Troubleshoot IWA

Troubleshoot these Integrated Windows Authentication (IWA) issues: the login form appears even though IWA is enabled, the browser pops up a username and password prompt, the user's browser cannot reach the IWA identity provider (IdP), or a keytab cannot be assigned to the IWA IdP.

These are some of the issues you might encounter with Integrated Windows Authentication (IWA) after you complete the configuration on the Windows Active Directory (AD) domain controller and configure the EAA IdP for IWA:

  • The login form appears even when Use IWA is set to when-applicable:

    • Check the access logs for the IP address of the user's device. It should be within one of the on-premises subnets configured for IWA. If it is not, modify the on-premises subnets.

    • Check the user-agent regular expression for browsers in the IWA settings. Does it match the end user's browser? If not, modify the regular expression.

    • Is the user off-premises? If so, the device cannot reach the Active Directory domain controllers for Kerberos authentication. The user should try IWA again after connecting to an on-premises subnet.

  • A browser pop-up for username and password appears. The reasons are:

    • The browser does not trust the IdP URL and prompts the user with a browser-based login form.

    • The browser is not configured to treat the IdP hostname as a host on the local area network. Add the IdP URL as a local intranet site.

    • The keytab uploaded to Enterprise Application Access (EAA) is older than the last keytab generated for the IdP service principal name (SPN) on the Active Directory domain controller. Upload a new keytab file with the updated version to EAA.

    • The SPN for the service account registered with AD is incorrect.

    • No keytab was uploaded for the user's domain.

    • There is clock skew between the device clock, the Active Directory clock, and the EAA IdP system clock. The EAA IdP uses publicly available NTP servers to synchronize its system clock. If the enterprise uses a local clock, make sure that it does not drift from the public NTP service clocks.

    • The device appears to be on-premises, but it cannot reach the on-premises Active Directory domain controller because of firewall or routing issues.

  • The end user's web browser points to the IdP URL for IWA, but you see a 401 error. The reasons are:

    • Use IWA is set to Always and the end user is not in any of the subnets configured for IWA (for example, the device is not domain joined).

    • The user's computer cannot find the AD domain controller for the IdP service principal name (SPN).

    • The user is in one of the realms specified in the keytabs, but the keytabs are configured incorrectly on the AD domain controller, even though all settings for Use IWA set to when-applicable are correct.

  • A keytab cannot be assigned to the IWA-configured IdP. The reasons are:

    • The keytab was generated for a different SPN than the FQDN or CNAME of the IdP. Make sure that the SPN is derived from the FQDN or CNAME.

    • The keytab name is incorrect. Add the keytab file with the correct name for this IdP.

    • You might have uploaded keytabs for only some of the domains. If you have multiple forests with trust relationships, upload the keytabs for all of them to the IWA IdP.
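As an added example (not part of this page and not EAA's own tooling), the following Python script walks the checks above against a recorded login attempt: it tests the client IP from the access log against the on-premises subnets, the user agent against the browser regular expression, the SPN derived from the IdP FQDN against the uploaded keytab entries and their key version number (kvno), the browser's intranet-zone list, and clock skew between device, AD and IdP. The field names, the sample values and the 5-minute skew tolerance (Kerberos' default) are this example's assumptions; the intranet-zone list is a simplified stand-in for the browser's zone configuration, and keytab entries are modelled as principal/kvno pairs rather than parsed from a real keytab file.

```python
"""IWA triage helper: runs the troubleshooting checks above against one
recorded login attempt. Added example; every sample value is constructed
and the field names are this example's own, not EAA's."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Kerberos' default tolerance for clock skew between client, KDC and service
# (assumption for this example; the page does not state EAA's exact limit).
MAX_CLOCK_SKEW = timedelta(minutes=5)


def ip_in_on_prem_subnets(client_ip, subnets):
    """True if the client IP seen in the access log lies inside one of the
    on-premises subnets configured in the IWA settings."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(s, strict=False) for s in subnets)


def browser_matches(user_agent, ua_regex):
    """True if the configured browser regular expression matches the UA."""
    return re.search(ua_regex, user_agent) is not None


def expected_spn(idp_fqdn, realm):
    """SPN a keytab for an HTTP IdP must carry: HTTP/<fqdn>@<REALM>, derived
    from the IdP's own FQDN or CNAME rather than from another host name."""
    return f"HTTP/{idp_fqdn.lower()}@{realm.upper()}"


def keytab_problem(keytab_entries, spn, ad_kvno):
    """Return a finding if the uploaded keytab lacks the SPN or is older
    (lower kvno) than the key AD currently holds for it; None if it is fine."""
    matches = [e for e in keytab_entries if e["principal"] == spn]
    if not matches:
        return f"no keytab entry for {spn}; upload a keytab for this domain"
    newest = max(e["kvno"] for e in matches)
    if newest < ad_kvno:
        return (f"keytab kvno {newest} is older than AD kvno {ad_kvno}; "
                "generate a new keytab and upload it")
    return None


def clock_skew_ok(device_time, ad_time, idp_time):
    """True if the three clocks lie within the Kerberos skew tolerance."""
    times = [device_time, ad_time, idp_time]
    return max(times) - min(times) <= MAX_CLOCK_SKEW


def triage(case):
    """Run every check and return the list of findings (empty if all pass)."""
    findings = []
    if not ip_in_on_prem_subnets(case["client_ip"], case["on_prem_subnets"]):
        findings.append("client IP outside on-premises subnets: expect the "
                        "login form; extend the subnets or use IWA on-premises")
    if not browser_matches(case["user_agent"], case["ua_regex"]):
        findings.append("user agent does not match the IWA browser regex")
    # Simplified stand-in for the browser's local-intranet zone configuration.
    if case["idp_fqdn"].lower() not in case["intranet_sites"]:
        findings.append("IdP host not in the browser's local intranet zone: "
                        "expect a username/password pop-up")
    spn = expected_spn(case["idp_fqdn"], case["realm"])
    problem = keytab_problem(case["keytab_entries"], spn, case["ad_kvno"])
    if problem:
        findings.append(problem)
    if not clock_skew_ok(case["device_time"], case["ad_time"], case["idp_time"]):
        findings.append("clock skew exceeds tolerance; check NTP on device, AD and IdP")
    return findings


# Constructed sample: an on-premises Windows client whose admin uploaded a
# keytab one key version behind AD and never added the intranet-zone entry.
T0 = datetime(2024, 1, 15, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE_CASE = {
    "client_ip": "10.20.5.17",
    "on_prem_subnets": ["10.20.0.0/16", "192.168.50.0/24"],
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ... Edg/120.0",
    "ua_regex": r"(Edg|Chrome|Firefox|Trident)",
    "idp_fqdn": "idp.example.com",   # hypothetical IdP host name
    "realm": "corp.example.com",     # hypothetical AD realm
    "intranet_sites": ["portal.example.com"],
    "keytab_entries": [{"principal": "HTTP/idp.example.com@CORP.EXAMPLE.COM",
                        "kvno": 3}],
    "ad_kvno": 4,
    "device_time": T0,
    "ad_time": T0 + timedelta(seconds=40),
    "idp_time": T0 + timedelta(seconds=90),
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_CASE):
        print("-", finding)
```

Running the script on the sample prints two findings, the missing intranet-zone entry and the stale keytab; feeding it an off-premises client IP adds a third, matching the first bullet group above.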