The proxy administrator installed a new BCAAA server on Windows Server 2019.
Users accessing this proxy are required to authenticate to AD via this BCAAA server.
The BCAAA server IP address has been added as a Primary target in one of the current IWA realms.
Testing the new target with the "Test Configuration" tool in the Proxy UI's IWA realm page succeeds, i.e. the user credentials supplied to the tool are validated.
However, when the realm is added to a Proxy authentication policy, all authentications fail from the browser.
BCAAA logs report that the username or password is incorrect.
Active Directory user store.
BCAAA server running on Windows Server 2019.
Proxy server with IWA realm pointing to BCAAA server.
User testing performed from the BCAAA server host itself, not from a regular workstation.
Enable option 2 from the following Microsoft authentication KB to 'Disable the authentication loopback check'.
When initially troubleshooting, we found the issue only occurred for the admin logged on to the Windows Server 2019 BCAAA host. After testing from a regular Windows workstation, we confirmed everything worked fine. The cause is a security feature first added in Windows Server 2003 and carried into later versions of Windows Server; in our case it prevented a user on the local host from logging on to the proxy successfully when the proxy was addressed by its FQDN or host header.
Enabling and capturing the BCAAA debug logs shows the following:
2025/06/04 17:07:56.531 [3188] REQ: contextKey=0x2
2025/06/04 17:07:56.531 [3188] REQ: contextKey=0x MAR 0
2025/06/04 17:07:56.531 [3188] REQ:key=0x2 _pContextLink=0x1475E30 phContext=0x1475E38 phContextNew=0x1475E38 TS=1749056876
2025/06/04 17:07:56.531 [1252] WSARecv: ERROR_IO_PENDING=0x3e5
2025/06/04 17:07:56.531 [1252] Recv: WaitForMultipleEvents 0x1476098=0x27c
2025/06/04 17:07:56.531 [3188] REQ:_hContext=0xACE6B000ABE8C0 *phContextNew=0xACE6B000ABE8C0
2025/06/04 17:07:56.531 [3188] REQ: outputBuffer.pvBuffer=0x1751120 .cbBuffer=100256
2025/06/04 17:07:56.531 [3188] AcceptSecCtxt: pCtx=1475e30 tLen=688 tId=89c3 sn=89c3 ct=0
2025/06/04 17:07:56.531 [3188] AcceptSecCtxt returns 0x8009030c LastError 1326
2025/06/04 17:07:56.531 [3188] hContext=0x1475e38:ace6b000abe8c0
2025/06/04 17:07:56.532 [3188] [4032:3188] Failed NTLM Authentication for user: 'EXAMPLE\user'; status=1326:0x52e:The user name or password is incorrect.
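The check-and-fix below is an added PowerShell example, not part of this article or of BCAAA; run it on the BCAAA host to see whether the loopback check will reject NTLM logons to the proxy name and, with -Apply, to set the workaround. It goes slightly beyond the article by also reporting the narrower per-name exemption from the same Microsoft KB. The registry locations are the documented Windows LSA values; $ProxyName is an assumed placeholder for the proxy FQDN or host header that browsers on this host use.

```powershell
<#
 Added example, not part of the original article or the BCAAA product.
 Reports, and optionally applies, the LSA loopback-check workaround on the BCAAA host.
 $ProxyName is an assumed placeholder; replace it with the real proxy FQDN / host header.
#>
param(
    [string]$ProxyName = 'proxy.example.com',   # assumption: the name browsers on this host use
    [switch]$Apply                               # without -Apply the script only reports
)

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$MsvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-LoopbackCheckState {
    $lsa = Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue
    $msv = Get-ItemProperty -Path $MsvKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # Option 2 in the Microsoft KB: DisableLoopbackCheck = 1 turns the check off machine-wide
        LoopbackCheckDisabled   = ($lsa.DisableLoopbackCheck -eq 1)
        # Option 1 in the same KB: names listed here are individually exempt from the check
        BackConnectionHostNames = @($msv.BackConnectionHostNames)
    }
}

$state     = Get-LoopbackCheckState
$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Write-Host "Local host     : $localFqdn"
Write-Host "Check disabled : $($state.LoopbackCheckDisabled)"
Write-Host "Exempt names   : $($state.BackConnectionHostNames -join ', ')"

# The check only applies when the NTLM client and BCAAA are the same machine and the
# target name is not the machine's own name, which is exactly the situation in this article.
if ($state.LoopbackCheckDisabled -or $state.BackConnectionHostNames -contains $ProxyName) {
    Write-Host "NTLM logons to '$ProxyName' from this host are not subject to the loopback check."
    return
}
Write-Host "NTLM logons to '$ProxyName' from this host will be rejected by the loopback check (the status 1326 symptom above)."

if ($Apply) {
    # Option 2, as applied in this article: disable the check; the Microsoft KB directs a restart afterwards.
    New-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck -PropertyType DWord -Value 1 -Force | Out-Null
    # Narrower alternative (option 1 in the same KB): exempt only the proxy name instead.
    # New-ItemProperty -Path $MsvKey -Name BackConnectionHostNames -PropertyType MultiString -Value @($ProxyName) -Force | Out-Null
    Write-Host "DisableLoopbackCheck set to 1; restart the server so LSA picks up the change."
}
```

Run without -Apply first from an elevated prompt; only the BCAAA host needs the change, since regular workstations never hit this check.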