RE: Access Denied from ActiveX object

From: Shawn Shepherd[MSFT] (shawnsh@microsoft.com)
Date: 01/24/03 

From: shawnsh@microsoft.com (Shawn Shepherd[MSFT])
Date: Fri, 24 Jan 2003 19:32:11 GMT

Tom,

This article discusses this in detail:

258063 Internet Explorer May Prompt You for a Password
http://support.microsoft.com/?id=258063

There are quite a few conditions that must be met for NTLM to function
properly they are described here.

"Passing your user name and password to an Internet Information Services
(IIS) Web server is the responsibility of the Web browser. The following
scenarios describe the relationship between Internet Explorer and IIS in
regards to authentication."

The above article covers alot, but essentially if the route NTLM needs to
use to get to IIS is blocked (which it usually is on the net or complex
networks), then your choice is Basic, or for secure authentication Basic
over SSL.

Essentially NTLM is not going to work over the internet

This article describes how to use Client Certificates with Internet
Explorer.

313070 HOW TO: Configure Client Certificate Mappings in Internet Information
http://support.microsoft.com/?id=313070

"In IIS, you can authenticate users who log on with a client certificate by
mapping the certificates to Windows user accounts. The mapped certificates
are used to either deny access to Web resources, or grant rights and
permissions for the mapped user account. There are two methods in which to
map certificates:......"
 
Shawn Shepherd[MSFT]
MCSE/MCP+I
Online Support Professional

This posting is provided "AS IS" with no warranties, and confers no rights.
Get Secure! - www.microsoft.com/security

Relevant Pages

  • Re: Anonymous Site with NTLM Optional
    ... Usually public websites will be hosted in a DMZ, and development sites in an internal secured network. ... The DMZ domain and the internal domains are thus usually separate. ... If this is your scenario, when testing using development the workstations with the browser clients and the webserver will likely be in the same domain, and thus there are no issues with NTLM. ... "Internet" users will not be on the same domain as the public webserver, and thus NTLM can't be used. ...
    (microsoft.public.inetserver.iis)
  • Re: multi-server auth
    ... PS as you may already know, running IIS on domain controllers is generally ... Anyone breaking into IIS from the internet would probably have ... > standalone servers) and full trust with another domain. ... > everything (NTLM for local auto auth and Basic for when NTLM isn't ...
    (microsoft.public.inetserver.iis.security)
  • Re: 401 error for user that used to logon fine
    ... Was over the Internet and you were right. ... > Why are you getting prompted by NTLM? ... How IIS Authenticates Browser Clients ... > Directory with Integrated Authentication ONLY -or- NTFS permissions ...
    (microsoft.public.inetserver.iis.security)
  • Re: NTLM over the Internet
    ... I'll keep searching around and see if I can find any more specifics. ... which suggests that certain proxy servers just don't support NTLM. ... > integrated authentication by default to Internet sites. ...
    (microsoft.public.inetserver.iis.security)
  • Error 0X80190194: Microsoft Exchange offline address book
    ... I am receiving this error in Outlook 2007 everytime I send/receive: ... In fact if I go to that location in Internet Explorer ... InternalAuthenticationMethods: {Basic, Ntlm} ... msExchAutoDiscoverVirtualDirectory} ...
    (microsoft.public.exchange.admin)