Hi All!
I have IWA configured for our on-premise portal and we are having a problem where users are being prompted to enter their Windows credentials before accessing portal. From the documentation that I have read, users should pass right through and not have to log in at all as long as they have a user account (which they do). From the Documentation:
When you use IWA, logins are managed through Microsoft Windows Active Directory. Users do not sign in and out of the portal website; instead, when they open the website, they are signed in using the same accounts they used to log in to Windows.
Does anyone else experience this? Is there a workaround or an IIS setting that I'm missing?
I can add the URL as a Trusted Site but I don't see this as a viable solution.
Thanks!
Andrew,
On IIS, have you enabled Windows authentication and disabled anonymous access? Also, what browser are you using?
Yes, I have enabled only Windows Authentication. This is happening in both Chrome and IE. I haven't tried Firefox as of yet because it is not a favored browser in our org. Most users are on Chrome and IE.
Is the prompt coming from the Portal or your firewall / load balancer?
It is coming from the browser/windows so I'm assuming that would be firewall. It is not from Portal.
Check which security zone your Portal is showing up in for the clients. Credentials don't get automatically passed through for all security zones.
It's in the "Internet" zone which I find odd because it is located on our intranet. It is NOT public facing.
Although the article is dated, the overall information is still accurate today: https://support.microsoft.com/en-us/help/258063/internet-explorer-may-prompt-you-for-a-password
There are several ways to address the issue if the problem is tied to browser security zones. One way is to ensure the site is in the local intranet zone, which allows credential passing by default. Another option is to enable credential passing in the internet zone, which I strongly discourage. If you are not able to manually change IE security settings because of group policy, you will have to reach out to your IT department to ask about why your site is showing up in the internet zone.
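A read-only check for the zone behaviour discussed above, added here as an example and not part of the original thread: it reports which security zone Windows assigns to a URL and the logon setting (URL action 1A00) configured for that zone. The portal URL is a placeholder, the script assumes Windows PowerShell 5.1, and the order in which the registry locations are checked is a simplification.

```powershell
# Windows PowerShell 5.1 (relies on .NET Framework's System.Security.Policy.Zone).
# $PortalUrl is a placeholder; substitute your own portal address.
param([string]$PortalUrl = 'https://portal.example.internal/portal')

# Ask Windows which URL security zone the address resolves to.
# 0 = My Computer, 1 = Local intranet, 2 = Trusted, 3 = Internet, 4 = Restricted
$zone   = [System.Security.Policy.Zone]::CreateFromUrl($PortalUrl).SecurityZone
$zoneId = [int]$zone

# Meaning of URL action 1A00 ("Logon") in the Internet Options zone settings.
$logonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

# Locations checked, policy first (assumption: simplified precedence,
# first key that defines 1A00 is reported).
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

$setting = $null
$source  = $null
foreach ($root in $roots) {
    $key   = Join-Path $root $zoneId
    $value = (Get-ItemProperty -Path $key -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    if ($null -ne $value) { $setting = [int]$value; $source = $key; break }
}

# Credentials pass silently when the zone allows automatic logon outright,
# or allows it for the intranet zone and the URL actually maps there.
$silent = ($setting -eq 0x00000) -or ($setting -eq 0x20000 -and $zoneId -eq 1)

[pscustomobject]@{
    Url               = $PortalUrl
    Zone              = $zone
    LogonSetting      = if ($null -ne $setting) { $logonModes[$setting] } else { 'Not set in the keys checked' }
    ReadFrom          = $source
    SilentIwaExpected = $silent
}
```

A result of `Zone = Internet` with `Automatic logon only in Intranet zone` matches the prompt described in this thread: the zone mapping, not the logon setting, is what needs to change.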
Hi Joshua - Thanks for mentioning browser settings (security zones) - It was key in getting ours working with (first) IE, Edge, and Chrome. This video was really helpful, but doesn't cover it as I recall (maybe it's implied and I'm lacking).
Anyway, thanks! So, Firefox remains an issue for us though. It appears accepting AD credentials is somehow tied to Firefox cached site data or browsing history. Is there a Firefox config similar to IE Internet Options > Security > zones?
Thanks
-Nick
FF does not rely on the Windows security zones or certificate stores. If you search the web, you will find numerous blog posts and forums that describe enabling FF for IWA.