When to use an IWA-BCAAA authentication realm instead of an IWA-Direct authentication realm.

Article ID: 171565

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

This article explains when it is desirable to use an IWA-BCAAA realm instead of an IWA-Direct realm for authentication. Normally we recommend IWA-Direct over IWA-BCAAA because it performs better and has fewer points of failure, but in some cases IWA-BCAAA may still be the only option available.

Resolution

Use IWA-BCAAA if all of the following conditions apply to your environment:

  • NTLM is used for authentication (as there are issues with Kerberos authentication, as explained in TECH244714)
  • The MaxConcurrentAPI settings have been modified on all the involved servers as per article TECH246270
  • Surrogates (IP or Cookie) cannot be used
  • SGOS version is prior to 6.5.2.X

In some environments it may be required to deploy IWA-BCAAA due to existing security policies. If this is the case, ensure that the version of BCAAA supports Kerberos, as explained in the article mentioned above, and that the MaxConcurrentAPI settings are set properly as well.

To avoid authentication-related issues, it is always advisable to run the latest General Availability SGOS version within the current branch (6.5, 6.6 or 6.7).