OnReject Redirect does not work with Windows Authentication

Document ID : KB000004067
Last Modified Date : 14/02/2018
Issue:

We are observing a use case where unauthenticated users are getting a "Page cannot be displayed" error, instead of being redirected to the configured custom error page.

Scenario:
1. The user logs in to their desktop with their Windows domain credentials.
2. Next, the user accesses resources protected by the Windows Authentication Scheme.
3. This user does not exist in the user store, and as such cannot be authenticated.
4. This triggers an OnReject-Redirect response to redirect the user to a custom error page.
5. The user is supposed to be redirected to the error page but instead gets "Page cannot be displayed".

How can we solve this issue?

Resolution:

The IIS web server, not the Policy Server, performs authentication based on the credentials it receives from the Internet Explorer web browser. Therefore, you cannot use the OnAuthAttempt authentication event to redirect users who do not exist in the user store.

Additional Information:

Please refer to the Policy Server Configuration Guide for further information:

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/authentication-schemes/windows-authentication-schemes