Solved

Intranet Zone: authentication not possible

Posted on 2009-03-31
15
1,267 Views
Last Modified: 2013-12-08
Situation:

Datacenter:
2008 AD
IIS 7
Website with 'Windows Authentication' enabled (e.g. https://intranet.fqdn.something)

Clients:
HP 6730b laptops
Domain member
Windows XP SP3
IE 7
Intranet zone: https://intranet.fqdn.something

The clients access the servers through a static IPSEC connection while in the office, and through a Citrix Secure Access Client while 'on the road'.

Problem:
When the clients try to access the Intranet website while on the road (e.g. at home) and are not connected through the VPN client, they cannot access the Intranet website:

"Cannot find server" is displayed in IE.

The Event log on the client shows the reason:
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
"The Security System detected an attempted downgrade attack for server HTTP/intranet.fqdn.something.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.  (0xc000005e)".

The failure reason itself is correct: when the client is not connected through VPN there is no server (= domain controller) to service the logon request. It looks like this behaviour is related to Security Bulletin MS04-011: http://support.microsoft.com/default.aspx/kb/891559/en-us

The problem I'm facing is that IE does not offer an alternative way to authenticate the user (for example a password prompt). When I remove the URL from the Intranet zone in IE, the browser correctly displays a username/password prompt.
The client, however, would like to have 'single sign-on', which works only when the URL is placed in the Intranet zone.

Thanks in advance for your feedback!
0
Question by:pistole
15 Comments
 
LVL 41

Expert Comment

by:graye
ID: 24029926
Pardon my confusion, but isn't that the way it's supposed to work?
If you were at home, and NOT using VPN, then you shouldn't have access to any Intranet website
0
 
LVL 1

Author Comment

by:pistole
ID: 24036972
Hi graye,

Thanks for your response. I'm not 100% sure whether that behaviour is 'by design' in IE; if you have a link to a Microsoft document that clearly states it, I would be pleased.
0
 
LVL 3

Expert Comment

by:tyronenoel
ID: 24037273
When on the road you can't access the intranet. The reason for this is that your computer needs to be on a local network with a local DNS server to access the site. The VPN creates the illusion that you are on the network when in fact you are not. When you are not on the network and not on a VPN, internet browsers will look at the DNS server allocated to them by each individual's ISP and find no records, thus giving you the error you receive. The only way to get around this is to turn your intranet into a website and apply for a domain. The downside is that it is then accessible by members of the public.
0
 
LVL 1

Author Comment

by:pistole
ID: 24037515
Tyronenoel;

It's an (externally available) extranet with a public FQDN. The problem is pure authentication: when I remove the URL from the Intranet Zone, the browser shows a username+password pop-up, and all is well.
0
 
LVL 3

Expert Comment

by:tyronenoel
ID: 24057404
Oh, OK, well then, sorted :)
0
 
LVL 1

Author Comment

by:pistole
ID: 24072615
Well, not really, since my customer would like to use 'single sign-on' where possible...

I already read something about Kerberos, delegation, etc. (see: http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/19/512.aspx), so I guess my solution should be found there. To be continued?
0
 
LVL 3

Expert Comment

by:tyronenoel
ID: 24074584
Where have you set the computer to look up the IP address when on a local network/intranet? Have you set it up in the "hosts" file or on your local DNS server?
0
 
LVL 1

Author Comment

by:pistole
ID: 24091270
Hi,

Sorry, I guess I didn't explain well the first time.
The "intranet" resides on a server that's accessible via a public IP address. Resolving works fine.

The problem is that when the clients are not connected through VPN, they cannot authenticate (because the domain controller is not reachable), and give up.

Clients can be anywhere: at home, at another client's office, mobile, etc.
0
 
LVL 3

Expert Comment

by:tyronenoel
ID: 24094279
OK, so when the staff are in your office they use the same FQDN?
0
 
LVL 1

Author Comment

by:pistole
ID: 24101841
That's correct. And the site will open up, automatically authenticating using the credentials with which the staff log into the laptop.

I managed to reproduce this exact behaviour in a different environment, also using IIS7.
0
 
LVL 3

Expert Comment

by:tyronenoel
ID: 24104376
OK, like you said, it just cannot connect to the domain controller. The other option is to give the domain controller a FQDN and set that up in each machine as the domain controller, but I do not suggest this as it will open up too many security risks and create a very slow network as everything has to be done via the internet... I think the best thing is to keep the VPN running and work like that.
0
 
LVL 1

Author Comment

by:pistole
ID: 24111557
tyronenoel,

Thanks for thinking along, but this is not a real solution to the problem.
Next week I'll read all articles about Kerberos and delegation* -- I expect (and hope!) to find a solution there.

I will of course update this topic.

* http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/19/512.aspx
0
 
LVL 3

Expert Comment

by:tyronenoel
ID: 24182164
Cool, thanks, let me know as I am also interested in setting our intranet to be publicly available.
0
 
LVL 1

Accepted Solution

by: pistole (earned 0 total points)
ID: 24368435
Well, it took quite some time to find a relatively simple solution: I turned off the feature 'Enable Integrated Windows Authentication' in Internet Explorer, which basically means that IE will not try to use Kerberos-based authentication (at all). It will then fall back to NTLM authentication, which works perfectly across the internet.

Thanks all for your time :)
0
 
LVL 2

Expert Comment

by:agileblowfish
ID: 24975626
pistole's solution worked for me as well. This is in Internet Options in the Advanced tab.
0
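The accepted solution and the confirming comment above describe a manual change in the Internet Options dialog. The PowerShell script below is an added example written for this page; it is not code from the thread's participants. It inspects the per-user IE settings that drive the behaviour discussed in the thread (the Intranet zone mapping for the site and the 'Enable Integrated Windows Authentication' checkbox, which IE stores as the EnableNegotiate registry value), lists the LSASRV 40960 events quoted in the question so the symptom can be confirmed on a client, and applies pistole's fix only when asked. The host name is a placeholder taken from the question; run it as the affected user.

```powershell
# Added example (not from the original thread): check the IE settings behind the
# Kerberos "downgrade attack" symptom and optionally apply the accepted fix.
# Assumptions: runs as the affected user on the client; $SiteHost is a placeholder.
param(
    [string]$SiteHost = 'intranet.fqdn.something',  # placeholder host from the question
    [switch]$DisableIntegratedAuth                   # apply the fix only when requested
)

$inetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';    4 = 'Restricted sites' }

# 1. Which security zone is the site mapped to for this user?
#    IE stores per-site mappings under ZoneMap\Domains\<domain>\<host>, one value
#    per scheme (http / https) holding the zone number. Only zone 1 (Local intranet)
#    makes IE send the logged-on credentials silently, which is the SSO the client wants.
$labels    = $SiteHost.Split('.')
$domainKey = Join-Path $inetSettings ('ZoneMap\Domains\' + ($labels[-2..-1] -join '.'))
$hostKey   = Join-Path $domainKey ($labels[0..($labels.Length - 3)] -join '.')
$mapping   = $null
foreach ($key in @($hostKey, $domainKey)) {           # host entry wins over domain entry
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['https']) { $mapping = $props.https; break }
}
if ($null -eq $mapping) {
    "Zone for https://$SiteHost : no explicit mapping (defaults to Internet)"
} else {
    "Zone for https://$SiteHost : $mapping ($($zoneNames[[int]$mapping]))"
}

# 2. Is 'Enable Integrated Windows Authentication' on? When the value is missing or 1,
#    IE offers Negotiate (Kerberos first). With 0 it offers NTLM only, which is the
#    accepted solution: NTLM does not need the client to reach a domain controller.
$neg = (Get-ItemProperty -Path $inetSettings -Name EnableNegotiate -ErrorAction SilentlyContinue).EnableNegotiate
if ($null -eq $neg -or $neg -eq 1) {
    'Integrated Windows Authentication: ENABLED (Negotiate/Kerberos attempted first)'
} else {
    'Integrated Windows Authentication: DISABLED (NTLM only)'
}

# 3. Show the most recent LSASRV 40960 events, the symptom quoted in the question.
#    Get-EventLog works on Windows XP; the message is flattened to one line per event.
Get-EventLog -LogName System -Source LSASRV -InstanceId 40960 -Newest 5 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-List

# 4. Apply pistole's fix on request. This is equivalent to unchecking
#    'Enable Integrated Windows Authentication' on the Advanced tab; IE must be restarted.
if ($DisableIntegratedAuth) {
    Set-ItemProperty -Path $inetSettings -Name EnableNegotiate -Value 0 -Type DWord
    'EnableNegotiate set to 0: IE will use NTLM for all sites after a restart.'
}
```

Running the script without the switch only reports; with -DisableIntegratedAuth it writes the same value the Advanced-tab checkbox writes. The trade-off worth noting for anyone adopting this fix is that EnableNegotiate is a per-user, browser-wide setting: with it set to 0, IE never uses Kerberos for any site, so scenarios that depend on Kerberos (such as the delegation setups in the adopenstatic article linked earlier in the thread) will stop working for that user, while sites that accept NTLM continue to get single sign-on.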
