There is a number of services/applications that use user agents that cannot negotiate NTLM properly because these services/applications are non-NTLM aware. If you have policy for authenticating these services/applications (for eg, 'Any' 'Any' 'Authenticate' policy), the user will be prompted for authentication credentials and/or may receive some authentication errors, depending on the policy configured.

The solution is to disable authentication for these known user agents that are non-NTLM aware. The following is a list of user agents that can be excluded from authentication based on user agent header in the HTTP requests. Please note that this is not a complete list and there are other non-NTLM aware user agents as well that are not on this list and that could also could be added to the 'Do not Authenticate" list if you see authentication related issues.

 
User-Agent="Microsoft-CryptoAPI"

User-Agent="MSUpdate"

User-Agent="AVUpdate"

User-Agent="iTunes"

User-Agent="iphone"

User-Agent="ipad"

User-Agent="Stocks"

User-Agent="CFNetwork"

User-Agent="Shockwave Flash"

User-Agent="Windows-Media-Player"

User-Agent="NSPlayer"*

User-Agent="Windows-Media-Player"

User-Agent=".*flash"

User-Agent="Office"

To exclude these user agents from authentication, add a combined source object in the VPM Web Authentication layer and add the non-NTLM aware user agents from the list above to the Request Header-> Header Name -> Choose 'User-Agent' -> Enter 'User-Agent' field. Use the user agent names exactly as they appear in the list.