
IWA authentication does not work after enabling Enhanced Protected Mode security setting in IE


Article ID: 173341


Products

ProxySG Software - SGOS

Issue/Introduction

After enabling Enhanced Protected Mode in Internet Explorer (IE) under Internet Options --> Advanced --> Security --> Enable Enhanced Protected Mode, IWA authentication via ProxySG / ASG / SGVA shows one of the following behaviors:

  • Intermittent authentication pop-ups
  • No authentication pop-up, but the browser does not provide an NTLM credential or Kerberos ticket to ProxySG for referral URLs
  • Not able to browse any website. IE shows "Can't reach this page" (in Transparent mode)
  • Not able to browse any website. IE shows "The proxy server isn't responding" (in Explicit mode)

Cause

Enhanced Protected Mode is a security feature that was introduced in Windows 8 and is also present in Windows 10. It restricts the browser (IE) from providing computer and personal data (i.e. the NTLM credential / Kerberos ticket, which is required for IWA authentication). More details can be found in this Microsoft article. When this security feature is enabled, Internet Explorer no longer participates in NTLM / Kerberos negotiation with ProxySG, hence IWA authentication shows one of the behaviors stated above.
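To confirm this cause from a packet capture or browser trace, the following added example (not part of the original article or any vendor tooling) checks whether the request that follows an IWA challenge carries an NTLM or Negotiate token. The function names, the sample headers, and the use of 401/`WWW-Authenticate` for transparent deployments are assumptions of the example.

```python
import base64

# Challenge/answer header names by status code (assumption of this example:
# explicit proxy challenges with 407, transparent/origin-style with 401).
PAIRS = {407: ("proxy-authenticate", "proxy-authorization"),
         401: ("www-authenticate", "authorization")}
IWA_SCHEMES = {"negotiate", "ntlm"}

# Constructed sample capture (not taken from a real appliance).
CHALLENGE = ("HTTP/1.1 407 Proxy Authentication Required\n"
             "Proxy-Authenticate: Negotiate\nProxy-Authenticate: NTLM\n")
SILENT = "GET http://example.com/ HTTP/1.1\nHost: example.com\n"

def parse_headers(raw):
    """Split a raw HTTP head into (first line, [(lowercased name, value)])."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0].strip(), headers

def token_kind(value):
    """Name the mechanism inside an 'NTLM <b64>' or 'Negotiate <b64>' value."""
    scheme, _, b64 = value.partition(" ")
    if scheme.lower() not in IWA_SCHEMES or not b64.strip():
        return None
    try:
        blob = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return None
    if blob.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    if blob[:1] == b"\x60":  # GSS-API initial token, as sent for SPNEGO/Kerberos
        return "spnego"
    return "unknown"

def classify(challenge_raw, next_request_raw):
    """Report whether the client's next request answered the IWA challenge."""
    status_line, resp_headers = parse_headers(challenge_raw)
    code = int(status_line.split()[1])
    if code not in PAIRS:
        return "no-challenge"
    ask, answer = PAIRS[code]
    offered = {v.split()[0].lower() for n, v in resp_headers if n == ask and v}
    if not offered & IWA_SCHEMES:
        return "no-iwa-challenge"
    _, req_headers = parse_headers(next_request_raw)
    kinds = [k for k in (token_kind(v) for n, v in req_headers if n == answer) if k]
    return "answered:" + kinds[0] if kinds else "challenge-unanswered"
```

A result of `challenge-unanswered` for IE, alongside `answered:...` for another browser on the same machine, matches the behavior described in this article.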

Resolution

When ProxySG / ASG / SGVA is deployed with IWA authentication, Enhanced Protected Mode needs to be disabled in the IE security settings. By default this feature is turned off. The purpose of this feature is already served by the SG, for example:

  • By default, ProxySG / ASG / SGVA does not pass any Authorization and Proxy-Authorization headers to the OCS (server on the internet). Reference article TECH244708
  • ProxySG with Content Analysis service, or ASG, can protect against known malware / viruses / threats etc.
  • Configuring appropriate ProxySG policy can prevent users from navigating to vulnerable or malicious websites.

Note - Having Enhanced Protected Mode enabled in IE does not affect the IWA authentication behavior of Chrome or Firefox.