Skip links

Windows Authentication: Unable to Determine Appropriate Challenge

As a part of our series of articles focusing on troubleshooting IAM system issues, this week we have a post about Windows authentication. In each article, we will present the reported issue, what we found during troubleshooting, and how the problem was remedied.

IssueWindows Authentication: Unable to Determine Appropriate Challenge
SymptomsA customer was attempting to configure Windows authentication on IIS. After completing the setup, they tested the authentication by accessing the protected resource. The request failed and the browser displayed a message stating “too many redirects”.
TroubleshootingWe examined the web agent logs and discovered an error message of “unable to determine appropriate challenge”. This message appears when the web agent is unable to determine how to challenge the user for credentials. We reviewed the authentication scheme setup and did not find any configuration issues. We then verified that the folder for the protected realm was set for only Windows authentication and that anonymous authentication was disabled on the web server.
ConditionA Windows authentication scheme is being used to secure a realm.
CauseTo function correctly, Windows authentication requires that the NTLM virtual directory have Windows authentication enabled in IIS. The customer had disabled anonymous authentication as required, but had not enabled Windows authentication for the virtual directory (/siteminderagent/ntlm/).
RemedyWe enabled windows authentication on the NTLM virtual directory.

As always, we hope that you have found this information useful. If you need IAM assistance, reach out to SIS today and we would be happy to assist you. And subscribe to our newsletter to be notified about the posting of future articles and other SIS news.

JOIN OUR NEWSLETTER

If you want to know our recent offer please subscribe to our newsletter