User IE browser got prompt for login randomly with IWA authentication


<< Back to Knowledge Search

Solution

Overview

When using IE with IWA authentication, with transparent proxy setup, occasionally, a few users would be prompt for login when using IE6 or IE7. The proxy authentication realm was IWA with Kerberos method enabled. It happens randomly. This is what the request would look like in a packet capture

HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Pragma: no-cache
WWW-Authenticate: NEGOTIATE    <<<<----This line caused the problem.
WWW-Authenticate: NTLM
WWW-Authenticate: BASIC
realm="TEST"
Content-Type: text/html; charset=utf-8
Proxy-Connection: close
Set-Cookie: BCSI-CS0A010717=2; Path=/
Connection: close
Content-Length: 863

 
The browser was confused by this authentication method: WWW-Authenticate: NEGOTIATE  
Therefore the browser did not response with NTLM credential to proxy, but prompts the user to login instead.

WWW-Authenticate: NEGOTIATE is used for Kerberos authentication

Note : Not every browser was prompting users for authentication

Cause
Resolution

Open the web management interface and go to Authentication / IWA realm / IWA servers

Uncheck the “Allow Kerberos credentials” setting and only enable BASIC and NTLM, then click "Apply"
 

Workaround
Additional Information
Bug Number
InQuira Doc IdKB3650
Attachment

Article Feedback

Hide Properties
First Published      10/01/2014
Last Modified      10/01/2014
Last Published      10/01/2014
Article Audience
Product      ProxySG
Software      SGOS 4, SGOS 5
Topic      BCAAA
Article Number      000014434
Summary     
Was this helpful?
Comments:
 
Previous MonthNext Month
SunMonTueWedThuFriSat