Integrated Windows Authentication authenticating the wrong user

microsoft.public.inetserver.iis.security

24 Nov 2005 6:57 AM

teedilo

I support an application that supports Integrated Windows
Authentication. I am running into a strange problem with my own user
account. It appears that Internet Explorer is passing the wrong
credentials to the web server, because the application is trying to
authenticate me with the wrong user account. The account is actually
one of my accounts, but it's definitely not the one that I was signed
into Windows with at the time that I was attempting to access the
application.

The application in question is Serena's TeamTrack. Serena says that
TeamTrack authenticates with the user that the system passes to them,
and as such, they maintain that it's not an issue with TeamTrack. I'm
thinking that they may be correct about this.

I've tried many different things to fix this:

- I rebooted the TeamTrack server.

- I rebooted my desktop.

- I cleared my browser cache (deleted temporary Internet files,
cookies, etc.).

- I deleted from my desktop the profile of the user account that is
being erroneously authenticated.

Here are a few other interesting details:

- We also have other TeamTrack systems within our network, and I am
able to get signed in automatically to those systems just fine from my
own desktop.

- After logging into a different desktop with the account that I
usually use to sign into my own desktop, I was then able to get signed
in automatically to the TeamTrack system that I am having trouble
signing into from my own desktop.

This all leads me to believe that it somehow involves the connection
between my own desktop and the TeamTrack server. I have read where
Integrated Windows Authentication sometimes doesn't work properly with
some proxy servers and Internet devices. I wouldn't think that it
would have anything to do with our proxy server, since our TeamTrack
systems have DNS entries that match one of the proxy bypass settings,
so I shouldn't be hitting the proxy server.

This is strange because we have been using TeamTrack for several years
and this is the first I've seen this problem. I've had a few different
desktops through the years, but I was even able to access TeamTrack
successfully with my latest desktop for quite some time before running
into this problem.

My latest desktop is running Windows XP Pro. An upgrade to XP SP2 was
fairly recent, but I had no problems for some time after the upgrade.
I do use a tool called Psynch for maintaining the same password for
both of my Windows user accounts, and that was changed fairly recently.
I think I might next try disassociating my user accounts from Psynch
and just change my passwords again "normally", just in case Psynch is
somehow a culprit here.

Theories, anyone? Thanks.

24 Nov 2005 1:14 PM

karl levinson, mvp

How exactly are you seeing the wrong user account? Is that from the web
server logs?

I would try logging into the troubled computer as a different user that has
local administrator privileges, rename the Windows user profile for the
troubled user under c:\documents and settings\, then log out and back into
Windows as the troubled user to create a fresh new Windows profile and see
if the problem persists. If it does, at least you know the problem is not
in the user profile.

If this hasn't been done already, I would check the web server logs, run a
sniffer like the free www.ethereal.com to capture and inspect the data when
logging in [if it's https encrypted, that may be a problem for the sniffer],
and compare the browser settings on both the working and non-working
computer under tools, internet options, security. Specifically, try to
determine whether both computers consider the web site as being in the same
zone, and determine if they have different settings in that zone [or check
all zones] for user authentication. Under Tools, Internet Options,
Advanced, there may also be a setting for "allow windows integrated
authentication" that you might check just in case.

Be sure the working and non-working computers you are comparing are both
running the same version of Windows, because Windows XP IE does not always
do authentication the same way as previous versions of Windows.

<teed***@gmail.com> wrote in message
Show quoteHide quote

news:1132815476.337709.7400@z14g2000cwz.googlegroups.com...
>I support an application that supports Integrated Windows
> Authentication. I am running into a strange problem with my own user
> account. It appears that Internet Explorer is passing the wrong
> credentials to the web server, because the application is trying to
> authenticate me with the wrong user account. The account is actually
> one of my accounts, but it's definitely not the one that I was signed
> into Windows with at the time that I was attempting to access the
> application.
>
> The application in question is Serena's TeamTrack. Serena says that
> TeamTrack authenticates with the user that the system passes to them,
> and as such, they maintain that it's not an issue with TeamTrack. I'm
> thinking that they may be correct about this.
>
> I've tried many different things to fix this:
>
> - I rebooted the TeamTrack server.
>
> - I rebooted my desktop.
>
> - I cleared my browser cache (deleted temporary Internet files,
> cookies, etc.).
>
> - I deleted from my desktop the profile of the user account that is
> being erroneously authenticated.
>
> Here are a few other interesting details:
>
> - We also have other TeamTrack systems within our network, and I am
> able to get signed in automatically to those systems just fine from my
> own desktop.
>
> - After logging into a different desktop with the account that I
> usually use to sign into my own desktop, I was then able to get signed
> in automatically to the TeamTrack system that I am having trouble
> signing into from my own desktop.
>
>
> This all leads me to believe that it somehow involves the connection
> between my own desktop and the TeamTrack server. I have read where
> Integrated Windows Authentication sometimes doesn't work properly with
> some proxy servers and Internet devices. I wouldn't think that it
> would have anything to do with our proxy server, since our TeamTrack
> systems have DNS entries that match one of the proxy bypass settings,
> so I shouldn't be hitting the proxy server.
>
> This is strange because we have been using TeamTrack for several years
> and this is the first I've seen this problem. I've had a few different
> desktops through the years, but I was even able to access TeamTrack
> successfully with my latest desktop for quite some time before running
> into this problem.
>
> My latest desktop is running Windows XP Pro. An upgrade to XP SP2 was
> fairly recent, but I had no problems for some time after the upgrade.
> I do use a tool called Psynch for maintaining the same password for
> both of my Windows user accounts, and that was changed fairly recently.
> I think I might next try disassociating my user accounts from Psynch
> and just change my passwords again "normally", just in case Psynch is
> somehow a culprit here.
>
> Theories, anyone? Thanks.
>

28 Nov 2005 5:24 PM

teedilo

Thanks so much for the informative reply, Karl. I was about to try out
your suggestions when I discovered what the actual cause and solution
was. There was a user name and password stored on my computer for our
TeamTrack web server that was using the account that I don't normally
sign onto my machine with. I'm honestly not even sure how it got
there, but here's how I got rid of it:

1) Click Start, Settings, Control Panel, User Accounts.

2) Click the Advanced tab.

3) Click Manage Passwords.

4) Select the entry for the TeamTrack web server, click Remove, Close,
OK.

Apparently having that saved user name and password somehow overrode
the Integrated Windows Authentication functionality.