Problem w/ Integrated Auth -- Receiving User/Pass dialog box against IIS6

"Trevor Seward" <n***@rottdog.com> wrote:

Strange issue:

We have a Mixed Mode, Windows 2003-based domain (still have NT4 BDCs).

Users that have read/list/execute permissions to a website are in a Global Group and that GG is given NTFS permissions to the site.

Integrated Auth is the only option checked on the site. Users, the client PCs (XP SP1), and the webserver (2003) are in the same domain.

When a user goes to the site, they are prompted for creds in the form of webservername\username. They shouldn't be receiving this, from what I know.

We have a policy that pushes *.domain.name to the "Local Intranet" zone. The webserver is webserver.domain.name and the machines are clientmachine.domain.name, so everything is in the same domain. Even when just using the NetBIOS name of the webserver, it prompts for creds (although it prompts them for webserver.domain.name).

Their machines are not on the same subnet.

On my machines, which are on the same subnet, when running IE as them or logging in as them, they are not prompted for creds. I can't find any difference in IE setups.

Enable Integrated Auth is checked on the Advanced tab.

I do have SPNs set for http/webserver and http/webserver.domain.name -- they may not be needed since they should be able to use host/webserver and host/webserver.domain.name. Let me know if those need to be removed.

Help! :)

Thanks,
Trevor


On 6/8/05 7:06 PM, "Ken Schaefer" <kenREM***@THISadOpenStatic.com> wrote:

The user will get the login dialogue box if either:

a) autologon in the Intranet zone is not configured (Tools -> Internet Options -> Security tab -> Local Intranet -> Automatic Logon only in Intranet zone). If this is not enabled, then auto logon will not be attempted.

b) the credentials that the browser is supplying to the server are not acceptable to the server for access to the resource in question. Use FileMon on the server to verify this.

Cheers
Ken


"Trevor Seward" <tre***@rottdog.com> wrote, in reply to Ken's 7:06 PM message:

We've tried both "auto logon only in intranet" (set by default) as well as auto logon using current user/pass. Neither worked.

The user accessing the site does have permissions, via a global group, to the site. The only very odd thing is that from their machine, they get prompted for creds (DHCP machines on a different subnet from the server), but from my machines, it passes creds like it should. My machines are static'ed and on the same subnet as the server.

AuthDiag does confirm that the user has permissions when running AuthDiag from the webserver itself.

Thanks,
Trevor


On 6/8/05 8:26 PM, "Ken Schaefer" <kenREM***@THISadOpenStatic.com> wrote:

Can you post the relevant logfile entries from the IIS log please?

Also, verify that the site is in the Intranet zone (by eyeballing the icon in IE -- maybe, for some reason, your GPO isn't taking effect on the remote machines).

Thanks

Cheers
Ken


On 6/8/05 9:59 PM, "Trevor Seward" <tre***@rottdog.com> wrote:

Yes, the display shows as being in the Intranet.

2005-06-09 04:55:10 192.168.0.100 GET /site - 80 - 192.168.1.50 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
2005-06-09 04:55:12 192.168.0.100 GET /site - 80 - 192.168.1.50 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 0
2005-06-09 04:55:12 192.168.0.100 GET /site - 80 - 192.168.1.50 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 2148074252
2005-06-09 04:55:16 192.168.0.100 GET /site - 80 - 192.168.1.50 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 0
2005-06-09 04:55:16 192.168.0.100 GET /site - 80 - 192.168.1.50 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 2148074252

Just so you know, there is no firewall or proxy in between the client and server -- it is just a VLAN.

On my machine, it shows IE attempting to use anonymous first, then goes back and uses the domain creds correctly.

Thanks,
Trevor


"Trevor Seward" <tre***@rottdog.com> wrote, following up on his 9:59 PM message:

Another thing to note is that I see the client attempting to authenticate to the server with servername\firstname. Our usernames are first initial, last name, so I don't understand where this is being "saved" at. The authentication package is also NTLM, not Negotiate/Kerberos.

Thanks


"Trevor Seward" <tre***@rottdog.com> wrote:

And another thing: from my machine, while logging on as the user, it does use Kerberos and not the NTLM package, according to the Security event log.

Ahhg!

Trevor


"Trevor Seward" <tre***@rottdog.com> wrote, in reply to the original post:

This is fixed. The client was not registering itself in DNS. After registering it, it did not ask for authentication.

Thanks,
Trevor
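The IIS log entries Trevor posted already pinpoint where the handshake failed. In IIS 6, sc-status 401 with sc-substatus 1 means "logon failed", substatus 2 means "logon failed due to server configuration", and substatus 3 means "unauthorized due to ACL on resource"; sc-win32-status carries the SSPI HRESULT as an unsigned decimal, so 2148074254 is 0x8009030E (SEC_E_NO_CREDENTIALS, the challenge step) and 2148074252 is 0x8009030C (SEC_E_LOGON_DENIED). The sequence challenge, intermediate leg, logon denied therefore says the credentials themselves were rejected, not the NTFS ACL, which matches the later observation that the client was offering servername\firstname over NTLM. The following script, an added example rather than anything from the thread, decodes such entries into the handshake step each one records; it assumes the default IIS 6 field order, since the posted excerpt has no `#Fields:` header, and the sample lines are copies of the posted ones.

```python
"""Decode IIS 6 W3C log entries from an Integrated (NTLM/Kerberos) handshake.

Added example, not code from the thread. The field order below is the IIS 6
default and is assumed, because the posted excerpt carries no '#Fields:' line.
"""
from typing import Dict

FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)",
    "sc-status", "sc-substatus", "sc-win32-status",
]

# IIS writes the SSPI HRESULT into sc-win32-status as an unsigned decimal.
SEC_E_LOGON_DENIED = 0x8009030C    # 2148074252 in the log
SEC_E_NO_CREDENTIALS = 0x8009030E  # 2148074254 in the log

# IIS 6 substatus codes seen together with a 401.
SUBSTATUS_401 = {
    1: "logon failed",
    2: "logon failed due to server configuration",
    3: "unauthorized due to ACL on resource",
}

# Constructed copy of the five entries posted in the thread.
SAMPLE_LOG = """\
2005-06-09 04:55:10 192.168.0.100 GET /site - 80 - 192.168.1.50 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
2005-06-09 04:55:12 192.168.0.100 GET /site - 80 - 192.168.1.50 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 0
2005-06-09 04:55:12 192.168.0.100 GET /site - 80 - 192.168.1.50 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 2148074252
2005-06-09 04:55:16 192.168.0.100 GET /site - 80 - 192.168.1.50 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 0
2005-06-09 04:55:16 192.168.0.100 GET /site - 80 - 192.168.1.50 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 2148074252
"""


def parse_entry(line: str) -> Dict[str, object]:
    """Split one W3C line into named fields; '-' marks an empty field."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    entry: Dict[str, object] = dict(zip(FIELDS, parts))
    for key in ("s-port", "sc-status", "sc-substatus", "sc-win32-status"):
        entry[key] = int(parts[FIELDS.index(key)])
    if entry["cs-username"] == "-":
        entry["cs-username"] = None
    return entry


def classify(entry: Dict[str, object]) -> str:
    """Map status/substatus/win32 status to the handshake step the entry records."""
    status, sub, w32 = entry["sc-status"], entry["sc-substatus"], entry["sc-win32-status"]
    if status != 401:
        return "served" if entry["cs-username"] else "anonymous"
    if sub == 2 and w32 == SEC_E_NO_CREDENTIALS:
        return "challenge"      # anonymous request refused; WWW-Authenticate sent
    if sub == 1 and w32 == 0:
        return "in-progress"    # partial token accepted; client must send the next leg
    if sub == 1 and w32 == SEC_E_LOGON_DENIED:
        return "logon-denied"   # final token rejected by the authentication package
    if sub == 3:
        return "acl-denied"     # logon succeeded; the NTFS ACL refused the resource
    return "other-401"


def summarize(log_text: str) -> Dict[str, object]:
    """Classify every entry and report how the sequence ended."""
    entries = [parse_entry(l) for l in log_text.splitlines() if l and not l.startswith("#")]
    sequence = [classify(e) for e in entries]
    users = sorted({e["cs-username"] for e in entries if e["cs-username"]})
    return {
        "requests": len(entries),
        "sequence": sequence,
        "outcome": sequence[-1] if sequence else "empty",
        "users": users,
    }


if __name__ == "__main__":
    for e in (parse_entry(l) for l in SAMPLE_LOG.splitlines()):
        print(e["time"], e["c-ip"], e["sc-status"], e["sc-substatus"],
              SUBSTATUS_401.get(e["sc-substatus"], "?"),
              f"0x{e['sc-win32-status']:08X}", classify(e))
    print(summarize(SAMPLE_LOG))
```

Run it against a real log by reading the file and passing its text to `summarize`; if the site logs a different field set, update `FIELDS` from the `#Fields:` header. An `acl-denied` outcome points at Ken's case (b) on the NTFS side, while `logon-denied` after `in-progress` legs, as here, means the account the client presented was refused before any ACL was consulted.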