Windows authentication from IE7
Message
From
25/02/2008 07:20:54
 
 
To
24/02/2008 01:42:01
General information
Forum:
Internet
Category:
Microsoft Internet Explorer
Miscellaneous
Thread ID:
01295271
Message ID:
01296004
Views:
15
>>>>Hi,
>>>>
>>>>I'm testing a W2K3/IIS6 webserver. Where anonymous access is disabled I can't seem to authenticate from IE7.
>>>>On an IE6 browser I use either 'username' or 'webservermachinename\username' successfully. With an IE7 browser both of these are rejected and the text in the User name textbox changes to 'www.xxx.com\username'. Only successful login is by specifying the webserver IP address in the URL.
>>>>
>>>>Of course this may not be an IE6/IE7 issue - the browsers are on different machines (IE7 is in fact on the webserver itself) and the URL is mapped to the webserver's IP address in the HOSTS file in both cases. Nevertheless I'm pretty sure this was working OK on the webserver under IE6.
>>>>
>>>>UPDATE: Just tried from IE7 on another machine and that works as expected. So it appears to only be an issue when using the IE7 browser on the webserver. Maybe some DNS quirk?
>>>
>>>Just a SWAG, but security groups can be configured to deny console (local) logon to server(s) - maybe the account you're trying belongs to such a group? You could test by trying with the local server or domain admin credentials.
>>>
>>>Another even SWAGgier guess is that there are various Group Policies available for IE. You could check them and see if any are changed from the default:
>>>
>>>- run gpedit.msc
>>>- check Local Computer Policy...Computer Configuration...Administrative Templates...Windows Components...Internet Explorer
>>
>>Hi,
>>Thanks for the suggestions but:
>>Same problem when logging on using an Administrator account
>>No changes made to Local Computer Policy.
>>Below are two sample audit events - one success, one fail. The only difference between the two attempts is that for the first one I used the IP address in the URL and in the second I used the Hosts specified name:
>>Event Type:	Success Audit
>>Event Source:	Security
>>Event Category:	Logon/Logoff
>>Event ID:	540
>>Date:		23/02/2008
>>Time:		09:59:49
>>User:		COMPUTERNAME\username
>>Computer:	COMPUTERNAME
>>Description:
>>Successful Network Logon:
>> 	User Name:	username
>> 	Domain:		COMPUTERNAME
>> 	Logon ID:		(0x0,0x15D01F)
>> 	Logon Type:	3
>> 	Logon Process:	NtLmSsp
>> 	Authentication Package:	NTLM
>> 	Workstation Name:	COMPUTERNAME
>> 	Logon GUID:	-
>> 	Caller User Name:	-
>> 	Caller Domain:	-
>> 	Caller Logon ID:	-
>> 	Caller Process ID: -
>> 	Transited Services: -
>> 	Source Network Address:	192.168.0.246
>> 	Source Port:	1065
>>--------------------------------------------------------------
>>Event Type:	Failure Audit
>>Event Source:	Security
>>Event Category:	Logon/Logoff
>>Event ID:	534
>>Date:		23/02/2008
>>Time:		10:26:47
>>User:		NT AUTHORITY\SYSTEM
>>Computer:	COMPUTERNAME
>>Description:
>>Logon Failure:
>> 	Reason:	The user has not been granted the requested
>> 		logon type at this machine
>> 	User Name:	username
>> 	Domain:		COMPUTERNAME
>> 	Logon Type:	4
>> 	Logon Process:	Advapi
>> 	Authentication Package:	Negotiate
>> 	Workstation Name:	COMPUTERNAME
>> 	Caller User Name:	NETWORK SERVICE
>> 	Caller Domain:	NT AUTHORITY
>> 	Caller Logon ID:	(0x0,0x3E4)
>> 	Caller Process ID:	2420
>> 	Transited Services:	-
>> 	Source Network Address:	-
>> 	Source Port:	-
>>
>>For comparison here's a Success audit when logging in using the site name from another machine:
>>Event Type:	Success Audit
>>Event Source:	Security
>>Event Category:	Logon/Logoff
>>Event ID:	540
>>Date:		23/02/2008
>>Time:		10:26:46
>>User:		COMPUTERNAME\username
>>Computer:	COMPUTERNAME
>>Description:
>>Successful Network Logon:
>> 	User Name:	username
>> 	Domain:		COMPUTERNAME
>> 	Logon ID:		(0x0,0x2388D9)
>> 	Logon Type:	3
>> 	Logon Process:	NtLmSsp
>> 	Authentication Package:	NTLM
>> 	Workstation Name:	DELL9400
>> 	Logon GUID:	-
>> 	Caller User Name:	-
>> 	Caller Domain:	-
>> 	Caller Logon ID:	-
>> 	Caller Process ID: -
>> 	Transited Services: -
>> 	Source Network Address:	192.168.0.126
>> 	Source Port:	1596
>>Note that this isn't really an issue for me but I would like to understand the reason for the different behaviours.
>
>Hmm, clearly something more is happening than IP vs. HOSTS specified name. The failed attempt is trying to log on via what looks like a local system/service account, some of the other parameters are different as well.
>

Hi,

>Can you confirm with NSLOOKUP what your local DNS is returning for the URL you're trying to get to via HOSTS?

'Unknown' (it's a deliberately fictional URL).

But resolved: http://support.microsoft.com/kb/896861/. Snip:

"This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name"

Didn't bother with the workarounds since there's no real reason that I require the ability.
Thanks for the input, Regards,
Viv
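
The field-by-field comparison that the replies above do by eye, as an added Python example that is not part of the original thread. The two sample events are condensed from the audit records quoted in the message, and `parse_event` and `diff_events` are hypothetical helper names.

```python
import re

# Constructed samples: condensed from the two audit events quoted in the thread
# (COMPUTERNAME-style placeholders and addresses are the poster's own).
SUCCESS = """\
Event Type:\tSuccess Audit
Event ID:\t540
 \tUser Name:\tusername
 \tLogon Type:\t3
 \tLogon Process:\tNtLmSsp
 \tAuthentication Package:\tNTLM
 \tCaller User Name:\t-
 \tSource Network Address:\t192.168.0.246
"""

FAILURE = """\
Event Type:\tFailure Audit
Event ID:\t534
 \tReason:\tThe user has not been granted the requested
 \t\tlogon type at this machine
 \tUser Name:\tusername
 \tLogon Type:\t4
 \tLogon Process:\tAdvapi
 \tAuthentication Package:\tNegotiate
 \tCaller User Name:\tNETWORK SERVICE
 \tSource Network Address:\t-
"""

FIELD = re.compile(r"^\s*([^:\t]+):\s*(.*)$")

def parse_event(text):
    """Parse 'Name: value' lines; fold wrapped lines into the previous field."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group(1).strip()
            fields[last] = m.group(2).strip()
        elif last and line.strip():
            # Continuation of a wrapped value, e.g. the two-line Reason text.
            fields[last] = (fields[last] + " " + line.strip()).strip()
    return fields

def diff_events(a, b):
    """Return {field: (a_value, b_value)} for fields present in both that differ."""
    return {k: (a[k], b[k]) for k in a if k in b and a[k] != b[k]}

if __name__ == "__main__":
    for name, (ok, bad) in diff_events(parse_event(SUCCESS), parse_event(FAILURE)).items():
        print(f"{name}: {ok!r} -> {bad!r}")
```

Logon Type 3 is a network logon and Logon Type 4 is a batch logon, so the diff shows the failed attempt taking a different logon path, not just a different host name.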