Re: IIS 6 Integrated Authentication and IE 6 - security credential
From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 04/11/05
Date: Mon, 11 Apr 2005 13:26:27 +1000
I don't think this is the same issue. I suggest you start a new thread.
Thanks
Cheers
Ken
--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com

"Matthew Emsley" <MatthewEmsley@discussions.microsoft.com> wrote in message
news:BD5F6156-4BFF-4E7B-AB55-80D3C0B4BE60@microsoft.com...
: I think I'm experiencing the same problem. I have Win2003 with IIS6. I just
: installed SP1.
:
: My server is in a domain. I'm running two websites through IIS6. Anonymous
: access is OFF, and I'm using Integrated Windows authentication
:
: My server has a static IP address and the
: DNS name is: FLOWER.COMPANY.COM
: WINS name is: TLA-FLOWER
: I have aliased the website names on the company's DNS server to my IP address
: Alias name 1: PETAL.COMPANY.COM
: Alias name 2: STEM.COMPANY.COM
:
: I have PETAL.COMPANY.COM as the default website.
:
: Before SP1 if I connected to http://PETAL it did not ask for a username and
: password (it was in the Local Intranet Zone). After SP1 going to
: http://PETAL or http://FLOWER asks me for a username and password and the
: Domain username and password I use eventually result in an error 401.1. If,
: however I use the WINS name: http://TLA-FLOWER I am not asked for the
: username and password and I am able to connect to the webpage again on the
: Local Intranet zone.
:
: All help is appreciated.
:
: "Andy Wright" wrote:
:
: > Thanks for the information David. The article that you provided the link to
: > mentioned includes the following:
: >
: > ----------------
: > Forcing NTLM
: > In the following situations, Kerberos fails and you must force IIS to use
: > NTLM authentication by setting the NTAuthenticationProviders metabase
: > property to NTLM.
: >
: > 1) When you isolate Web sites on a virtual directory level by configuring
: > worker process identities as different domain accounts, Kerberos fails.
: >
: > 2) If you are using Integrated Windows authentication, are not using a WINS
: > or DNS name for the server running IIS, and you want to use a local user
: > account or the LocalService account as a worker process identity, Kerberos
: > authentication fails because Active Directory will not "trust" the accounts.
: > --------------
: >
: > Because I had configured the application as in 1) above, Kerberos was
: > failing. When I set the NTAuthenticationProviders metabase property to NTLM
: > the problem was fixed. This seems to work ok when set at the virtual
: > directory level and so needn't have an impact on other applications in the
: > Web site.
: >
: > Do you know of any references that describe the likely consequences of
: > setting this metabase property for an application and any workarounds or
: > configuration options that are available for applications that need to rely
: > on Kerberos features?
: >
: > I also tried setting the Application Pool Identity for the entire web site
: > rather than at the Application/Virtual Directory level and that seems to
: > work ok even when Kerberos is enabled (NTAuthenticationProviders metabase
: > property set to Negotiate,NTLM).
: >
: >
: > "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
: > news:e5krHpmOFHA.2748@TK2MSFTNGP09.phx.gbl...
: > > Right now, your failure pattern sounds like a common misconfiguration where
: > > you have:
: > > 1. a customized Application Pool Identity
: > > 2. Only Integrated authentication is enabled
: > > 3. the server is in a domain
: > >
: > > http://64.233.187.104/search?q=cache:NIZib3_gx9sJ:www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/ca_cfgwrkridentity.asp&hl=en
: > >
: > >> If I reconfigure the web site so that it runs in an application
: > >> pool associated with the default Network Service identity
: > >> then the request from the Windows XP machine works
: > >> ok and is logged as:
: > >>
: > >> 2005-04-04 09:29:17 192.168.0.100 GET /test/test.htm
: > >> - 80 LOCH_NESS\Administrator 192.168.0.127
: > >> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322)
: > >> 304 0 0
: > >
: > > This has login of LOCH_NESS\Administrator, which is not the same as
: > > "LOCH_NESS\pplustester1" which you said you were testing with. Either you
: > > chose the wrong log entry or something else is running on the server and
: > > interfering.
: > >
: > > --
: > > //David
: > > IIS
: > > http://blogs.msdn.com/David.Wang
: > > This posting is provided "AS IS" with no warranties, and confers no
: > > rights.
: > > //
: > > "Bernard" <qbernard@hotmail.com.discuss> wrote in message
: > > news:uvNtTSbOFHA.2136@TK2MSFTNGP14.phx.gbl...
: > > Mmm..
: > > 401.2 - Logon failed due to server configuration.
: > > What authentication method are you using?
: > > Are the NT4 and XP Pro machines located in the same subnet and browsing using
: > > the same URL?
: > >
: > >> If I reconfigure the web site so that it runs in an application pool
: > >> associated with the default Network Service identity then the request
: > >> from
: > >> the Windows XP machine works ok and is logged as:
: > >
: > > What was the previous app pool identity?
: > >
: > > --
: > > Regards,
: > > Bernard Cheah
: > > http://www.tryiis.com/
: > > http://support.microsoft.com/
: > > http://www.msmvps.com/bernard/
: > >
: > >
: > > "Andy Wright" <A@bc.com> wrote in message
: > > news:uKExrnPOFHA.3960@TK2MSFTNGP12.phx.gbl...
: > >> Hi,
: > >>
: > >> I have an IIS 6 application on Windows 2003 SP1 configured to use
: > >> integrated authentication. It runs in an application pool that is
: > >> configured with a specific user name and password.
: > >>
: > >> If I connect to the web site using IE 6 hosted on a machine running NT 4
: > >> everything works fine. When I request a page from the web site, the
: > >> following request is logged:
: > >>
: > >> 2005-04-04 09:00:57 192.168.0.100 GET /test/test.htm - 80
: > >> LOCH_NESS\pplustester1 192.168.0.5
: > >> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+4.0) 200 0 0
: > >>
: > >> However, if I log on as the same user (LOCH_NESS\pplustester1) on a
: > >> machine running IE 6 hosted on Windows XP, the system prompts me for
: > >> user
: > >> name and password credentials. After supplying the correct credentials I
: > >> eventually get an HTTP 401.1 error. The request is logged at the server
: > >> as:
: > >>
: > >> 2005-04-04 07:59:28 192.168.0.100 GET /test/test.htm - 80 - 192.168.0.127
: > >> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401
: > >> 2 2148074254
: > >>
: > >> It seems that the user name authentication credentials aren't being
: > >> passed
: > >> on to the web server correctly.
: > >>
: > >> If I reconfigure the web site so that it runs in an application pool
: > >> associated with the default Network Service identity then the request
: > >> from
: > >> the Windows XP machine works ok and is logged as:
: > >>
: > >> 2005-04-04 09:29:17 192.168.0.100 GET /test/test.htm - 80
: > >> LOCH_NESS\Administrator 192.168.0.127
: > >> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 304
: > >> 0 0
: > >>
: > >> Does anyone know if there are any settings that need to be configured for
: > >> IE6 when running on XP to fix it so that the credentials are passed on
: > >> correctly - or is there something more subtle that I'm missing?
: > >>
: > >> Thanks,
: > >>
: > >> Andy Wright
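
The log entries quoted in the thread can be triaged mechanically. The following is an added example, not part of any poster's message: it parses the three quoted entries, decodes `sc-win32-status` to hex, lists clients whose 401 challenges were never followed by an authenticated request, and shows which account each client actually authenticated as. The field order is inferred from the quoted lines, the function names are hypothetical, and `SEC_E_NO_CREDENTIALS` is the SSPI name for 0x8009030E.

```python
from collections import defaultdict

# Field order read off the log lines quoted in the thread (assumed to be the
# site's W3C extended logging selection).
FIELDS = ("date time s_ip method uri query port username c_ip "
          "user_agent status substatus win32").split()

# The three entries quoted in the thread, rejoined onto single lines.
SAMPLE_LOG = r"""
2005-04-04 09:00:57 192.168.0.100 GET /test/test.htm - 80 LOCH_NESS\pplustester1 192.168.0.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+4.0) 200 0 0
2005-04-04 07:59:28 192.168.0.100 GET /test/test.htm - 80 - 192.168.0.127 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
2005-04-04 09:29:17 192.168.0.100 GET /test/test.htm - 80 LOCH_NESS\Administrator 192.168.0.127 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 304 0 0
"""

# sc-win32-status values worth naming; 0x8009030E is the SSPI constant below.
SSPI = {0x8009030E: "SEC_E_NO_CREDENTIALS"}

def parse(text):
    """Yield one dict per well-formed log line, skipping '#' directives."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS) and not line.startswith("#"):
            yield dict(zip(FIELDS, parts))

def summarize(text, until="9999"):
    """Per client IP: authenticated users, success count, decoded 401s."""
    clients = defaultdict(lambda: {"users": set(), "ok": 0, "denied": []})
    for r in parse(text):
        if f'{r["date"]} {r["time"]}' >= until:   # keep entries before `until`
            continue
        c = clients[r["c_ip"]]
        if r["status"] == "401":
            code = int(r["win32"])
            c["denied"].append((r["substatus"], f"0x{code:08X}", SSPI.get(code, "")))
        elif r["username"] != "-":
            c["ok"] += 1
            c["users"].add(r["username"])
    return dict(clients)

def stuck_clients(summary):
    # A 401 on the first, anonymous request is part of the normal challenge,
    # so only clients with 401s and no authenticated request are reported.
    return sorted(ip for ip, c in summary.items() if c["denied"] and not c["ok"])

if __name__ == "__main__":
    print(stuck_clients(summarize(SAMPLE_LOG, until="2005-04-04 09:00:00")))
    for ip, c in summarize(SAMPLE_LOG).items():
        print(ip, sorted(c["users"]), c["denied"])
```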