000015125 - AxM 6.X and IIS Agent v4.8: What are IE browser requirements for Integrated Windows Authentication (IWA)?

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number 000015125
Applies To ClearTrust Web Agent IIS V4.8 Agent

Issue

AxM 6.X and IIS Agent v4.8: What are IE browser requirements for Integrated Windows Authentication (IWA)?
When the user is redirected to the /iwa/ct_home.asp page (that is defined for IWA authentication type in IIS), the user will be issued a 401. If the site is not in the local intranet zone, then the automatic IWA authentication will fail with a 401.2 "unauthorized" error message. (NOTE: The user will also see a 401 popup authentication prompt. If they manually enter their domain credentials at this prompt, they will then get authenticated.)
Cause

IWA authentication type requires that the site be within the local intranet zone. A failure to detect the site as a local intranet site will cause a failure in the RSA Access Manager IWA authentication method.

There is an Internet Explorer setting that controls the IWA behavior, specifically the "Automatic logon only in Intranet zone" security checkbox. By default, this is enabled. Note that this is a rather odd setting. Other IE Security settings are either enabled or disabled for a zone. For this specific setting, if it is enabled in any zone, it actually requires that the site be in the "Local Intranet" zone. There is no other specific security setting required for IWA. There is also one more general setting that must be enabled that affects all zones, and that is under Internet Options, Advanced, Enable IWA (which is enabled by default).

In summary, the site must be identified as being in the user's Internet Explorer "Local Intranet" zone for IWA to work. If you are having a problem, you must examine the user's specific computer and their IE settings. For IE to correctly detect that a particular site is a "Local Intranet" site, the user must have a valid domain logon to the domain that contains that site. This is not only a requirement for IWA authentication to succeed, it is also a prerequisite for the browser to detect the correct zone - and to actually present the IWA challenge.

Resolution

Ensure the following options are set in the IE browser:

1. Internet Options, Advanced, "Enable IWA"
2. Internet Options, Security, Trusted Sites (optionally add the site if it is not detected)
3. Internet Options, Security, Local Intranet, Advanced, "Enable logon in intranet zone only"

Ensure the user's computer is logged into the domain.
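The following PowerShell script is an added diagnostic, not part of the RSA article, that reads the settings listed above from the current user's registry and reports whether automatic IWA can be expected for one site. The registry locations it reads (EnableNegotiate, the 1A00 "Logon" action under Zones\1, and ZoneMap\Domains) are assumed from the standard IE zone storage and should be verified against your Windows build; the site name is a constructed example.

```powershell
# Added diagnostic (not from the RSA article): report the IE settings the article
# requires for automatic IWA against one site. Assumed registry locations:
#   <Internet Settings>\EnableNegotiate        Advanced > "Enable Integrated Windows Authentication"
#   <Internet Settings>\Zones\1\1A00           "Logon" action for zone 1 (Local intranet)
#   <Internet Settings>\ZoneMap\Domains\...    sites manually assigned to a zone
param([Parameter(Mandatory)][string]$SiteHost)   # e.g. axm.corp.example (constructed value)

$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Internet Options > Advanced > Enable Integrated Windows Authentication
$neg = (Get-ItemProperty -Path $inet -Name EnableNegotiate -ErrorAction SilentlyContinue).EnableNegotiate
if ($neg -eq 1) { $findings.Add('OK   EnableNegotiate = 1') }
else            { $findings.Add("FAIL EnableNegotiate = $neg (expected 1)") }

# 2. Local intranet zone "Logon" action (value 1A00):
#    0x00000 automatic with current credentials, 0x10000 prompt,
#    0x20000 automatic only in Intranet zone (default), 0x30000 anonymous
$logon = (Get-ItemProperty -Path "$inet\Zones\1" -Name 1A00 -ErrorAction SilentlyContinue).1A00
switch ($logon) {
    0       { $findings.Add('OK   Zone 1 logon = automatic with current credentials') }
    0x20000 { $findings.Add('OK   Zone 1 logon = automatic only in Intranet zone') }
    0x10000 { $findings.Add('FAIL Zone 1 logon = prompt (explains the 401 credential popup)') }
    0x30000 { $findings.Add('FAIL Zone 1 logon = anonymous (IWA challenge is never answered)') }
    default { $findings.Add("WARN Zone 1 logon value not readable: $logon") }
}

# 3. Explicit zone mapping for the site. ZoneMap stores Domains\<domain>\<label>
#    keys, each with an http/https value holding the zone number (1 = Local intranet).
$mappedZone = $null
Get-ChildItem -Path "$inet\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $segs = $_.Name.Substring($_.Name.IndexOf('\Domains\') + 9) -split '\\'
    [array]::Reverse($segs)
    if (($segs -join '.') -eq $SiteHost) {
        $props = Get-ItemProperty -Path $_.PSPath
        $mappedZone = if ($props.https) { $props.https } else { $props.http }
    }
}
if ($mappedZone -eq 1) { $findings.Add("OK   $SiteHost is mapped to Local intranet (zone 1)") }
elseif ($mappedZone)   { $findings.Add("WARN $SiteHost is mapped to zone $mappedZone, not Local intranet") }
else                   { $findings.Add("INFO $SiteHost has no explicit mapping; IE decides by proxy bypass / dotless host") }

# 4. Domain logon: USERDOMAIN equals COMPUTERNAME for a local (non-domain) account
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain -and $env:USERDOMAIN -ne $env:COMPUTERNAME) { $findings.Add("OK   Domain logon as $env:USERDOMAIN\$env:USERNAME") }
else { $findings.Add('FAIL Not a domain logon; IE cannot classify the site as Local intranet') }

$findings
```

Group Policy can enforce the same settings under the equivalent key beneath HKLM:\SOFTWARE\Policies, which this script does not read; if the HKCU values look correct but IWA still fails, compare the policy key as well.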

Legacy Article ID a49064
