Chained authentication failure in Microsoft Internet Explorer
When Kerberos is chained together with LDAP or AR System for authentication and you try to log on to the BMC Atrium SSO Console in the Microsoft Internet Explorer (IE) browser, the authentication fails. You can detect the issue by removing the Kerberos module from the authentication chain. The authentication works correctly when Kerberos is removed.
Resolution
You might face this issue because of an optimization feature that Microsoft added to IE, which causes IE not to send user-entered credentials to the BMC Atrium Single Sign-On server. When you disable this optimization, the credentials are sent and the user is successfully authenticated.
Note
You can also avoid this issue by using Mozilla Firefox or other compatible browsers.
To resolve this issue from the client side
- Use the Registry Editor (Regedt32.exe) to add a value to the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Note
The registry key shown here is one path; it has been wrapped for readability.
- Add the following information for the new registry value:
Value Name: DisableNTLMPreAuth
Data Type: REG_DWORD
Value: 1
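The same change can be scripted for the current user. The following PowerShell function is an added example, not part of the BMC documentation; the function name Set-DisableNTLMPreAuth and its -AuditOnly switch are hypothetical. It checks both the data and the type of the value before writing, so it can be rerun safely or used only to report the current state.

```powershell
# Added example (not from the BMC documentation).
# Set-DisableNTLMPreAuth and -AuditOnly are hypothetical names chosen for this example.
function Set-DisableNTLMPreAuth {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$AuditOnly   # report the current state without changing it
    )

    $keyPath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $valueName = 'DisableNTLMPreAuth'
    $desired   = 1

    # Read the current data; $null means the value does not exist yet.
    $current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

    # Read the registry type only when the value exists (GetValueKind throws otherwise).
    $kind = $null
    if ($null -ne $current) {
        $kind = (Get-Item -Path $keyPath).GetValueKind($valueName)
    }

    # Compliant only if the data is 1 AND the type is REG_DWORD (a REG_SZ "1" does not count).
    $compliant = ($current -eq $desired) -and
                 ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord)

    if ($compliant) {
        Write-Output "$valueName is already REG_DWORD 1; no change made."
    }
    elseif ($AuditOnly) {
        Write-Output "$valueName is not REG_DWORD 1 (current data: '$current', type: '$kind')."
    }
    elseif ($PSCmdlet.ShouldProcess("$keyPath\$valueName", 'Set REG_DWORD 1')) {
        # -Force overwrites an existing value, including one with the wrong type.
        New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
            -Value $desired -Force | Out-Null
        Write-Output "$valueName set to REG_DWORD 1."
    }
}

# Report first, then apply. Add -WhatIf to the second call for a dry run.
Set-DisableNTLMPreAuth -AuditOnly
Set-DisableNTLMPreAuth
```

Because the key is under HKEY_CURRENT_USER, run the script in the session of each affected user rather than from an elevated administrator account.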
For more information about disabling the optimization feature, refer to the knowledge base (KB) article from Microsoft, "You cannot post data to a non-NTLM-authenticated Web site."
Note
You should ignore the instructions about disabling Kerberos or Integrated Windows Authentication mentioned in the KB article.