ProxySG & Advanced Secure Gateway


 Multiple LDAP Authentication when open Microsoft Teams

Aditya Faturrohman posted Jun 14, 2022 04:49 AM
Hi Broadcom Team,

We have a problem: a user always receives pop-up notifications when opening Microsoft Teams. The user has already entered the username and password, but after a short time the pop-up notification always comes again. Do you know what we can do to check it?

Thank you.

Best Regards,
Aditya
Furil
Hello,

Initially, those kinds of applications are not expected to be used via a proxy. You have an example with Webex:

https://knowledge.broadcom.com/external/article/173861/allow-webex-audiovideo-through-proxy.html

To put it simply, is it possible to bypass authentication instead and propose that the customer filter the source via IP addresses instead of having authenticated users (only for Microsoft Teams)? Just in case you do not know, you should have an application object available for use where common applications like Webex (...) are listed.

And another KB, for Microsoft Teams this time: https://knowledge.broadcom.com/external/article/228062/accessing-microsoft-teams-through-proxys.html

Finally, regarding your question about the authentication debug, I usually use the policy trace for a specific connection, for instance, and check the transaction. I mean, first check if you can see the userID listed in one of the transactions; if not, then look for the user IP and check the layers one by one.

You can also check the event log: https://proxyMGTIPaddress:8082/Eventlog/download/events.log

Look to see if you have some "Schannel error"; the Schannel is what is used by the proxy to forward the authentication requests to the DCs. If you have one, then it is possible that you have too many authentication requests from ProxySG to the DCs.

If you still see nothing, check the log via the LSA debug; filter on the userID which does have an issue (ask him for a live test): https://x.x.x.x:8082/lsa/debug

I am also new to the solution itself; I hope someone from Broadcom can also help and confirm those statements, just in case! :)


Best regards,
Furil
Sylvain LAURENT
Alternatively, if you use WinSSO instead of IWA, the user will not be prompted. But this requires users to have stable IP addresses (i.e. not fit for laptops using VPNs).