Microsoft Content Management Server - Authentication problems


Author Authentication problems
Jay

2004-12-20, 8:46 pm

I've been experiencing some authentication problems with CMS 2002 on my machine. I've checked some previous postings regarding this issue; and although similar, my problem appears to be slightly different.

On my local machine (WinXP), I get prompted to authenticate to access the site; but yet on the test server (Win2000) I do not. Both machines are connected to the same domain, the IIS settings for both sites are identical. In fact, even if I turn on anonymous access on my local machine, I still get prompted. I even set to allow anonymous access in the web config locally, but no dice. I am logged onto my machine with an administrative account in CMS and it still has no effect.

This seems to go against every convention I can think of. There was a previous posting about using adsutil.vbs to change authentication locally to NTLM. I have run this already and still nothing.

Any help would be appreciated.

Stefan [MSFT]

2004-12-21, 7:49 am

Hi Jay,

sounds like this problem:
http://download.microsoft.com/downl...6a/MCMS+2002+-+(complete)+FAQ.htm#1251CBDC-FF47-4CD1-B9DA-A2721A9B5F64

Cheers,
Stefan.

"Jay" <confused@times> wrote in message
news:uYD5W#u5EHA.3120@TK2MSFTNGP12.phx.gbl...
> I've been experiencing some authentication problems with CMS 2002 on my
> machine. I've checked some previous postings regarding this issue; and
> although similar, my problem appears to be slightly different.
>
> On my local machine (WinXP), I get prompted to authenticate to access the
> site; but yet on the test server (Win2000) I do not. Both machines are
> connected to the same domain, the IIS settings for both sites are identical.
> In fact, even if I turn on anonymous access on my local machine, I still get
> prompted. I even set to allow anonymous access in the web config locally,
> but no dice. I am logged onto my machine with an administrative account in
> CMS and it still has no effect.
>
> This seems to go against every convention I can think of. There was a
> previous posting about using adsutil.vbs to change authentication locally to
> NTLM. I have run this already and still nothing.
>
> Any help would be appreciated.



Jay

2004-12-21, 5:51 pm

Stefan,

I checked into that, and the network access setting is already set to "Users authenticate as themselves"..

> Hi Jay,
>
> sounds like this problem:
> http://download.microsoft.com/downl...3a1-4003-9272-2404e92bb76a/MCMS+2002+-+(complete)+FAQ.htm#1251CBDC-FF47-4CD1-B9DA-A2721A9B5F64
> Cheers,
> Stefan.


Stefan [MSFT]

2004-12-21, 5:51 pm

Hi Jay,

which zone does the affected server belong to?
Check in lower right edge of the IE window.
Is it the Intranet zone?

Cheers,
Stefan


"Jay" <confused@times> wrote in message
news:OrmLS425EHA.3908@TK2MSFTNGP12.phx.gbl...
> Stefan,
>
> I checked into that, and the network access setting is already set to
> "Users authenticate as themselves"..
>
>



Jay

2004-12-21, 5:51 pm

Hey Stefan,

Yes, it appears as part of the local Intranet zone.
> Hi Jay,
>
> which zone does the affected server belong to?
> Check in lower right edge of the IE window.
> Is it the Intranet zone?
> Cheers,
> Stefan
> "Jay" <confused@times> wrote in message
> news:OrmLS425EHA.3908@TK2MSFTNGP12.phx.gbl...
> "Users authenticate as themselves"..
>

Stefan [MSFT]

2004-12-21, 5:51 pm

If you enter the credentials of your currently logged in user, does it work
or do you need different credentials?

Cheers,
Stefan.


"Jay" <confused@times> wrote in message
news:eHRzYT35EHA.2156@TK2MSFTNGP10.phx.gbl...
> Hey Stefan,
>
> Yes, it appears as part of the local Intranet zone.
>
>



Jay

2004-12-21, 5:51 pm

Yes, it works just fine. Although, the current user (me) has admin privileges. I just performed an additional test and no matter who I log in as, it works fine.

> If you enter the credentials of your currently logged in user, does it
> work or do you need different credentials?
>
> Cheers,
> Stefan.
> "Jay" <confused@times> wrote in message
> news:eHRzYT35EHA.2156@TK2MSFTNGP10.phx.gbl...

Stefan [MSFT]

2004-12-21, 5:52 pm

Hi Jay,

then it seems to be an issue that IE does for some reason not automatically
send the credentials.
Please check the IE settings.

Cheers,
Stefan.


"Jay" <confused@times> wrote in message
news:u5NPDf35EHA.1408@TK2MSFTNGP10.phx.gbl...
> Yes, it works just fine. Although, the current user (me) has admin
> privileges. I just performed an additional test and no matter who I log in
> as, it works fine.
>
>
>



Jay

2004-12-21, 5:52 pm

But with both my workstation and the server using the security context of the Intranet zone; why do the credentials get passed to the server properly; but not the localhost?
> Hi Jay,
>
> then it seems to be an issue that IE does for some reason not
> automatically
> send the credentials.
> Please check the IE settings.
> Cheers,
> Stefan.
> "Jay" <confused@times> wrote in message
> news:u5NPDf35EHA.1408@TK2MSFTNGP10.phx.gbl...
> privileges. I just performed an additional test and no matter who I
> log in as, it works fine.
>

Stefan [MSFT]

2004-12-21, 5:52 pm

No idea.
Please check the IIS log if the credentials are sent.

Cheers,
Stefan

"Jay" <confused@times> wrote in message
news:#Lm7Yy35EHA.2316@TK2MSFTNGP15.phx.gbl...
> But with both my workstation and the server using the security context of
> the Intranet zone; why do the credentials get passed to the server properly;
> but not the localhost?
>
>
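
Checking the IIS log for this comes down to reading the `cs-username` column next to `sc-status`: anonymous requests and unanswered 401 challenges are logged with `-` as the user name. The following is an added example, not part of the original thread; the log excerpt, account name, addresses and paths are constructed, and the `#Fields` list is an assumption about which W3C Extended fields are enabled.

```python
from collections import defaultdict

# Constructed sample in W3C Extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Fields: time c-ip cs-username cs-method cs-uri-stem sc-status
17:50:02 127.0.0.1 - GET /cms/default.aspx 401
17:50:02 127.0.0.1 - GET /cms/default.aspx 401
17:50:09 127.0.0.1 EXAMPLE\\jay GET /cms/default.aspx 200
17:51:30 192.0.2.15 - GET /cms/default.aspx 401
17:51:30 192.0.2.15 - GET /cms/default.aspx 401
17:52:00 192.0.2.20 - GET /public/index.htm 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def credentials_by_client(records):
    """Map (client IP, URI) to a verdict on whether credentials reached IIS."""
    seen = defaultdict(lambda: {"challenges": 0, "users": set()})
    for r in records:
        s = seen[(r["c-ip"], r["cs-uri-stem"])]
        if r["cs-username"] != "-":
            s["users"].add(r["cs-username"])   # an authenticated request arrived
        elif int(r["sc-status"]) == 401:
            s["challenges"] += 1               # server asked, no identity logged
    verdicts = {}
    for key, s in seen.items():
        if s["users"]:
            verdicts[key] = "credentials sent: " + ", ".join(sorted(s["users"]))
        elif s["challenges"]:
            verdicts[key] = "challenged, no credentials received"
        else:
            verdicts[key] = "no challenge logged (anonymous access)"
    return verdicts

if __name__ == "__main__":
    for key, verdict in credentials_by_client(parse_w3c(SAMPLE_LOG)).items():
        print(key, "->", verdict)
```

The log shows only that an authenticated request arrived, not whether the browser sent the credentials automatically or after a prompt.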



Matthijs Wensveen

2004-12-22, 5:52 pm

> Matthijs, reading through another post I found this kb article that
> seems to address the problem:
> http://support.microsoft.com/defaul.../294382/EN-US/?
>
> This article describes two workarounds. I tried the second (running the
> adsutil.vbs script) and it worked for me -- Integrated Authentication
> now works when accessing a web app hosted on XP SP2 using a host name
> defined in your local hosts file.
>
> I haven't researched all of the ramifications of making this change
> yet, but I'm only dealing with my development machine which may be
> different than your situation.
>
> The KB article doesn't specifically mention XP, but I personally have
> never encountered this problem with 2000 or 2003 server or with XP
> before SP2.


Hi Mike and others,
Thanks a lot for your help. The 2nd workaround worked like a charm.
This is certainly a weird issue. I could connect from other machines without any
problems, using whatever host header I wanted, but not from my local machine....

This seems to be a Kerberos authentication issue. How is this supposed to work?
I mean, it seems like ordinary operation to use Windows Integrated
Authentication on servers that serve multiple Virtual Hosts based on host
headers. Why does the domain controller grant access based on a host header?
What has Kerberos to do with the HTTP protocol? Shouldn't the domain controller
just grant (or deny) access based on the IP of the authentication target?

I'm a complete Kerberos/Authentication/IIS n00b, so it could well be that I'm
talking out of my *ss here
Anyways, thanks a lot for your help, I really appreciate it!

Regards, Matthijs.

Stefan [MSFT]

2004-12-22, 5:52 pm

Hi Matthijs,

this is the wrong newsgroup to ask kerberos questions.
You should post this to an AD or IIS related newsgroup.

Cheers,
Stefan.


"Matthijs Wensveen" <mrw@wanadoo.nl> wrote in message
news:41c9a02e$1@inaja.bit.nl...
>
> Hi Mike and others,
> Thanks a lot for your help. The 2nd workaround worked like a charm.
> This is certainly a weird issue. I could connect from other machines without any
> problems, using whatever host header I wanted, but not from my local machine....
>
> This seems to be a Kerberos authentication issue. How is this supposed to work?
> I mean, it seems like ordinary operation to use Windows Integrated
> Authentication on servers that serve multiple Virtual Hosts based on host
> headers. Why does the domain controller grant access based on a host header?
> What has Kerberos to do with the HTTP protocol? Shouldn't the domain controller
> just grant (or deny) access based on the IP of the authentication target?
>
> I'm a complete Kerberos/Authentication/IIS n00b, so it could well be that I'm
> talking out of my *ss here
> Anyways, thanks a lot for your help, I really appreciate it!
>
> Regards, Matthijs.


