The Kerberos server which is handling the authentication for IIS in this environment is running a non-Windows operating system.
IIS has Windows Authentication enabled by default, which sends the User credentials as well as Group membership. It has been noted that some Kerberos servers running on a non-Windows operating system will properly process the User credentials, but ignore or fail to process the Group membership. The end result is that the User can log into the Web Interface successfully, but any Policies and Roles which are not explicitly applied to the User do not get applied.
WORKAROUND
In IIS, disable the default Windows Authentication and enable Basic Authentication.
NOTE: User credentials in the credential prompt in the Web Interface must now be entered in the format domain\username
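The workaround above can also be applied and verified from PowerShell. This is an added example, not One Identity's own script; it assumes the WebAdministration module and the Basic Authentication role service are installed, and 'Default Web Site' is a placeholder for the site (or Site/Application path) that hosts the Web Interface.

```powershell
# Added example: apply the workaround, then read the settings back.
# $Location is a placeholder; set it to the site or 'Site/App' path
# that hosts the Web Interface.
param(
    [string]$Location = 'Default Web Site'
)

Import-Module WebAdministration

$authBase = 'system.webServer/security/authentication'
$common   = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $Location }

# Disable Windows Authentication and enable Basic Authentication.
Set-WebConfigurationProperty @common -Filter "$authBase/windowsAuthentication" `
    -Name enabled -Value $false
Set-WebConfigurationProperty @common -Filter "$authBase/basicAuthentication" `
    -Name enabled -Value $true

# Read the effective values back so the change is confirmed, not assumed.
foreach ($scheme in 'windowsAuthentication', 'basicAuthentication', 'anonymousAuthentication') {
    $enabled = (Get-WebConfigurationProperty @common -Filter "$authBase/$scheme" -Name enabled).Value
    '{0,-24} enabled = {1}' -f $scheme, $enabled
}

# Basic Authentication sends domain\username and the password Base64-encoded
# on every request, so check that the site has an HTTPS binding.
$siteName = $Location.Split('/')[0]
if (-not (Get-WebBinding -Name $siteName -Protocol 'https')) {
    Write-Warning "No HTTPS binding found on '$siteName'; Basic Authentication credentials would cross the network unencrypted."
}
```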