In a Windows SSO realm, the BCAAA Windows server needs to query its DC for user logon information (username and IP address), so that the SSO realm can determine the username based on the user's IP address.
One problem is that the BCAAA server cannot authenticate to the DC and therefore cannot query any user logon information from it. As a result, BCAAA cannot determine the username and the Windows SSO realm fails.
In a packet capture taken on the BCAAA server, Windows tries to log in to the DC with a null username, shown as "\":
tcp port 445 protocol: SMB Session Setup AndX Request, NTLMSSP_AUTH, User: \
So the DC returns access denied:
TCP port 445 Protocol: SMB NT Create AndX Response, FID: 0x0000, Error: STATUS_ACCESS_DENIED
The BCAAA log shows the error message:
"Cannot query domain controller 10.10.10.10; status=5:0x5:Access is denied."
One of the main reasons is that BCAAA has not been set up correctly with a designated domain username and password; it was set to "Local system account".
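To check a capture summary and a BCAAA log for this exact combination of symptoms, the following added example (not part of the original article and not vendor code) correlates the null-user session setup, the STATUS_ACCESS_DENIED response and the status=5 log error. The sample lines are constructed from the ones quoted above, and the account CORP\svc_bcaaa is a hypothetical name used only for contrast.

```python
import re

# Patterns taken from the capture and log lines quoted in the article.
NULL_USER_AUTH = re.compile(r"Session Setup AndX Request, NTLMSSP_AUTH, User: \\\s*$")
ACCESS_DENIED = re.compile(r"STATUS_ACCESS_DENIED")
BCAAA_DENIED = re.compile(
    r"Cannot query domain controller (\S+); status=5:0x5:Access is denied"
)

# Constructed sample input, modelled on the lines quoted in the article.
SAMPLE_CAPTURE = [
    "tcp port 445 protocol: SMB Session Setup AndX Request, NTLMSSP_AUTH, User: \\",
    "TCP port 445 Protocol: SMB NT Create AndX Response, FID: 0x0000, "
    "Error: STATUS_ACCESS_DENIED",
]
SAMPLE_LOG = [
    '"Cannot query domain controller 10.10.10.10; status=5:0x5:Access is denied."',
]
# Constructed contrast case: CORP\svc_bcaaa is a hypothetical domain account.
HEALTHY_CAPTURE = [
    "tcp port 445 protocol: SMB Session Setup AndX Request, NTLMSSP_AUTH, "
    "User: CORP\\svc_bcaaa",
]


def triage(capture_lines, log_lines):
    """Report whether the capture and log show the failure described above."""
    null_auth = sum(1 for line in capture_lines if NULL_USER_AUTH.search(line))
    denied = sum(1 for line in capture_lines if ACCESS_DENIED.search(line))
    dcs = sorted(
        {m.group(1) for line in log_lines if (m := BCAAA_DENIED.search(line))}
    )
    return {
        "null_user_auth": null_auth,        # session setups with user "\"
        "access_denied": denied,            # SMB responses refused by the DC
        "domain_controllers": dcs,          # DCs named in BCAAA status=5 errors
        # All three symptoms together point at the service logon account.
        "matches_article_symptom": bool(null_auth and denied and dcs),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_CAPTURE, SAMPLE_LOG))
```

A match means the next thing to inspect is the account the BCAAA service logs on as.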