Integrated Windows Authentication browser requirements

If you have problems with IWA, verify the following:

  • Internet Explorer
    • Add the URL to Local intranet zone
      AD SSO might not work if your browser does not consider the server as a Local intranet site. Make sure you add your service domain URL (e.g. verba.company.com) to Local intranet zone in Internet Explorer. This step is usually not required, because Internet Explorer is able to recognize local intranet sites.

      Go to Tools > Internet Options > Security
      Select the Local intranet icon and click Sites
      Click Advanced and add the URL of the server (for example: http://verbaserver.com).

    • Strange error pages with HTTP Status 401
      Internet Explorer users may occasionally receive strange error pages after logged in to Verba using Single Sign On. Unfortunately, the cause of the issue is an Internet Explorer feature and can be solved on the client computer only. Microsoft has confirmed that this is a problem with the Microsoft products.
      The only workaround currently is to disable NTLM Pre-Authentication on the client computer:

      Use Registry Editor (Regedt32.exe) to add a value to the following registry key: HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Internet Settings/

      Add the following registry value:

      Value Name: DisableNTLMPreAuth

      Data Type: REG_DWORD

      Value: 1

      A description and the same workaround from Microsoft can be read here: http://support.microsoft.com/kb/2749007 

    • Ensure that "Enable Integrated Windows Authentication" is checked (by default it is).
      Go to Tools > Internet Options > Advanced
      Scroll down to the Security section
      Find "Enable Integrated Windows Authentication" and ensure that it is checked.
  • Firefox
    • If SSO does not work (ie. an unexpected login box appears, or HTTP 401 error comes up), probably the Verba server has to be added to the trusted SSO servers.
      At the address field, type about:config
      In the Filter, type network.n
      Double click on network.negotiate-auth.trusted-uris
      This preference lists the sites that are permitted to engage in SPNEGO Authentication with the browser
      Enter a comma-delimited list of trusted domains or URLs (for example: http://verbaserver.com).
  • Chrome
    • Everything should work properly without any configuration.

 

If you are facing issues using the IWA login via Chrome and IE as well, please consider using the hostname of the server instead of the IP address.