Client Permissions required for Integrated Authentication?

Hi there,

I've got an IIS 6.0 Website on Windows 2003 which I have setup as Integrated Authentication. I have disabled all other forms of authentication (Anonymous, basic, etc).

The Clients authenticate against a Windows NT domain currently. When the client tries to authenticate against the website, I get a login box for the client, unless the user is defined as a local admin on his local PC. As soon as we add the user's account to the local 'Administrators' group, everything seems to work as we'd expect.

I saw postings on here about the fact that IE will only send the NT Challenge information to sites in the 'Local Intranet' zone, and I added the local website to the local servers in the 'proxy' configuration page (which should add them to the local intranet zone), but it didn't appear to change anything.

Our local PCs are locked down pretty tightly, so I need a bit of guidance as to what local security settings need to be applied to allow Windows Integrated authentication.

Cheers,

Paul.
"Paul Haigh" <Paul Ha***@discussions.microsoft.com> wrote in message news:A0EEB7CE-69DC-4BEE-B084-E3ABE2E4081D@microsoft.com...
> <snip>

Sounds like the NTFS permissions on the content need to be adjusted. The IE issue you mention would not be affected by whether or not users are part of the admin group. Make sure your users have at least NTFS Read permissions on your content files and folders.

--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsserver2003/community/centers/iis/
http://mvp.support.microsoft.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS

"Tom Kaminski [MVP]" wrote:
> Sounds like the NTFS permissions on the content need to be adjusted. The IE issue you mention would not be affected by whether or not users are part of the admin group. Make sure your users have at least NTFS Read permissions on your content files and folders.

Hi Tom,

I thought that as well to start with, but when I added 'Everyone' to the NTFS permissions for the content, nothing changed. We didn't see the boxes go away until we added the NT account to the local PC's 'Administrators' group - then the issue appears to go away immediately.

Alternatively, the login box can be removed by putting back 'Anonymous Authentication', which isn't a huge surprise.

Cheers, Paul

"Paul Haigh" <Paul Ha***@discussions.microsoft.com> wrote in message news:1E59068D-4CB8-485F-A154-D8142E62E702@microsoft.com...
> <snip>

Try with the specific account instead of Everyone.

--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsserver2003/community/centers/iis/
http://mvp.support.microsoft.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS

Adding the user to the local administrators group on their client PC should have no effect whatsoever on whether the authentication dialogue appears or not, as far as I can tell.

The authentication dialogue appears when:

a) the site is not in the local intranet zone (check visually using the little icon that IE displays down the bottom right of the screen)

-or-

b) the site is in the local intranet zone, but the credentials that IE has supplied "under the covers" do not have permission, on the server, to access the files off the server's hard disk.

Cheers
Ken

"Paul Haigh" <Paul Ha***@discussions.microsoft.com> wrote in message news:A0EEB7CE-69DC-4BEE-B084-E3ABE2E4081D@microsoft.com...
: <snip>

Ken/Tom

Thanks for the responses. I was seriously weirded out by the behaviour, but looking more carefully today (with a fresh head), I see that adding local admin for some reason puts the website into the 'Local Intranet' zone, whereas when you are not a local admin, the same website (with the same IE config) is in the 'Internet' zone.

Weird, but true. I'll focus on finding the appropriate settings in the registry/IE configuration to get the website in the 'Local Intranet' zone.

Thanks once again.

Paul

I've seen this before, it might help to put the contents of the current user part of an administrator registry to the local machine part. Also, you must not use FQDNs in the URL: this will cause an Internet qualification as well.

The key that you should check is:

HKLM\Software\Microsoft\Windows\CurrentVersion\Internet settings\Zonemap

There should be three values in there. If they are not ALL there, the three settings that are in Internet Options, Security tab, Local Intranet, Sites, will not work for regular users. You can export the settings (one is something like UNCasIntranet=1). Delete all subkeys from the export and change the string CURRENT_USER to LOCAL_MACHINE, import this into the registry and it works.

"Paul Haigh" wrote:
> <snip>
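To make the check in the last reply concrete, here is an added PowerShell script (not from the thread) that reads the ZoneMap key it names in both HKCU and HKLM, reports which of the three "Sites" checkbox values are missing per-machine, lists any sites explicitly mapped into the Local intranet zone, and with the assumed -Fix switch copies missing values from HKCU to HKLM. The value names IntranetName, ProxyBypass and UNCAsIntranet are the standard ones IE stores for those three checkboxes; the thread itself only names one approximately.

```powershell
<#
  Added example, not from the thread: compare per-user (HKCU) and per-machine
  (HKLM) ZoneMap settings behind IE's "Local intranet" zone. -Fix (assumed
  switch name) copies missing values HKCU -> HKLM and needs an elevated shell.
#>
param([switch]$Fix)

$hkcu = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$hklm = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

# Internet Options > Security > Local intranet > Sites: one DWORD per checkbox
$zoneValues = [ordered]@{
    IntranetName  = 'Include all local (intranet) sites not listed in other zones'
    ProxyBypass   = 'Include all sites that bypass the proxy server'
    UNCAsIntranet = 'Include all network paths (UNCs)'
}

function Get-ZoneMapValue([string]$Path, [string]$Name) {
    # $null when the value, or the whole key, is absent
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-IntranetSiteMappings([string]$Root) {
    # Explicit site-to-zone entries live under ZoneMap\Domains; zone 1 = Local intranet
    $domains = Join-Path $Root 'Domains'
    if (-not (Test-Path $domains)) { return }
    foreach ($key in Get-ChildItem -Path $domains -Recurse) {
        foreach ($scheme in $key.GetValueNames()) {
            if ($key.GetValue($scheme) -eq 1) { '{0} [{1}]' -f ($key.Name -replace '.*\\Domains\\', ''), $scheme }
        }
    }
}

foreach ($name in $zoneValues.Keys) {
    $user    = Get-ZoneMapValue $hkcu $name
    $machine = Get-ZoneMapValue $hklm $name
    $shown   = if ($null -eq $user) { '-' } else { $user }
    $status  = if ($null -eq $machine) { 'MISSING in HKLM' } else { "HKLM=$machine" }
    Write-Host ('{0,-14} HKCU={1,-2} {2,-16} {3}' -f $name, $shown, $status, $zoneValues[$name])
    if ($Fix -and $null -eq $machine -and $null -ne $user) {
        if (-not (Test-Path $hklm)) { New-Item -Path $hklm -Force | Out-Null }
        New-ItemProperty -Path $hklm -Name $name -Value $user -PropertyType DWord -Force | Out-Null
        Write-Host "    copied $name=$user to HKLM"
    }
}

# Sites explicitly placed in the Local intranet zone, per hive
foreach ($hive in 'HKCU', 'HKLM') {
    $root = if ($hive -eq 'HKCU') { $hkcu } else { $hklm }
    Write-Host "`n$hive Local intranet site mappings:"
    $mappings = @(Get-IntranetSiteMappings $root)
    if ($mappings.Count -eq 0) { Write-Host '  (none)' } else { $mappings | ForEach-Object { Write-Host "  $_" } }
}
```

Run it first as the affected non-admin user (without -Fix) to see which values IE cannot find in HKLM, then once elevated with -Fix to copy them across.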