Win2K3, IIS6, and IE6 - Can't get IWA/NTLM to work

Hi,

I have a Win2K3 Server with IIS6 on it. In the Default website, I have a directory (/iwaprotected) with just a default.asp in it. The machine is a member of domain "whatever.com".

When I use IE6 (on the same physical machine) to connect to http://<FQDN_of_my_server>/iwaprotected/default.asp, I get a popup login window.

However, when I try to login using a valid user (e.g., "whatever\testuser" or "testu***@whatever.com") and password, the popup just re-displays. After 3 times, I get a 401.1 error.

I know that the username/password are valid, because I can login to the Windows domain using them.

I've tried this with the "Enable Integrated Windows Authentication" checkbox in IE6 both checked and unchecked, with the same results.

I've also accessed the same website from another machine using the same FQDN, and get the same behavior.

Does anyone have any idea about why this might be happening? Is there something that might prevent IE6 from being able to pass the user's credentials?

Thanks,
Jim

Hi,
Does the user actually have permissions to the content? E.g. is the Domain Users group assigned at least Read permissions on the content of the website? IIS will always honor NTFS permissions.

For Integrated authentication to work, the site must be in the Local Intranet zone. A site entered in the format http://<FQDN_of_my_server>/ would by default be in the Internet zone and not in the Intranet zone - and Integrated authentication will not work.

--
Mike
Microsoft MVP - Windows Security

"ohaya" <oh***@cox.net> wrote in message news:%23NV019AGHHA.3616@TK2MSFTNGP02.phx.gbl...
> Hi,
>
> I have a Win2K3 Server with IIS6 on it. In the Default website, I have a
> directory (/iwaprotected) with just a default.asp in it. The machine is a
> member of domain "whatever.com".
>
> When I use IE6 (on the same physical machine) to connect to
> http://<FQDN_of_my_server>/iwaprotected/default.asp, I get a popup login
> window.
>
> However, when I try to login using a valid user (e.g., "whatever\testuser"
> or "testu***@whatever.com") and password, the popup just re-displays.
> After 3 times, I get an 401.1 error.
>
> I know that the username/password are valid, because I can login to the
> Windows domain using them.
>
> I've tried this with "Enable Integrated Windows Authentication" checkbox
> in IE6 both checked and unchecked, with same results.
>
> I've also accessed the same website from another machine using the same
> FQDN, and get the same behavior
>
> Does anyone have any idea about why this might be happening? Is there
> something that might prevent IE6 from being able to pass the user's
> credentials?
>
> Thanks,
> Jim

Hi,
Comments interspersed...

Miha Pihler [MVP] wrote:
> Hi,
>
> Does user actually have permissions to the content? E.g. is Domain Users
> group assigned at least Read permissions on the content of the website? IIS
> will always honor NTFS permissions.

I will have someone check the above.

For comparison, I have another, separate test configuration consisting of a DC, and a server that is a member of that other domain, and where IWA works on my test page. When I click Properties->Security tab on the test directory and page, it shows that Administrators, IIS_WPG, SYSTEM, and Users (machinename\Users) have Read permissions, i.e., Domain Users is not shown. On this system (the one where IWA works), when I look in Local Users and Groups, it looks like "Domain Users" is a member of "Users".

> For Integrated authentication to work, site must be in Local Intranet zone.
> Site entered in format http://<FQDN_of_my_server>/ would by default be in
> Internet zone and not in Intranet zone - and Integrated authentication will
> not work.

When I access the site in the environment where IWA is not working, "Internet" is showing up in the lower-right of IE6.

I've seen the above comment before, but in the 2nd environment that I mentioned above, where IWA *is* working, the only sites in Intranet are http://localhost, hcp://system, and https://localhost, and I did not have to add the site to "Intranet", so I'm puzzled about this point?

Jim

Hi,
Any URL that is in the format:

http://servername or https://servername

is in the Local Intranet zone by default.

URLs in the format:

http://server.domain.com or http://10.10.10.10 are in the Internet zone by default, and in this case Integrated auth. will not work ...

--
Mike
Microsoft MVP - Windows Security

> Miha Pihler [MVP] wrote:
>> Hi,
>>
>> Does user actually have permissions to the content? E.g. is Domain Users
>> group assigned at least Read permissions on the content of the website?
>> IIS will always honor NTFS permissions.
>
> I will have someone check the above.
>
> For comparison, I have another, separate test configuration consisting of
> a DC, and a server that is a member of that other domain, and where IWA
> works on my test page. When I click Properties->Security tab on the test
> directory and page, it shows that Administrators, IIS_WPG, SYSTEM, and
> Users(machinename\Users) have Read permissions, i.e., Domain Users is not
> shown. On this system (the one where IWA works), when I look in Local
> Users and Groups, it looks like "Domain Users" is a member of "Users".
>
>> For Integrated authentication to work, site must be in Local Intranet
>> zone. Site entered in format http://<FQDN_of_my_server>/ would by default
>> be in Internet zone and not in Intranet zone - and Integrated
>> authentication will not work.
>
> When I access the site in the environment where IWA is not working,
> "Internet" is showing up in the lower-right of IE6.
>
> I've seen the above comment before, but in the 2nd environment that I
> mentioned above, where IWA *is* working, the only sites in Intranet are
> http://localhost, hcp://system, and https://localhost, and I did not have
> to add the site to "Intranet", so I'm puzzled about this point?

Hi,
I'm not meaning to disagree, but on the test environment that I have where IWA works, I can use FQDN hostnames in the URLs, and IWA works.

I still haven't figured out why IWA doesn't work on that other environment :(...

Still waiting for someone on-site to check the Local Security settings...

Jim

Miha Pihler [MVP] wrote:
> Hi,
>
> Any url that is in format:
>
> http://servername or https://servername
>
> is in local intranet zone by default.
>
> Urls in format:
>
> http://server.domain.com or http://10.10.10.10 are in Internet zone by
> default and in this case Integrated auth. will not work ...

I am saying what is by default. This can be changed (not recommended) in the browser settings...

Again, you can use an FQDN with IWA, but you have to add the URL to the Local Intranet zone... (by default)

--
Mike
Microsoft MVP - Windows Security

"ohaya" <oh***@cox.net> wrote in message news:esCF$$MGHHA.536@TK2MSFTNGP02.phx.gbl...
> Hi,
>
> I'm not meaning to disagree, but on the test environment that I have where
> IWA works, I can use FQDN hostnames in the URLs, and IWA works.
>
> I still haven't figured out why IWA doesn't work on that other environment
> :(...
>
> Still waiting for someone on-site to check the Local Security settings...
>
> Jim
>
> Miha Pihler [MVP] wrote:
>> Hi,
>>
>> Any url that is in format:
>>
>> http://servername or https://servername
>>
>> is in local intranet zone by default.
>>
>> Urls in format:
>>
>> http://server.domain.com or http://10.10.10.10 are in Internet zone by
>> default and in this case Integrated auth. will not work ...
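The two checks the replies above keep coming back to (which IE zone the FQDN lands in, and whether the content folder grants Read to the user's groups), as an added example that is not code from any poster in this thread. It does what the Internet Options dialog does when you add a site to Local Intranet (writes the per-user ZoneMap registry mapping), reads back which zone a URL will be placed in, and inspects the NTFS ACL on the content directory. It assumes PowerShell 2.0 or later on the IE client, the hypothetical FQDN server.whatever.com, the hypothetical content path C:\inetpub\wwwroot\iwaprotected, and WHATEVER as the domain's short name.

```powershell
# Added example for this thread, not code from any poster. Assumes PowerShell
# 2.0+, the hypothetical FQDN server.whatever.com, the hypothetical path
# C:\inetpub\wwwroot\iwaprotected and the domain short name WHATEVER.
# Run it as the user who will browse the site (ZoneMap lives under HKCU).

$ZoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
# Zone numbers IE stores in ZoneMap: 1 = Local intranet, 3 = Internet.
$LocalIntranetZone = 1
$InternetZone = 3

function Get-ZoneMapKey {
    # ZoneMap keys hostnames as <root>\<parent domain>\<host label>; a
    # single-label name sits directly under <root>. IP literals are stored
    # under ZoneMap\Ranges instead and are not handled here.
    param([string] $Root, [string] $HostName)
    $labels = $HostName.Split('.')
    if ($labels.Count -eq 1) { return "$ZoneMapRoot\$Root\$HostName" }
    $parent = ($labels | Select-Object -Skip 1) -join '.'
    return "$ZoneMapRoot\$Root\$parent\$($labels[0])"
}

function Add-IntranetSite {
    param(
        [Parameter(Mandatory=$true)] [string] $Fqdn,
        [string[]] $Schemes = @('http', 'https')
    )
    # The scheme is the value name and the zone number is the DWORD data.
    # When IE Enhanced Security Configuration is on (the Win2K3 default for
    # administrators) IE consults EscDomains rather than Domains, so the
    # mapping is written under both keys.
    foreach ($root in 'Domains', 'EscDomains') {
        $key = Get-ZoneMapKey -Root $root -HostName $Fqdn
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($scheme in $Schemes) {
            New-ItemProperty -Path $key -Name $scheme -PropertyType DWord `
                -Value $LocalIntranetZone -Force | Out-Null
        }
    }
}

function Get-SiteZone {
    # Returns the explicit ZoneMap\Domains mapping if one exists; otherwise
    # applies IE's default rule from the thread: dotted names (and IP
    # literals) are Internet, plain NetBIOS-style names are Local intranet.
    param([Parameter(Mandatory=$true)] [string] $Fqdn, [string] $Scheme = 'http')
    $key = Get-ZoneMapKey -Root 'Domains' -HostName $Fqdn
    if (Test-Path $key) {
        $prop = Get-ItemProperty -Path $key -Name $Scheme -ErrorAction SilentlyContinue
        if ($prop) { return [int] $prop.$Scheme }
    }
    if ($Fqdn -match '\.') { return $InternetZone } else { return $LocalIntranetZone }
}

function Test-ContentReadAccess {
    # IIS impersonates the authenticated user, so the NTFS ACL must allow at
    # least Read (checked here as the ReadAndExecute bits) to the user or to
    # one of the groups it belongs to.
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [string[]] $Identities = @('BUILTIN\Users', 'WHATEVER\Domain Users')
    )
    $acl = Get-Acl -Path $Path
    $readMask = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    foreach ($id in $Identities) {
        $allow = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $id -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $readMask) -eq $readMask)
        }
        New-Object PSObject -Property @{ Identity = $id; ReadAllowed = [bool] $allow }
    }
}

# Usage (hypothetical names from the assumptions above)
Add-IntranetSite -Fqdn 'server.whatever.com'
Get-SiteZone -Fqdn 'server.whatever.com'     # 1 once the mapping is written, 3 before
Test-ContentReadAccess -Path 'C:\inetpub\wwwroot\iwaprotected' | Format-Table -AutoSize
net localgroup Users | Select-String 'Domain Users'   # is Domain Users nested in local Users?
```

The HKCU mapping only affects the user who ran it; for every client in the domain the same effect comes from the Group Policy setting "Site to Zone Assignment List" with the FQDN assigned the value 1 (Local intranet). After the mapping, IE's status bar should read "Local intranet" for the URL and Integrated authentication will send the logged-on user's credentials without the prompt. The thread leaves the 401.1 loop unresolved, so these are checks for the two causes the replies name, not a confirmed fix.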