Web Client Prompts for Additional Credentials After Windows Single Sign-on Is Configured

The information in this article applies to:

Product: Metastorm BPM (e-Work)
Version: 6.x, 7.x

Issue

  • After Single Sign-on (SSO) is configured, the web client prompts for additional credentials.

Resolution

  • Although it isn't required, check whether the Metastorm BPM (e-Work) website is listed as a trusted site in the browser (Tools --> Internet Options --> Security --> Trusted Sites). If it is, click Custom Level... and make sure Automatic logon with current username and password is selected.

  • Verify that DNS is configured correctly for the Metastorm server, i.e., that the correct mapping exists between the IP address and the machine name. Flush the DNS cache. If the issue continues, proceed with the next three items.

  • Windows 2000, XP, and Server 2003 web clients can attempt to use the Kerberos authentication mechanism when IIS offers them the "Negotiate" option. If IIS is not configured correctly, the client's credentials can be rejected during certain e-Work operations. The user sees this as the client requesting Windows credentials not for the web server's DNS name but for its SPN (e.g. MYSERVER.MYDOMAIN.COM rather than MYSERVER).

  • The following Microsoft documents should help in resolving this issue:

    1. IIS 6 Security
    2. HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.
    3. IIS 6 Resource Kit
  • As a fallback option, it is possible to configure the web server to request NTLM authentication only. This can be done as follows:

    1. Open a command prompt
    2. Navigate to C:\InetPub\AdminScripts
    3. Enter the following: cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
  • All clients should now authenticate using the NTLM protocol, because IIS no longer offers "Negotiate" and Kerberos is not attempted. For more information see How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication.
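A client-side check that ties the steps above together, added here as an example (it is not Metastorm's or Microsoft's code): it sends one unauthenticated request, reads which schemes IIS offers in its 401 challenge (Negotiate versus NTLM only), and verifies that the server's forward and reverse DNS mappings agree. The server URL and host names are constructed placeholders.

```python
# Client-side check for the symptoms above (added example; not Metastorm's or
# Microsoft's code). Server URL and host names are constructed placeholders.
import socket
import urllib.error
import urllib.request


def offered_auth_schemes(www_authenticate_values):
    """Return the scheme names IIS advertises in a 401 challenge.

    IIS sends one WWW-Authenticate header per provider ('Negotiate', 'NTLM');
    later legs append a token ('Negotiate <base64>'), so keep the first word.
    """
    return {v.strip().split()[0] for v in www_authenticate_values if v.strip()}


def describe_challenge(schemes):
    """Relate the advertised schemes to the behaviours the article describes."""
    if "Negotiate" in schemes:
        return ("Negotiate offered: Windows clients may attempt Kerberos; an SPN "
                "or DNS mismatch shows up as a prompt for the server's SPN name")
    if "NTLM" in schemes:
        return "NTLM only: the adsutil.vbs fallback is in effect; Kerberos is never tried"
    return "no integrated Windows scheme offered: check IIS authentication settings"


def dns_mapping_consistent(hostname, forward=socket.gethostbyname,
                           reverse=socket.gethostbyaddr):
    """Forward-resolve hostname, reverse-resolve the IP, and check the names agree.
    The resolvers are injectable so the check can be exercised offline."""
    ip = forward(hostname)
    primary, aliases, _ = reverse(ip)
    short = hostname.lower().split(".")[0]
    names = {primary.lower(), *(a.lower() for a in aliases)}
    return any(n == hostname.lower() or n.split(".")[0] == short for n in names)


def probe(url):
    """Send one unauthenticated request; return the schemes in the 401 reply."""
    try:
        urllib.request.urlopen(urllib.request.Request(url), timeout=10)
        return set()  # no challenge at all: anonymous access is enabled
    except urllib.error.HTTPError as err:
        if err.code != 401:
            raise
        return offered_auth_schemes(err.headers.get_all("WWW-Authenticate") or [])


if __name__ == "__main__":  # placeholder host/URL, not a real server
    print("DNS consistent:", dns_mapping_consistent("MYSERVER.MYDOMAIN.COM"))
    print(describe_challenge(probe("http://MYSERVER.MYDOMAIN.COM/")))
```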
