Solved

Intermittent Windows Login Prompt on ASP .Net intranet

Posted on 2011-03-11
10
1,056 Views
Last Modified: 2012-05-11
Hello experts,

I've put together some simple intranet pages for work, using ASP .Net, all was going well until testers began reporting an issue about windows login prompts interrupting their experience.

What appears to be happening is a prompt is emerging for the server itself - I say this based on the username which is being pre-populated (it is the generic user login for the server, not the tester's actual windows lan ID).

Reading the forums online, this seems to be a common enough problem, the answers to which seem partially correct but do not seem to explain why this is intermittent. In my case, one user will experience it continually, then it disappears the next day. Flushig out the Internet Explorer temp files/cookies etc seems to help for some users but not others. I can't yet see the pattern here.

The server I am using is NOT in the list of intranet sites populated into IE 7 by our administrators.

A quick test on the one PC we could find running the chrome browser did not trigger the issue.

The intranet page web.config is set for windows authentication, IIS is set to Integration Windows Authentication And Allow anonymous users.

Appreciate any thoughts on how I might tackle diagnosing this one.

Thank you!!

Split Pin
0
Comment
Question by:Split_Pin
  • 4
  • 3
10 Comments
 
LVL 29

Expert Comment

by:Paul Jackson
ID: 35108086
I had a similar experience once, we found it was down to the server-side code was trying to raise an error in the event log using some event logging code we had written but the source specified was not registered as a source for the event log. Also ensure that if you have any event logging going on that you have given permissions for your users to be able to write to the event logs.
0
 

Author Comment

by:Split_Pin
ID: 35113728
Hi Jacko72,
I appreciate your input. I will leave this one open for a bit and try to synthesize the different ideas people might throw up. Can I ask, was your issue only affecting users intermittently? (Mine seems to vary between not at all and frequent depending on the user, but varies for them from day to day).
My site is a pretty basic set of grid views - the code is minimal, including such things as

- Passing user.identity.name and IP address to a text box on the page (just to create a feeling that they must act responsibly as we know who is using the site)
- For some pages, looking up the username in a table and redirecting if they do not have relevant access level (but the error is occurring before we even get to pages "protected" in this way
- wondering now if I've done something stupid in web config ???
- my coworker prepared a page with some menu lists in them (he did not write any code however), I created a new page and dropped his ASP code in via copy paste ... could I have messed things up here (the page looks and works fine for me and others though)...
- final thought you have triggered - we have another datasource that is only called by default.aspx in the site which my users do not access (I am just directing them to so blind urls) - if the guys who are mucking around with that datasource do something weird (I often see errors on the default.aspx page) could that somehow be triggered issues in my pages? (all pages are in the one project)

Cheers,Split_Pin
0
 

Author Comment

by:Split_Pin
ID: 35126716
Hi Experts,
I tested this page at another site today, the same login prompt popped up but this time without any pre-populated user name. Again, the address in the pop-up window was of the reporting server. On clicking cancel the site could be browsed without issue.

There is no event logging code running.

Any ideas?
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 51

Accepted Solution

by:
Ted Bouskill earned 500 total points
ID: 35130228
Disable 'Anonymous Access' otherwise the browser will use the lowest common denominator for access which is anonymous.  I suspect what is happening is most users are connecting anonymously then when they trigger a specific event they are challenged for credentials.

If you want to use SSO (Single Sign On) with Windows credentials in the intranet then anonymous must be turned off.

I'll bet if you inspect the packets using WireShark the users are usually connecting anonymously.
0
 

Author Comment

by:Split_Pin
ID: 35135433
Hi Tedbilly

Thank you!  Coincidentally have unticked anonymous access on IIS today and the problem seems to be reduced - appreciate confirmation that this is a reasonable plan -  one user who was unable to do anything on the site at all was suddenly able to browse although after a while the pop up came back.
Is it worth further trouble shooting or do I resign myself to the fact that there is weirdness going on between IIS and Internet Explorer... I continue to find many related threads on the net that have no conclusive answer.

Could it be something to do with the iusr_<computername> login and associated permissions?

Cheers,
Split_Pin
0
 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 35135545
Just to be clear there is different layers of security in a web application.

First off is determining what authentication is required to request a page using a GET or POST.  That is what you've set with the integrated windows authentication.

Next is the authentication you add in your own code.  For example with Form Based Authentication the site might be set for anonymous access to the page but your code would first authenticate the user then control access to the site.

Finally there is the process running the web site which has to have rights assigned via the identity in the application pool to decide what access the web application has to the host server or possible other network resources of servers.

It gets complicated when you use impersonation to relay the credentials of the user to the background process.  If you have SQL and IIS on the same server you can relay the user's credentials to the SQL server using impersonation.  However, if SQL is on another server then you need to use Kerberos to relay the credentials of the user via IIS.

So, the IUSR_<ComputerName> has nothing to do with multiple authentication prompts because it's a fixed identity in the application pool.

If you have a page with an IFRAME that is accessing another server that requires Windows authentication you can get double prompts or if you are using impersonation you might be challenged if you are NOT using Kerberos (or it's configured incorrectly)

IE will work fine in the following cases:
- If IE recognizes the web application as being in the Local Intranet zone.  To do this either the domain suffix of the client has to match the web server (and they have to be on the same domain to do so) OR the DNS name of the site has to be added to the Local Intranet zone.
- If you add the site to the "Trusted Sites" zone then set "Log on automatically using Windows Credentials"

If IE is set correctly as well as your code, then SSO works great.
0
 

Author Comment

by:Split_Pin
ID: 35137026
Many thanks Tedbilly,

I can see I have homework to do here (the noob that I am).
You've saved me from wasting time going down the iusr rabbit hole. I guess at the root of this I'm confused why in a corporate environment where everyone is running identical software we are getting different results for different users.

Perhaps that concludes the thread unless anyone else has a brilliant comment to add :-)
0
 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 35142079
The primary reason you get different results with different users with web applications in a corporate environment is inconsistent settings on client computers.

So, if the leadership decides to save money they will do the following:

- Implement a corporate browser standard.  In other words users MUST use one browser for all corporate web sites.  Because of the ability to precisile control IE using group policy objects that is my recommendation
- Implement a set of group policies that ensure that the browser experience is consistent throughout the organization.

Those two rules will save the development team time (aka money) by ensuring everyone has the same browser experience.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The article shows the basic steps of integrating an HTML theme template into an ASP.NET MVC project
Preparing an email is something we should all take special care with – especially when the email is for somebody you may not know very well. The pressures of everyday working life stacked with a hectic office environment can make this a real challen…
This Micro Tutorial will demonstrate how nuggets on the Web are formatted by using Chrome Developer Tools. These tools would not only view the site's CSS but it can also modify it and save the CSS to use on your own site.
Shows how to create a shortcut to site-search Experts Exchange using Google in the Chrome browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch the Search Engine Menu: In chrome, via you…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question