IIS and Integrated Windows Authentication
| Viperlein 2004-11-11, 5:52 pm |
| Hello @ll 
We have a problem with our ASP.NET application and the IIS in our company:
As soon as you disable the "Anonymous access" and use the integrated Windows
Authentication, some users (it is only XP-profile dependent, not PC dependent!)
receive a "Bad Request" when calling the startpage. If you look closely at
the communication with a sniffer, there you see an "authentication failed"
error before receiving the "Bad request" one.
I also made a simple ASP.NET page with an asp-button on it without any
functionality and the same settings for the IIS. And guess what ????
The error also appears !
So no problem with our program.
We have no idea what to do any further ............
Any ideas would be welcome !
Thank you all for your support !
Christian
| |
| Miha Pihler 2004-11-11, 5:52 pm |
| Hi,
You will always get authentication failed on a website that is not
accessible anonymously. This is "caused" by the web browser (any of them) trying
to access the site anonymously (the browser can't know beforehand that the site is
protected). Once the site returns "authentication failed" it will return
a list of authentication options that it will support (e.g. IA, Basic, ...).
INFO: How IIS Authenticates Browser Clients
http://support.microsoft.com/defaul...kb;en-us;264921
Mike
"Viperlein" <Viperlein@discussions.microsoft.com> wrote in message
news:6BC95DC9-1E4F-4DCE-B6DE-CE2B17CA9DF3@microsoft.com...
> Hello @ll 
>
> We have a problem with our ASP.NET application and the IIS in our company:
>
> As soon as you disable the "Anonymous access" and use the integrated Windows
> Authentication, some users (it is only XP-profile dependent, not PC dependent!)
> receive a "Bad Request" when calling the startpage. If you look closely at
> the communication with a sniffer, there you see an "authentication failed"
> error before receiving the "Bad request" one.
>
> I also made a simple ASP.NET page with an asp-button on it without any
> functionality and the same settings for the IIS. And guess what ????
> The error also appears !
>
> So no problem with our program.
>
> We have no idea what to do any further ............
> Any ideas would be welcome !
>
> Thank you all for your support !
>
> Christian
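
Added example (not part of the original posts): a small parser that labels the server responses in a captured exchange, so the routine first 401 described in the reply above is told apart from the later 400. The capture is constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed capture of the server's responses during one page load
# (sample data written for this example, not taken from the thread).
CAPTURE = [
    "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\nContent-Length: 0\r\n\r\n",
    "HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n",
]

def parse_response(raw):
    """Return (status, [(scheme, has_token), ...]) for one raw response head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    offers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        tokens = value.split()
        if name.strip().lower() == "www-authenticate" and tokens:
            # First token is the scheme. For Negotiate/NTLM, data after the
            # scheme is handshake material sent by the server mid-exchange.
            blob = tokens[0] in ("Negotiate", "NTLM") and len(tokens) > 1
            offers.append((tokens[0], blob))
    return int(m.group(1)), offers

def classify(responses):
    """Label each response so the first 401 is not mistaken for the fault."""
    labels, seen_challenge = [], False
    for raw in responses:
        status, offers = parse_response(raw)
        if status == 401 and not seen_challenge:
            seen_challenge = True
            labels.append("expected challenge: " + ", ".join(s for s, _ in offers))
        elif status == 401 and any(blob for _, blob in offers):
            labels.append("handshake continues")
        elif status == 401:
            labels.append("credentials rejected")
        elif status >= 400:
            labels.append("real error %d" % status)
        else:
            labels.append("ok %d" % status)
    return labels

if __name__ == "__main__":
    for label in classify(CAPTURE):
        print(label)
```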
| |
| Viperlein 2004-11-11, 5:52 pm |
| Hmmm, thanks.
But why does this not happen to ALL people, but only a few with their
certain profile?
How can this be profile related ? In the company each one has the same
installation and updates. Some have more software than others. But in the
end, the browser configuration is the same to all.
I thought if I activate "Integrated Windows Authentication", the login of
the user is used automatically and all the rights for drives and so on are
taken from the Active Directory, as it is for all who do not get the error ?
"Miha Pihler" wrote:
> Hi,
>
> You will always get authentication failed on a website that is not
> accessible anonymously. This is "caused" by the web browser (any of them) trying
> to access the site anonymously (the browser can't know beforehand that the site is
> protected). Once the site returns "authentication failed" it will return
> a list of authentication options that it will support (e.g. IA, Basic, ...).
>
> INFO: How IIS Authenticates Browser Clients
> http://support.microsoft.com/defaul...kb;en-us;264921
>
> Mike
>
> "Viperlein" <Viperlein@discussions.microsoft.com> wrote in message
> news:6BC95DC9-1E4F-4DCE-B6DE-CE2B17CA9DF3@microsoft.com...
>
>
>
| |
| Miha Pihler 2004-11-11, 5:52 pm |
| Integrated Authentication works only for sites that are located in Local
Intranet zone in IE (if you think logically, why would browser send your
credentials to just any site on the _internet_ that would request them ;-)
....). This would by default be e.g. http://site/ but not
http://site.domain.com or http://10.10.10.10 (where 10.10.10.10 is IP of
site.domain.com). If you add http://site.domain.com to your Local Intranet
Zone your browser will then use IA when a client accesses this site.
You can centrally manage IE Zones using group policy and Active Directory.
Mike
"Viperlein" <Viperlein@discussions.microsoft.com> wrote in message
news:1B2F0B06-EF5F-482B-B44D-E8DBB20DCB11@microsoft.com...
> Hmmm, thanks.
>
> But why does this not happen to ALL people, but only a few with their
> certain profile?
> How can this be profile related ? In the company each one has the same
> installation and updates. Some have more software than others. But in the
> end, the browser configuration is the same to all.
> I thought if I activate "Integrated Windows Authentication", the login of
> the user is used automatically and all the rights for drives and so on are
> taken from the Active Directory, as it is for all who do not get the error ?
>
> "Miha Pihler" wrote:
>
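
Added example (not part of the original posts): a simplified model of the zone decision described in the reply above, covering only an explicit site list and the dotless-name rule. It assumes the browser sends the Windows logon automatically only in the Local Intranet zone; the function names are hypothetical and the URLs are the ones used in the post.

```python
import ipaddress
from urllib.parse import urlsplit

def is_ip(host):
    """True if host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def zone_for(url, intranet_sites=()):
    """Simplified zone lookup: explicit site list first, then dotless names.

    intranet_sites stands in for entries added by hand or by group policy;
    the real browser also consults other inputs that are not modelled here.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for entry in intranet_sites:
        e = urlsplit(entry)
        if e.scheme == parts.scheme and (e.hostname or "").lower() == host:
            return "Local intranet"
    # A single-label name such as "site" is treated as intranet by default;
    # a fully qualified name or a literal IP address is not.
    if host and "." not in host and not is_ip(host):
        return "Local intranet"
    return "Internet"

def sends_logon_automatically(url, intranet_sites=()):
    """Assumed policy: automatic logon only in the Local Intranet zone."""
    return zone_for(url, intranet_sites) == "Local intranet"

if __name__ == "__main__":
    added = ["http://site.domain.com"]  # entry added to the zone, as in the post
    for u in ("http://site/", "http://site.domain.com/", "http://10.10.10.10/"):
        print(u, "->", zone_for(u), "| with entry:", zone_for(u, added))
```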
| |
| Viperlein 2004-11-11, 5:52 pm |
| That's sure )
Erm, yes, that's what other guys told me, too. It is in the local intranet
of our company and also added to the trusted ones. As I said, for most of the
people it works, but there are few which cannot access it, because of some
settings in their profile. And that is making me crazy )
"Miha Pihler" wrote:
> Integrated Authentication works only for sites that are located in Local
> Intranet zone in IE (if you think logically, why would browser send your
> credentials to just any site on the _internet_ that would request them ;-)
> ....). This would by default be e.g. http://site/ but not
> http://site.domain.com or http://10.10.10.10 (where 10.10.10.10 is IP of
> site.domain.com). If you add http://site.domain.com to your Local Intranet
> Zone your browser will then use IA when a client accesses this site.
>
> You can centrally manage IE Zones using group policy and Active Directory.
>
> Mike
>
> "Viperlein" <Viperlein@discussions.microsoft.com> wrote in message
> news:1B2F0B06-EF5F-482B-B44D-E8DBB20DCB11@microsoft.com...
>
>
>
| |
| Miha Pihler 2004-11-11, 5:52 pm |
| There is not much I can do...
You can try and reset IE settings (Open IE -> Tools -> Internet Options ->
Advanced tab -> Restore Defaults). Also compare Security settings (Open
IE -> Tools -> Internet Options -> Security) between working and non-working
computers.
You can also try and disable IA in IE under Advanced tab just for a test
(you will have to reboot the computer).
Mike
"Viperlein" <Viperlein@discussions.microsoft.com> wrote in message
news:5E30F6EF-E8A8-4D27-A1EC-38F0FA4E3C50@microsoft.com...
> That's sure )
> Erm, yes, that's what other guys told me, too. It is in the local intranet
> of our company and also added to the trusted ones. As I said, for most of the
> people it works, but there are few which cannot access it, because of some
> settings in their profile. And that is making me crazy )
>
> "Miha Pihler" wrote:
>