|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
Getting prompted on IIS webIIS 5 on Windows 2000 and are fully patched with current versions of ADO. In order to browse the application we only use the server name in the URL. For example: http://MyServer/MyApp/default.aspx . We are not prompted for our credentials because we only have Windows authentication enabled. Some of our end users have used the fully qualified domain name. For example: http://MyServer.MyDomain.Com/MyApp/default.aspx . At this point we are prompted for our credentials even though it is the same web app. Authentication method has not changed, only the URL now uses the entire domain name. What gives? We ran FileMon on the servers and only got SUCCESS for all file access. When we tracert we get the same (two hop) results. Why does the slight change in the URL cause us to get prompted? Could it be that the first solution uses a different domain controller to authenticate than the second? Many thanks, Keith It's to do with your IE security Zones. surf to the FQDN and make a note of
the zone (bottom right on the staus bar). then do the same on the netbios name. See the difference? Add the FQDN to the intranet or trusted zone and the problem ought to go away -- Show quoteHide quoteJason Brown Microsoft GTSC, IIS This posting is provided "AS IS" with no warranties, and confers no rights. "Keith-Earl" <k@k.com> wrote in message news:uwax2OUOFHA.2604@TK2MSFTNGP10.phx.gbl... > We have run a .NET app on a test and prod server for months. We are > running IIS 5 on Windows 2000 and are fully patched with current versions > of ADO. In order to browse the application we only use the server name in > the URL. For example: http://MyServer/MyApp/default.aspx . We are not > prompted for our credentials because we only have Windows authentication > enabled. > > Some of our end users have used the fully qualified domain name. For > example: http://MyServer.MyDomain.Com/MyApp/default.aspx . At this point > we are prompted for our credentials even though it is the same web app. > Authentication method has not changed, only the URL now uses the entire > domain name. > > What gives? > > We ran FileMon on the servers and only got SUCCESS for all file access. > When we tracert we get the same (two hop) results. > > Why does the slight change in the URL cause us to get prompted? Could it > be that the first solution uses a different domain controller to > authenticate than the second? > > Many thanks, > > Keith > Hi Keith,
When using FQDN/DNS name, IE will consider it's an internet site and therefore it will not send credential to IIS to automatically perform integrated authentication. The work around is explicitly adding the FQDN into IE intranet or trusted zone. All the detailed info is explained in the following article: Internet Explorer May Prompt You for a Password http://support.microsoft.com/?id=258063 Thanks. Best regards, WenJun Zhang Microsoft Online Partner Support When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ===================================================== Business-Critical Phone Support (BCPS) provides you with technical phone support at no charge during critical LAN outages or "business down" situations. This benefit is available 24 hours a day, 7 days a week to all Microsoft technology partners in the United States and Canada. This and other support options are available here: BCPS: https://partner.microsoft.com/US/technicalsupport/supportoverview/4001 0469 Others: https://partner.microsoft.com/US/technicalsupport/supportoverview/ If you are outside the United States, please visit our International Support page: http://support.microsoft.com/common/international.aspx ===================================================== This posting is provided "AS IS" with no warranties, and confers no rights. Thank you both. Will try when I put out this fire first.
