[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


MOSS 2007 Authentication Problems

Posted on 2009-12-16
Medium Priority
Last Modified: 2013-12-08

We are currently running a Moss 2007 server as an intranet document solution in an active directory 2003 domain.

After adding a second access mapping to the default zone through "alternative access mappings" under "operations" in the central administration, users are prompted for a username and password at random intervals while browsing the site - especially when trying to access a document.

Usually, the user can click cancel, and access the ressource as desired, sometimes the user recieves multiple prompts and then finally an error message from IIS:
"HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration favoring an alternate authentication method"

The authentication providers for the site were not modified, and both access mappings use the same settings, i.e. the web application was not "extended".

Here are the current settings we are using:
IIS 6.0 - Website Security:
Anonymous Access = Off
Authentication: Integrated Windows Authentication

In the application's web.config:
    <authentication mode="Windows" />
    <identity impersonate="true" />

The application's authentication provider:
Method: Windows
Integrated Windows Authentication: On / NTLM
Clientintegration: Activated

I could not find any file permission related issues, and tracing access with filemon returned no results of access denied (which would return another HTTP status code anyways).

Thinking that I (even tho adding a mapping shouldn't produce such effects) may have made a mistake, I reverted the changes manually. As that didn't change anything, I restored the config-database from a date before the changes were made, and cleared the file system cache as described under KB 939308, but to no avail.

Does anyone have any other ideas what I could change to allow the normal active directory user credentials to be passed on to the sharepoint application?

We are not accessing any resources on other servers, or going through proxys or whatever, which could produde the "double-hop" effect while using NTLM auth.

I (and the rest of our MOSS users ;-) )would be grateful for any suggestions you may have that could help!

Thanks in advance!
Question by:eSourceONE
  • 5
  • 4

Expert Comment

ID: 26063963

what are your setting for the AAM.

Keep in mind that the Zone within AAM is not just a name - an URL can work fine for one Zone and for another zone it doesn't.

LVL 44

Accepted Solution

zephyr_hex (Megan) earned 1000 total points
ID: 26064077
there are two articles i'd recommend that you read.  first, AAM:

and then also, take a look here for common reasons for that authentication prompt:  (in particular, look at the IE setting):

Author Comment

ID: 26070237
Thanks for the links - I will look into them.

The AAM / Zone settings are quite simple:
Default zone URL: http://machinename.domainname.local
There is another AAM for the default zone in the form of http://machinename

My predecessors had set the machine name to be the default and only URL for the application. Adding the FQDN was neccessary, due to the fact that some people (VPN-Users, etc), had problems looking up the Netbios name and experienced performance problems from other sites.

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 26080015

after reading zephyr_hex's links, I decided to test adding the sites to the local intranet zone in the browsers security settings. After testing this on my local computer, I set this up on the other affected computers.

The problem isn't really solved, but a decentralized workaround was set up, as the login prompt no longer appears.

Author Closing Comment

ID: 31666759
The problem affecting all clients was not solvable through a centralized solution.

An accurate solution was also not presented through the links, but merely a hint.
LVL 44

Expert Comment

by:zephyr_hex (Megan)
ID: 26081483
what was your decentralized workaround?

Author Comment

ID: 26095350

I simply added the MOSS Application's URL to the zone "local intranet" in the IE settings, and ensured that the setting "log on using current credentials" was activated. Once this was tested (no Auth-Promt appeared), the settings were pushed via Group Policy. (At first decentralized because I set it up on individual clients).

Unfortunately, I have never had to change a client setting to permit users to log on to Sharepoint using their AD users accounts automatically, and I believe I'm "ignoring" the actual problem.

We do intend on upgrading to MOSS 2010 soon, and hope that the problem will be resolved automatically by then.

Thanks for the help!
LVL 44

Expert Comment

by:zephyr_hex (Megan)
ID: 26139564
actually, you're not ignoring the core problem.  if you don't want to see the prompt, you need to have the site added to IE intranet or trusted zone, and have that zone configured to pass the credentials.  it's a browser thing, not a sharepoint thing.

so, upgrading MOSS will not change this situation.

Author Comment

ID: 26143593
Well, that might be true, but the fact that the site ran for over a year without once asking for user credentials, makes me wonder what caused it. Obviously something had to change. Unfortunately the only change was to add the AAM as mentioned in the initial post.

LVL 44

Expert Comment

by:zephyr_hex (Megan)
ID: 26182440
actually, what you are describing is a browser issue, not a sharepoint issue.

you have to configure the browser to pass along the credentials.  you aren't ignoring the core issue.  it's the way it works.

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Several part series to implement Internet Explorer 11 Enterprise Mode
When using a search centre, I'm going to show you how to configure Sharepoint's search to only return results from the current site collection. Very useful when using Office 365 with multiple site collections.
How to create a custom search shortcut to site-search Experts Exchange using Google in the Firefox browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch your Bookmark Menu: Press 'Ctrl +…
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…
Suggested Courses
Course of the Month18 days, 15 hours left to enroll

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question