We're running Web Agent, and when a specific user tries to log in with Windows Authentication, that user is prompted to enter credentials manually, which should not happen.
There's only 1 user affected by this issue.
How can we solve this?
Active Directory has the same CN value for a given computer and user.
If we have a user account and a computer account with the same name and the computer account is created before the user account, then the authentication fails. But if we have a user account and a computer account with the same name, and the user account is created before the computer account, the authentication works without any issue.
From Microsoft documentation, this looks like a known issue:
Using different naming attributes for users to avoid naming collisions
To ensure data integrity, Active Directory requires that relative
distinguished names be unique in a container. By default, the user class uses Common-Name (cn) as the naming attribute, which ties the
test for uniqueness to the user name. The combination of these two restrictions can result in naming collision problems in large
deployments. For example, a very large company might want to create user accounts in the same OU where, as a result of the high incidence
of certain common names, many user objects have identical first and last names and, therefore, identical relative distinguished names. In
this scenario, it is helpful to be able to use a different naming attribute that guarantees uniqueness, such as an employee ID that is
created by the human resources department. The inetOrgPerson object class is a general-purpose object class that holds attributes about
people, and it is defined in RFC 2798, Definition of the inetOrgPerson LDAP Object Class. A solution is provided in the Windows Server 2003
schema so that administrators can delete inetOrgPerson (which uses cn as the naming attribute in the default schema) and re-create it using
any attribute as the naming attribute. For example, instead of cn, the attribute emplID can be used as the naming attribute. You can choose
the attribute and select one that will guarantee that there are no naming collisions. For more information about inetOrgPerson, see
Active Directory Schema Technical Reference.
How Active Directory Searches Work
To solve the issue, configure the authentication on an attribute for which the same name will not be found in the Computer branch.
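An added example, not part of the original KB article or of any vendor tooling: a Python check over a directory export that lists users whose cn also exists on a computer object, flags the pairs where the computer was created first (the failing case described above), and tests whether a candidate attribute is free of such collisions. The entries, the `category` field and the choice of sAMAccountName as the candidate attribute are assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample of a directory export; every name and date is made up.
ENTRIES = [
    {"dn": "CN=jsmith,OU=Staff,DC=example,DC=test", "category": "person",
     "cn": "jsmith", "sAMAccountName": "jsmith", "whenCreated": "20200110090000.0Z"},
    {"dn": "CN=JSMITH,CN=Computers,DC=example,DC=test", "category": "computer",
     "cn": "JSMITH", "sAMAccountName": "JSMITH$", "whenCreated": "20190304101500.0Z"},
    {"dn": "CN=adoe,OU=Staff,DC=example,DC=test", "category": "person",
     "cn": "adoe", "sAMAccountName": "adoe", "whenCreated": "20180501120000.0Z"},
    {"dn": "CN=adoe,CN=Computers,DC=example,DC=test", "category": "computer",
     "cn": "adoe", "sAMAccountName": "adoe$", "whenCreated": "20210615083000.0Z"},
    {"dn": "CN=mlee,OU=Staff,DC=example,DC=test", "category": "person",
     "cn": "mlee", "sAMAccountName": "mlee", "whenCreated": "20220101000000.0Z"},
]

def _created(entry):
    # whenCreated is an LDAP GeneralizedTime value, e.g. 20190304101500.0Z
    return datetime.strptime(entry["whenCreated"], "%Y%m%d%H%M%S.0Z")

def _by_value(entries, category, attr):
    # Index entries of one category by the case-folded attribute value.
    index = {}
    for e in entries:
        if e["category"] == category and attr in e:
            index.setdefault(e[attr].casefold(), []).append(e)
    return index

def find_collisions(entries, attr="cn"):
    """Return (user_dn, computer_dn, computer_created_first) per shared value."""
    users = _by_value(entries, "person", attr)
    computers = _by_value(entries, "computer", attr)
    hits = []
    for value in sorted(users.keys() & computers.keys()):
        for u in users[value]:
            for c in computers[value]:
                hits.append((u["dn"], c["dn"], _created(c) < _created(u)))
    return hits

def affected_users(entries, attr="cn"):
    # The failing case on this page: the computer object predates the user.
    return [u for u, _, computer_first in find_collisions(entries, attr) if computer_first]

if __name__ == "__main__":
    for user_dn, computer_dn, first in find_collisions(ENTRIES):
        print(("FAILS " if first else "works ") + user_dn + " <-> " + computer_dn)
    print("sAMAccountName collisions:", find_collisions(ENTRIES, "sAMAccountName"))
```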
KB: TEC1569732