IE users are randomly prompted for login with IWA authentication



When IE is used with IWA authentication in a transparent proxy setup, a few users are occasionally prompted to log in when using IE6 or IE7. The proxy authentication realm was IWA with the Kerberos method enabled. It happens randomly. This is what the response looks like in a packet capture:

HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Pragma: no-cache
WWW-Authenticate: NEGOTIATE    <<<<----This line caused the problem.
WWW-Authenticate: NTLM
WWW-Authenticate: BASIC
Content-Type: text/html; charset=utf-8
Proxy-Connection: close
Set-Cookie: BCSI-CS0A010717=2; Path=/
Connection: close
Content-Length: 863

The browser was confused by this authentication method: WWW-Authenticate: NEGOTIATE
Therefore the browser did not respond with NTLM credentials to the proxy, but prompted the user to log in instead.

WWW-Authenticate: NEGOTIATE is used for Kerberos authentication.

Note: Not every browser was prompting users for authentication.


Open the web management interface and go to Authentication / IWA realm / IWA servers

Uncheck the “Allow Kerberos credentials” setting and only enable BASIC and NTLM, then click "Apply"
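
To confirm from a packet capture that the realm no longer advertises Negotiate after the change, the 401 response can be parsed for its challenge headers. The following is an added example, not part of the original article; the function names and the "after" capture are constructed for illustration.

```python
import re

CHALLENGE_HEADERS = ("www-authenticate", "proxy-authenticate")
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9!#$%&'*+.^_`|~-]*$")

# Challenge headers as shown in the article's capture (Kerberos allowed).
BEFORE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: NEGOTIATE\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "WWW-Authenticate: BASIC\r\n"
    "Connection: close\r\n\r\n"
)
# Constructed sample: what the same response should look like once
# "Allow Kerberos credentials" is unchecked (assumption, not a real capture).
AFTER = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "WWW-Authenticate: BASIC\r\n"
    "Connection: close\r\n\r\n"
)


def offered_schemes(raw_response):
    """Return the auth schemes advertised in a captured HTTP response, in order."""
    schemes = []
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in CHALLENGE_HEADERS:
            continue
        # Blank out quoted strings so commas inside realm="..." do not split.
        value = re.sub(r'"[^"]*"', '""', value)
        for part in value.split(","):
            tokens = part.split()
            # A challenge starts with a bare scheme token; auth-params contain "=".
            if tokens and "=" not in tokens[0] and SCHEME_RE.match(tokens[0]):
                schemes.append(tokens[0].lower())
    return schemes


def offers_kerberos(raw_response):
    """Negotiate is the scheme used for Kerberos, so flag its presence."""
    return "negotiate" in offered_schemes(raw_response)


if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        print(label, offered_schemes(capture), "Negotiate offered:", offers_kerberos(capture))
```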

Additional Information
InQuira Doc Id: KB3650
