IWA authentication does not work after enabling Enhanced Protected Mode security setting in IE
Last Updated January 09, 2019
After enabling Enhanced Protected Mode in Internet Explorer (IE) --> Internet Options --> Advanced --> Security --> Enable Enhanced Protected Mode, IWA authentication via ProxySG / ASG / SGVA shows one of the following behaviors:
Intermittent authentication pop-up
No authentication pop-up, but the browser does not provide an NTLM credential or Kerberos ticket to ProxySG for referral URLs
Not able to browse any website. IE shows "Can't reach this page" (in Transparent mode)
Not able to browse any website. IE shows "The proxy server isn't responding" (in Explicit mode)
Enhanced Protected Mode is a security feature that was introduced in Windows 8 and is also present in Windows 10. It restricts the browser (IE) from providing computer and personal data, including the NTLM credential or Kerberos ticket that IWA authentication requires. More details can be found in this Microsoft article. When this security feature is enabled, Internet Explorer no longer participates in NTLM / Kerberos negotiation with ProxySG, so IWA authentication shows one of the behaviors stated above.
When ProxySG / ASG / SGVA is deployed with IWA authentication, Enhanced Protected Mode needs to be disabled in the IE security settings. By default this feature is turned off. The purpose of this feature is already served by the SG, for example:
By default, ProxySG / ASG / SGVA does not pass any Authorization or Proxy-Authorization headers to the OCS (the server on the internet). Reference article TECH244708
Using ProxySG with the Content Analysis service, or using ASG, protects against known malware, viruses and other threats
Configuring appropriate ProxySG policy can prevent users from navigating to vulnerable or malicious websites.
Note - Having Enhanced Protected Mode enabled in IE does not affect the IWA authentication behavior of Chrome or Firefox.
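To confirm from a header capture that a client has stopped answering the IWA challenge, as described above, the following added example (not part of the original article or any Symantec tooling) counts how each client's next request responds to a Negotiate / NTLM challenge. It assumes standard HTTP semantics: 407 with Proxy-Authenticate / Proxy-Authorization in Explicit mode, 401 with WWW-Authenticate / Authorization in Transparent mode. The client names, URLs and tokens are constructed placeholders.

```python
CHALLENGES = {407: ("proxy-authenticate", "proxy-authorization"),  # explicit proxy
              401: ("www-authenticate", "authorization")}          # transparent
IWA_SCHEMES = {"negotiate", "ntlm"}

def parse_head(raw):
    """Return (start_line, {lowercased header name: [values]}) for a message head."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def has_iwa(values):
    """True if any header value starts with the Negotiate or NTLM scheme."""
    return any(v.split() and v.split()[0].lower() in IWA_SCHEMES for v in values)

def tally(exchanges):
    """exchanges: ordered (client, request_head, response_head) tuples.
    Returns {client: [answered, unanswered]}, counting whether the request
    that follows each IWA challenge carried IWA credentials."""
    pending, result = {}, {}
    for client, req, resp in exchanges:
        _, req_headers = parse_head(req)
        expected = pending.pop(client, None)  # credential header owed, if any
        if expected:
            answered = has_iwa(req_headers.get(expected, []))
            result.setdefault(client, [0, 0])[0 if answered else 1] += 1
        status_line, resp_headers = parse_head(resp)
        status = int(status_line.split()[1])
        if status in CHALLENGES:
            challenge, credential = CHALLENGES[status]
            if has_iwa(resp_headers.get(challenge, [])):
                pending[client] = credential
    return result

def silent_clients(exchanges):
    """Clients that were challenged but never offered IWA credentials."""
    return sorted(c for c, (ok, missed) in tally(exchanges).items() if ok == 0 and missed)

GET = "GET http://example.com/ HTTP/1.1\nHost: example.com"
C407 = "HTTP/1.1 407 Proxy Authentication Required\nProxy-Authenticate: Negotiate\nProxy-Authenticate: NTLM"
C401 = "HTTP/1.1 401 Unauthorized\nWWW-Authenticate: Negotiate"
SAMPLE = [  # constructed exchanges, not taken from a real capture
    ("client-a", GET, C407), ("client-a", GET, C407),
    ("client-b", GET, C407),
    ("client-b", GET + "\nProxy-Authorization: NTLM <token>", "HTTP/1.1 200 OK"),
    ("client-c", "GET / HTTP/1.1\nHost: example.com", C401),
    ("client-c", "GET / HTTP/1.1\nHost: example.com", C401),
]
```

A client listed by `silent_clients` while other browsers on the same machine authenticate normally matches the behavior this article attributes to Enhanced Protected Mode.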