IE7 issue with Integrated Windows Authentication in IIS

Question

Hi,

  I've a web application developed in ASP.NET which is hosted in a Windows 2000 server with only Integrated Windows Authentication enabled. This is to make use of Active Directory Services. Now, everything works fine with IE6. But in IE7, I get the Page Not found message. When I checked the headers, I saw the status as 401.1 which, if I am correct, basically is because of some Permission issues. Why do I get this if I use IE7?

 This above issue is with my Production server. Now, having said that, I've a test server which is also Windows 2000 on which everything works well.

  I just dont have a clue as to where the problem is with my Production server. Please help me on this ASAP as I am getting a lot of calls from my clients regarding this.

  Please do let me know if you need further details on this.

Thanks.

Answer 1

I have an application using IIS windows authentication on Windows 2003 that has been working with IE6 clients seemlessly - whilst trialling IE7 the use has to input authentication details rather than the client workstation authenticating automatically. Not sure how to resolve

Answer 2

James Pomeroy wrote:

I have an application using IIS windows authentication on Windows 2003 that has been working with IE6 clients seemlessly - whilst trialling IE7 the use has to input authentication details rather than the client workstation authenticating automatically. Not sure how to resolve

 

I think this might be because of the security setting in IE. Goto Tools/Internet Options. Select Security Tab. Select the zone in which your app runs ( Internet, Intranet etc ). Click Custom level. Scroll down to User Authentication section ( the last section ). Make sure that Automatic logon with current username/password is selected. Also, check the Advanced Tab in Tools/Internet Options. There is an option to enable Integrated Windows Authentication under Security section. Make sure that is also selected. Reopen the IE to make the settings available. Try again and you should not be seeing any prompt for authentication. This works perfectly for Win 2003.

Well, my problem is the authentication itself and that too in Win 2000 server. If there is an authentication issue, it should not work in IE6 as well. But this problem occurs only with IE7. Dont know anybody else has come across this kind of issue yet.

Answer 3

Hi!

I have the same authentication problem with IE7. IE6 works fine, but IE7 final release doesn't. I tried the things you wrote above, but didn't help.

Any suggestion???

Answer 4

Hi,

What's your OS? Is it Win 2k? Then, I am in the same boat as you are. Just hoping that I would eventually get some reply from a microsoft personnel.

I think this is happening because of the authentication format mismatch that IE7 passes to IIS. Not sure where to go and look for that or even change that.

If you happen to find any solution, please do let me know :)

Answer 5

I have exactly the same authentication issue with SOME of our IE7 machines (two out of about 6 trials so far), authenticating to ISA Server 2004 (for Internet Access).

I have set all the Internet Options to all Integrated Windows Authentication, but it keeps popping up the login box, and ISA Server will not accept the login, and treats the access as if it were anonymous.

Interesting follow-up, which you might like to try!  If you RESTART the client (not shutdown/repower) then it sometimes seems to work fine from then on!

There is nothing of any note in the event log at either initial startup, not after a restart, which would indicate any difference.

Bob

Answer 6

I think I have cracked it - at least for our situation.

UNTICK the TOOLS - INTERNET OPTIONS - ADVANCED - SECURITY - ENABLE WINDOWS INTEGRATED AUTHENTICATION!

So IE7 thinks it is NOT doing Integrated Windows Authentication.  However, ISA Server 2004 thinks it now IS doing successful Windows Integrated Authentication, and I don't have to keep using the login box!

(Typical MS 'feature'??)

Hope this might help someone else.

Bob

Answer 7

I've seen this as a solution in some other post as well. But I think I dont have enough luck as you do. Not working for me :)

Answer 8

I have the same problem. Now I have an open case at Microsoft. If there will be a solution (and I hope so) I will post it here.

Answer 9

It's weird but working...

No comment...

Answer 10

Eagerly awaiting for that :) Thanks a lot.

Answer 11

Yes we are eagerly awaiting something from MS, as this seems a significant problem.

(Our solution of unticking the 'use Windows Integrated Authentication' in IE seems only sometimes to work.)

Please let us know how you get on.

Bob

Answer 12

Alloha everybody!

Seems I find a solution.
What I do in this situation:
1. Go to Internet Options->Security
2. Add local site to Trusted Site as localhost and http://localhost/
3. Ok.
4. Close Internet Explorer if it opened.
5. Clear all cache.
6. Start Internet Explorer.

I do not know why, but exactly step 5 solve my problem...
Seems what IE7 remember last error state.... I think....

Good luck!

Answer 13

Dont have any luck with this also :(

Answer 14

under security tab, put your url in "local intranet" websites(if it is under "trusted sites", ie7 will prompt you to change). use the default security level for "local intranet"("user authentication -> logon -> automatic logon only in intranet zone" checked).

solved my problem. hope helps your guy. good luck.

Answer 15

OK, here is Microsoft's answer for my problem.

If you unthick "ENABLE WINDOWS INTEGRATED AUTHENTICATION" it will work only if the web server (or ISA server or anything else) you want to reach works with clear text authentication. But they don't recommend it because security reasons.

