IIS integrated authentication prompting for credentials

A customer of mine has the following issue:
They recently changed their IIS authentication from anonymous login to integrated authentication for their intranet site.
Everything is working, except they do not want to be prompted for credentials.
When the user account is NOT in this specific group, they do NOT get prompted for credentials.
When the user account is IN the specific group, they DO get prompted for credentials.

I suspect either some sort of misconfiguration in IIS OR a conflicting setting in the policy applied to that group. Now I checked with the customer that in the security tab of the home directory for the website, the group has read and execute permission.
I have the RSOP for both when the user is in the group and when the user is not in the group; the only difference is this one additional policy that is applied.
Within this policy there are many settings defined, including IE restrictions. Now does anyone know of any specific policies that would affect this integrated authentication, short of me copying and pasting the whole RSOP on here? I can paste it at expert request.

Any ideas and help appreciated on this issue.
supportsolutions Asked:

Kevin Hays, IT Analyst, Commented:
Well, I know that someone had a problem similar to this the other day. They were always getting prompted for their username and password. When they started using the FQDN instead of the IP they were not prompted.

Maybe that could be the problem?
0
supportsolutions, Author, Commented:
Possible,
but it doesn't explain why the outcome changes when the group membership changes.

I am assuming it's going to be related to this policy conflicting with or restricting IE in some way.
The policy is essentially a lockdown policy.

I'm assuming there might be some information in the IIS logs; I am going to check.
0
Kevin Hays, IT Analyst, Commented:
I agree, the more I thought about it. You need to see what that group's permissions are on the site or folder they are trying to access.

Or it's somewhere in the policy and it's just a matter of weeding through all the settings to find the one that could possibly be the problem.  Does this happen when they are in both groups at the same time?  It shouldn't happen unless there is a "deny" listed for that one specific group that you are talking about.

Kevin
0

Kini pradeep, Principal Cloud and security consultant, Commented:
Is this site listed under the local intranet zone?
Log in as a user who is asked to enter the username/password and check what zone this site is listed in. Also, in IE go to Tools, Internet Options, Security, highlight Local intranet and open the custom settings.
Under custom settings, under user authentication, check that "automatic logon with current user name and password" is selected.
It's under IE policies: Computer config > Admin templates > IE > IE control panel > Security page > Local intranet, and under that check the logon options.

Cheers!
0
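The zone membership and logon setting discussed in the comment above can be read directly from the registry in the affected user's session. This is an added example, not part of the original thread; it assumes PowerShell 3.0 or later on the client, reads the standard Internet Explorer zone keys, and changes nothing.

```powershell
# Added example: run in the session of a user who gets the credential prompt.
$roots = [ordered]@{
    'Preference' = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    'Policy'     = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
}
# Meaning of value 1A00 (the logon setting) inside a zone key.
$logonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

function Get-ZoneLogonMode {
    param([string]$Path)   # full provider path to a Zones\<n> key
    $v = (Get-ItemProperty -Path $Path -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    if ($null -eq $v) { return 'not set' }
    if ($logonModes.ContainsKey([int]$v)) { return $logonModes[[int]$v] }
    return ('unrecognised value 0x{0:X}' -f $v)
}

function Get-ZoneMapEntry {
    param([string]$Path)   # full provider path to a ZoneMap key
    # Domains holds host names, Ranges holds IP addresses; value data is the zone number.
    Get-ChildItem -Path "$Path\Domains", "$Path\Ranges" -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{ Key = $key.Name; Name = $name; Data = $key.GetValue($name) }
            }
        }
}

foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($kind in $roots.Keys) {
        $root = "${hive}:\$($roots[$kind])"
        # Zone 1 is Local intranet.
        "{0} {1}: intranet zone logon = {2}" -f $hive, $kind, (Get-ZoneLogonMode "$root\Zones\1")
        Get-ZoneMapEntry "$root\ZoneMap" | Format-Table -AutoSize | Out-String
    }
}

# When this policy value is 1, IE uses the machine (HKLM) zone settings only.
$machineOnly = (Get-ItemProperty -Path "HKLM:\$($roots['Policy'])" -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue).Security_HKLM_only
"Security_HKLM_only = $machineOnly"
```

Running it once as a user in the group and once as a user outside it, then comparing the two outputs, shows whether the extra policy changes the intranet zone's logon mode or the site-to-zone mapping.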
supportsolutions, Author, Commented:
Good ideas.
The Computer config portion of the policy is disabled.
I was testing here in the virtual environment, with the following settings:
User configuration - Windows Settings - IE maintenance - Security - Security zones and content ratings.
I set "import the current security zones and privacy settings", modified the settings and added the IIS server's IP address to the intranet sites, at the same time selecting "automatic login only in intranet zone".

Now when I log in with this user, gpresult shows that the policy is applied.
However, when I look under the Security tab, intranet zone, in IE options, the IP address that I set for the IIS server does not show. Why? If I look in the policy then it's there, but it does not seem to be applied...

Another interesting thing I notice is when looking at the RSOP: I dig down to the setting in the policy I applied.
After digging down to Security Zones and Content Ratings I double-click, and everything is greyed out, with the setting "do not customize security zones and privacy" selected but greyed out.
When I look at the "Security zones precedence" tab,
I see my IE auto authenticate GPO, but beside it under Setting it says "disabled".

Why does gpresult say the policy is applied but RSOP says the GPO is disabled?
I've tried No Override and it doesn't make a difference.

I'm lost, lol.


0
supportsolutions, Author, Commented:
Also, I found this:
http://technet2.microsoft.com/WindowsServer/en/library/22fffeb1-66a3-4d5c-bc12-def57c3354fa1033.mspx?mfr=true

Where it states:
"The policy for the feature needs to be enabled for the process — for example, IExplore.exe — before the zones’ individual security setting policies or preferences will be applied"

So do I need to enable the policy this article is talking about, and if so, how do I do that in Windows 2000 if it's a 2003 policy?
0
supportsolutions, Author, Commented:
Am I getting off track here? It still comes down to this: if the user has this original policy they get prompted; if they don't have this operator policy, then they do not get prompted.
0
Kevin Hays, IT Analyst, Commented:
If it's a Windows 2003 policy you will need to update your adm files to support the 2003 settings. Basically it's just a copy over of the *.adm files from the 2003 server or XP system. You could always do gpresult /v > GPOresult.txt from the command window on the target server to get a list of policies being applied as well.

Cheers
0


Question has a verified solution.
