|
Home > Archive > IIS Server Security > February 2007 > IE7 Cannot Login!
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
|
|
|
| Hi all,
Why is IE7 unable to login to our IIS websites? We've employed the same
configuration on our web servers for seven years now and never experienced
such a severe incompatibility issue with a web browser.
Our IIS configuration is as follows:
- Version: IIS 5
- Platform: W2KAS SP4
- SSL: none installed
- Anonymous Access: enabled
- Basic Authentication: disabled
- Digest Authentication: disabled
- Integrated Windows Authentication: enabled
Very straightforward. We have chosen these settings for their cross-browser
compatibility whilst allowing web directory security via NTFS permissions.
Again, this has worked flawlessly for seven years.
Needless to say, our support phones are ringing off the hook with, "my
password isn't working." It's hard not to laugh when telling our customers
that Microsoft's latest web browser is incompatible with Microsoft's own web
servers. :-D
Any help is greatly appreciated.
| |
| David Wang 2007-01-11, 7:28 pm |
| So, is IE6 able to login against these same machines, while
simultaneously IE7 cannot?
And is this an Intranet or Internet scenario? Because that affects the
viability of Integrated Authentication.
In IE Options, there is a checkbox called "Enable Integrated Windows
Authentication" - if your Intranet uses Kerberos, make sure it is
checked. Otherwise, it will be using NTLM.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Dave wrote:
> Hi all,
>
> Why is IE7 unable to login to our IIS websites? We've employed the same
> configuration on our web servers for seven years now and never experienced
> such a severe incompatibility issue with a web browser.
>
> Our IIS configuration is as follows:
>
> - Version: IIS 5
> - Platform: W2KAS SP4
> - SSL: none installed
> - Anonymous Access: enabled
> - Basic Authentication: disabled
> - Digest Authentication: disabled
> - Integrated Windows Authentication: enabled
>
> Very straightforward. We have chosen these settings for their cross-browser
> compatibility whilst allowing web directory security via NTFS permissions.
> Again, this has worked flawlessly for seven years.
>
> Needless to say, our support phones are ringing off the hook with, "my
> password isn't working." It's hard not to laugh when telling our customers
> that Microsoft's latest web browser is incompatible with Microsoft's own web
> servers. :-D
>
> Any help is greatly appreciated.
| |
|
| > So, is IE6 able to login against these same machines, while
> simultaneously IE7 cannot?
Yes. In fact, every version of IE can login, except IE7.
> And is this an Intranet or Internet scenario? Because that affects the
> viability of Integrated Authentication.
It is an "Internet" scenario in that these pages are accessible from the
public Internet. We employ ADSI scripting to automatically assign Active
Directory logins to our customers. Those permissions control access to
various resources on our network.
> In IE Options, there is a checkbox called "Enable Integrated Windows
> Authentication" - if your Intranet uses Kerberos, make sure it is
> checked. Otherwise, it will be using NTLM.
Hmmm.... I will try this, just to see.
Thank you for your kind reply, David!
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
> Dave wrote:
>
>
| |
|
| Well, it appears that "Enable Windows Authentication" in IE7 has no effect.
That said, I have to backtrack <blush>. The aforementioned IIS settings were
captured from the wrong server. Our IIS configuration is:
- Version: IIS 5
- Platform: W2KAS SP4
- SSL: none installed
- Anonymous Access: enabled
- Basic Authentication: enabled
- Digest Authentication: enabled
- Integrated Windows Authentication: disabled
Again, these are supposed to be the most cross-browser compatible settings
for securing web pages via NTFS file and directory permissions.
In reviewing the Microsoft Knowledgebase, I discovered one anomaly in my
server settings: we have NOT enabled "Store password using reversible
encryption for all users in the domain." According to the MS KB, this is a
requirement of Digest Authentication, suggesting that our users have, for
seven years now, been downgraded to Basic Authentication. [Cripes.] This,
in itself, must be fixed, but to stay on topic, could this anomaly perhaps be
confusing IE7?
Thank you!
"David Wang" wrote:
> So, is IE6 able to login against these same machines, while
> simultaneously IE7 cannot?
>
> And is this an Intranet or Internet scenario? Because that affects the
> viability of Integrated Authentication.
>
> In IE Options, there is a checkbox called "Enable Integrated Windows
> Authentication" - if your Intranet uses Kerberos, make sure it is
> checked. Otherwise, it will be using NTLM.
>
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
> Dave wrote:
>
>
| |
|
|
Hi Dave,
we had a similar problem here.
We use Win CE 5.0 WebServers with BASIC and NTLM Authentication enabled.
All browsers in the past 'decided' to use BASIC Authentication. IE7 now
'decides' to use NTLM instead. Why NTLM now fails with a Microsoft
Server having it enabled - i don't know - and don't want to :-)
We have disabled NTLM at our servers now and everything works again like
before...
If the returned data from the server contains "WWW-Authenticate: NTLM"
the new IE7 uses NTLM for Authentication.
//joL
*** Sent via Developersdex http://www.codecomments.com ***
| |
|
| Don't read this since you don't want to know, but others can read it. :-)
That's been the norm for quite awhile, including IE 6. If NTLM is available, NTLM is used and Basic is never used, even if NTLM fails.
http://support.microsoft.com/kb/264921/en-us - in the "Orders of precedence" sections:
"If both Basic and Windows Integrated are supported, the browser determines which method is used. If the browser supports Kerberos or Windows NT Challenge/Response, it uses this method. It does not fall back to Basic. If Windows NT Challenge/Response and Kerberos are not supported, the browser uses Basic, Digest, or Fortezza if it supports these. The order of precedence here is Basic, Digest, and then Fortezza."
Ray
<joL> wrote in message news:uY7xjbuRHHA.3412@TK2MSFTNGP02.phx.gbl...
>
> Hi Dave,
>
> we had a similar problem here.
> We use Win CE 5.0 WebServers with BASIC and NTLM Authentication enabled.
> All browsers in the past 'decided' to use BASIC Authentication. IE7 now
> 'decides' to use NTLM instead. Why NTLM now fails with a Microsoft
> Server having it enabled - i don't know - and don't want to :-)
> We have disabled NTLM at our servers now and everything works again like
> before...
> If the returned data from the server contains "WWW-Authenticate: NTLM"
> the new IE7 uses NTLM for Authentication.
>
> //joL
>
>
>
>
>
> *** Sent via Developersdex http://www.codecomments.com ***
|
|
|
|
|