The purpose of this article is to explain in which cases it is desirable to use an IWA-BCAAA realm instead of IWA-Direct for authentication. Normally we recommend using IWA-Direct over IWA-BCAAA because of performance differences and fewer points of failure, but in some cases IWA-BCAAA may still be the only option available.
Use IWA-BCAAA if all of the following conditions apply to your environment:
In some environments it may be required to deploy IWA-BCAAA due to existing security policies. If this is the case, ensure that the version of BCAAA supports Kerberos, as explained in the article mentioned above, and that the MaxConcurrentAPI settings are set properly as well.
In order to avoid authentication-related issues, it is always advisable to run the latest General Availability SGOS version within the current branch (6.5, 6.6 or 6.7).