problem access iis 6

Dear friends,

We have an IIS 6.0 on a w200 member server in our domain; we also have sql2005 on the same computer. We deployed a BI solution (integration, analysis and reporting services); reporting services uses IIS as a frontend.

The problem is the following: I have integrated authentication selected in the default site (it is the site used to access the reports folder). When clients access the site via NetBIOS name they don't get prompted for authentication, and work in the reports they have permissions for. When users use the FQDN of the machine they get prompted for credentials; they use their domain account and use the resources they have access to.

I checked setspn for the principal names registered in Kerberos and all seems OK:

Registered ServicePrincipalNames for CN=COMPUTER,CN=Computers,DC=DOMAIN,DC=ORG:
    HTTP/computer.domain.org
    HOST/computer
    HOST/computer.domain.org

I can't understand why, if I use computer/reports, it uses integrated authentication, and when I use computer.domain.org/reports it prompts. A Kerberos issue??

--
information is like sex if good is fantastic if not.... oh... better than nuthin'

jason wrote on Thu, 12 Feb 2009 09:01:01 -0800:

> I can't understand why, if I use computer/reports, it uses integrated
> authentication, and when I use computer.domain.org/reports it prompts.
> A Kerberos issue??

It's an IE security feature - you would need to get your users to put http://computer.domain.org into their Trusted Sites zone for IE to automatically use integrated auth without prompting. If the FQDN contains a . then it will prompt, if it doesn't then it won't.

--
Dan

Dan,

No way, I tried to put the FQDN of the computer in trusted sites and it continues to prompt for authentication (if I put in the right credentials I can access). I also changed the app pool user to localsystem (more security privileges). I also used authdiag and all seems correct. If I use the IP or the NetBIOS name all goes well.

Any help?

Hi Jason,

Trust site zone shouldn't work. You have to add the site to Local Intranet zone. IE will automatically perform integrated Windows authentication with IIS only in case the site is in the local intranet zone, or if you access it with http://servername, which is considered a local site.

All the details can be found in the article below:

Internet Explorer May Prompt You for a Password
http://support.microsoft.com/?id=258063

Let me know if there is any further issue. Have a nice day.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and suggestions about how we can improve the support we provide to you. Please feel free to let my manager know what you think of the level of service provided. You can send feedback directly to my manager at: msd***@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support Engineer within 2 business day is acceptable. Please note that each follow up response may take approximately 2 business days as the support professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations that require urgent, real-time or phone-based interactions. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Hi Jason,

Any update on this issue? If the problem still persists, please don't hesitate to update here. We are glad to help further.

Have a nice weekend.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

Dear WenJun,

I added the site to the intranet zone and the problem is gone. Thanks a lot!

You are welcome Jason.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

jason wrote on Mon, 16 Feb 2009 04:12:01 -0800:

>> It's an IE security feature - you would need to get your users to put
>> http://computer.domain.org into their Trusted Sites zone for IE to
>> automatically use integrated auth without prompting.

Oops, I should have written Intranet Zone. I see WenJun gave you the correct answer. Unfortunately I had no newsgroup access last week so couldn't post a reply earlier.

--
Dan
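
The zone rule from WenJun's answer can be checked per user in the registry. The script below is an added example, not code from the thread: it reports which IE security zone a host name maps to and that zone's logon setting (value 1A00), and with -Apply maps the host to Local intranet. Assumptions: the host name is the thread's placeholder, only the current user's HKCU ZoneMap is read (not Group Policy or Enhanced Security Configuration), and an unmapped dotted name is treated as Internet zone, ignoring proxy-bypass and automatic intranet detection.

```powershell
# Added example (not from the thread): report the IE zone a host maps to for the
# current user and, with -Apply, map it to Local intranet (zone 1).
param(
    [string]$HostName = 'computer.domain.org',   # placeholder host from the thread
    [string]$Scheme   = 'http',
    [switch]$Apply                                # without -Apply the script only reports
)
$IS        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$Logon     = @{ 0x00000 = 'automatic logon with current user name and password'
                0x10000 = 'prompt for user name and password'
                0x20000 = 'automatic logon only in Intranet zone'
                0x30000 = 'anonymous logon' }

function Get-ZoneMapKey([string]$Name) {
    # ZoneMap stores computer.domain.org as Domains\domain.org\computer
    $labels = $Name.Split('.')
    if ($labels.Count -lt 3) { return "$IS\ZoneMap\Domains\$Name" }
    $domain = $labels[-2..-1] -join '.'
    $sub    = $labels[0..($labels.Count - 3)] -join '.'
    "$IS\ZoneMap\Domains\$domain\$sub"
}

function Get-MappedZone([string]$Name, [string]$Scheme) {
    if ($Name -notmatch '\.') { return 1 }        # dotless name: treated as a local site
    $hostKey = Get-ZoneMapKey $Name
    foreach ($key in $hostKey, (Split-Path $hostKey -Parent)) {   # host entry, then domain entry
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($v in $Scheme, '*') {            # scheme-specific value, then wildcard
            $p = $props.PSObject.Properties[$v]
            if ($p) { return [int]$p.Value }
        }
    }
    3   # assumption: an unmapped dotted name lands in the Internet zone
}

$zone = Get-MappedZone $HostName $Scheme
$raw  = (Get-ItemProperty "$IS\Zones\$zone" -ErrorAction SilentlyContinue).'1A00'
$mode = if ($null -eq $raw) { 'not set for this user' } else { $Logon[[int]$raw] }
"{0} -> zone {1} ({2}); logon setting: {3}" -f $HostName, $zone, $ZoneNames[$zone], $mode

if ($Apply -and $zone -ne 1) {
    $key = Get-ZoneMapKey $HostName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Scheme -Value 1 -PropertyType DWord -Force | Out-Null
    "Mapped ${Scheme}://$HostName to Local intranet for the current user."
}
```

A host in the Local intranet zone receives the user's Windows credentials without a prompt, so map the single server name rather than a whole domain.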