Solved

IIS integrated authentication prompting for credentials

Posted on 2007-03-21
Last Modified: 2013-12-05
Customer of mine has the following issue:
They recently changed their IIS authentication from anonymous login to integrated authentication for their intranet site.
Everything is working, except they do not want to be prompted for credentials.
When the user account is NOT in this specific group, they do NOT get prompted for credentials.
When the user account is IN the specific group, they DO get prompted for credentials.

I suspect either some sort of misconfiguration in IIS OR a conflicting setting in the policy applied to that group.  Now I checked with the customer that in the security tab of the home directory for the website, the group has read and execute permission.
I have the RSOP for both when the user is in the group and when the user is not in the group; the only difference is this one additional policy that is applied.
Within this policy there are many settings defined, including IE restrictions.  Now does anyone know of any specific policies that would affect this integrated authentication, short of me copying and pasting the whole RSOP on here?  I can paste it at expert request.

Any ideas and help appreciated on this issue.
Question by:supportsolutions
8 Comments
 
LVL 16

Expert Comment

by:kshays
ID: 18767824
Well I know that someone had a problem similar to this the other day.  They were always getting prompted for their username and password.  When they started using fqdn instead of IP they were not prompted.

Maybe that could be the problem?
0
 
LVL 4

Author Comment

by:supportsolutions
ID: 18767949
Possible,
but doesn't explain why when the group membership changes the outcome changes.

I am assuming it's going to be related to this policy conflicting or restricting IE in some way.
The policy is essentially a lockdown policy.

I'm assuming there might be some information in the IIS logs; I am going to check.
0
 
LVL 16

Expert Comment

by:kshays
ID: 18768015
I agree the more I thought about it.  You need to see what those groups' permissions are on the site or folder they are trying to access.

Or it's somewhere in the policy and it's just a matter of weeding through all the settings to find the one that could possibly be the problem.  Does this happen when they are in both groups at the same time?  It shouldn't happen unless there is a "deny" listed for that one specific group that you are talking about.

Kevin
0
 
LVL 13

Expert Comment

by:Kini pradeep
ID: 18769270
Is this site listed under the local intranet zone?
If you log in as a user who is asked to enter the username/pswd, check what zone this site is listed in. Also in IE: Tools, Internet Options, Security, highlight Local intranet and Custom settings.
Under custom settings, under user authentication, automatic logon with current user name and pswd is checked.
It's under IE policies: Computer Config -- Admin Templates -- IE -- IE Control Panel -- Security Page -- Local Intranet, and under that check the logon options.

cheers !!
0
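The zone and logon checks described in the comment above can also be read straight from the registry while logged on as the affected user. This is an added example, not part of the original thread; the function names, the `-Server` parameter and the sample address are hypothetical, and it assumes PowerShell 3.0 or later on the client.

```powershell
# Added example. Run as the affected user on the client.
$is  = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$pol = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1A00 is the zone's "User Authentication > Logon" setting.
$logonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

function Get-IntranetLogonSetting {   # hypothetical helper name
    # Zone 1 = Local intranet. A policy value overrides the user's preference.
    $sources = [ordered]@{
        'Machine policy'  = "HKLM:\$pol\Zones\1"
        'User policy'     = "HKCU:\$pol\Zones\1"
        'User preference' = "HKCU:\$is\Zones\1"
    }
    foreach ($name in $sources.Keys) {
        $v = (Get-ItemProperty $sources[$name] -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
        [pscustomobject]@{
            Source  = $name
            Value   = if ($null -ne $v) { '0x{0:X5}' -f $v } else { '(not set)' }
            Meaning = if ($null -ne $v) { $logonModes[[int]$v] } else { '' }
        }
    }
}

function Get-IntranetRangeEntry {     # hypothetical helper name
    param([Parameter(Mandatory)][string]$Server)   # IP address exactly as entered in the policy
    foreach ($root in "HKCU:\$is", "HKCU:\$pol", "HKLM:\$pol") {
        # IP addresses are stored as ZoneMap\Ranges\RangeN with a ':Range' value;
        # the other values are protocol names whose data is the zone number.
        Get-ChildItem "$root\ZoneMap\Ranges" -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.':Range' -eq $Server) {
                $zones = $p.PSObject.Properties |
                    Where-Object { $_.Name -notlike 'PS*' -and $_.Name -ne ':Range' } |
                    ForEach-Object { "$($_.Name)=$($_.Value)" }
                [pscustomobject]@{ Key = $_.Name; Range = $p.':Range'; Zones = $zones -join ', ' }
            }
        }
    }
}

# If this is 1, IE ignores per-user zone settings and uses only the machine's.
$hklmOnly = (Get-ItemProperty "HKLM:\$pol" -Name Security_HKLM_only -ErrorAction SilentlyContinue).Security_HKLM_only
"Security_HKLM_only = $hklmOnly"
Get-IntranetLogonSetting | Format-Table -AutoSize
Get-IntranetRangeEntry -Server '192.0.2.10'   # constructed address; use the IIS server's IP
```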
 
LVL 4

Author Comment

by:supportsolutions
ID: 18796613
Good ideas,
Computer config portion of the policy is disabled.
I was testing here in the virtual environment, with the following settings:
User configuration - Windows Settings - IE maintenance - security - security zones and content ratings.
I set "import the current security zones and privacy settings", modify settings, and add the IIS server's IP address to the intranet sites, at the same time selecting "automatic login only in intranet zone".

Now when I log in with this user, gpresult shows that the policy is applied.
However, when I look under the security tab - intranet zone in IE options, the IP address that I set for the IIS server does not show. Why? If I look in the policy then it's there but does not seem to be applied...

Another interesting thing I notice is when looking at the RSOP, I dig down to the setting in the policy I applied.
After digging down to Security Zones and Content Ratings I double click, and everything is greyed out with the setting "do not customize security zones and privacy" selected but greyed out.
When I look at the "Security zones precedence" tab
I see my IE auto authenticate GPO but beside it under setting it says "disabled".

Why does gpresult say the policy is applied but RSOP says the GPO is disabled?
I've tried no override and it doesn't make a difference.

I'm lost lol


0
 
LVL 4

Author Comment

by:supportsolutions
ID: 18796634
Also, I found this
http://technet2.microsoft.com/WindowsServer/en/library/22fffeb1-66a3-4d5c-bc12-def57c3354fa1033.mspx?mfr=true

Where it states:
"The policy for the feature needs to be enabled for the process — for example, IExplore.exe — before the zones’ individual security setting policies or preferences will be applied"

So do I need to enable the policy this article is talking about, and if so how do I do that in Windows 2000 if it's a 2003 policy?
0
 
LVL 4

Author Comment

by:supportsolutions
ID: 18796808
Am I getting off track here?  It still comes down to: if the user has this original policy they get prompted, if they don't have this operator policy, then they do not get prompted.
0
 
LVL 16

Accepted Solution

by:
kshays earned 500 total points
ID: 18798806
If it's a Windows 2003 policy you will need to update your adm files to support the 2003 settings.  Basically it's just a copy over of the *.adm files from the 2003 server or XP system.  You could always do gpresult /v > GPOresult.txt from the command window on the target server to get a list of policies being applied as well.

Cheers
0
