All versions of Centrify Identity Service

Problem:
During the IWA process, an NTLM window is prompted even when the user has a valid Kerberos ticket, regardless of the browser in use. Is any additional configuration needed for Kerberos authentication to happen, so that IWA can silently log the user in?

Cause:
This issue happens when the Cloud Connector service account is not the **LocalSystem** account.
In that scenario, the authentication method returned by the Cloud Connector host is NTLM instead of Negotiate (try Kerberos first and fall back to NTLM if Kerberos fails), so the user is prompted with the NTLM authentication window.
If the Cloud Connector service account is LocalSystem, the authentication method (i.e. the WWW-Authenticate header) returned by the Cloud Connector host is Negotiate.
If the Cloud Connector service account is an AD user account (e.g. a Domain Admin account), WWW-Authenticate returns NTLM even when the required Service Principal Names are in place on the Cloud Connector service account (e.g. if the FQDN of the Cloud Connector is proxy1.mydom.com, at least HTTP/proxy1 and HTTP/proxy1.mydom.com are needed).
Resolution:
1. Ensure the corresponding SPNs have been added to the service account's servicePrincipalName attribute.
For example, if the connector machine name is proxy1.mydomain.com, the two SPNs needed are HTTP/proxy1 and HTTP/proxy1.mydomain.com.
2. Add the registry value "winAuthSvcClientCredType" on the Cloud Connector host so that it returns "Negotiate" as the authentication protocol for IWA.
To add the registry value:
- Go to the machine(s) where the Cloud Connector is installed and open regedit.exe
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Centrify\Cloud\
- Right-click on "Cloud" and create a new "String Value":
  - Value name: winAuthSvcClientCredType
  - Value data: Windows
- Restart the Cloud Connector service to allow the change to take effect.
To ensure the environment maintains a constant connection to the Cloud, it is advised to wait approximately 15 minutes after the first Cloud Connector is restarted before applying the change on the next one.
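The following PowerShell script is an added example, not part of the Centrify article, that checks the three conditions described above on a Cloud Connector host: the two HTTP SPNs on the service account, the winAuthSvcClientCredType registry value, and the WWW-Authenticate challenge the host actually sends to an unauthenticated request. The connector FQDN, the service account name and the IWA URL are assumptions to replace with your own values.

```powershell
# Added check script (not from the Centrify article). Assumed values:
$ConnectorFqdn  = 'proxy1.mydom.com'          # assumption: connector FQDN
$ServiceAccount = 'svc-cloudconnector'        # assumption: sAMAccountName running the service
$IwaUrl         = "https://$ConnectorFqdn/"   # assumption: IWA endpoint URL on the connector
$RegPath        = 'HKLM:\SOFTWARE\Centrify\Cloud'
$ShortName      = ($ConnectorFqdn -split '\.')[0]

# 1. Both HTTP/<host> and HTTP/<fqdn> must be registered on the service account.
$expected   = @("HTTP/$ShortName", "HTTP/$ConnectorFqdn")
$registered = setspn -L $ServiceAccount | ForEach-Object { $_.Trim() } | Where-Object { $_ -like 'HTTP/*' }
foreach ($spn in $expected) {
    if ($registered -contains $spn) { "OK       SPN present: $spn" }
    else                            { "MISSING  SPN $spn  (register with: setspn -S $spn $ServiceAccount)" }
}

# 2. The registry value that makes the connector answer with Negotiate.
$cred = (Get-ItemProperty -Path $RegPath -Name winAuthSvcClientCredType -ErrorAction SilentlyContinue).winAuthSvcClientCredType
if ($cred -eq 'Windows') { "OK       winAuthSvcClientCredType = Windows" }
else                     { "MISSING  winAuthSvcClientCredType (expected 'Windows', found '$cred')" }

# 3. What the host actually advertises: send an unauthenticated request and read the
#    WWW-Authenticate challenge on the 401. 'Negotiate' lets the browser try Kerberos;
#    'NTLM' alone reproduces the prompt described in the article.
$req = [System.Net.WebRequest]::Create($IwaUrl)
$req.AllowAutoRedirect = $false
try {
    $resp = $req.GetResponse()
    "WARN     $IwaUrl returned $([int]$resp.StatusCode) with no authentication challenge"
    $resp.Close()
} catch [System.Net.WebException] {
    $resp = $_.Exception.Response
    if (-not $resp) { "ERROR    no response from $IwaUrl : $($_.Exception.Message)"; return }
    $challenge = $resp.Headers['WWW-Authenticate']
    if ($challenge -match '\bNegotiate\b') { "OK       WWW-Authenticate: $challenge" }
    else                                  { "PROBLEM  WWW-Authenticate: $challenge (Kerberos will not be attempted)" }
    $resp.Close()
}
```

Run it on each Cloud Connector host after the service restart; the third check is the quickest way to confirm the change took effect before moving on to the next connector.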