IIS 6 integrated authentication still prompts for credentials
Posted on 2009-07-15
I have an existing intranet website that uses anonymous authentication in IIS and handles user authentication via ASP. Each page checks for the existence of a session variable that is populated when the user successfully logs in. If that variable is null, the user is redirected to login.asp where they can login.
I want to use integrated authentication so users aren't prompted to enter a password. What I've done is changed the authentication settings on login.asp in IIS Manager. I disabled anonymous access for this page and set the only enabled authentication method to integrated windows authentication. The idea being, that when the user is redirected to login.asp, I can grab their windows username, set the session variable for them, and thus automatically log them in.
Here's the problem. When I browse to login.asp, I still get a authentication dialog box popup in the browser. I'm using Firefox and have added the sites URL to the "network.automatic-ntlm-auth.trusted-uris" parameter under about:config. I've checked the NTFS permissions on the file and verified that integrated windows authentication is selected for it in IIS Manager - but it still prompts me for authentication.
I created a new website in IIS for testing purposes. I created a new webroot folder and copied the login.asp file into it. I set the directory security options for this new test website to allow anonymous access and then manually set the authentication options on the login.asp file to only permit integrated windows auth. I added the test site's URL to firefox's list of NTLM sites and when I browse to login.asp on the test site, I am logged in automatically.
Here's the kicker - in IIS Manager, I changed the directory for the test website to the same directory as the existing intranet. Now when I browse to the test site, everything works perfectly, I am automatically logged in.
So, something about the configuration of the intranet site in IIS is screwy. Essentially, I've set up a duplicate website in IIS, pointing to the same webroot, with the same auth settings, and that one works but the original site doesn't.
I could just create a new site in IIS and disable the old one, but there are tons of virtual directories, and special settings on subfolders that I'd have to duplicate, which would be a lot of work.
Very frustrating...what am I missing?