You may refer to the links below for details. This doc is a step-by-step guide on how to configure Workspaces (BridgeIT) to log on with the Token only policy.
Server YONG161en has joined a domain called bjsupportdomain:
By default, BridgeIT uses the Explicit only logon policy. If you do not want to use it, you may delete it. In this example, I delete the default BridgeIT.
Create a new Framework called servicedesk.Framework2.
Choose Logon Policy: Token only
The user credentials used to log in to STS should be those of a Windows Administrator account on the server hosting STS.
Make sure the Test STS Connection result is Succeeded.
Check the check box below "Create linked BridgeIT instance".
Open the new application called BridgeIT and it should look like:
If you decide to create the BridgeIT manually instead of checking "Create linked BridgeIT instance", you may create a new BridgeIT application, and it should look exactly the same as the automatically generated one.
Open Console and set a user called eric_en with Network Logins: bjsupportdomain\administrator
Log in to BridgeIT with the predefined Network Login credentials and the Token only policy to confirm it works.
1. You may not be able to log in to Workspace with sa if you use the Token only logon policy. You may get the error below:
2. Please make sure the STS Authentication looks like below:
Anonymous Authentication: Disabled
Windows Authentication: Enabled
The BridgeIT, Framework, Framework2, WebAccess Authentication should look like below:
Anonymous Authentication: Enabled
Windows Authentication: Disabled
3. Check that the "LogonPolicy" and "StsIssueTokenUrl" values in tps.config are correct. They should be located:
4. For more detailed troubleshooting logs, you may refer to this doc: Diagnostic logging using Configuration Center
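
The authentication settings in troubleshooting item 2 can also be checked from an elevated PowerShell prompt on the web server instead of clicking through IIS Manager. The script below is an added example, not part of the original guide or the product. It assumes the IIS site is named "Default Web Site" and that the applications are named after the guide's short names (STS, BridgeIT, Framework, Framework2, WebAccess); replace both with the names shown in IIS Manager.

```powershell
# Added example (not from the original guide): compare each application's IIS
# authentication settings with the values listed in troubleshooting item 2.
# Assumptions: the site name and the application names are placeholders taken
# from the guide's short names; use the names shown in IIS Manager instead.
Import-Module WebAdministration

$site = 'Default Web Site'   # assumed IIS site name

# Expected state: only STS uses Windows Authentication; the rest are anonymous.
$expected = @(
    @{ App = 'STS';        Anonymous = $false; Windows = $true  }
    @{ App = 'BridgeIT';   Anonymous = $true;  Windows = $false }
    @{ App = 'Framework';  Anonymous = $true;  Windows = $false }
    @{ App = 'Framework2'; Anonymous = $true;  Windows = $false }
    @{ App = 'WebAccess';  Anonymous = $true;  Windows = $false }
)

function Get-AuthEnabled {
    param([string]$Path, [string]$Scheme)
    $filter = "system.webServer/security/authentication/$Scheme"
    # Returns the effective 'enabled' value for the scheme at this application.
    [bool](Get-WebConfigurationProperty -PSPath $Path -Filter $filter -Name 'enabled').Value
}

$results = foreach ($e in $expected) {
    $path = "IIS:\Sites\$site\$($e.App)"
    if (-not (Test-Path $path)) {
        Write-Warning "Application not found: $path"
        continue
    }
    $anon = Get-AuthEnabled -Path $path -Scheme 'anonymousAuthentication'
    $win  = Get-AuthEnabled -Path $path -Scheme 'windowsAuthentication'
    [pscustomobject]@{
        Application = $e.App
        Anonymous   = $anon
        Windows     = $win
        AsExpected  = ($anon -eq $e.Anonymous) -and ($win -eq $e.Windows)
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.AsExpected }) {
    Write-Warning 'At least one application differs from the settings in item 2.'
}
```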