Troubleshooting Checklist:
- LDAPS Port: If NTLM authentication uses LDAPS (port 636 or 3269), ensure the "Secure connection: Use LDAPS" checkbox is selected. The configuration in under.
- Domain Join: Verify the endpoint is joined to the AD domain. Run the following command on the client machine. Ensure Device state > DomainJoined is YES.
    dsregcmd /status
- Client Settings: Ensure that the setting "On the client computer, allow automatic logon in Intranet zone by adding the FQDN of the authentication proxy to your Intranet" is configured on the client machine. Refer to step 5 of the OLH topic "Configuring the Active Directory server for Kerberos or NTLM single sign-on".
- AD Settings: Verify the following modifications:
  - Domain controller: LDAP server signing requirements
  - Domain controller: LDAP server channel binding token requirements
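The checks in this list can be collected with a short PowerShell script. This is an added example, not part of the product documentation. The domain controller name is a placeholder, and the registry value names are the ones Windows uses to back the two "Domain controller: LDAP server ..." policies. The script only reports the values, because the checklist does not state which settings the product requires.

```powershell
param(
    [string]$DomainController = 'dc01.example.com',  # placeholder: replace with your DC FQDN
    [int[]]$LdapsPorts = @(636, 3269)                # LDAPS ports named in the checklist
)

function Get-DomainJoinState {
    # Client-side check: parse "DomainJoined : YES|NO" from the Device State section.
    $m = dsregcmd /status |
        Select-String -Pattern '^\s*DomainJoined\s*:\s*(\S+)' |
        Select-Object -First 1
    if (-not $m) { return 'UNKNOWN' }
    return $m.Matches[0].Groups[1].Value
}

function Test-LdapsPort {
    # Reports whether each LDAPS port on the domain controller accepts a TCP connection.
    param([string]$Server, [int[]]$Ports)
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $Server -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Server = $Server; Port = $p; Reachable = $r.TcpTestSucceeded }
    }
}

function Get-LdapPolicyValues {
    # Run on the domain controller. Empty fields mean the value is not set explicitly.
    # LDAPServerIntegrity: 1 = None, 2 = Require signing
    # LdapEnforceChannelBinding: 0 = Never, 1 = When supported, 2 = Always
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LDAPServerIntegrity       = $props.LDAPServerIntegrity
        LdapEnforceChannelBinding = $props.LdapEnforceChannelBinding
    }
}

"DomainJoined: $(Get-DomainJoinState)"
Test-LdapsPort -Server $DomainController -Ports $LdapsPorts | Format-Table -AutoSize
Get-LdapPolicyValues | Format-List
```

Run the domain-join check on the client and `Get-LdapPolicyValues` on the domain controller; on a machine that is not a domain controller the registry key is absent and both fields come back empty.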
