Authentication process when NTLM credentials are used in an IWA realm with a direct connection.


Article ID: 242574


Updated On:


ProxySG Software - SGOS


This article describes the authentication challenge and response process for an IWA direct realm, in which the ProxySG establishes a secure channel to the IWA server itself. It does not apply to BCAAA.


1. The client makes a request to the ProxySG. The ProxySG replies with a 407 HTTP response code (explicit mode), which prompts the client to resend the request, this time including the authentication

2. The client resends the original request. This time, the client includes the Type 1 message, encoded in base 64. The ProxySG responds to the client with the Type 2 message. The client receives the Type 2 message, which contains the challenge, and calculates, using the user's password, the Type 3 message for that challenge.

3. The client sends the Type 3 message to the ProxySG as a base 64-encoded string. The ProxySG uses the Windows Netlogon service (Schannel) to pass the information to the domain controller for the final validation. If the Type 3 message contains the correctly encrypted response to the challenge, the domain controller authenticates the user and passes the information to the ProxySG. After a successful authentication, the connection between the ProxySG and the client is authenticated. The ProxySG then sends the HTTP request to the OCS, the OCS sends the HTTP response to the ProxySG, and the ProxySG sends the HTTP response to the client.
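The following is an added simulation of the three-step exchange above (client, proxy and domain-controller roles in one process), written for this article; it is not ProxySG or Broadcom code. The message framing (`T1`/`T2`/`T3` prefixes), the password-derived secret (SHA-256) and the keyed response (HMAC-SHA256) are simplified stand-ins for the real MS-NLMP formats and the NT hash/NTLMv2 computation; `DC_SECRETS`, `proxy_handle`, `client_authenticate` and the user `alice` are constructed names. What it shows is the part of step 2 and 3 that matters for the defender: the password never crosses the wire, the proxy validates the Type 3 against the challenge it issued on this connection, and a Type 3 captured from one connection fails against the fresh challenge of another.

```python
"""Simulated NTLM-style 407 challenge/response between client, proxy and DC.

Constructed example: framing and cryptography are simplified stand-ins,
not the real MS-NLMP message layout or the NTLMv2 algorithm.
"""
import base64
import hashlib
import hmac
import os


def derive_secret(password: str) -> bytes:
    # Stand-in for the NT hash (real NTLM uses MD4 over the UTF-16LE password).
    return hashlib.sha256(password.encode("utf-16-le")).digest()


# Constructed domain-controller view: the only place the secret lives.
DC_SECRETS = {"alice": derive_secret("s3cret-pw")}


def compute_response(secret: bytes, challenge: bytes) -> bytes:
    # Keyed function of the server challenge: proves knowledge of the secret
    # without sending it, and binds the proof to this one challenge.
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def type1() -> bytes:
    return b"T1"


def type2(challenge: bytes) -> bytes:
    return b"T2" + challenge


def type3(user: str, response: bytes) -> bytes:
    return b"T3" + user.encode() + b"\x00" + response


def parse_type3(msg: bytes):
    user, _, resp = msg[2:].partition(b"\x00")
    return user.decode(), resp


def dc_validate(user: str, challenge: bytes, response: bytes) -> bool:
    # Domain controller role: recompute the expected response and compare.
    secret = DC_SECRETS.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(compute_response(secret, challenge), response)


def proxy_handle(headers: dict, session: dict):
    """Proxy role. `session` persists the challenge across one connection."""
    auth = headers.get("Proxy-Authorization", "")
    if not auth.startswith("NTLM "):
        return 407, {"Proxy-Authenticate": "NTLM"}            # step 1
    msg = base64.b64decode(auth[5:])
    if msg.startswith(b"T1"):                                  # step 2
        session["challenge"] = os.urandom(8)
        blob = base64.b64encode(type2(session["challenge"])).decode()
        return 407, {"Proxy-Authenticate": "NTLM " + blob}
    if msg.startswith(b"T3"):                                  # step 3
        challenge = session.pop("challenge", None)             # single use
        if challenge is not None:
            user, resp = parse_type3(msg)
            if dc_validate(user, challenge, resp):
                session["user"] = user
                return 200, {}
        return 407, {"Proxy-Authenticate": "NTLM"}
    return 400, {}


def client_authenticate(user: str, password: str, session: dict):
    """Client role: drive the three steps; returns (status, Type 3 header)."""
    secret = derive_secret(password)
    status, _ = proxy_handle({}, session)
    if status != 407:
        raise RuntimeError("expected 407 on the unauthenticated request")
    t1 = "NTLM " + base64.b64encode(type1()).decode()
    status, hdrs = proxy_handle({"Proxy-Authorization": t1}, session)
    challenge = base64.b64decode(hdrs["Proxy-Authenticate"][5:])[2:]
    t3 = "NTLM " + base64.b64encode(type3(user, compute_response(secret, challenge))).decode()
    status, _ = proxy_handle({"Proxy-Authorization": t3}, session)
    return status, t3


def replay(t3_header: str) -> int:
    """A Type 3 captured from another connection, resent after a fresh Type 1:
    the new challenge does not match the one it was computed for."""
    session = {}
    proxy_handle({"Proxy-Authorization": "NTLM " + base64.b64encode(type1()).decode()}, session)
    status, _ = proxy_handle({"Proxy-Authorization": t3_header}, session)
    return status


if __name__ == "__main__":
    s = {}
    status, t3 = client_authenticate("alice", "s3cret-pw", s)
    print(status, s.get("user"))       # 200 alice
    print(replay(t3))                  # 407
```

Because the challenge is consumed from the session on the first Type 3 and is bound to that one connection, the same Type 3 cannot be accepted twice, and a wrong password produces a 407 without the proxy or the DC ever seeing the password itself.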