Gateway proxy authentication pop-up login dialog
If the USS Gateway is prompting users to log in instead of signing them in silently with Kerberos, this article covers the most common causes and how to check each one.
- In the USS Gateway UI, open the AD section and verify that the domain shows as joined and that the Kerberos keys have been created. Use the debug option to test the join; if there is an error it is reported at the bottom of the debug output.
- Ensure the clock on the USS Gateway server is within 5 minutes of the clock on your Active Directory domain controllers. Kerberos rejects tickets whose timestamps differ from the receiving server's clock by more than its skew tolerance (5 minutes by default), so even a second beyond that limit produces the prompt. Point the gateway at the same NTP source as the domain controllers rather than setting the time by hand.
- Ensure the timezone on the USS Gateway server matches the one set on your Active Directory servers. Kerberos compares timestamps in UTC, so a server whose wall-clock time looks right but whose timezone is wrong is effectively hours out of step.
- In the browser proxy settings, when AD authentication is enabled, enter the Fully Qualified Domain Name (FQDN) of the USS Gateway server rather than its IP address, and enter it in lower case. The browser builds the Kerberos service principal name (HTTP/<proxy hostname>) from exactly what is typed here: an IP address matches no service principal, and the lower-case name is what matches the keys the gateway created when it joined the domain.
- Ensure users have logged off and back on to the Windows domain at least once since AD authentication was enabled. A fresh logon obtains the Kerberos ticket-granting ticket the browser needs before it can request a service ticket for the gateway.
- In the USS Gateway settings, open the Authentication section and confirm the domain connection is still healthy by pressing Test Domain. Also confirm the keys still exist using List Keys; if the join has lapsed or the machine account password has been reset, the existing keys no longer decrypt tickets and every user is prompted.
Issue present for some but not all users
- Ensure the user has logged off and back on to Windows at least once since AD authentication was enabled.
- Ensure the user's password has not expired and that the account is not flagged "User must change password at next logon" in Active Directory; either state stops the domain controller issuing Kerberos tickets for the account.
- Run klist from a command prompt on the affected device and compare the output with klist on a machine that is working. The working machine shows a ticket whose server is HTTP/<USS Gateway FQDN>; if the affected machine has no such ticket, or shows an error in its place, the browser never obtained one.
- Remove the affected machine from the domain and rejoin it; this resets the computer account's password and Kerberos secrets in Active Directory.
- A stale credential or ticket may be cached on the user's machine. Open Control Panel -> User Accounts -> Credential Manager -> Windows Credentials and delete any entry for the USS Gateway hostname; cached Kerberos tickets themselves can be cleared with klist purge. The user then needs to log off and back on to Windows to obtain a fresh ticket.
- Try logging in as the failing user account on a different machine. If that works, the problem is with the original machine or its computer account in Active Directory rather than with the user account.
- With multiple domain controllers, check whether users are only prompted when they authenticate via a particular DC. That points to a problem with that DC rather than the user account, e.g. a time mismatch between the DC and the USS Gateway proxy.
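The client-side checks from both lists above (clock skew against a domain controller, proxy setting as a lower-case FQDN, a Kerberos ticket for HTTP/<gateway>, Credential Manager entries, password status) can be run in one go from the affected Windows machine. The script below is an added example written for this article; it is not part of the USS Gateway product or its documentation. The hostnames uss.example.local and dc01.example.local are assumptions to be replaced with your own, and the output is informational only: it uses standard w32tm, klist, cmdkey and net commands and changes nothing on the machine.

```powershell
# Added troubleshooting helper for the checks in this article; not product code.
# Run in a PowerShell prompt on an affected domain-joined Windows client.
$GatewayFqdn = 'uss.example.local'   # assumed USS Gateway FQDN, lower case
$DcFqdn      = 'dc01.example.local'  # assumed domain controller to compare time with
$MaxSkewSec  = 300                   # Kerberos default clock-skew tolerance (5 minutes)

function Test-ClockSkew {
    # w32tm prints one "hh:mm:ss, +00.1234567s" line per sample; use the last one.
    $lines = w32tm /stripchart /computer:$DcFqdn /samples:3 /dataonly 2>$null |
             Where-Object { $_ -match ',\s*[+-]\d+\.\d+s' }
    if (-not $lines) { return "SKIP  could not query time from $DcFqdn" }
    if ($lines[-1] -match ',\s*([+-]\d+\.\d+)s') { $offset = [double]$Matches[1] }
    if ([math]::Abs($offset) -le $MaxSkewSec) { return "OK    clock offset to DC is ${offset}s" }
    return "FAIL  clock offset to DC is ${offset}s (limit ${MaxSkewSec}s); fix NTP"
}

function Test-ProxySetting {
    # Per-user WinINET proxy; value is "host:port" or "http=host:port;https=host:port".
    $reg = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    if (-not $reg.ProxyServer) { return "SKIP  no per-user proxy set (GPO or PAC file may set it)" }
    $results = foreach ($entry in ($reg.ProxyServer -split ';')) {
        $h = ($entry -replace '^\w+=', '') -replace ':\d+$', ''
        if ($h -match '^\d{1,3}(\.\d{1,3}){3}$') { "FAIL  proxy uses IP address $h; use the gateway FQDN" }
        elseif ($h -cne $h.ToLower())          { "FAIL  proxy host '$h' is not lower case" }
        elseif ($h -ne $GatewayFqdn)           { "WARN  proxy host '$h' differs from expected $GatewayFqdn" }
        else                                   { "OK    proxy host is $h" }
    }
    return $results
}

function Test-GatewayTicket {
    # Windows klist lists "Server: HTTP/<host> @ <REALM>" for each cached service ticket.
    $spn = "HTTP/$GatewayFqdn"
    $hit = klist 2>$null | Select-String -SimpleMatch $spn
    if ($hit) { return "OK    service ticket present for $spn" }
    return "FAIL  no ticket for $spn; compare with a working machine, then log off/on or run 'klist purge'"
}

function Test-StoredCredential {
    # A saved Windows credential for the gateway overrides Kerberos in the browser.
    $hit = cmdkey /list 2>$null | Select-String -SimpleMatch $GatewayFqdn
    if ($hit) { return "WARN  Credential Manager has an entry for $GatewayFqdn; delete it and log off/on" }
    return "OK    no stored credential for $GatewayFqdn"
}

function Test-PasswordStatus {
    # "net user /domain" reports expiry; an expired password blocks ticket issuance.
    $info = net user $env:USERNAME /domain 2>$null
    $line = ($info | Select-String 'Password expires') -replace '\s{2,}', ' '
    if (-not $line) { return "SKIP  could not read account info for $env:USERNAME" }
    return "INFO  $line (also check 'must change password at next logon' in AD)"
}

"=== Kerberos SSO checks for $GatewayFqdn on $env:COMPUTERNAME as $env:USERNAME ==="
Test-ClockSkew
Test-ProxySetting
Test-GatewayTicket
Test-StoredCredential
Test-PasswordStatus
```

Run it on a working machine first to confirm the expected OK lines, then on the affected one; a FAIL on the ticket check with everything else OK usually means the user has not logged on since AD authentication was enabled, while a skew FAIL on one machine but not others points at the domain controller that machine is using.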