000022203 - Microsoft Internet Authentication Service (IAS) stops authenticating when RSA Authentication Agent - Domain Authentication Host is installed on Domain Controller

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000022203
Applies ToRSA Authentication Manager 6.0
RSA Authentication Agent 6.0
Microsoft Windows 2000 Server SP4
Microsoft Windows Server 2003 SP1
Microsoft Internet Authentication Service (IAS)
IssueMicrosoft Internet Authentication Service (IAS) stops authenticating when RSA Authentication Agent - Domain Authentication Host is installed on Domain Controller
Microsoft Internet Authentication Service (IAS) is running on the same machine
Error: "Access Denied, bad user password"
CauseIAS attempts to do IWA (Integrated Windows Authentication) (formerly named NTLM or Windows NT Challenge/Response authentication) directly against the DC, this is blocked by the Domain Authentication Agent which by default blocks third party kerberos authentication requests and requests from machines for which the identity is unknown.
ResolutionTo correct this issue, set "Ignore blank name from third party authentication requests" on the Domain Agent Host Advanced Domain Options tab.
Legacy Article IDa27366

Attachments

    Outcomes