Solutions

User IE browser got prompt for login randomly with IWA authentication

Solutions ID:    KB3650
Version:    4.0
Status:    Published
Published date:    01/13/2010
Updated:    04/23/2010
 

Problem Description

When using IE with IWA authentication, with transparent proxy setup, occasionally, a few users would be prompt for login when using IE6 or IE7. The proxy authentication realm was IWA with Kerberos method enabled. It happens randomly. This is what the request would look like in a packet capture

HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Pragma: no-cache
WWW-Authenticate: NEGOTIATE    <<<<----This line caused the problem.
WWW-Authenticate: NTLM
WWW-Authenticate: BASIC
realm="TEST"
Content-Type: text/html; charset=utf-8
Proxy-Connection: close
Set-Cookie: BCSI-CS0A010717=2; Path=/
Connection: close
Content-Length: 863

 
The browser was confused by this authentication method: WWW-Authenticate: NEGOTIATE  
Therefore the browser did not response with NTLM credential to proxy, but prompts the user to login instead.

WWW-Authenticate: NEGOTIATE is used for Kerberos authentication

Note : Not every browser was prompting users for authentication

Resolution

Open the web management interface and go to Authentication / IWA realm / IWA servers

Uncheck the “Allow Kerberos credentials” setting and only enable BASIC and NTLM, then click "Apply"
 


Rate this Page

Please take a moment to complete this form to help us better serve you.

Did this document help answer your question?
 
 
If you are finished providing feedback, please click the RATE CONTENT button. Otherwise, please add more detail in the following text box and then click RATE CONTENT.
 
 

Your response will be used to improve our document content.

Ask a Question