Workgroup users are prompted for authentication when BCAAA is running on a member server

Article ID: 167658

Products

ProxySG Software - SGOS

Issue/Introduction

This scenario occurs in mixed deployments of workgroup users and Active Directory users, where you do not want workgroup users who are not part of the AD domain to be prompted for authentication. You can achieve this by creating accounts in AD with the same usernames and passwords as your workgroup users. In that case, installing BCAAA on the DC works without prompting users for authentication. However, when you install BCAAA on a member server, the workgroup users are prompted for authentication.

Resolution

In the BCAAA agent debug logs when the BCAAA agent is running on a member server:

2011/10/25 08:46:29.354 [488] AcceptSecCtxt: pCtx=fd9148 tLen=252 tId=a7 sn=a7 ct=0

2011/10/25 08:46:29.354 [488] AcceptSecCtxt returns  0x8009030c LastError 1326


In the Netlogon logs when the BCAAA agent is running on a member server:

10/26 22:17:36 [LOGON] SamLogon: Network logon of ZULTEST12345678\zul2 from ZULTEST12345678 Returns 0xC0000064


The BCAAA debug logs and the Netlogon logs above show that the response from Microsoft AD was an error related to 'Domain_NOT_Trusted'.

In the BCAAA agent debug logs when the BCAAA agent is running on a DC:

2011/10/25 05:17:02.214 [220] AcceptSecCtxt: pCtx=3f55f8 tLen=252 tId=68 sn=68 ct=0

2011/10/25 05:17:02.505 [220] AcceptSecCtxt returns  0x0 LastError 0  <---


In the Netlogon logs when the BCAAA agent is running on a DC:

10/26 22:23:17 [LOGON] ZDOMAIN: SamLogon: Network logon of ZULTEST12345678\zul2 from ZULTEST12345678 Returns 0x0


The BCAAA debug logs and the Netlogon logs above show that the response from Active Directory has no issues. However, AD assumes that the workgroup user was authenticating in the local domain of the DC, which is the AD domain and not the workgroup domain. This is not the case when the BCAAA agent is running on the member server.
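To tell the two cases apart quickly when reviewing logs, the following added example (not part of the article, and not Symantec/Broadcom code) parses the two log formats quoted above, the BCAAA `AcceptSecCtxt returns` line and the Netlogon `SamLogon` line, extracts the return codes, and flags Netlogon failures whose client domain differs from the AD domain name. The AD domain name `ZDOMAIN` is assumed from the DC Netlogon line; the sample lines are the four quoted in the article.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# BCAAA debug log result line, e.g.
# "2011/10/25 08:46:29.354 [488] AcceptSecCtxt returns  0x8009030c LastError 1326"
BCAAA_RESULT = re.compile(
    r"\[(?P<tid>\d+)\] AcceptSecCtxt returns\s+0x(?P<status>[0-9a-fA-F]+)"
    r" LastError (?P<lasterror>\d+)"
)

# Netlogon log result line, e.g.
# "10/26 22:17:36 [LOGON] SamLogon: Network logon of DOMAIN\user from HOST Returns 0xC0000064"
NETLOGON_RESULT = re.compile(
    r"SamLogon: Network logon of (?P<domain>[^\\]+)\\(?P<user>\S+) from (?P<host>\S+)"
    r" Returns 0x(?P<status>[0-9a-fA-F]+)"
)


@dataclass
class LogonResult:
    source: str                  # "bcaaa" or "netlogon"
    status: int                  # SSPI status (BCAAA) or NTSTATUS (Netlogon), as an integer
    domain: Optional[str] = None # client domain/workgroup from the Netlogon line
    user: Optional[str] = None
    host: Optional[str] = None
    last_error: Optional[int] = None  # Win32 LastError from the BCAAA line

    @property
    def ok(self) -> bool:
        return self.status == 0


def parse_line(line: str) -> Optional[LogonResult]:
    """Parse one log line; returns None for lines that carry no result code."""
    m = BCAAA_RESULT.search(line)
    if m:
        return LogonResult("bcaaa", int(m["status"], 16), last_error=int(m["lasterror"]))
    m = NETLOGON_RESULT.search(line)
    if m:
        return LogonResult("netlogon", int(m["status"], 16),
                           domain=m["domain"], user=m["user"], host=m["host"])
    return None


def triage(lines: List[str], ad_domain: str) -> List[Tuple[str, str]]:
    """Classify each result line as ok, a generic logon failure, or the
    workgroup case from the article (Netlogon failure where the client's
    domain field is not the AD domain)."""
    verdicts = []
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        if r.ok:
            verdict = "ok"
        elif r.source == "netlogon" and r.domain.upper() != ad_domain.upper():
            verdict = "workgroup-user-not-in-ad-domain"
        else:
            verdict = "logon-failure"
        verdicts.append((r.source, verdict))
    return verdicts


# Sample lines quoted from the article: BCAAA on a member server.
MEMBER_SERVER_LINES = [
    "2011/10/25 08:46:29.354 [488] AcceptSecCtxt: pCtx=fd9148 tLen=252 tId=a7 sn=a7 ct=0",
    "2011/10/25 08:46:29.354 [488] AcceptSecCtxt returns  0x8009030c LastError 1326",
    "10/26 22:17:36 [LOGON] SamLogon: Network logon of ZULTEST12345678\\zul2 "
    "from ZULTEST12345678 Returns 0xC0000064",
]

# Sample lines quoted from the article: BCAAA on a DC.
DC_LINES = [
    "2011/10/25 05:17:02.214 [220] AcceptSecCtxt: pCtx=3f55f8 tLen=252 tId=68 sn=68 ct=0",
    "2011/10/25 05:17:02.505 [220] AcceptSecCtxt returns  0x0 LastError 0  <---",
    "10/26 22:23:17 [LOGON] ZDOMAIN: SamLogon: Network logon of ZULTEST12345678\\zul2 "
    "from ZULTEST12345678 Returns 0x0",
]

if __name__ == "__main__":
    # "ZDOMAIN" is assumed to be the AD domain, taken from the DC Netlogon line.
    print("member server:", triage(MEMBER_SERVER_LINES, "ZDOMAIN"))
    print("DC:           ", triage(DC_LINES, "ZDOMAIN"))
```

On the member-server lines the Netlogon failure is reported as the workgroup case because the client domain field (`ZULTEST12345678`, the workgroup/machine name) is not the AD domain; on the DC lines both results are `ok`, matching the article's explanation that the DC treats the logon as local to its own domain.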

This is expected behavior from AD when a user authenticates from a member server: the workgroup or domain that the user is coming from is checked. In this case, the workgroup name is not the domain name, so AD correctly responds with an error because the user does not belong to the AD domain. Therefore, it is expected behavior for a workgroup user who is not an AD domain user to receive an authentication pop-up when the BCAAA agent runs on a member server.