The previous implementation for test/basic authentication was going to a KDC from the user's domain and using Kerberos in the back end to authenticate the user. It's failing because the appliance thinks that domain is offline because the appliance must have been unable to connect to a DC from the user's domain when it tried.
In SGOS 184.108.40.206 and later, the appliance does NTLM on the back-end for basic/test authentication (just like BCAAA). It takes the basic credentials and issues an NTLM request. The appliance acts as the NTLM client. In that case, for basic and test authentication, the appliance will be sending an NTLM request to a DC from its domain, and that DC will forward the request to a DC from the user's domain (foreign domain in this case). It won't matter if the appliance thinks the user's domain is offline, because it won't have to talk directly to the DC in the user's domain.
The new implementation in 220.127.116.11 and later that uses NTLM doesn't require the appliance to connect directly to a DC from the user's domain.
This is fixed in SGOS 18.104.22.168 or later.
Make sure that appliance can also talk directly to the DCs in the foreign domain.
Imported Document ID: 000022630
Subscribing will provide email updates when this Article is updated. Login is required.