IIS Server Security - IE won't authenticate on localhost when URL is a FQDN

theyas@community.nospam

2004-12-08, 5:53 pm

Windows XP, SP2, IE 6.0 SP2 128bit, IIS 5.1, Symantec Antivirus 9.0.0.xxx

When I connect to "http://localhost/localstart.asp", it works (as installed).
When I connect to "http://<machinename>/localstart.asp", it works.
When I connect to "http://<machinename>.<domainname>/localstart.asp", it
pops up the integrated windows authentication dialog and won't take any user
name or password. I'm logged on as a domain user. I can use the local admin
account or I can use a domain account. It doesn't matter. Nothing works.
After three tries, I get the error page with the "HTTP 401.1 - Unauthorized:
Logon Failed" error.

ipconfig /all

Host Name ......... : machname
DNS Suffix Search list ... : xxx.yyy.zzz
yyy.zzz

Connection-specific DNS Suffix . : xxx.yyy.zzz

nslookup machname.xxx.yyy.zzz
Server: dns1.yyy.zzz
Address: blah.blah.blah.blah

Name: machname.xxx.yyy.zzz
Address: blah.blah.blah.blah

ipconfig and nslookup return matching IP addresses for machname.

I reconfigured IE and added "machname.xxx.yyy.zzz" to the list of "Local
Intranet" sites. So when I navigate to
"http://machname.xxx.yyy.zzz/localstart.asp" and get the error message, in
the lower right corner, it shows "Local intranet". If I take this out of the
list of "Local Intranet" sites, then everything is the same except that the
lower right corner shows that I'm in the "Internet" zone.

I checked the IIS log file and when I connect to "localhost" as above, it
shows the following (as expected):

17:00:55 127.0.0.1 - 80 GET /localstart.asp 401 localhost -
17:01:03 127.0.0.1 <DOMAIN>\<USER> 80 GET /localstart.asp 200 localhost -

When I connect to "machname" as above, it shows the following (again, as
expected):

17:10:20 blah.blah.blah.blah - 80 GET /localstart.asp 401 machname -
17:10:20 blah.blah.blah.blah <DOMAIN>\USER 80 GET /localstart.asp 200 machname -

When I connect to "machname.xxx.yyy.zzz", it shows the following:

17:41:26 blah.blah.blah.blah - 80 GET /localstart.asp 401 machname.xxx.yyy.zzz -
17:41:26 blah.blah.blah.blah - 80 GET /localstart.asp 401 machname.xxx.yyy.zzz -
17:41:30 blah.blah.blah.blah - 80 GET /localstart.asp 401 machname.xxx.yyy.zzz -
17:41:31 blah.blah.blah.blah - 80 GET /localstart.asp 401 machname.xxx.yyy.zzz -
17:41:31 blah.blah.blah.blah - 80 GET /localstart.asp 401 machname.xxx.yyy.zzz -

So, it appears that IE is not sending the authentication information.

I installed and ran wfetch and it appears that wfetch is exhibiting the same
problem. The connection fails when I connect to the FQDN and it works when I
connect to "localhost" or to the machine name without the domain name. It
appears that in both cases (working and not), there is a longer Authorization
sent in the "Authorization" request header on the second trip.

So, perhaps it is IIS after all???

Any and all help appreciated!

Thanks,

Lowell
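
Added example, not part of the original thread: a small Python check that groups log lines like the ones in the post above by host header and reports names that only ever receive anonymous 401 responses. The sample lines, the 192.0.2.10 address, EXAMPLE\user and machname.example.test are constructed, and the nine-field layout is inferred from the lines in the post.

```python
from collections import defaultdict

# Constructed sample. Field order inferred from the lines in the post:
# time, client IP, user name, port, method, URI, status, host header, one more field.
SAMPLE_LOG = """\
17:00:55 127.0.0.1 - 80 GET /localstart.asp 401 localhost -
17:01:03 127.0.0.1 EXAMPLE\\user 80 GET /localstart.asp 200 localhost -
17:10:20 192.0.2.10 - 80 GET /localstart.asp 401 machname -
17:10:20 192.0.2.10 EXAMPLE\\user 80 GET /localstart.asp 200 machname -
17:41:26 192.0.2.10 - 80 GET /localstart.asp 401 machname.example.test -
17:41:26 192.0.2.10 - 80 GET /localstart.asp 401 machname.example.test -
17:41:30 192.0.2.10 - 80 GET /localstart.asp 401 machname.example.test -
17:41:31 192.0.2.10 - 80 GET /localstart.asp 401 machname.example.test -
17:41:31 192.0.2.10 - 80 GET /localstart.asp 401 machname.example.test -
"""


def parse_line(line):
    """Return a record for one log line, or None for directives and malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != 9 or not parts[6].isdigit():
        return None
    _time, _ip, user, _port, _method, _uri, status, host, _extra = parts
    return {"user": None if user == "-" else user,
            "status": int(status), "host": host.lower()}


def summarize(log_text):
    """Per host header: anonymous 401 challenges vs. requests logged with a user name."""
    hosts = defaultdict(lambda: {"challenges": 0, "authenticated": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats = hosts[rec["host"]]
        if rec["status"] == 401 and rec["user"] is None:
            stats["challenges"] += 1
        elif rec["user"] is not None and rec["status"] < 400:
            stats["authenticated"] += 1
    return dict(hosts)


def stuck_hosts(log_text, min_challenges=3):
    """Host names that were challenged repeatedly but never logged an authenticated hit."""
    return sorted(host for host, s in summarize(log_text).items()
                  if s["authenticated"] == 0 and s["challenges"] >= min_challenges)


if __name__ == "__main__":
    for host in stuck_hosts(SAMPLE_LOG):
        print("handshake never completes for host header:", host)
```
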

Jason Brown [MSFT]

2004-12-08, 5:53 pm

One quick question before I dive right on in - are you by any chance using a
proxy server?

It looks a little like you're bypassing a proxy for local addresses, but the
FQDN is going through it, and authentication is interrupted by that
behaviour. If you could check that first, that'd be good.


--
Jason Brown
Microsoft GTSC, IIS

This posting is provided "AS IS" with no warranties, and confers no
rights.




Bernard

2004-12-09, 2:54 am

This behavior is by design.
Intranet site is identified as an Internet site when you use an FQDN or an
IP address
http://support.microsoft.com/?id=303650

From the 401.1, it is stated that the authentication failed.
Did you use domainname\username for the username field?

--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/






theyas@community.nospam

2004-12-13, 6:38 pm

Thanks for the reply, Jason!

I noticed that I was getting some errors in the event log ("the server was
unable to logon the Windows NT account 'IUSR_machname' due to the following
error: Logon failure: the user has not been granted the requested logon type
at this computer. ...").

I went surfing around in the newsgroups and found someone with a similar
problem and an answer that went to some web pages (MS answers). I was able
to follow the procedure in one of them for undoing stuff in the firewall and
DCOM and a few other places. That fixed that problem. Now I have another
posting in the Visual Studio debugger group asking why I cannot debug (or
even see) the aspnet_wp process.

Unfortunately, I can't remember any more than that or even what the
newsgroup postings might have been.

Thanks for the good try!

Lowell
"Jason Brown [MSFT]" wrote:

> One quick question before I dive right on in - are you by any chance using a
> proxy server?
>
> it looks a little like you're bypassing a proxy for local addresses, but the
> FQDN is going through it, and authentication is interrupted by that
> behaviour. If you could check that first, that'd be good.
>
>
> --
> Jason Brown
> Microsoft GTSC, IIS
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>

theyas@community.nospam

2004-12-13, 6:38 pm

Thanks for the reply Bernard. I was able to resolve this issue from another
post. See my reply to Jason for more info.

Also, a few comments below, interspersed with yours.

Lowell
"Bernard" wrote:

> This behavior is by design.
> Intranet site is identified as an Internet site when you use an FQDN or an
> IP address
> http://support.microsoft.com/?id=303650


Yes. But you can also reconfigure IE to recognize a particular site as
being on the local intranet. As I stated in the original message, I did that
and successfully verified that it was done. As I originally wrote:

> from the 401.1, it is stated that the authentication failed.
> did you use domainname\username for the username field ?


Yes.
>
> --
> Regards,
> Bernard Cheah
> http://www.tryiis.com/
> http://support.microsoft.com/
> http://www.msmvps.com/bernard/
>


Copyright 2003 - 2008 webservertalk.com