You may see issues where a user tries to browse, but they are presented with an authentication pop up within the browser. 




If you see this, then there are a number of things you can do to troubleshoot.


Please ensure you try all the steps until you find the one that resolves your issue. If you still have an issue after checking all the steps, then please contact technical support


  • Ensure the time on your USS Gateway server is within 5 minutes of the time set on your Active Directory server. Even a second over 5 minutes can cause the prompt.
  • Ensure the timezone on your USS Gateway server matches the timezone set on your Active Directory.
  • In your browser proxy settings, if you are using AD Authentication then you need to ensure that you have the Fully Qualified Domain Name (FQDN) of your USS Gateway server set, rather than inputting the IP Address of the server. Please also ensure this is all inputted in lower case.
  • Ensure that your users have logged off and logged back in to windows at least once since you enabled AD Authentication. This is required so that the user can obtain a kerberos ticket from the domain controller (this ticket is what removes the prompt).
  • Go to your USS Gateway settings, navigate to the Authentication section and ensure that the connection to the domain is still successful by hitting the Test Domain button. Please also ensure keys are created


Please check the following steps if the issue is presenting itself for only a number of users rather than everyone


  • Ensure the user has logged out and logged back in to windows at least once since you enabled AD Authentication.
  • Ensure the users password has not expired or flagged to 'change on next logon' on the Active Directory
  • Run klist on command prompt on the users machine where it is not working and compare it to a klist output of a machine that is working.
  • Remove the user from the domain and rejoin the domain
  • A kerberos ticket could be cached on the users machine. Navigate to Control Panel -> User Accounts -> Credentials Manager -> Windows Credentials and if you see a ticket related to your USS Gateway hostname, delete that. The user will then need to log out and log back in to windows to attempt to pull down a new kerberos ticket
  • Try logging in as the failing user account on a different machine. If this works, it suggests a problem with the machine account in Active Directory.
  • In a system with multiple Domain Controllers, check to see if users are only being prompted for auth details if they are connecting via a particular DC - this may indicate an issue with the DC, rather than the domain account, eg a timing mismatch between the DC and the Censornet proxy.