Internet Explorer, Apache and Integrated Windows Authentication

Posted on 2011-05-05
Medium Priority
Last Modified: 2012-05-11
Hi there,

I have a Windows 2008 R2 computer named testcomputer with Apache webserver installed. The computer belongs to domain test.

I log on to testcomputer as test\user1 and start Internet Explorer 8. I try to connect to the local website http://testcomputer. Since this is an intranet site, IE tries to connect me as current user, but this fails with "Internet Explorer cannot display the webpage". If I change the IE security options to "Prompt for user name and password", and do another try, IE prompts me for the name and password. I enter the SAME information of the already logged on user, and I see the website without any error message.

Now I log on to another computer, i.e. testcomputer1, as test\user1, and try to access the website http://testcomputer. I see the website without any other interaction or error message.

Question: Why doesn't the integrated authentication work if I am logged on to the same computer the webserver runs on? Thank you very much!
Question by:ITWolf
LVL 29

Expert Comment

by:Michael Pfister
ID: 35704340
Since Windows Server 2003, per default, IE runs in a mode called "Enhanced Security Configuration".
Either add the local site to the Trusted Sites in IE or disable this function completely:
In Server Manager -> Security Information -> Enhanced Security Configuration for IE

Author Comment

ID: 35705589
Dear mpfister,

Thank you for your comment. ESC has already been disabled for users and administrators on all involved machines.

LVL 29

Expert Comment

ID: 35706230
You still have to:

1. Make sure that Integrated Auth is enabled in IE,...in many cases it is not,..and that has nothing to do with ESC,...it is just something else that you have to look for in addition to ESC.

2. You have to also add the FQDN of the site to the Intranet Zone in IE,...unless you use the NetBIOS name (no "dots") of the machine in the Address Bar of the browser, which causes IE to automatically assume it is in the Intranet Zone.


Author Comment

ID: 35711951
Dear pwindell,

Thanks for your comment. testcomputer and testcomputer1 have exactly the same configuration, Integrated Windows Authentication is on, and the sites with their FQDN are manually added to the intranet zone. I am using the FQDNs for access to the websites, i.e. http://testcomputer.testdomain.local, since I need this for IE to get the right SPN from the Kerberos KDC.

I did some investigation with the Kerberos debugging tools and there is absolutely no Kerberos communication when accessing the local website on testcomputer. It seems that IE uses only NTLM when connecting to the local website, but I don't know if this behaviour is "by design".

Accepted Solution

ITWolf earned 0 total points
ID: 35715661
I've found this on an excellent Kerberos debugging blog article at http://blogs.msdn.com/b/friis/archive/2009/12/31/things-to-check-when-kerberos-authentication-fails-using-iis-ie.aspx:

Kerberos is not enabled in this configuration and a hard coded loopback check will always force usage of NTLM in this scenario. Note that NTLM may also not work in this configuration (see http://support.microsoft.com/kb/896861 for more details).

So my described behaviour is by design and cannot be changed.
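When checking which mechanism IE actually negotiated against the local site, the client's Authorization header (from a server-side capture or an Apache log that records it) is a more direct witness than the absence of KDC traffic. The following Python is an added example, not code from this thread: it builds constructed SPNEGO and NTLM tokens and classifies a header as Kerberos or NTLM. The OID values come from RFC 4178 and MS-SPNG; the sample tokens are constructed, not captured.

```python
import base64

# DER-encoded OID contents (RFC 4178 / MS-SPNG values, hand-encoded for this example)
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MSKRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (MS Kerberos)
NTLM_OID = bytes.fromhex("2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIG = b"NTLMSSP\x00"
MECHS = {"Kerberos": KRB5_OID, "MS-Kerberos": MSKRB5_OID, "NTLM": NTLM_OID}

def der(tag, body):
    """Minimal DER TLV encoder (lengths up to 65535 bytes)."""
    n = len(body)
    length = bytes([n]) if n < 128 else (b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body

def spnego_neg_token_init(mech_oids):
    """GSS-API InitialContextToken wrapping a SPNEGO NegTokenInit that lists mechTypes only."""
    mech_list = der(0x30, b"".join(der(0x06, o) for o in mech_oids))
    return der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, der(0x30, der(0xA0, mech_list))))

def ntlm_type1():
    """Constructed NTLMSSP NEGOTIATE message: signature, type 1, flags, empty name fields."""
    return NTLMSSP_SIG + (1).to_bytes(4, "little") + b"\x00" * 24

def first_mech_type(token):
    """Name of the first mechType after the SPNEGO OID; that is the mech the client tried first."""
    start = token.find(SPNEGO_OID) + len(SPNEGO_OID)
    hits = {name: token.find(der(0x06, oid), start) for name, oid in MECHS.items()}
    hits = {name: pos for name, pos in hits.items() if pos >= 0}
    return min(hits, key=hits.get) if hits else None

def classify_authorization(header_value):
    """Return the mechanism an HTTP Authorization header value actually carries."""
    scheme, _, token_b64 = header_value.strip().partition(" ")
    if scheme.upper() not in ("NEGOTIATE", "NTLM"):
        return scheme                                   # e.g. Basic: not integrated auth at all
    token = base64.b64decode(token_b64)
    if token.startswith(NTLMSSP_SIG):
        return "NTLM"                                   # raw NTLMSSP, even under the Negotiate scheme
    if token[:1] != b"\x60" or SPNEGO_OID not in token:
        return "unknown"
    mech = first_mech_type(token)
    if mech == "NTLM" or NTLMSSP_SIG in token:
        return "NTLM (via SPNEGO)"                      # the fallback seen in the loopback case
    if mech in ("Kerberos", "MS-Kerberos"):
        return "Kerberos (via SPNEGO)"
    return "unknown"

if __name__ == "__main__":
    b64 = lambda raw: base64.b64encode(raw).decode()
    for h in ("Negotiate " + b64(spnego_neg_token_init([KRB5_OID, MSKRB5_OID, NTLM_OID])),
              "Negotiate " + b64(spnego_neg_token_init([NTLM_OID])), "NTLM " + b64(ntlm_type1())):
        print(classify_authorization(h))
```

A real Kerberos NegTokenInit also carries the AP-REQ in mechToken; this classifier only inspects the mechTypes list and the NTLMSSP signature, which is enough to tell the two paths apart.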
LVL 29

Expert Comment

ID: 35720480
When you add sites to the Intranet Zone, do it exactly like this: *.testdomain.local
Do not put any http:// or https:// in front of it, and do not put any "www" or any sub domains in place of the star. Do it just like I showed.

Yes. It will use NTLM,...NTLM is fine,...that is what everyone is using for this and have been for years and years and nothing ever "evil" has happened because NTLM was in use..

Author Closing Comment

ID: 35752592
After doing a lot of research, I found a blog article describing the behaviour as by design.

