Solved

Intermittent Windows Login Prompt on ASP .Net intranet

Posted on 2011-03-11
10
1,051 Views
Last Modified: 2012-05-11
Hello experts,

I've put together some simple intranet pages for work, using ASP .Net, all was going well until testers began reporting an issue about windows login prompts interrupting their experience.

What appears to be happening is a prompt is emerging for the server itself - I say this based on the username which is being pre-populated (it is the generic user login for the server, not the tester's actual windows lan ID).

Reading the forums online, this seems to be a common enough problem, the answers to which seem partially correct but do not seem to explain why this is intermittent. In my case, one user will experience it continually, then it disappears the next day. Flushig out the Internet Explorer temp files/cookies etc seems to help for some users but not others. I can't yet see the pattern here.

The server I am using is NOT in the list of intranet sites populated into IE 7 by our administrators.

A quick test on the one PC we could find running the chrome browser did not trigger the issue.

The intranet page web.config is set for windows authentication, IIS is set to Integration Windows Authentication And Allow anonymous users.

Appreciate any thoughts on how I might tackle diagnosing this one.

Thank you!!

Split Pin
0
Comment
Question by:Split_Pin
  • 4
  • 3
10 Comments
 
LVL 29

Expert Comment

by:Paul Jackson
ID: 35108086
I had a similar experience once, we found it was down to the server-side code was trying to raise an error in the event log using some event logging code we had written but the source specified was not registered as a source for the event log. Also ensure that if you have any event logging going on that you have given permissions for your users to be able to write to the event logs.
0
 

Author Comment

by:Split_Pin
ID: 35113728
Hi Jacko72,
I appreciate your input. I will leave this one open for a bit and try to synthesize the different ideas people might throw up. Can I ask, was your issue only affecting users intermittently? (Mine seems to vary between not at all and frequent depending on the user, but varies for them from day to day).
My site is a pretty basic set of grid views - the code is minimal, including such things as

- Passing user.identity.name and IP address to a text box on the page (just to create a feeling that they must act responsibly as we know who is using the site)
- For some pages, looking up the username in a table and redirecting if they do not have relevant access level (but the error is occurring before we even get to pages "protected" in this way
- wondering now if I've done something stupid in web config ???
- my coworker prepared a page with some menu lists in them (he did not write any code however), I created a new page and dropped his ASP code in via copy paste ... could I have messed things up here (the page looks and works fine for me and others though)...
- final thought you have triggered - we have another datasource that is only called by default.aspx in the site which my users do not access (I am just directing them to so blind urls) - if the guys who are mucking around with that datasource do something weird (I often see errors on the default.aspx page) could that somehow be triggered issues in my pages? (all pages are in the one project)

Cheers,Split_Pin
0
 

Author Comment

by:Split_Pin
ID: 35126716
Hi Experts,
I tested this page at another site today, the same login prompt popped up but this time without any pre-populated user name. Again, the address in the pop-up window was of the reporting server. On clicking cancel the site could be browsed without issue.

There is no event logging code running.

Any ideas?
0
 
LVL 51

Accepted Solution

by:
tedbilly earned 500 total points
ID: 35130228
Disable 'Anonymous Access' otherwise the browser will use the lowest common denominator for access which is anonymous.  I suspect what is happening is most users are connecting anonymously then when they trigger a specific event they are challenged for credentials.

If you want to use SSO (Single Sign On) with Windows credentials in the intranet then anonymous must be turned off.

I'll bet if you inspect the packets using WireShark the users are usually connecting anonymously.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:Split_Pin
ID: 35135433
Hi Tedbilly

Thank you!  Coincidentally have unticked anonymous access on IIS today and the problem seems to be reduced - appreciate confirmation that this is a reasonable plan -  one user who was unable to do anything on the site at all was suddenly able to browse although after a while the pop up came back.
Is it worth further trouble shooting or do I resign myself to the fact that there is weirdness going on between IIS and Internet Explorer... I continue to find many related threads on the net that have no conclusive answer.

Could it be something to do with the iusr_<computername> login and associated permissions?

Cheers,
Split_Pin
0
 
LVL 51

Expert Comment

by:tedbilly
ID: 35135545
Just to be clear there is different layers of security in a web application.

First off is determining what authentication is required to request a page using a GET or POST.  That is what you've set with the integrated windows authentication.

Next is the authentication you add in your own code.  For example with Form Based Authentication the site might be set for anonymous access to the page but your code would first authenticate the user then control access to the site.

Finally there is the process running the web site which has to have rights assigned via the identity in the application pool to decide what access the web application has to the host server or possible other network resources of servers.

It gets complicated when you use impersonation to relay the credentials of the user to the background process.  If you have SQL and IIS on the same server you can relay the user's credentials to the SQL server using impersonation.  However, if SQL is on another server then you need to use Kerberos to relay the credentials of the user via IIS.

So, the IUSR_<ComputerName> has nothing to do with multiple authentication prompts because it's a fixed identity in the application pool.

If you have a page with an IFRAME that is accessing another server that requires Windows authentication you can get double prompts or if you are using impersonation you might be challenged if you are NOT using Kerberos (or it's configured incorrectly)

IE will work fine in the following cases:
- If IE recognizes the web application as being in the Local Intranet zone.  To do this either the domain suffix of the client has to match the web server (and they have to be on the same domain to do so) OR the DNS name of the site has to be added to the Local Intranet zone.
- If you add the site to the "Trusted Sites" zone then set "Log on automatically using Windows Credentials"

If IE is set correctly as well as your code, then SSO works great.
0
 

Author Comment

by:Split_Pin
ID: 35137026
Many thanks Tedbilly,

I can see I have homework to do here (the noob that I am).
You've saved me from wasting time going down the iusr rabbit hole. I guess at the root of this I'm confused why in a corporate environment where everyone is running identical software we are getting different results for different users.

Perhaps that concludes the thread unless anyone else has a brilliant comment to add :-)
0
 
LVL 51

Expert Comment

by:tedbilly
ID: 35142079
The primary reason you get different results with different users with web applications in a corporate environment is inconsistent settings on client computers.

So, if the leadership decides to save money they will do the following:

- Implement a corporate browser standard.  In other words users MUST use one browser for all corporate web sites.  Because of the ability to precisile control IE using group policy objects that is my recommendation
- Implement a set of group policies that ensure that the browser experience is consistent throughout the organization.

Those two rules will save the development team time (aka money) by ensuring everyone has the same browser experience.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Remote Apps is a feature in server 2008 which allows users to run applications off Remote Desktop Servers without having to log into them to run the applications.  The user can either have a desktop shortcut installed or go through the web portal to…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This Micro Tutorial will demonstrate how to add subdomains to your content reports. This can be very importing in having a site with multiple subdomains.
How to create a custom search shortcut to site-search Experts Exchange using Google in the Firefox browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch your Bookmark Menu: Press 'Ctrl +…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now