On-call subscription not working with AD accountsIssue Whenever an AD account user is trying to access the subscribe link received from the subscription email, when they click on it and enter the AD account credentials instance keeps on asking for credentials and does not download the calendar invite. Navigate to "My Group schedules" under "On-Call Scheduling"Open the list scheduled groupsClick on the "Send Subscriptions" UI actionFrom On-Call calendar subscription email click on the "Subscription" link, asking credentials popup will appear and after providing the AD credentials still asking the credentials and not downloading calendar xml file.ReleaseAll the releases starting from London.CauseWhen we click on subscription URL from the On-Call calendar subscription email preview HTML , there is an API call that is being made when the popup shows up.API call would look something like below. "/api/now/on_call_rota/rotaUserICalendar/11e7bd5adb0a7f00e75d4672399619e7/5f3c836bdb3784d0d11ac19115961959/555accfb1b74c0106fdf7510cd4bcb8e" when the popup is displayed.Resolution Below error messages can be seen from the instance app node logs after providing the AD credentials in the popup with response_code=401. �2020-04-12 22:19:07 (653) Default-thread-4 SYSTEM txid=fa968fc3db00 WARNING *** WARNING *** LDAP: LDAP Auth through MID server is not supported!2020-04-12 22:19:07 (692) Default-thread-4 SYSTEM txid=fa968fc3db00 Logging event: SNC.Auth.LDAP.Login.Failed with parm1: user_name=xyz and parm2: ldapconfigsysid=879256771bec3f006fdf7510cd4bcbea,remoteAddr=157.46.230.1412020-04-12 22:19:07 (692) Default-thread-4 SYSTEM txid=fa968fc3db00 *** Script: Basic authentication failed for user: xyz2020-04-12 22:19:07 (693) Default-thread-4 SYSTEM txid=fa968fc3db00 WARNING *** WARNING *** Failed authorization by script include 'BasicAuth'2020-04-12 22:19:07 (694) Default-thread-4 SYSTEM txid=fa968fc3db00 #700809 [REST API] RESTAPIProcessor : User Not Authenticated2020-04-12 22:19:07 (694) Default-thread-4 SYSTEM txid=fa968fc3db00 DEBUG: Session inactivity timeout changed for unauthorized session. Inactive_interval=300 seconds2020-04-12 22:19:07 (694) Default-thread-4 SYSTEM txid=fa968fc3db00 *** End #700809 /api/now/on_call_rota/rotaUserICalendar/11e7bd5adb0a7f00e75d4672399619e7/5f3c836bdb3784d0d11ac19115961959/555accfb1b74c0106fdf7510cd4bcb8e, user: guest, total time: 0:00:00.000, processing time: 0:00:00.000, SQL time: 0:00:00.020 (count: 24), business rule: 0:00:00.000 (count: 2), source: 157.46.230.141 , type:rest, method:null, api_name:null, resource:null, version:null, user_id:5136503cc611227c0183e96598c4f706, response_status:401 This API call only supports basic authentication. If SSO is in use, basic authentication is still required to subscribe with the URL.We can confirm that this is expected behavior. Please see the below details. ServiceNow documentation (Configure and send on-call calendar subscription URL) mentions that "The subscription URL supports basic authentication. This means that the end user must provide their instance credentials to authenticate themselves to view their on-call events. Currently, only the Calendar application on Mac OS X 8.0 onwards and the Outlook application on Windows 2013 onwards support basic authentication for calendar subscriptions. If SSO is in use, basic authentication is still required to subscribe with the URL." Doc URL: Here. Therefore, even if SSO is in use, the end-users must provide their instance credentials to authenticate themselves to view their on-call events.