• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1105
  • Last Modified:

Intermittent Windows Login Prompt on ASP .Net intranet

Hello experts,

I've put together some simple intranet pages for work, using ASP .Net, all was going well until testers began reporting an issue about windows login prompts interrupting their experience.

What appears to be happening is a prompt is emerging for the server itself - I say this based on the username which is being pre-populated (it is the generic user login for the server, not the tester's actual windows lan ID).

Reading the forums online, this seems to be a common enough problem, the answers to which seem partially correct but do not seem to explain why this is intermittent. In my case, one user will experience it continually, then it disappears the next day. Flushig out the Internet Explorer temp files/cookies etc seems to help for some users but not others. I can't yet see the pattern here.

The server I am using is NOT in the list of intranet sites populated into IE 7 by our administrators.

A quick test on the one PC we could find running the chrome browser did not trigger the issue.

The intranet page web.config is set for windows authentication, IIS is set to Integration Windows Authentication And Allow anonymous users.

Appreciate any thoughts on how I might tackle diagnosing this one.

Thank you!!

Split Pin
  • 4
  • 3
1 Solution
Paul JacksonSoftware EngineerCommented:
I had a similar experience once, we found it was down to the server-side code was trying to raise an error in the event log using some event logging code we had written but the source specified was not registered as a source for the event log. Also ensure that if you have any event logging going on that you have given permissions for your users to be able to write to the event logs.
Split_PinAuthor Commented:
Hi Jacko72,
I appreciate your input. I will leave this one open for a bit and try to synthesize the different ideas people might throw up. Can I ask, was your issue only affecting users intermittently? (Mine seems to vary between not at all and frequent depending on the user, but varies for them from day to day).
My site is a pretty basic set of grid views - the code is minimal, including such things as

- Passing user.identity.name and IP address to a text box on the page (just to create a feeling that they must act responsibly as we know who is using the site)
- For some pages, looking up the username in a table and redirecting if they do not have relevant access level (but the error is occurring before we even get to pages "protected" in this way
- wondering now if I've done something stupid in web config ???
- my coworker prepared a page with some menu lists in them (he did not write any code however), I created a new page and dropped his ASP code in via copy paste ... could I have messed things up here (the page looks and works fine for me and others though)...
- final thought you have triggered - we have another datasource that is only called by default.aspx in the site which my users do not access (I am just directing them to so blind urls) - if the guys who are mucking around with that datasource do something weird (I often see errors on the default.aspx page) could that somehow be triggered issues in my pages? (all pages are in the one project)

Split_PinAuthor Commented:
Hi Experts,
I tested this page at another site today, the same login prompt popped up but this time without any pre-populated user name. Again, the address in the pop-up window was of the reporting server. On clicking cancel the site could be browsed without issue.

There is no event logging code running.

Any ideas?
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Ted BouskillSenior Software DeveloperCommented:
Disable 'Anonymous Access' otherwise the browser will use the lowest common denominator for access which is anonymous.  I suspect what is happening is most users are connecting anonymously then when they trigger a specific event they are challenged for credentials.

If you want to use SSO (Single Sign On) with Windows credentials in the intranet then anonymous must be turned off.

I'll bet if you inspect the packets using WireShark the users are usually connecting anonymously.
Split_PinAuthor Commented:
Hi Tedbilly

Thank you!  Coincidentally have unticked anonymous access on IIS today and the problem seems to be reduced - appreciate confirmation that this is a reasonable plan -  one user who was unable to do anything on the site at all was suddenly able to browse although after a while the pop up came back.
Is it worth further trouble shooting or do I resign myself to the fact that there is weirdness going on between IIS and Internet Explorer... I continue to find many related threads on the net that have no conclusive answer.

Could it be something to do with the iusr_<computername> login and associated permissions?

Ted BouskillSenior Software DeveloperCommented:
Just to be clear there is different layers of security in a web application.

First off is determining what authentication is required to request a page using a GET or POST.  That is what you've set with the integrated windows authentication.

Next is the authentication you add in your own code.  For example with Form Based Authentication the site might be set for anonymous access to the page but your code would first authenticate the user then control access to the site.

Finally there is the process running the web site which has to have rights assigned via the identity in the application pool to decide what access the web application has to the host server or possible other network resources of servers.

It gets complicated when you use impersonation to relay the credentials of the user to the background process.  If you have SQL and IIS on the same server you can relay the user's credentials to the SQL server using impersonation.  However, if SQL is on another server then you need to use Kerberos to relay the credentials of the user via IIS.

So, the IUSR_<ComputerName> has nothing to do with multiple authentication prompts because it's a fixed identity in the application pool.

If you have a page with an IFRAME that is accessing another server that requires Windows authentication you can get double prompts or if you are using impersonation you might be challenged if you are NOT using Kerberos (or it's configured incorrectly)

IE will work fine in the following cases:
- If IE recognizes the web application as being in the Local Intranet zone.  To do this either the domain suffix of the client has to match the web server (and they have to be on the same domain to do so) OR the DNS name of the site has to be added to the Local Intranet zone.
- If you add the site to the "Trusted Sites" zone then set "Log on automatically using Windows Credentials"

If IE is set correctly as well as your code, then SSO works great.
Split_PinAuthor Commented:
Many thanks Tedbilly,

I can see I have homework to do here (the noob that I am).
You've saved me from wasting time going down the iusr rabbit hole. I guess at the root of this I'm confused why in a corporate environment where everyone is running identical software we are getting different results for different users.

Perhaps that concludes the thread unless anyone else has a brilliant comment to add :-)
Ted BouskillSenior Software DeveloperCommented:
The primary reason you get different results with different users with web applications in a corporate environment is inconsistent settings on client computers.

So, if the leadership decides to save money they will do the following:

- Implement a corporate browser standard.  In other words users MUST use one browser for all corporate web sites.  Because of the ability to precisile control IE using group policy objects that is my recommendation
- Implement a set of group policies that ensure that the browser experience is consistent throughout the organization.

Those two rules will save the development team time (aka money) by ensuring everyone has the same browser experience.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now