The purpose of this article is to explain in which cases it is desirable to use an IWA-BCAAA realm instead of IWA-Direct for Authentication. Normally we recommend using IWA-Direct over IWA-BCAAA due to performance differences and less points of failure, but in some cases it may still be the only option available.

Use IWA-BCAAA if all of the following conditions apply to your environment:

• NTLM is used for authentication (as there is issues with Kerberos authentication as explained in TECH244714)
• The MaxConcurrentAPI settings have been modified in all the involved servers as per article TECH246270
• Surrogates (IP or Cookie) cannot be used
• SGOS version is prior to 6.5.2.X

In some environments it may be required to deploy IWA-BCAAA due to existing security policies. If this is the case, ensure that the version of BCAAA supports Kerberos as explained article mentioned above and that the MaxConcurrentAPI settings are set properly as well.

In order to avoid authentication-related issues, it is always advisable to run the latest General Availability SGOS version within the current branch (6.5, 6.6 or 6.7).