?
Solved

IIS 5 Authentication Problem -- Servername\Username in logon prompt

Posted on 2004-08-05
10
Medium Priority
?
1,027 Views
Last Modified: 2008-01-09
Hi there.

We have an IIS 5-based intranet Web site running on a Windows 2000 Server domain member server. The Intranet virtual directory is configured for SSL, Basic Authentication (with a default domain specified) and Integrated Windows Authentication.

When users log in with the Domain name\Username syntax at the login box, they can login just fine. However, if the users try to login with only their domain user name, IIS shoots back the logon box pre-filled in with:

Servername\username

The server name is fully qualified. That is to say:

Server01.company.com\joeuser

This strikes me as very, very weird.

I scoured the metabase by using the metabase editor. I found some traces to the referenced servername path in the SMTP properties and I nuked 'em because we aren't running SMTP on the IIS server. No help, though.

I also scoured the Registry for traces of the servername--nothing. I don't know why IIS thinks it should be pointing to the local computer instead of our domain controller. As I said earlier, if users manually type in Domainname\Username they can log in fine. However, as you network admins know, the less we have to instruct our users to do themselves manually, the better. :)

Thanks in advance,
Tim
0
Comment
Question by:ISIS2004
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 3
10 Comments
 
LVL 14

Expert Comment

by:alimu
ID: 11733033
Next to where you allow basic authentication in IIS management console is a button you click to set the default domain for authentication - do you have a specific domain set there?
0
 

Author Comment

by:ISIS2004
ID: 11734906
Yeah--I've added the non-qualified name of our domain.

Eg: COMPANY rather than COMPANY.COM

0
 
LVL 37

Expert Comment

by:meverest
ID: 11735240
Hi,

the defaulkt domain should be the windows domain (if it is different to the internet domain)

i.e. for "Domain name\Username", enter the "Domain name" part as default domain.

cheers.
0
Learn how to optimize MySQL for your business need

With the increasing importance of apps & networks in both business & personal interconnections, perfor. has become one of the key metrics of successful communication. This ebook is a hands-on business-case-driven guide to understanding MySQL query parameter tuning & database perf

 

Author Comment

by:ISIS2004
ID: 11735291
Actually, not to split hairs here, but that is what we have done.

For example:

Web server: SERVER01.DOMAIN.COMPANY.COM where DOMAIN.COMPANY.COM is the name of our Active Directory domain

We used DOMAIN as the default domain name for Basic Authentication.

However, in the logon prompt for the SSL-secured page the users see

SERVER01.DOMAIN.COMPANY.COM\username

in the username field instead of

DOMAIN.COMPANY.COM\username

or simply

DOMAIN\username

Thanks,
Tim
0
 
LVL 37

Expert Comment

by:meverest
ID: 11735714
ok,

what about using windows integrated auth - disable plain text authentication, then the ie browser will just send the credentials used to log on to the local AD domain by default.

cheers,  Mike.
0
 

Author Comment

by:ISIS2004
ID: 11736217
Well, you know we tried enabling only the Windows Integrated Authentication (and disabling the Basic Authentication). However, the logon box still gave the servername\username deal in the logon box.

Should we have bounced the IIS server? I didn' t think it was necessary, but maybe we should have tried that...
0
 
LVL 37

Expert Comment

by:meverest
ID: 11740621
Hi,

no - you needn't bounce the server to apply those changes.

is the iis server associated with the windows domain at all?  try adding the server to the AD domain regime.

Cheers.
0
 
LVL 14

Accepted Solution

by:
alimu earned 500 total points
ID: 11790463
ok - the site will always prompt for authentication against the local SAM first.  User needs to enter username@domain or domain\user to authenticate successfully.
More info in this thread: http://www.derkeiler.com/Newsgroups/microsoft.public.inetserver.iis.security/2004-06/0192.html

This still doesn't explain why some of your users are getting prompts and others aren't.
Are your users all using IE - it's the only browser that supports Integrated logon.
Have you checked out account lockouts / whether user has changed their password that day / clearing out cache and restarting problem browser?
0
 

Author Comment

by:ISIS2004
ID: 11792094
Thanks, alimu. The bottom line is that I need to instruct my users to submit their credentials as domain\user or username@domain, as you said.

-Tim
0
 
LVL 14

Expert Comment

by:alimu
ID: 11806074
that's correct - if they're getting a logon box this is the case.
With integrated authentication they shouldn't get prompted for credentials unless they are in a different domain to the server.  If you've got a single domain for clients & web server, users still getting prompted would indicate an NTFS permission problem on the web server files or possibly a client side issue.
0

Featured Post

Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Running classic asp applications under Windows Server 2008 R2 (x64) and IIS 7 is not as easy as one may think. It took me a while to figure it out while getting error 8002801d a few times. After you install the OS you will need to install the fol…
As tax season makes its return, so does the increase in cyber crime and tax refund phishing that comes with it
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question