Kofax

Windows prompting for credentials when logging into KTA using Windows authentication (SSO)

Problem

Windows prompts for credentials when logging into KTA with Windows authentication (SSO) enabled, and the browser dev tools network tab shows LogOnUsingWindowsAuthentication requests failing with HTTP 401 errors.

How to verify the cause of the Windows credentials prompt

Please find the steps below to verify the cause of Windows prompting for credentials.

  1. Is IIS configured to use Windows authentication within the TotalAgility application (Feature View > Authentication)?
  2. Does the web tab of the KTA Configuration tool confirm that KTA is configured to use Windows authentication?
  3. Is "Enable Integrated Windows authentication" checked in Internet options > Advanced tab?
  4. Is the KTA URL added to the local intranet or trusted sites zone with Medium-low security?
  5. Does the Windows prompt occur in different browsers (IE, Edge, Chrome, Firefox)?

If the answer to all of the above is yes, it is possible that Kerberos Windows authentication is being used and is not configured correctly.

Steps to troubleshoot Kerberos Windows authentication

Download the attached KerberosAuthenticationTester onto the machine that is prompting for credentials to confirm whether it is using Kerberos (Negotiate can result in either NTLM or Kerberos). Use a URL that is failing in the browser with the 401 HTTP error, e.g. https://hostname/TotalAgility/Servic...uthentication3
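
The same Kerberos-or-NTLM determination can be made by hand from the header seen in the dev tools network tab; the following is an added example, not Kofax code and not part of the KerberosAuthenticationTester. It assumes a hypothetical helper name (classify_negotiate) and uses constructed sample tokens, relying on the NTLMSSP signature and the Kerberos mechanism OID followed by the AP-REQ token ID.

```python
import base64

NTLM_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs: tag 0x06, length, value.
OID_SPNEGO = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2
KRB5_AP_REQ = OID_KRB5 + b"\x01\x00"                # OID then TOK_ID 01 00 (AP-REQ)
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_negotiate(header_value):
    """Return (mechanism, detail) for an Authorization or WWW-Authenticate value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return ("none", "not a Negotiate/NTLM header")
    if not b64.strip():
        return ("none", "scheme offered without a token")
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return ("unknown", "token is not valid base64")
    spnego = token[:1] == b"\xa1" or (token[:1] == b"\x60" and OID_SPNEGO in token[:16])
    wrapper = "SPNEGO-wrapped" if spnego else "raw"
    pos = token.find(NTLM_SIG)
    if pos != -1:  # NTLM message type is the 4-byte little-endian field after the signature
        msg_type = int.from_bytes(token[pos + 8:pos + 12], "little")
        return ("NTLM", f"{wrapper}, {NTLM_TYPES.get(msg_type, 'unknown type')}")
    if KRB5_AP_REQ in token:
        return ("Kerberos", f"{wrapper}, AP-REQ")
    return ("unknown", f"{wrapper}, no Kerberos AP-REQ or NTLMSSP signature found")


def _tlv(tag, body):
    """Build a short-form DER element (constructed sample data only, body < 128 bytes)."""
    return bytes([tag, len(body)]) + body


# Constructed samples: shaped like real tokens, with zero filler instead of a ticket.
_krb = _tlv(0x60, KRB5_AP_REQ + _tlv(0x6E, b"\x00" * 16))
SAMPLES = {
    "kerberos": "Negotiate " + base64.b64encode(
        _tlv(0x60, OID_SPNEGO + _tlv(0xA0, _tlv(0x30, _tlv(0xA2, _tlv(0x04, _krb)))))).decode(),
    "ntlm": "Negotiate " + base64.b64encode(NTLM_SIG + (1).to_bytes(4, "little") + bytes(4)).decode(),
    "offer": "Negotiate",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, classify_negotiate(value))
```

Copy the Authorization request header value of the failing LogOnUsingWindowsAuthentication call from the network tab and pass it to classify_negotiate.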

 

Check the Microsoft KB below to understand when an SPN is required: https://docs.microsoft.com/en-us/archive/blogs/jaws/spn-configurations-for-kerberos-authentication-a-quick-reference

 

For test purposes on your TEST machine, one test is to set “useAppPoolCredentials” = true, which is typically recommended when Kerberos is enabled. Then try logging on to KTA using the hostname URL: https://machinename/TotalAgility/forms. Note: with this configuration, when browsing the URL by machine name, having Use Kernel Mode and Use App Pool Credentials enabled typically means no additional SPNs are needed and the HOST SPN will be sufficient.

 

The article below takes you through the required steps and permutations of SPNs:

https://blogs.msdn.microsoft.com/web...ith-iis-7-07-5

 

Also, below is a useful Kerberos troubleshooting guide: https://docs.microsoft.com/en-gb/tro...os-failures-ie

 

For resolving this Windows authentication issue on the customer's domain, please note that this is domain security and each customer will have their own security requirements to adhere to.