The cause of the problem is, that unttil IE6 the browser doesn't support kerberos authentication. The server what you want to reach begins the authentication process with a negotiation: Can you handle kerb auth.?

If the answer is yes, they will use that. If the answer is no, it will ask: Can you handle NTLM auth.?

If the answer is yes, they will use that. Because IE6 can't handle kerberos it always uses NTLM. (If the answer is no it won't authenticate you.)

The problem is with kerberos. In our case I needed to authenticate to a server through another one (chained proxies) and kerberos doesn't support this method while NTLM supports it.

The resolution was that we set on the server to use only NTLM auth all the time. It is a hotfix and a VBscript but it is not available on Microsoft.com, they sent us on e-mail.

I hope it helped some of you!

Answer 16

If you haven't seen http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx, this page has some tips on 401.1 errors specifically that might help.

For the purposes of diagnosing this, I recommend unchecking "Enable Integrated Windows Authentication" on the client, because it will force IE to use NTLM auth. Troubleshooting Kerberos failures can be a whole different problem.

I have some questions:

- Does this happen consistently with IE7 on different machines? With the information you've provided, I'm not aware of a change in behavior between IE6 and IE7 that could cause this.

- Does IE show you a logon dialog (for entering username and password for the site)? Or does it just fail with the 401.1 error as soon as you try to navigate to the page? It's unusual for IE to fail from this error without first attempting to get credentials.

- When you see the 401.1 error page, what zone does it show up in? For whatever zone it is, try going into Tools -> Internet Options -> Security -> choose the zone that the error page is in -> Custom... -> set "Logon" at the bottom to "Prompt for username and password". OK out of all the dialogs.

Now, when you navigate to the site again, you should certainly get a log on dialog asking for your credentials. If you enter in credentials that should have access to the site, does it still fail?

- Can you get a look at the traffic between IE and the site using Fiddler (http://www.fiddlertool.com)? In particular, can you paste here the WWW-Authenticate header in the first request after the 401 error?

 

I can follow up with more questions or answers based on your reply.

Answer 17

I have exactly the same problem, haven't found a GOOD solution yet. But to work around it I've used the IP address instead of the server name and it seems to work (wouldn't have the faintest clue why). If anyone finds a solution please let us know.

Answer 18

I am having a similar problem and I've been working with Microsoft for a week now trying to get it resolved!

I have 4 Vista PC's outside the firewall that cannot connect to our intranet site. The XP machines using IE 6 or 7 work fine from the same location. All clients are going through a proxy first.

I've been reading that prior to IE7, Kerberos authentication via a proxy is not supported but that this was resolved in IE 7. Can anyone confirm this?

I can use firefox from the same problem computers and access the site fine. I ran fiddler to trace the communication between client and server using IE and the response headers are showing:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

The site is set for windows integrated authentication, I've turned that option on in IE along with adding the site name and IP address under trusted sites and changing the log on option to automatic log on with current username and password.

I've tried everything on this forum and the microsoft tech I'm working with is just as stuck... Anyone else have any suggestions?

Thanks!!!

Answer 19

I figured out a solution to the problem I was experiencing... on the Vista boxes, I had to go to the Local Security Policy --> Security Options and changed the LAN Manager authentication level properties to Send LM & NTLM - use NTLMv2 session security if negotiated.
The default was set to: Use NTLMv2 response only.

Once I changed that setting, all workstations connected to the internal sharepoint site. Hope that helps someone else :)

Answer 20

I had the same issue with a website that use pass through authentication.
The website gets the logged in users identity and user groups..
In Firefox, it would prompt me for the user name and password, which is correct because FF doesn't support pass through in windows.
BTW I set up the website in IIS and told it to use integrated authentication, in ASP.net security.

In IE7 it would fail all the time.. When I unchecked Enable Integrated Windows Authentication it works. and allows me to get user info through system security
but in internet options, under user authentication, I have checked automatic logon with current user name and password.
Now the website works perfectly...

Now to check it against IE8, since MS made it a critical update. alot of people installed it not knowing it was buggy....

Answer 21

Reena111

Thanks for your fix... I have Windows 7 and couldn't even map a network drive to a Windows 2000 server, it just kept asking for the username and password over and over, and what you mention aboved fixed that.

Answer 22

I fixed this problem by changing the application pool's identity back to Network Service. Some better tech could probably explain why but I've heard it has something to do with Kerberos and NTLM. Woot!

Answer 23

As an addon to this topic, I have seen issues in my environment using Integrated Windows Auth. It is always solved by implementing the following fix.

http://support.microsoft.com/default.aspx/kb/215383

cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "NTLM"

Kereberos is the default authentication mechanism, so implicity setting NTLM does the trick for me.

this can also be set at this level, if I remember correctly.

cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"

Answer 24

Actually work if you want to force NTLM,

do it a the server level (open IIS7 - navigate at the root - IIS section Authentication - enable Windows Authentication on top of the one set in your web.config) and that will prevent kerberos from taking over ! - no need to untick the box !