After installing SP2 for Windows XP, I noticed that my local IIS web
site that uses Windows authentication was acting strangly. When I go
to :

http://localhost/mySecureSite  - no login window - site is displayed
http://[myIPAddress]/mySecureSite - login window - site is displayed
(after very slow login)
http://127.0.0.1/mySecureSite  - login window - site is displayed
http://mySite/mySecureSite  - login window - ** access denied **

In the last test, "mySite" was defined in the hosts file on the local
machine. The login windows was displayed (with the name of the local
machine in the title of the dialog) however the username/password was
systematically rejected!!


Tests I performed:
- Instead of defining mySite as 127.0.0.1 in the hosts file, I defined
it as the local external IP address. No change.

- Disabled the firewall (Set to "Off" in the "General" Tab of Windows
Firewall). No change.

- Stopped the Windows Firewall /ICS service. No change.

- Rebooted. No change.

- I just tried these four tests in Mozilla Firefox. They all work?!!!
Is this an IE security setting problem?


Any help would be appreciated,
Anil

[ Post a follow-up to this message ]

Hi,

Add your http://[myIPAddress]/, http://127.0.0.1, and http://mySite/ to
"Local Intranet" zone and try again.

I hope this helps,

Mike

"Anil" <anilr@post.com> wrote in message
news:108c4151.0408180030.5d5850e2@posting.google.com...
> After installing SP2 for Windows XP, I noticed that my local IIS web
> site that uses Windows authentication was acting strangly. When I go
> to :
>
> http://localhost/mySecureSite  - no login window - site is displayed
> http://[myIPAddress]/mySecureSite - login window - site is displayed
> (after very slow login)
> http://127.0.0.1/mySecureSite  - login window - site is displayed
> http://mySite/mySecureSite  - login window - ** access denied **
>
> In the last test, "mySite" was defined in the hosts file on the local
> machine. The login windows was displayed (with the name of the local
> machine in the title of the dialog) however the username/password was
> systematically rejected!!
>
>
> Tests I performed:
> - Instead of defining mySite as 127.0.0.1 in the hosts file, I defined
> it as the local external IP address. No change.
>
> - Disabled the firewall (Set to "Off" in the "General" Tab of Windows
> Firewall). No change.
>
> - Stopped the Windows Firewall /ICS service. No change.
>
> - Rebooted. No change.
>
> - I just tried these four tests in Mozilla Firefox. They all work?!!!
> Is this an IE security setting problem?
>
>
> Any help would be appreciated,
> Anil

[ Post a follow-up to this message ]

Hi,

This explains why you are getting the login dialogue for <Ip address> and
<127.0.0.1>
http://support.microsoft.com/?id=258063

for http://mysite/ you probably need to enter your credentials as
RealComputerName\Username

Cheers
Ken

"Anil" <anilr@post.com> wrote in message
news:108c4151.0408180030.5d5850e2@posting.google.com...
> After installing SP2 for Windows XP, I noticed that my local IIS web
> site that uses Windows authentication was acting strangly. When I go
> to :
>
> http://localhost/mySecureSite  - no login window - site is displayed
> http://[myIPAddress]/mySecureSite - login window - site is displayed
> (after very slow login)
> http://127.0.0.1/mySecureSite  - login window - site is displayed
> http://mySite/mySecureSite  - login window - ** access denied **
>
> In the last test, "mySite" was defined in the hosts file on the local
> machine. The login windows was displayed (with the name of the local
> machine in the title of the dialog) however the username/password was
> systematically rejected!!
>
>
> Tests I performed:
> - Instead of defining mySite as 127.0.0.1 in the hosts file, I defined
> it as the local external IP address. No change.
>
> - Disabled the firewall (Set to "Off" in the "General" Tab of Windows
> Firewall). No change.
>
> - Stopped the Windows Firewall /ICS service. No change.
>
> - Rebooted. No change.
>
> - I just tried these four tests in Mozilla Firefox. They all work?!!!
> Is this an IE security setting problem?
>
>
> Any help would be appreciated,
> Anil

[ Post a follow-up to this message ]

Thanks for the responses guys.

I tried adding "mysite" to both the Trusted Sites and the Local
Intranet site, but still I can not get past the login window.

What I don't understand is that "mysite" resolves to 127.0.0.1. So
theoretically the login window should be the same for both. However
the "mysite" link rejects every login, while the link using 127.0.0.1
works just fine (logging in with USERNAME or MYCOMPUTERNAME\USERNAME).

I've got an ASP page that returns the AUTH_USER server variable. It
appears that I'm logging in to the appropriate account with the 3
links that do work (i.e. I can use a username/pwd other than my
current logged in account).

Again, with Mozilla I can access all 4 links on the local machine.

Interestingly, from a remote machine (Windows 2000 on another domain)
if I modify the hosts file to define "mysite" as the IP address of the
XP box it works just fine. I can log in without a problem.

This would appear to be an IE bug / strange security setting.

A colleague of mine just (unintentionally) duplicated this scenario.
Hmmm....


Can anyone confirm this as an SP2 bug?

[ Post a follow-up to this message ]

Please enable Logon Auditing failure on your local machine, and look in the
Windows Security event logs to see what account Windows thinks is attempting
to logon (and failing).

