Hi Michael,
When implementing IWA fallback to Form feature, you need to consider :
- Insure that the browsers are configured properly to trust the URLs
and for automatic login;
- Insure CA Access Gateway (SPS) and Policy Server are the same level
in 12.8;
- Only implement IWA or Kerberos Authentication Scheme, not both at
the same time;
Further notes on this :
Authentication Chain with IWA Authentication Scheme Fallback to Form not happening PCs outside company domain
https://knowledge.broadcom.com/external/article?articleId=108650 IWA authchain not working with domain joined machine when not in network
https://knowledge.broadcom.com/external/article?articleId=113093 IWA to form fallback shows undesirable pop up authentication prompt
https://knowledge.broadcom.com/external/article?articleId=190084 IWA Fail back form login popup windows
https://knowledge.broadcom.com/external/article?articleId=189624 Issues configuring NTLM Windows Authentication
https://knowledge.broadcom.com/external/article?articleId=140591 Google Chrome not working with Windows authentication
https://knowledge.broadcom.com/external/article?articleId=115852 chrome IWA
https://knowledge.broadcom.com/external/article?articleId=110055I hope this helps,
Best Regards,
Patrick
Original Message:
Sent: 08-18-2020 06:46 PM
From: Michael Shaw
Subject: IWA Fallback to Forms on Access Gateway - Browser Pop-up
Hi,
I am using the Authentication Chain feature in Single Sign On 12.8 to implement integrated windows authentication (IWA) through Access Gateway, with fallback to HTML forms login. When IWA fails, the fallback feature is not fully working- users are getting prompted with a browser pop-up to enter their credentials instead of going to the HTML form secondary authentication scheme.
Has anyone implemented the fallback in a way that avoids the browser pop-up?
Also, we are currently using a Windows Authentication scheme as the method for IWA and are thinking of trying Kerberos instead - does anyone know if using Kerberos bypasses the browser pop-up and sends users directly to the form?
Thank you