CAUSE 1
The Kerberos server which is handling the authentication for IIS in this environment is running a non-Windows operating system.
IIS has Windows Authentication enabled by default, which should be sending User credentials as well as Group membership. It has been noted that some Kerberos servers running on a non-Windows operating system will properly process the User credentials, but ignore/fail-to-process Group Membership. The end result of this is that the User is allowed to log into the Web Interface successfully, but all Access Templates and Roles which are not explicitly applied to the User do not get applied.
It may also be possible to reconfigure the Kerberos server running on the non-Windows operating system so that it processes Windows Authentication properly. For assistance with this option, please contact the vendor of your Kerberos solution or consult their documentation.
CAUSE 2
If the Kerberos server which is handling authentication for IIS in this environment is running a Windows operating system, it is not passing a complete group membership list in the Kerberos authentication token.
Consult Microsoft resources or contact Microsoft for assistance with this issue.
WORKAROUND
In IIS, disable the default Windows Authentication and enable Basic Authentication.
NOTE: User credentials in the credential prompt in the Web Interface must now be entered in the format domain\username
Basic Authentication should not be used over HTTP. Basic Authentication should only be used over SSL, and over when absolutely necessary. Using Basic Authentication over HTTP will result in the transmission of passwords via plain-text.
© ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center