Solved

Win 2008 Website Authentication

Posted on 2009-05-06
12
636 Views
Last Modified: 2013-12-04
We currently have a Win 2008 Standard Server setup for our websites and it's part of a domain and our AD for authentication. We have a few websites setup to only allow internal & authenticated people to access them. So in IIS7 for each of these websites under "Authentication" we have "Anonymous" disabled and "Basic Auth..." and "Win Auth..." enabled. The problem is when we try to access these websites on a PC using IE7 the browser is not able to login unless I enter my user name like "MyDomain\UserName" and my password. If I try to enter just "UserName" and password I get a "401 - Unauthorized: Access is denied due to invalid credentials."? But in FireFox it works fine just entering "UserName" and password no domain is required in the user name. Does anyone know how to resolve this? Any help is appreciated.

Thank you,

Mike
0
Comment
Question by:davisadmin
  • 5
  • 4
  • 3
12 Comments
 
LVL 37

Expert Comment

by:meverest
ID: 24324013
Hi,

disable 'windows auth' and use only 'basic auth' then IE will behave the same as firefox.

alternatively, if the local PC is logged on to the domain and the web site is in the IE 'trusted' zone, the user will not need to enter credentials at all (IE will use the logged on credentials automatically)

Cheers.
0
 

Author Comment

by:davisadmin
ID: 24326094
Hi meverest,

Thanks for your reply. Unfortunately our computers are not logging to the domain. They are stand alone since 95% of them are Macs. We only have a few PCs in the office and those are the ones that are having the problem. All Macs are able to login and authenticate using FireFox and Safari with no problems but the PCs that are using IE are the problem. I've tried what you suggested by disabling "Win Auth" and only having "Basic Auth" but now I can't login at all, not even with FireFox on both PC and Mac? Any other suggestions or configurations that I could try?

Thank you,

Mike
0
 

Author Comment

by:davisadmin
ID: 24326142
One thing I should mention is the Win 2008 server is not the domain control. It's part of the domain and the AD is not on this machine either. It's on another Win 2003 machine.

Mike
0
 
LVL 37

Expert Comment

by:meverest
ID: 24331222
Hi,

safari and firefox do not do windows auth, so there /should/ be no affect on their behavior from disabling windows auth.

do you have the default domain listed in the relevant field?

Cheers.
0
 
LVL 51

Expert Comment

by:tedbilly
ID: 24332907
Meverest: We use only Windows authentication with Safari and Firefox in our site.  The only thing Safari doesn't support is automatic logon.

Have you tried disabling 'Basic Authentication' and only using 'Windows Authentication' which is essentially encrypted NTLM authentication?
0
 

Author Comment

by:davisadmin
ID: 24332920
I've tried removing "win auth" and only having "basic auth" but then FireFox doesn't work either? It's strange but it's really happening and I'm sure why. It's the same on PC and Mac.

Mike
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 51

Expert Comment

by:tedbilly
ID: 24332927
I'll repeat my comment: "Have your tried disabling 'Basic Authentication' and only use 'Windows Authentication'?
0
 

Author Comment

by:davisadmin
ID: 24332937
tedbilly,

I've tried that as well but the problem is I don't want users to have to type "Domain\UserName". I would like them just to type "UserName" and their password to login. The strange thing is it works if I just use "UserName" + my password in the login with FireFox on both PC and Mac but if I try it with IE 7 it doesn't work. I have to put "Domain\UserName" + my password to login with IE 7. What is the difference that it works with FF but not IE?

Mike
0
 
LVL 51

Assisted Solution

by:tedbilly
tedbilly earned 62 total points
ID: 24333281
Sorry, but I don't think there is a viable solution.  The implementations are all too different.  Only a cookie based form authentication system would give you consistent results.
0
 
LVL 37

Accepted Solution

by:
meverest earned 63 total points
ID: 24343957

>> What is the difference that it works with FF but not IE?

hey - my comment above:

> safari and firefox do not do windows auth, so there /should/ be no affect on their behavior from disabling windows auth.

that is the difference.  IE is 'smart' (that's 'smart' with a capital Microsoft) so it is IIS-aware.

if the IE is logged in to some domain (even local machine) then it will probably try to send "computername\username" every time.

Take a look at the web server log files to see what the actual username passed is.  Also, you can use fiddler (www.fiddlertool.com) to inspect the http headers and see what username IE is sending.

Cheers!
0
 

Author Comment

by:davisadmin
ID: 24344648
Meverest,

Thanks for your reply. I did some tests with the following combination:

Test 1) Enabled "Win Auth" and "Basic Auth" both FF 3.x and IE 7 work, but for IE 7 I have to put "Domain\UserName" but for FF I only have to enter "UserName".

Test 2) Enabled "Basic Auth" and disabled "Win Auth" both work but I have to enter "Domain\UserName" for both FF and IE to be able to login. Where in test 1 above for FF I only had to enter "UserName" to login.

Test 3) Enabled "Win Auth" and disabled "Basic Auth" both FF and IE work. For IE I still have to enter "Domain\UserName" but for FF I only have to enter "UserName"

To conclude Tedbilly is correct. There is no other way but to do a form authentication. I will have to run this by other IT people here to see what they want to do.

Thank you to all who gave their input.

Mike
0
 
LVL 37

Expert Comment

by:meverest
ID: 24346768
OK - but it works OK for me.

Did you try using a protocol analyser (i.e. fiddlertool.com) to check what username IE is passing to your web server?  If you know exactly what it is doing, then that should give you at least some better understanding of what is going on.

Cheers!
0

Featured Post

Shouldn't all users have the same email signature?

You wouldn't let your users design their own business cards, would you? So, why do you let them design their own email signatures? Think of the damage they could be doing to your brand reputation! Choose the easy way to manage set up and add email signatures for all users.

Join & Write a Comment

If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
In this article, I will show you HOW TO: Perform a Physical to Virtual (P2V) Conversion the easy way from a computer backup (image).
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now