As a part of our series of articles focusing on troubleshooting IAM system issues, this week we have a post about Windows authentication. In each article, we will present the reported issue, what we found during troubleshooting, and how the problem was remedied.
|Issue||Windows Authentication: Unable to Determine Appropriate Challenge|
|Symptoms||A customer was attempting to configure Windows authentication on IIS. After completing the setup, they tested the authentication by accessing the protected resource. The request failed and the browser displayed a message stating “too many redirects”.|
|Troubleshooting||We examined the web agent logs and discovered an error message of “unable to determine appropriate challenge”. This message appears when the web agent is unable to determine how to challenge the user for credentials. We reviewed the authentication scheme setup and did not find any configuration issues. We then verified that the folder for the protected realm was set for only Windows authentication and that anonymous authentication was disabled on the web server.|
|Condition||A Windows authentication scheme is being used to secure a realm.|
|Cause||To function correctly, Windows authentication requires that the NTLM virtual directory have Windows authentication enabled in IIS. The customer had disabled anonymous authentication as required, but had not enabled Windows authentication for the virtual directory (/siteminderagent/ntlm/).|
|Remedy||We enabled windows authentication on the NTLM virtual directory.|
As always, we hope that you have found this information useful. If you need IAM assistance, reach out to SIS today and we would be happy to assist you. And subscribe to our newsletter to be notified about the posting of future articles and other SIS news.