supportsolutions

IIS integrated authentication prompting for credentials

Customer of mine has the following issue:
They recently changed their IIS authentication from anonymous login to integrated authentication for their intranet site.
Everything is working, except they do not want to be prompted for credentials.
When the user account is NOT in this specific group, they do NOT get prompted for credentials.
When the user account is IN the specific group, they DO get prompted for credentials.

I suspect either some sort of misconfiguration in IIS or a conflicting setting in the policy applied to that group. I checked with the customer that, in the Security tab of the home directory for the website, the group has Read and Execute permission.
I have the RSoP for both cases, when the user is in the group and when the user is not in the group; the only difference is this one additional policy that is applied.
Within this policy there are many settings defined, including IE restrictions. Does anyone know of any specific policies that would affect this integrated authentication, short of me copying and pasting the whole RSoP on here? I can paste it at expert request.

Any ideas and help appreciated on this issue.
Kevin Hays

Well, I know that someone had a problem similar to this the other day. They were always getting prompted for their username and password. When they started using the FQDN instead of the IP, they were not prompted.

Maybe that could be the problem?
supportsolutions

ASKER

Possible,
but it doesn't explain why the outcome changes when the group membership changes.

I am assuming it's going to be related to this policy conflicting with or restricting IE in some way.
The policy is essentially a lockdown policy.

I'm assuming there might be some information in the IIS logs; I am going to check.

I agree the more I thought about it. You need to see what those groups' permissions are on the site or folder they are trying to access.

Or it's somewhere in the policy and it's just a matter of weeding through all the settings to find the one that could possibly be the problem.  Does this happen when they are in both groups at the same time?  It shouldn't happen unless there is a "deny" listed for that one specific group that you are talking about.

Kevin
Is this site listed under the Local intranet zone?
If you log in as a user who is asked to enter the username/password, check what zone this site is listed in. Also, in IE: Tools, Internet Options, Security, highlight Local intranet and open Custom settings.
Under Custom settings, under User Authentication, "Automatic logon with current user name and password" is checked.
It's under the IE policies: Computer Config -- Admin Templates -- IE -- IE Control Panel -- Security Page -- Local Intranet, and under that check the logon options.

cheers !!
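
The zone mapping and logon option that the answer above points to can also be read straight from the registry. This is an added example, not from the thread; it assumes a client with PowerShell 3.0 or later and reads the standard Internet Settings keys for machine policy, user policy and user preference:

```powershell
# Added example (not from the thread): list Internet Explorer zone mappings and
# each zone's logon mode (URL action 1A00) from policy and preference hives.
$roots = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',  # computer policy
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',  # user policy
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'            # user preference
)
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$logonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

function Get-ZoneMapEntry([string]$Root) {
    foreach ($kind in 'Domains', 'Ranges') {
        $path = "$Root\ZoneMap\$kind"
        if (-not (Test-Path $path)) { continue }
        foreach ($key in Get-ChildItem $path -Recurse) {
            # Ranges store the address in ':Range'; Domains use the key path itself.
            $site = if ($kind -eq 'Ranges') { $key.GetValue(':Range') } else { $key.Name -replace '^.*\\Domains\\', '' }
            foreach ($proto in $key.GetValueNames() | Where-Object { $_ -and $_ -ne ':Range' }) {
                [pscustomobject]@{ Source = $Root; Site = $site; Protocol = $proto
                                   Zone = $zoneNames[[int]$key.GetValue($proto)] }
            }
        }
    }
}

function Get-ZoneLogonMode([string]$Root) {
    foreach ($zone in 1..4) {
        $v = (Get-ItemProperty "$Root\Zones\$zone" -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
        if ($null -ne $v) {
            [pscustomobject]@{ Source = $Root; Zone = $zoneNames[$zone]; Logon = $logonModes[[int]$v] }
        }
    }
}

# When Security_HKLM_only is 1, per-user zone settings are ignored.
$hklmOnly = (Get-ItemProperty $roots[0] -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue).Security_HKLM_only
"Security_HKLM_only = $hklmOnly"
$roots | ForEach-Object { Get-ZoneMapEntry $_ }  | Format-Table -AutoSize
$roots | ForEach-Object { Get-ZoneLogonMode $_ } | Format-Table -AutoSize
```

Run it as an affected user and as an unaffected one and compare the output: a site that is missing from the Local intranet mapping, or a zone whose logon mode is "Prompt for user name and password", accounts for a credential prompt.
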
Good ideas.
The Computer Configuration portion of the policy is disabled.
I was testing here in the virtual environment, with the following settings:
User configuration - Windows Settings - IE maintenance - security - security zones and content ratings.
I set "import the current security zones and privacy settings", modified the settings and added the IIS server's IP address to the intranet sites, at the same time selecting "automatic login only in intranet zone".

Now when I log in with this user, gpresult shows that the policy is applied.
However, when I look under the security tab, intranet zone, in IE options, the IP address that I set for the IIS server does not show. Why? If I look in the policy then it's there, but it does not seem to be applied...

Another interesting thing I notice is when looking at the RSoP, I dig down to the setting in the policy I applied.
After digging down to Security Zones and Content Ratings I double-click, and everything is greyed out, with the setting "do not customize security zones and privacy" selected but greyed out.
When I look at the "Security zones precedence" tab,
I see my IE auto authenticate GPO, but beside it under Setting it says "disabled".

Why does gpresult say the policy is applied but RSoP says the GPO is disabled?
I've tried No Override and it doesn't make a difference.

I'm lost lol


Also, I found this
http://technet2.microsoft.com/WindowsServer/en/library/22fffeb1-66a3-4d5c-bc12-def57c3354fa1033.mspx?mfr=true

Where it states:
"The policy for the feature needs to be enabled for the process — for example, IExplore.exe — before the zones’ individual security setting policies or preferences will be applied"

So do I need to enable the policy this article is talking about, and if so, how do I do that in Windows 2000 if it's a 2003 policy?
Am I getting off track here? It still comes down to this: if the user has this original policy they get prompted; if they don't have this operator policy, then they do not get prompted.
ASKER CERTIFIED SOLUTION
Kevin Hays