Unable to log on to an Ivanti Management Portal

Version 3

    Problem

    Consider the following scenario:
    • Microsoft Internet Explorer is used.
    • One of the management portals of the following products or components is opened.
      • Ivanti Automation
      • Ivanti Identity Director
      • Ivanti Workspace Control
      • Ivanti Identity Broker
      • RES Reporting
    • The management portal is authenticated by the Ivanti Identity Broker using Windows Authentication.
    In this scenario, a credential dialog box from the browser is shown. Although the correct credentials are entered, access is not granted.
    When Ivanti Identity Broker is used and the certificate is trusted by the browser, no popups should be shown.

     

    Cause

    Automatic logon is not allowed by the Security Settings of Microsoft Internet Explorer.

    Except at the High and Low security levels, the default setting is Automatic logon only in Intranet zone.
    The zone that is being used for a site can be verified in the properties of the page in Internet Explorer by pressing <Alt> and choosing File > Properties.


    On the IIS server where the WinAuth component is installed, there are additional security mechanisms preventing automatic logon as well.
    • Built-in administrator groups cannot be resolved. This also applies to the group Domain Admins.
    • Loopback check security feature.

    Solution

    Configure automatic logon in Security Settings by using one of these options.
    • Add the site to the Local Intranet zone under the Security tab of Internet Options and make sure that the default settings are used.
    • Change the security setting User Authentication > Logon to Automatic logon with current user name and password for the Internet zone.
    The following configuration needs to be in place to use a management portal with Microsoft Internet Explorer on the IIS server where the WinAuth component is installed.
    • Configure a custom AD group in Groups with Management Portal Access in the Settings section of the Ivanti Identity Broker management portal.
    • Configure the registry entry BackConnectionHostNames to exempt the site's host name from the loopback check security feature.
    Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
    Value: BackConnectionHostNames
    Type: REG_MULTI_SZ
    Data: <FQDN of the SiteName, followed by Enter>
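
    One way to apply the BackConnectionHostNames entry above without overwriting host names already stored in the value, as an added PowerShell example (not Ivanti's or Microsoft's own script). The function name Add-BackConnectionHostName and the host name portal.example.test are assumptions made for illustration.

```powershell
# Added example: idempotently add a host name to BackConnectionHostNames.
# Run from an elevated session on the IIS server that hosts the WinAuth component.

function Add-BackConnectionHostName {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Must be a fully qualified name; single-label names are rejected.
        [Parameter(Mandatory)]
        [ValidatePattern('^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$')]
        [string]$HostName
    )

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $name = 'BackConnectionHostNames'

    # Read the current REG_MULTI_SZ data. The value may not exist yet, so
    # wrap the pipeline in @() to always get an array (possibly empty).
    $existing = @(
        (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name |
            Where-Object { $_ }
    )

    # -contains compares strings case-insensitively, like DNS names.
    if ($existing -contains $HostName) {
        Write-Verbose "$HostName is already listed; nothing to change."
        return $existing
    }

    # Merge instead of replace so entries added for other sites survive.
    [string[]]$updated = $existing + $HostName

    if ($PSCmdlet.ShouldProcess("$key\$name", "Add $HostName")) {
        New-ItemProperty -Path $key -Name $name -PropertyType MultiString `
            -Value $updated -Force | Out-Null
    }
    return $updated
}

# Constructed placeholder; replace with the FQDN of the portal site.
$PortalFqdn = 'portal.example.test'

# -WhatIf shows the change without writing it; remove it to apply.
Add-BackConnectionHostName -HostName $PortalFqdn -WhatIf
```

    The function returns the list of host names the value holds (or would hold, under -WhatIf), which can be compared against the sites that are expected to be exempted on that server.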

    Source:

    https://support.microsoft.com/en-us/help/896861/you-receive-error-401.1-when-you-browse-a-web-site-that-uses-integrated-authentication-and-is-hosted-on-iis-5.1-or-a-later-version