Non-domain users were getting 401 Unauthorized error after login through RSSO (Kerberos with AR authentication in Chaining)

Version 1
    Share This:

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    Remedy Single Sign On


    APPLIES TO:

    RSSO 9.x, 18.x, 19.x



    PROBLEM:

    Kerberos was configured as primary authentication & AR was added in chaining mode. Customer was expecting that if user is not part of domain, it should authenticate via AR authentication.

    Domain users were able to login successfully through Kerberos but for non-domain users, It was throwing an error : 401 Unauthorized.

    Configured the browser with below steps which resolved issue on Firefox but still It was not working on IE Browser :
    https://docs.bmc.com/docs/rsso1908/kerberos-authentication-process-879743267.html#Kerberosauthenticationprocess-ConfiguringthebrowserConfiguringthebrowser


    CAUSE:

    Browser specific issue.


    SOLUTION:

    - We can't control browser related issues. That's why we introduced "Included IP Range(s)" field in RSSO settings for Kerberos in RSSO 19.02 & later versions.
    - You can specify a range of IP addresses. Only the clients whose IP address match with the IP addresses configured will be authenticated by Kerberos authentication.
    - All other requests coming from the IP addresses that are not configured in this field are passed on to the next IdP in the authentication chain.
    - Here is the document for the same :
      https://docs.bmc.com/docs/rsso1908/kerberos-authentication-process-879743267.html
    - If you are on older version of RSSO then you will have to upgrade to 19.02 or latest version to use this feature. 
     


    Article Number:

    000174992


    Article Type:

    Solutions to a Product Problem



      Looking for additional information?    Search BMC Support  or  Browse Knowledge Articles