Re: Authentication troubles
From: Jerry (jerry.giacinto_at_ketteng.com.nospam.com)
Date: Tue, 23 Mar 2004 08:00:31 -0700
Thanks for your responses, Ken and Bernard.
I don't think that he is using NTLM v.2, but I'm really not sure how to
tell. The reason I think that he's not is because I know it's not "default"
behavior for Win 9x clients, and I setup his computer to begin with.
However, one of my tests was to enable NTLM v.2 per MS KB Q239869
that didn't work, I removed the registry change that forced NTLM v.2. Now
that I think of it, I never tried the setting to force LM and NTLM only -
may be worth a shot.
I should've mentioned that the web server is not part of a domain. Good
As for SSL, I actually would prefer that myself. Is the only way to
enable SSL to purchase a security certificate from a company such as
Verisign? And, if so, once I have the certificate, how do I apply it just
to the Virtual Directory in IIS (the web folder)? When I view the
properties for the virtual directory, the Server Certificate button is
grayed out. Currently, the web folder is a virtual directory under the
actual website. So users access it as www.domainname.com/webfolder, for
example. I think that's the only way for me to set it up. I guess I would
apply the certificate at the site level and require secure communications at
the web folder level?
Thanks and best regards,
"Bernard" <email@example.com> wrote in message
> If user are coming from the internet, I would suggest you configured Basic
> Auth with SSL.
> Bernard Cheah
> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> > a) NTLM v2 authentication does not work through most proxy servers,
> > it requires an open end-to-end connection between server and client for
> > couple of back-and-forward messages. If there is a proxy server between
> > and your server, NTLM v2 authentication will most likely fail
> > b) Ensure that he is including the appropriate Domain Name in the user
> > crentials: Domain\Username, otherwise IIS will use the local machine,
> > assume that the user wants WebServerName\UserName which may not be a
> > account.
> > Cheers
> > Ken
> > "Jerry" <firstname.lastname@example.org> wrote in message
> > news:%232d11lGEEHA.2908@TK2MSFTNGP09.phx.gbl...
> > : I have a web folder setup on IIS 5 on Win 2K server. The
> > : level is set to Integrated Windows Authentication, and I do not allow
> > : anonymous access. It wouldn't matter if I did, because the folder and
> > it's
> > : contents have specific NTFS permissions. This has been working well
> > all
> > : clients accessing it until now.
> > :
> > : One client is running Win 98 se with IE 5.5 SP2 - current on all
> > patches.
> > : When the user tries to connect from that machine using IE, he gets
> > prompted
> > : three times for a username and password, then it gives the "You are
> > : authorized to view this page" message in IE. When he tries to add the
> > : folder in Windows Explorer, he gets prompted three times, then gets
> > : message, "You do not have permission to access this web folder
> > : All I get in the IIS log is a 401 entry, but no error messages or
> > indication
> > : of what is happening.
> > :
> > : When I switch the authentication to Basic, he is able to logon just
> > fine.
> > : It appears that the username is not being received correctly by IIS
> > because
> > : he is not able to lock out the account after enough tries with an
> > : intentionally wrong password (but it can be done by a client that is
> > to
> > : logon normally).
> > :
> > : He is running Roadrunner-provided hi-speed internet with Norton
> > : Firewall. He has tried with the firewall software disabled, but that
> > : not work. I have verified that the server will accept LM, NTLM, and
> > : v.2 requests. I have verified his IE Security and Advanced settings
> > a
> > : similar client that is able to logon correctly. I am running out of
> > ideas.
> > : The only thing I can figure is that Roadrunner may have something in
> > : setup that is not allowing this to function - but that seems like a
> > : longshot.
> > :
> > : Although I have found several posts dealing with Integrated Windows
> > : Authentication and logon failures, I have not found any that solve or
> > : explain my circumstance. Any help would be greatly appreciated.
> > :
> > : One side note about the IIS logs - when it logs his attempt to
> > : his client information is listed as
> > : (compatible;+MSIE+5.5;+Windows+98;+T312461). I looked up the T312461
> > : because it doesn't show up on any other clients that I've seen, even
> > they
> > : are current on MS patches. It does not appear to be part of the
> > : authentication problem, but I'm including it just in case it sticks
> > : someone.
> > :
> > : Thanks for your help,
> > : Jerry
> > :
> > :