Out of support This documentation supports the 8.1 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience. You will not be able to leave comments.Click here to view the documentation for a supported version of Remedy Single Sign-On.

Chained authentication failure in Microsoft Internet Explorer

When Kerberos is chained together with LDAP or AR for authentication and you enter your credentials for login in Internet Explorer (IE) browser, the authentication fails. You can detect the issue by removing Kerberos module from the authentication chain. The authentication works correctly when Kerberos is removed from the authentication chain. You might be facing this issue due to an optimization feature that Microsoft have added to IE that causes IE to not send the user entered credentials to the BMC Atrium Single Sign-On server.

Tip

The problem can be avoided by using Mozilla Firefox or other compatible browsers.

Resolution

By disabling this optimization, the credentials are sent and the user is successfully authenticated. 

Steps to follow from the KB article

To resolve this issue from the client side, use Registry Editor (Regedt32.exe) to add a value to the following registry key:

HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Internet Settings/

Note

The above registry key is one path; it has been wrapped for readability.

Add the following registry value:

Value Name: DisableNTLMPreAuth
 Data Type: REG_DWORD
 Value: 1

For more information about disabling the optimization feature, refer to the knowledge base (KB) article from Microsoft, Restricting data to be posted to specific website.

Note

The KB also mentions about disabling Kerberos or Integrated Windows Authentication which should be ignored.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*