RE: IIS Authentication Methods

From: Lisa Cozzens [MSFT] (lcozzens@online.microsoft.com)
Date: 03/11/03 

From: lcozzens@online.microsoft.com (Lisa Cozzens [MSFT])
Date: Tue, 11 Mar 2003 20:06:40 GMT

When you use IE to access a site that has both Integrated and Basic
authentication enabled, IE will try to authenticate using Integrated. If
Integrated fails, it will NOT fall back to Basic. It will simply fail to
authenticate and show some flavor of 401 error.

When you use Netscape to access a site with both authentication methods
enabled, Netscape will use Basic authentication, because it doesn't
understand Integrated authentication.

As for the problem at hand, you should be prompted three times for
authentication and then receive an error message with a status code that
probably starts with a 401. If it's a 401.3, check to make sure that the
local user account that you're using has the "Access this computer from the
network" user right. (Start -> Settings -> Control Panel -> Administrative
Tools -> Local Security Policy -> Local Policies -> User Rights
Assignment). If it's some other status code, or if it's a 401.3 but the
user does have "Access this computer from the network" permissions, post
here again and we'll see if we can help out.

Thanks,
Lisa

--------------------
> Content-Class: urn:content-classes:message
> From: "Larry" <Larry@cwxonline.com>
> Sender: "Larry" <Larry@cwxonline.com>
> Subject: IIS Authentication Methods
> Date: Tue, 11 Mar 2003 11:31:25 -0800
> Lines: 35
> Message-ID: <00f301c2e804$ce4e8200$a401280a@phx.gbl>
> MIME-Version: 1.0
> Content-Type: text/plain;
> charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
> X-Newsreader: Microsoft CDO for Windows 2000
> Thread-Index: AcLoBM5OcTAYPUwNTqOfFJ8VUuSksg==
> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
> Newsgroups: microsoft.public.inetserver.iis.security
> Path: cpmsftngxa06
> Xref: cpmsftngxa06 microsoft.public.inetserver.iis.security:16226
> NNTP-Posting-Host: TK2MSFTNGXA12 10.40.1.164
> X-Tomcat-NG: microsoft.public.inetserver.iis.security
>
> Hello,
>
> I would like to ask anyone if they can help me understand
> the following problem.
>
> 1. When I setup our IIS 5.0 server I setup all websites
> to use Integrated Authentication and Basic
> Authentication. If a user was using internet explorer
> externally they would only have to enter thier username
> and password without a domain name if they were a user
> that was LOCAL to the server. Domain users always entered
> thier domain as well as the user name and password.
>
> 2. A few days ago I ran a security script that "HARDENED"
> the server. It was called securit-elok that is bassically
> a script.
>
> 3. After Installing this script, External users are no
> longer able to logon with internet explorer if they are a
> local user on the web server. If they use netscape basic
> authentication works fine.
>
>
> So is IIS supposed to work like this:
>
> 1. Try integrated authentication and if that fails than
> use basic?
>
> or Is it supposed to fail continuesly with integrated
> authentication?
>
>
>
> Thanks for the help
>
>

-----
Please do not send email directly to this alias. This is an online
account name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers
no rights. You assume all risk for your use.

© 2003 Microsoft Corporation. All rights reserved.