Is there a way to automatically add the FQDN to the Intranet Zone? We do not want our end-users to ever get prompted because this truly is an intranet app. many, many thanks, Keith ""WenJun Zhang[msft]"" <v-wzh***@online.microsoft.com> wrote in message Show quoteHide quote news:lcKte6aOFHA.2944@TK2MSFTNGXA01.phx.gbl... > Hi Keith, > > When using FQDN/DNS name, IE will consider it's an internet site and > therefore it will not send credential to IIS to automatically perform > integrated authentication. The work around is explicitly adding the > FQDN into IE intranet or trusted zone. All the detailed info is > explained in the following article: > > Internet Explorer May Prompt You for a Password > http://support.microsoft.com/?id=258063 > > Thanks. > > Best regards, > > WenJun Zhang > Microsoft Online Partner Support > > When responding to posts, please "Reply to Group" via your newsreader > so that others may learn and benefit from your issue. > > ===================================================== > > Business-Critical Phone Support (BCPS) provides you with technical > phone support at no charge during critical LAN outages or "business > down" situations. This benefit is available 24 hours a day, 7 days a > week to all Microsoft technology partners in the United States and > Canada. > > This and other support options are available here: > > BCPS: > https://partner.microsoft.com/US/technicalsupport/supportoverview/4001 > 0469 > Others: > https://partner.microsoft.com/US/technicalsupport/supportoverview/ > > If you are outside the United States, please visit our International > Support page: http://support.microsoft.com/common/international.aspx > > ===================================================== > > This posting is provided "AS IS" with no warranties, and confers no > rights. > Use Group Policy
Cheers Ken Show quoteHide quote "Keith-Earl" <k@k.com> wrote in message news:uAgAMIhOFHA.2468@tk2msftngp13.phx.gbl... : Thank you both. Will try when I put out this fire first. : : Is there a way to automatically add the FQDN to the Intranet Zone? We do : not want our end-users to ever get prompted because this truly is an : intranet app. : : many, many thanks, : : Keith : : : ""WenJun Zhang[msft]"" <v-wzh***@online.microsoft.com> wrote in message : news:lcKte6aOFHA.2944@TK2MSFTNGXA01.phx.gbl... : > Hi Keith, : > : > When using FQDN/DNS name, IE will consider it's an internet site and : > therefore it will not send credential to IIS to automatically perform : > integrated authentication. The work around is explicitly adding the : > FQDN into IE intranet or trusted zone. All the detailed info is : > explained in the following article: : > : > Internet Explorer May Prompt You for a Password : > http://support.microsoft.com/?id=258063 : > : > Thanks. : > : > Best regards, : > : > WenJun Zhang : > Microsoft Online Partner Support : > : > When responding to posts, please "Reply to Group" via your newsreader : > so that others may learn and benefit from your issue. : > : > ===================================================== : > : > Business-Critical Phone Support (BCPS) provides you with technical : > phone support at no charge during critical LAN outages or "business : > down" situations. This benefit is available 24 hours a day, 7 days a : > week to all Microsoft technology partners in the United States and : > Canada. : > : > This and other support options are available here: : > : > BCPS: : > https://partner.microsoft.com/US/technicalsupport/supportoverview/4001 : > 0469 : > Others: : > https://partner.microsoft.com/US/technicalsupport/supportoverview/ : > : > If you are outside the United States, please visit our International : > Support page: http://support.microsoft.com/common/international.aspx : > : > ===================================================== : > : > This posting is provided "AS IS" with no warranties, and confers no : > rights. : > : : Keith,
In case all the client machines are in the same domain, using group policy will help you achieve this. How To Set Advanced Settings In Internet Explorer by Using Group Policy Objects http://support.microsoft.com/kb/274846/ Best regards, WenJun Zhang Microsoft Online Partner Support This posting is provided "AS IS" with no warranties, and confers no rights. You are welcome.
Best regards, WenJun Zhang Microsoft Online Partner Support This posting is provided "AS IS" with no warranties, and confers no rights. >-----Original Message----- months. We are running >We have run a .NET app on a test and prod server for >IIS 5 on Windows 2000 and are fully patched with current versions of ADO. >In order to browse the application we only use the server name in the URL. >For example: http://MyServer/MyApp/default.aspx . We are not prompted for >our credentials because we only have Windows domain name. For authentication enabled. > >Some of our end users have used the fully qualified >example: http://MyServer.MyDomain.Com/MyApp/default.aspx . At this point we >are prompted for our credentials even though it is the same web app. >Authentication method has not changed, only the URL now uses the entire >domain name. all file access. > >What gives? > >We ran FileMon on the servers and only got SUCCESS for >When we tracert we get the same (two hop) results. prompted? Could it be > >Why does the slight change in the URL cause us to get >that the first solution uses a different domain controller to authenticate Show quoteHide quote >than the second? > >Many thanks, > >Keith > > >. > 
Other interesting topics
IIS 6 Integrated Authentication and IE 6 - security credentials seem to not get passed from browser
Anonymous access IIS 5.0 Directory Settings help IIS 6.0 and Integrated Security - restricting logins Anonymous access Vulnerabilities W2003 SP1 - IIS CRL Check Executables won't run in IIS 5.1 on XP pro IIS and .NET State IE browser "NO COOKIES" is ignored for 1 site; works for another; same scripts (Cross-posted to inet Problems with IUSR after installing security templates |
|||||||||||||||||||||||
