When configuring IWA direct authentication with a ProxySG appliance, the appliance must be added to the domain. This configuration is managed under:
Management Console -> Authentication -> Windows Domain
When you click Join, you're prompted to enter a DNS Domain Name, Username and Password.
This process sometimes fails with the error "Access Denied".
In the majority of cases where a new configuration results in this Access Denied error, the username used for the join does not have enough privileges in Active Directory to join an appliance to the domain.
To remedy this, go to Active Directory and raise the privileges of that username so that it is allowed to join. An administrator with the highest level of privileges should be able to join; however, the user does not have to be an administrator. A user with less than administrator privileges can still be allowed to join.
For example, if the user account used to join the ProxySG appliance to the domain is configured on the Windows Domain or Active Directory and is a member of the Domain Users group only, it will not be able to join. If the user is also a member of Domain Admins, then it will be able to join.