Cheers
Ken

"Anil" <anilr@post.com> wrote in message
news:108c4151.0408180710.bcfa51a@posting.google.com...
> Thanks for the responses guys.
>
> I tried adding "mysite" to both the Trusted Sites and the Local
> Intranet site, but still I can not get past the login window.
>
> What I don't understand is that "mysite" resolves to 127.0.0.1. So
> theoretically the login window should be the same for both. However
> the "mysite" link rejects every login, while the link using 127.0.0.1
> works just fine (logging in with USERNAME or MYCOMPUTERNAME\USERNAME).
>
> I've got an ASP page that returns the AUTH_USER server variable. It
> appears that I'm logging in to the appropriate account with the 3
> links that do work (i.e. I can use a username/pwd other than my
> current logged in account).
>
> Again, with Mozilla I can access all 4 links on the local machine.
>
> Interestingly, from a remote machine (Windows 2000 on another domain)
> if I modify the hosts file to define "mysite" as the IP address of the
> XP box it works just fine. I can log in without a problem.
>
> This would appear to be an IE bug / strange security setting.
>
> A colleague of mine just (unintentionally) duplicated this scenario.
> Hmmm....
>
>
> Can anyone confirm this as an SP2 bug?

[ Post a follow-up to this message ]

You might want to ring PSS and see if this help
Programs that connect to IP addresses that are in the loopback address range
may not work as you expect in Windows XP Service Pack 2
http://support.microsoft.com/?id=884020

--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/



"Anil" <anilr@post.com> wrote in message
news:108c4151.0408180710.bcfa51a@posting.google.com...
> Thanks for the responses guys.
>
> I tried adding "mysite" to both the Trusted Sites and the Local
> Intranet site, but still I can not get past the login window.
>
> What I don't understand is that "mysite" resolves to 127.0.0.1. So
> theoretically the login window should be the same for both. However
> the "mysite" link rejects every login, while the link using 127.0.0.1
> works just fine (logging in with USERNAME or MYCOMPUTERNAME\USERNAME).
>
> I've got an ASP page that returns the AUTH_USER server variable. It
> appears that I'm logging in to the appropriate account with the 3
> links that do work (i.e. I can use a username/pwd other than my
> current logged in account).
>
> Again, with Mozilla I can access all 4 links on the local machine.
>
> Interestingly, from a remote machine (Windows 2000 on another domain)
> if I modify the hosts file to define "mysite" as the IP address of the
> XP box it works just fine. I can log in without a problem.
>
> This would appear to be an IE bug / strange security setting.
>
> A colleague of mine just (unintentionally) duplicated this scenario.
> Hmmm....
>
>
> Can anyone confirm this as an SP2 bug?

[ Post a follow-up to this message ]

Yeah, I looked at the Event manager for info, but it's not very helpful
(to me at least). Here's the scoop...

The Logon Failure event is as follows:

Event Type:	Failure Audit
Event Source:	Security
Event Category:	Logon/Logoff
Event ID:	537
Date:		19/08/2004
Time:		10:30:28
User:		NT AUTHORITY\SYSTEM
Computer:	WINCALL002
Description:
Logon Failure:
Reason:		An error occurred during logon
User Name:	ANILR
Domain:		myDomain
Logon Type:	3
Logon Process:	8‘|ÔúÃ
Authentication Package:	NTLM
Workstation Name:	MYMACHINE
Status code:	0xC000006D
Substatus code:	0xC3FC50

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----------------------------------------------------

The firewall information provided just before the login failure:


The Windows Firewall has detected an application listening for incoming
traffic.

Name: lsass.exe
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 636
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 4415
Allowed: Yes
User notified: No

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------------------

*** Sent via Developersdex http://www.codecomments.com ***
Don't just participate in USENET...get rewarded for it!

[ Post a follow-up to this message ]

"Anil Rhemtulla" <anilr@post.com> wrote in message
news:eLeeMnchEHA.1652@TK2MSFTNGP09.phx.gbl...
>  User Name: ANILR
>  Domain: myDomain

Try to logon as Local instead of the "myDomain" see what it does. I have
XP/SP2 (issued on 8/10/04) installed on my XP Pro and it works fine here
with FireWall enabled (fully) and no settings were altered.

John

[ Post a follow-up to this message ]

John,

You managed to log on to a local web site with Windows Authentication
using a host name in the URL (which was defined in your HOSTS file)?

As I mentioned, I've tried both local and domain username/pwd
combinations, and I can successfuly log in to the web site if I
replace the Host name with either the IP address or "localhost".

I have defined the Host name correctly (tested using "ping HostName")
as either the IP address or 127.0.0.1. But neither allow me to log in.

Here's the interesting part:
IT WORK IN MOZILLA FIREFOX !

So for some reason, the IE is screwing up the windows Authentication.
I've tried adding HostName to my trusted web sites in IE to see if
that helped out, but it did not.

John, can you please confirm your test was similar.

Cheers,
Anil

[ Post a follow-up to this message ]

Did you check the KB article that Bernard posted? If this is an XP SP2
machine, you can get a hotfix from PSS (there is no charge, just cite the KB
article).

Cheers
Ken

"Anil" <anilr@post.com> wrote in message
news:108c4151.0408240001.387efe58@posting.google.com...
> John,
>
> You managed to log on to a local web site with Windows Authentication
> using a host name in the URL (which was defined in your HOSTS file)?
>
> As I mentioned, I've tried both local and domain username/pwd
> combinations, and I can successfuly log in to the web site if I
> replace the Host name with either the IP address or "localhost".
>
> I have defined the Host name correctly (tested using "ping HostName")
> as either the IP address or 127.0.0.1. But neither allow me to log in.
>
> Here's the interesting part:
> IT WORK IN MOZILLA FIREFOX !
>
> So for some reason, the IE is screwing up the windows Authentication.
> I've tried adding HostName to my trusted web sites in IE to see if
> that helped out, but it did not.
>
> John, can you please confirm your test was similar.
>
> Cheers,
> Anil

[ Post a follow-up to this message ]