policy so that both the Require Windows Integrated Authentication Credentials and Require NTLM Authentication Credentials assertions are present in the policy (in that order):
NTLM_for_Windows_Integrated.png
The policy fragment above does not support delegated credentials use case. It is intended to support authentication of the user credentials using available authentication assertions only.
Using the Assertion
  1. Add the assertion to the policy development window. For more information, see Adding an Assertion. The assertion is added to the policy window; no further configuration is required.
  2. Move the assertion to the place in the policy list where enforcement should occur.
  3. Optionally use the Authenticate User or Group assertion to limit access to specific users from an LDAP Identity Provider.
    Note:
    If you do this, be sure the Active Directory server has been configured as an LDAP provider.