A domain user would need to be assigned to run the BCAAA service on the Windows server.
This domain user have certain rights that needs to be assigned in order for IWA authentication to work.
Release : 6.7.x and 7.x
Component : Authentication
In the Local Security Policy of the server on which BCAAA is running, modify the user rights assignment for the BCAAA domain user to have the following rights:
1. Full access to the directory where you installed BCAAA
2. Act as part of the operating system
3. Logon as a service