Gaia, Windows, Windows 10, Windows 7, Windows 8, Windows 8.1
Identity Awareness Agent does not authenticate via Kerberos SSO from RAS or branch offices.
Kerberos works as long as the client is connected to the LAN.
If traffic is allowed only via an Access Role, authentication does not work.
After running into a timeout, the Identity Awareness Agent displays a message box and asks for credentials. This login works fine.
To obtain a Kerberos ticket, the client needs access to the Domain Controllers via a rule without an Access Role. Only then can the Identity Awareness Agent use this ticket to authenticate to the gateway.
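
A client-side check for the cause described above, as an added example that is not part of the original article: it looks up the domain's Kerberos SRV records and tests whether each Domain Controller answers on the Kerberos port from the current network location. It assumes a domain-joined client on Windows 8.1 or later (for `Resolve-DnsName` and `Test-NetConnection`); the variable names are illustrative.

```powershell
# Added example, not from the original article. Run on the affected client
# while it is connected from RAS or the branch office.
$domain = $env:USERDNSDOMAIN   # AD DNS domain of the logged-on user
if (-not $domain) { throw 'USERDNSDOMAIN is empty: not a domain logon session.' }

# Domain Controllers register their KDC service as _kerberos._tcp.<domain>.
try {
    $kdcs = Resolve-DnsName -Name "_kerberos._tcp.$domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.NameTarget }   # keep SRV answers, drop additional A/AAAA records
} catch {
    throw "SRV lookup for $domain failed: $($_.Exception.Message)"
}

# Kerberos uses port 88; this tests TCP only (UDP 88 is not probed).
$results = foreach ($kdc in $kdcs) {
    $probe = Test-NetConnection -ComputerName $kdc.NameTarget -Port $kdc.Port `
        -WarningAction SilentlyContinue
    [pscustomobject]@{
        DomainController = $kdc.NameTarget
        Port             = $kdc.Port
        Reachable        = $probe.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# A TGT listed here may have been cached while the client was still on the LAN.
$hasTgt = [bool](klist | Select-String -SimpleMatch 'krbtgt/')
"Kerberos TGT in ticket cache: $hasTgt"

if (-not ($results | Where-Object Reachable)) {
    'No Domain Controller is reachable on the Kerberos port from this location.'
    'Per the article: allow this client to reach the Domain Controllers via a rule without an Access Role.'
}
```

If every Domain Controller shows `Reachable = False` from RAS or the branch office but `True` on the LAN, the rule base matches the situation this article describes.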