To bypass authentication prompts from the ProxySG or ASG, enable IWA single sign-on (SSO). When SSO is configured correctly, the user agent or browser automatically provides the client's domain credentials when challenged by the appliance.
Although you cannot guarantee that SSO will work in all situations, make sure you have taken the following steps to enable it:
- Configure the IWA realm to allow Kerberos and/or NTLM credentials. When using Basic credentials, the user will always be prompted to authenticate.
- Ensure that users are logging in to their workstations using domain credentials rather than local credentials. The appliance can only use domain credentials to authenticate users.
- Ensure that the client browsers support IWA SSO.
- Make sure the client browsers are configured to automatically provide credentials to the appliance.
- Create a DNS "A" record that maps the appliance's fully qualified domain name (FQDN) to its IP address. In explicit deployments, the DNS A record should map the FQDN used in the browser's explicit proxy configuration; in transparent deployments, the DNS A record should map the Virtual URL in the IWA realm configuration to the IP address of the appliance.
- Ensure that clients are using the DNS server you configured. To test this, ping the FQDN you specified in the DNS configuration from a client system and ensure that it resolves to the correct IP address.
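
The two checks above that can be verified from a client (the realm offers Kerberos/NTLM rather than only Basic, and the FQDN resolves to the appliance IP) can be scripted. The following is an added example, not part of the original documentation or vendor code; it assumes standard HTTP challenge headers (`Proxy-Authenticate` on a 407, `WWW-Authenticate` on a 401), and the host name, IP addresses, sample responses and `fake_dns` resolver are constructed placeholders.

```python
import socket

SSO_SCHEMES = {"negotiate", "ntlm"}  # schemes a browser can answer without prompting
CHALLENGE_HEADERS = ("proxy-authenticate", "www-authenticate")  # 407 / 401 challenges

def offered_schemes(raw_response):
    """Collect the auth schemes from the challenge headers of a raw HTTP response.
    Assumes one challenge per header line."""
    schemes = set()
    for line in raw_response.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                                   # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() in CHALLENGE_HEADERS and value.strip():
            schemes.add(value.split()[0].rstrip(",").lower())
    return schemes

def resolves_to(fqdn, expected_ip, resolver=socket.gethostbyname_ex):
    """True if the client's resolver returns expected_ip among the A records for fqdn."""
    try:
        return expected_ip in resolver(fqdn)[2]
    except OSError:                                 # covers socket.gaierror (NXDOMAIN etc.)
        return False

def sso_findings(raw_response, fqdn, expected_ip, resolver=socket.gethostbyname_ex):
    """Return a list of problems that would prevent IWA SSO; empty means none found."""
    findings = []
    schemes = offered_schemes(raw_response)
    if not schemes:
        findings.append("no authentication challenge in response")
    elif not schemes & SSO_SCHEMES:
        findings.append("only %s offered; users will always be prompted" % ", ".join(sorted(schemes)))
    if not resolves_to(fqdn, expected_ip, resolver):
        findings.append("%s does not resolve to %s on this client" % (fqdn, expected_ip))
    return findings

# Constructed sample challenges (not captured from a real appliance).
GOOD = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
        "Proxy-Authenticate: Negotiate\r\nProxy-Authenticate: NTLM\r\n\r\n")
BASIC_ONLY = ('HTTP/1.1 401 Unauthorized\r\n'
              'WWW-Authenticate: Basic realm="example"\r\n\r\n')

def fake_dns(name):
    """Stand-in resolver so the demo runs offline; returns a constructed record."""
    if name == "proxy.example.test":
        return (name, [], ["192.0.2.10"])
    raise socket.gaierror("not found")

if __name__ == "__main__":
    print(sso_findings(GOOD, "proxy.example.test", "192.0.2.10", fake_dns))
    print(sso_findings(BASIC_ONLY, "proxy.example.test", "192.0.2.99", fake_dns))
```

On a real client, omit the `resolver` argument so the system's configured DNS server is queried, and pass the response headers captured from the appliance's challenge.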