
KB-7727: IWA prompts for NTLM authentication instead of SSO into portal

App Access Service

24 July 2018 at 04:52 PM

Applies to: All versions of Centrify Identity Service

Problem:

During IWA, an NTLM credential prompt is displayed even though the user holds a valid Kerberos ticket, regardless of the browser in use. Is any additional configuration needed for Kerberos authentication to take place, so that IWA can silently log the user in?

Cause:

This happens when the Cloud Connector service is not running as the **LocalSystem** account.

In that case the authentication method returned by the connector host is NTLM rather than Negotiate (try Kerberos first and fall back to NTLM only if Kerberos fails), so the browser shows the NTLM credential prompt instead of silently presenting the user's Kerberos ticket.

When the Cloud Connector service runs as LocalSystem, the authentication method the connector host returns in its WWW-Authenticate response header is Negotiate. LocalSystem authenticates on the network as the computer account, which already carries HOST/ SPNs that cover HTTP by default, so no extra SPN registration is needed.

When the Cloud Connector service runs as an AD user account (for example a Domain Admin account, which is far more privilege than the service needs), WWW-Authenticate returns NTLM even when the required Service Principal Names are present on that service account (for example, if the FQDN of the connector is proxy1.mydomain.com, at least HTTP/proxy1 and HTTP/proxy1.mydomain.com are needed).


Resolution:

1. Ensure the corresponding SPNs have been added to the service account's servicePrincipalName attribute.

For example, if the connector machine name is proxy1.mydomain.com, the two SPNs needed are HTTP/proxy1 and HTTP/proxy1.mydomain.com. Each SPN must be registered on exactly one account in the forest: a duplicate SPN prevents the KDC from issuing a ticket for that name and produces the same fallback to NTLM (setspn -X lists duplicates, and setspn -S adds an SPN only after checking that it is not already registered elsewhere).

2. Add the registry value "winAuthSvcClientCredType" on the Cloud Connector host so that it returns "Negotiate" as the authentication protocol for IWA.

To add the registry value:

  1. On each machine where the Cloud Connector is installed, open regedit.exe.
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Centrify\Cloud\
  3. Right-click on "Cloud" and create a new "String Value":
    • Value Name: winAuthSvcClientCredType
    • Value data: Windows
  4. Restart the Cloud Connector service to allow the change to take effect.
NOTE: To ensure the environment maintains a constant connection to the Cloud, it is advised to wait approximately 15 minutes after the first Cloud Connector is restarted before applying the change on the next one, so that at least one connector is online at all times.
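The following script is an added example, not part of this KB article and not Centrify's own tooling. It applies both resolution steps on a connector host (SPN check and registration, then the registry value and service restart) and then verifies the point made in the Cause section by sending an anonymous request and reading the WWW-Authenticate challenge the host advertises. It is written for Windows PowerShell 5.1 on the connector host and must run elevated. The connector FQDN, the service account name, the service display name and the IWA test URL are assumed placeholders; substitute the values from your environment.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Centrify KB or Centrify's own tooling.
# Assumed placeholders: connector FQDN, service account sAMAccountName,
# service display name and the URL on which the connector performs IWA.
param(
    [string]$ConnectorFqdn  = 'proxy1.mydomain.com',
    [string]$ServiceAccount = 'svc-connector',              # assumed account name
    [string]$ServiceDisplay = 'Centrify Cloud Connector*',  # assumed; confirm in services.msc
    [string]$IwaTestUrl     = "http://$ConnectorFqdn/"      # assumed; use the connector's IWA URL
)

$shortName    = $ConnectorFqdn.Split('.')[0]
$requiredSpns = @("HTTP/$shortName", "HTTP/$ConnectorFqdn")

# Return the lines that start with the given SPN (exact name, not a prefix match,
# so HTTP/proxy1 does not match HTTP/proxy1.mydomain.com).
function Select-SpnLine([string[]]$Lines, [string]$Spn) {
    $pattern = '^' + [regex]::Escape($Spn) + '(\s|$)'
    $Lines | Where-Object { $_ -match $pattern }
}

# --- Step 1: both SPNs on the service account, and on no other account ---------
# A duplicate SPN stops the KDC from issuing a ticket for that name and the
# browser falls back to NTLM, which is the symptom this KB describes.
$dupLines = setspn -X 2>&1 | ForEach-Object { $_.ToString().Trim() }
foreach ($spn in $requiredSpns) {
    if (Select-SpnLine $dupLines $spn) {
        throw "Duplicate SPN $spn found in the forest; resolve that before continuing."
    }
}
$registered = setspn -L $ServiceAccount 2>&1 | ForEach-Object { $_.ToString().Trim() }
foreach ($spn in $requiredSpns) {
    if (Select-SpnLine $registered $spn) {
        Write-Host "SPN already registered on ${ServiceAccount}: $spn"
    } else {
        # -S adds the SPN only after checking it is not registered elsewhere
        setspn -S $spn $ServiceAccount
    }
}

# --- Step 2: registry value that makes the connector return Negotiate ---------
$regPath = 'HKLM:\SOFTWARE\Centrify\Cloud'
if (-not (Test-Path $regPath)) {
    throw "$regPath not found; is the Cloud Connector installed on this host?"
}
New-ItemProperty -Path $regPath -Name 'winAuthSvcClientCredType' `
    -Value 'Windows' -PropertyType String -Force | Out-Null
Write-Host ("winAuthSvcClientCredType = " +
    (Get-ItemProperty -Path $regPath).winAuthSvcClientCredType)

# --- Step 3: restart the connector service so the change takes effect ---------
# Restart one connector at a time and wait before the next (see NOTE above).
Get-Service -DisplayName $ServiceDisplay -ErrorAction Stop | Restart-Service -Force

# --- Step 4: check which challenge the host now advertises ---------------------
function Get-IwaChallenge([string]$Url) {
    # An anonymous request should draw a 401; its WWW-Authenticate header(s)
    # show whether the host offers Negotiate (Kerberos possible) or only NTLM.
    $req = [System.Net.WebRequest]::Create($Url)
    $req.UseDefaultCredentials = $false
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
        $resp.Close()
        return @()   # no challenge at all: IWA is not enforced on this URL
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($null -eq $resp) { throw }
        $values = $resp.Headers.GetValues('WWW-Authenticate')
        $resp.Close()
        if ($null -eq $values) { return @() }
        return @($values)
    }
}

$challenges = @(Get-IwaChallenge $IwaTestUrl)
if ($challenges -contains 'Negotiate') {
    Write-Host "OK: host offers Negotiate ($($challenges -join ', '))"
} elseif ($challenges -contains 'NTLM') {
    Write-Warning "Host still offers NTLM only: $($challenges -join ', ')"
} else {
    Write-Warning "No WWW-Authenticate challenge received from $IwaTestUrl"
}
```

The final check is the one worth keeping around: run Get-IwaChallenge from a domain-joined workstation after the change, and a result that lists Negotiate confirms the browser will at least attempt Kerberos, while an NTLM-only answer means one of the two steps did not take effect on that host.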
