User authentication appears to fail when a restricted user tries to access the web through the proxy. In this scenario the user's account is restricted in Active Directory to log in to specific workstations.
The proxy constantly reports that authentication fails for this user, whatever site they try to reach.
The reason for this is that the computer the BCAAA agent is installed on, or the Proxy in AD (in the case of IWA Direct), has not been added to the list of approved workstations for the user. Any time a user is asked to authenticate by the proxy, their credentials are handed off to the BCAAA agent, which then processes the authentication against Active Directory; in the case of IWA Direct, the Proxy itself performs the authentication against Active Directory.
This means that it is the BCAAA workstation or the Proxy that authenticates, not the user's workstation.
Because of this, the member server running BCAAA, or the Proxy (for IWA Direct), must be added to the list of workstations in Active Directory that the user is allowed to log in to; otherwise all Proxy authentication attempts will fail.
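
One way to check and correct the workstation list described above, as an added example that is not part of the original article. It assumes the ActiveDirectory PowerShell module (RSAT) is available; the function name and the sample account and host names are hypothetical and constructed for illustration.

```powershell
#Requires -Modules ActiveDirectory
# Added example: function name, parameter names and sample values are illustrative.
function Add-ProxyAuthHostToLogonWorkstations {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # sAMAccountName of the restricted user
        [Parameter(Mandatory)][string]$UserName,
        # BCAAA member server, or the Proxy's computer name in AD (IWA Direct)
        [Parameter(Mandatory)][string]$AuthHostName
    )

    $user = Get-ADUser -Identity $UserName -Properties LogonWorkstations

    # An empty attribute means the account has no workstation restriction.
    # Writing a single name here would create a restriction, so leave it alone.
    if ([string]::IsNullOrWhiteSpace($user.LogonWorkstations)) {
        Write-Output "$UserName has no workstation restriction; nothing to change."
        return
    }

    # The attribute is a comma-separated list of computer names.
    $allowed = @($user.LogonWorkstations -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # -contains compares strings case-insensitively.
    if ($allowed -contains $AuthHostName) {
        Write-Output "$AuthHostName is already allowed for $UserName."
        return
    }

    # Append the authenticating host and keep every existing entry.
    $updated = ($allowed + $AuthHostName) -join ','
    if ($PSCmdlet.ShouldProcess($UserName, "Set LogonWorkstations to '$updated'")) {
        Set-ADUser -Identity $user -LogonWorkstations $updated
        Write-Output "Added $AuthHostName to the allowed workstations for $UserName."
    }
}

# Constructed sample values; replace with the real account and host names.
# -WhatIf previews the change without writing to Active Directory.
Add-ProxyAuthHostToLogonWorkstations -UserName 'jdoe' -AuthHostName 'BCAAA-SRV01' -WhatIf
```

Remove `-WhatIf` to apply the change once the preview shows the expected list.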