Solved

IIS integrated authentication prompting for credentials

Posted on 2007-03-21
Last Modified: 2013-12-05
A customer of mine has the following issue:
They recently changed their IIS authentication from anonymous login to integrated authentication for their intranet site.
Everything is working, except they do not want to be prompted for credentials.
When the user account is NOT in this specific group, they do NOT get prompted for credentials.
When the user account is IN the specific group, they DO get prompted for credentials.

I suspect either some sort of misconfiguration in IIS or a conflicting setting in the policy applied to that group. I checked with the customer that, in the Security tab of the home directory for the website, the group has read and execute permission.
I have the RSOP for both cases, when the user is in the group and when the user is not in the group; the only difference is this one additional policy that is applied.
Within this policy there are many settings defined, including IE restrictions. Does anyone know of any specific policies that would affect this integrated authentication, short of me copying and pasting the whole RSOP on here? I can paste it at expert request.

Any ideas and help appreciated on this issue.
Question by:supportsolutions
 
LVL 16

Expert Comment

by:kshays
ID: 18767824
Well I know that someone had a problem similar to this the other day.  They were always getting prompted for their username and password.  When they started using fqdn instead of IP they were not prompted.

Maybe that could be the problem?
0
 
LVL 4

Author Comment

by:supportsolutions
ID: 18767949
Possible,
but it doesn't explain why the outcome changes when the group membership changes.

I am assuming it's going to be related to this policy conflicting with or restricting IE in some way.
The policy is essentially a lockdown policy.

I'm assuming there might be some information in the IIS logs; I am going to check.
0
 
LVL 16

Expert Comment

by:kshays
ID: 18768015
I agree, the more I thought about it. You need to see what those groups' permissions are on the site or folder they are trying to access.

Or it's somewhere in the policy and it's just a matter of weeding through all the settings to find the one that could possibly be the problem.  Does this happen when they are in both groups at the same time?  It shouldn't happen unless there is a "deny" listed for that one specific group that you are talking about.

Kevin
0
 
LVL 13

Expert Comment

by:Kini pradeep
ID: 18769270
Is this site listed under the local intranet zone?
If you log in as a user who is asked to enter the username/pswd, check what zone this site is listed in. Also in IE: Tools, Internet Options, Security, highlight the local intranet and custom settings.
Under custom settings, under user authentication, automatic logon with current user name and pswd is checked.
It's under IE policies: Computer Config -- Admin Templates -- IE -- IE Control Panel -- Security Page -- Local Intranet, and under that check the logon options.

cheers !!
0
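A read-only way to run the check described in the comment above from the affected user's session, added here as an example and not part of the thread. The registry paths, the `1A00` logon values and `Security_HKLM_only` are the standard Internet Explorer zone settings; the function names are made up for this example.

```powershell
# Added example (not from the thread): read-only report of Local intranet zone settings.
$suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings'
$roots  = 'HKCU:\Software\Policies', 'HKCU:\Software',
          'HKLM:\Software\Policies', 'HKLM:\Software'

# URL action 1A00 is the zone's "Logon" setting under User Authentication.
$logonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

function Get-ZoneLogonSetting {            # hypothetical helper name
    param([string]$Root, [int]$Zone = 1)   # zone 1 = Local intranet
    $item = Get-ItemProperty -Path (Join-Path $Root "Zones\$Zone") -Name '1A00' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set' }
    $value = [int]$item.'1A00'
    if ($logonModes.ContainsKey($value)) { $logonModes[$value] } else { 'unknown (0x{0:X})' -f $value }
}

function Get-IntranetSiteMap {             # hypothetical helper name
    param([string]$Root)
    foreach ($kind in 'Domains', 'Ranges') {
        $base = Join-Path $Root "ZoneMap\$kind"
        if (-not (Test-Path $base)) { continue }
        foreach ($key in Get-ChildItem -Path $base -Recurse) {
            foreach ($name in $key.GetValueNames()) {
                # Protocol values (http, https, *) hold the zone number; 1 = Local intranet.
                if ($name -eq ':Range' -or $key.GetValue($name) -ne 1) { continue }
                if ($kind -eq 'Ranges') { $key.GetValue(':Range') }
                else { ($key.Name -split '\\ZoneMap\\Domains\\', 2)[1] }
            }
        }
    }
}

# When Security_HKLM_only is 1, IE ignores per-user zone settings entirely.
$machineOnly = (Get-ItemProperty -Path "HKLM:\Software\Policies\$suffix" -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue).Security_HKLM_only
"Use only machine settings: $([bool]$machineOnly)"

foreach ($r in $roots) {
    $root = Join-Path $r $suffix
    [pscustomobject]@{
        Hive          = $r
        IntranetLogon = Get-ZoneLogonSetting -Root $root
        IntranetSites = @(Get-IntranetSiteMap -Root $root | Select-Object -Unique) -join ', '
    }
}
```

Comparing the output for a user inside the group with one outside it shows whether the extra policy changes the intranet logon mode or the site-to-zone mapping; a value in a Policies hive takes precedence over the same value in the preference hive.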
 
LVL 4

Author Comment

by:supportsolutions
ID: 18796613
Good ideas.
The Computer Config portion of the policy is disabled.
I was testing here in the virtual environment, with the following settings:
User Configuration - Windows Settings - IE Maintenance - Security - Security Zones and Content Ratings.
I set "import the current security zones and privacy settings", modified the settings and added the IIS server's IP address to the intranet sites, at the same time selecting "automatic login only in intranet zone".

Now when I log in with this user, gpresult shows that the policy is applied.
However, when I look under the Security tab, intranet zone, in IE options, the IP address that I set for the IIS server does not show. Why? If I look in the policy then it's there, but it does not seem to be applied...

Another interesting thing I notice is when looking at the RSOP, I dig down to the setting in the policy I applied.
After digging down to Security Zones and Content Ratings I double-click, and everything is greyed out, with the setting "do not customize security zones and privacy" selected but greyed out.
When I look at the "Security zones precedence" tab,
I see my IE auto authenticate GPO, but beside it under Setting it says "disabled".

Why does gpresult say the policy is applied but RSOP says the GPO is disabled?
I've tried No Override and it doesn't make a difference.

I'm lost lol


0
 
LVL 4

Author Comment

by:supportsolutions
ID: 18796634
Also, I found this
http://technet2.microsoft.com/WindowsServer/en/library/22fffeb1-66a3-4d5c-bc12-def57c3354fa1033.mspx?mfr=true

Where it states:
"The policy for the feature needs to be enabled for the process — for example, IExplore.exe — before the zones’ individual security setting policies or preferences will be applied"

So do I need to enable the policy this article is talking about, and if so, how do I do that in Windows 2000 if it's a 2003 policy?
0
 
LVL 4

Author Comment

by:supportsolutions
ID: 18796808
Am I getting off track here? It still comes down to this: if the user has this original policy they get prompted; if they don't have this operator policy, then they do not get prompted.
0
 
LVL 16

Accepted Solution

by:
kshays earned 500 total points
ID: 18798806
If it's a Windows 2003 policy you will need to update your adm files to support the 2003 settings.  Basically it's just a copy over of the *.adm files from the 2003 server or XP system.  You could always do gpresult /v > GPOresult.txt from the command window on the target server to get a list of policies being applied as well.

Cheers
0
