Client Permissions required for Integrated Authentication?
on 03.05.2005 15:13:05 by Paul Haigh
Hi there,
I've got an IIS 6.0 Website on Windows 2003 which I have set up as Integrated
Authentication. I have disabled all other forms of authentication
(Anonymous, basic, etc).
The Clients authenticate against a Windows NT domain currently. When the
client tries to authenticate against the website, I get a login box for the
client, unless the user is defined as a local admin on his local PC. As soon
as we add the user's account to the local 'Administrators' group, everything
seems to work as we'd expect.
I saw postings on here about the fact that IE will only send the NT
Challenge information to sites in the 'Local Intranet' zone, and I added the
local website to the local servers in the 'proxy' configuration page (which
should add them to the local intranet zone), but it didn't appear to change
anything.
Our local PCs are locked down pretty tightly, so I need a bit of guidance
as to what local security settings need to be applied to allow Windows
Integrated authentication.
Cheers,
Paul.
Re: Client Permissions required for Integrated Authentication?
on 03.05.2005 16:08:21 by tomk (A
"Paul Haigh" wrote in message
news:A0EEB7CE-69DC-4BEE-B084-E3ABE2E4081D@microsoft.com...
> Hi there,
>
> I've got an IIS 6.0 Website on Windows 2003 which I have set up as Integrated
> Authentication. I have disabled all other forms of authentication
> (Anonymous, basic, etc).
>
> The Clients authenticate against a Windows NT domain currently. When the
> client tries to authenticate against the website, I get a login box for the
> client, unless the user is defined as a local admin on his local PC. As soon
> as we add the user's account to the local 'Administrators' group, everything
> seems to work as we'd expect.
>
> I saw postings on here about the fact that IE will only send the NT
> Challenge information to sites in the 'Local Intranet' zone, and I added the
> local website to the local servers in the 'proxy' configuration page (which
> should add them to the local intranet zone), but it didn't appear to change
> anything.
>
> Our local PCs are locked down pretty tightly, so I need a bit of guidance
> as to what local security settings need to be applied to allow Windows
> Integrated authentication.
Sounds like the NTFS permissions on the content need to be adjusted. The IE
issue you mention would not be affected by whether or not users are part of
the admin group. Make sure your users have at least NTFS Read permissions
on your content files and folders.
--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsserver2003/community/centers/iis/
http://mvp.support.microsoft.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
Re: Client Permissions required for Integrated Authentication?
on 03.05.2005 16:25:02 by Paul Haigh
"Tom Kaminski [MVP]" wrote:
> "Paul Haigh" wrote in message
> news:A0EEB7CE-69DC-4BEE-B084-E3ABE2E4081D@microsoft.com...
> > Hi there,
> >
>
> Sounds like the NTFS permissions on the content need to be adjusted. The IE
> issue you mention would not be affected by whether or not users are part of
> the admin group. Make sure your users have at least NTFS Read permissions
> on your content files and folders.
>
Hi Tom,
I thought that as well to start with, but when I added 'Everyone' to the
NTFS permissions for the content, nothing changed. We didn't see the boxes
go away until we added the NT account to the local PC's 'Administrators'
group - then the issue appears to go away immediately.
Alternatively, the login box can be removed by putting back 'Anonymous
Authentication', which isn't a huge surprise.
Cheers,
Paul
Re: Client Permissions required for Integrated Authentication?
on 03.05.2005 18:11:34 by tomk (A
"Paul Haigh" wrote in message
news:1E59068D-4CB8-485F-A154-D8142E62E702@microsoft.com...
> "Tom Kaminski [MVP]" wrote:
>> "Paul Haigh" wrote in message
>> news:A0EEB7CE-69DC-4BEE-B084-E3ABE2E4081D@microsoft.com...
>> > Hi there,
>> >
>
>>
>> Sounds like the NTFS permissions on the content need to be adjusted. The IE
>> issue you mention would not be affected by whether or not users are part of
>> the admin group. Make sure your users have at least NTFS Read permissions
>> on your content files and folders.
>>
> Hi Tom,
>
> I thought that as well to start with, but when I added 'Everyone' to the
> NTFS permissions for the content, nothing changed. We didn't see the boxes
> go away until we added the NT account to the local PC's 'Administrators'
> group - then the issue appears to go away immediately.
>
> Alternatively, the login box can be removed by putting back 'Anonymous
> Authentication', which isn't a huge surprise.
Try with the specific account instead of Everyone.
--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsserver2003/community/centers/iis/
http://mvp.support.microsoft.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
Re: Client Permissions required for Integrated Authentication?
on 04.05.2005 07:33:18 by Ken Schaefer
Adding the user to the local administrators group on their client PC should
have no effect whatsoever on whether the authentication dialogue appears or
not, as far as I can tell.
The authentication dialogue appears when:
a) the site is not in the local intranet zone (check visually using the
little icon that IE displays down the bottom right of the screen)
-or-
b) the site is in the local intranet zone, but the credentials that IE has
supplied "under the covers" do not have permission, on the server, to access
the files off the server's hard disk.
Cheers
Ken
--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com
"Paul Haigh" wrote in message
news:A0EEB7CE-69DC-4BEE-B084-E3ABE2E4081D@microsoft.com...
: Hi there,
:
: I've got an IIS 6.0 Website on Windows 2003 which I have set up as Integrated
: Authentication. I have disabled all other forms of authentication
: (Anonymous, basic, etc).
:
: The Clients authenticate against a Windows NT domain currently. When the
: client tries to authenticate against the website, I get a login box for the
: client, unless the user is defined as a local admin on his local PC. As soon
: as we add the user's account to the local 'Administrators' group, everything
: seems to work as we'd expect.
:
: I saw postings on here about the fact that IE will only send the NT
: Challenge information to sites in the 'Local Intranet' zone, and I added the
: local website to the local servers in the 'proxy' configuration page (which
: should add them to the local intranet zone), but it didn't appear to change
: anything.
:
: Our local PCs are locked down pretty tightly, so I need a bit of guidance
: as to what local security settings need to be applied to allow Windows
: Integrated authentication.
:
: Cheers,
:
: Paul.
Re: Client Permissions required for Integrated Authentication?
on 04.05.2005 14:37:04 by PaulHaigh
Ken/Tom
Thanks for the responses. I was seriously weirded out by the behaviour, but
looking more carefully today (with a fresh head), I see that adding local
admin for some reason puts the website into the 'Local Intranet' zone,
whereas when you are not a local admin, the same website (with the same IE
config) is in the 'Internet' zone.
Weird, but true. I'll focus on finding the appropriate settings in the
registry/IE configuration to get the website in the 'Local Intranet' zone.
Thanks once again.
Paul
Re: Client Permissions required for Integrated Authentication?
on 21.08.2006 16:53:02 by RBE
I've seen this before; it might help to put the contents of the current user
part of an administrator registry to the local machine part. Also, you must
not use FQDNs in the URL: this will cause an Internet qualification as well.
The key that you should check is:
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet settings\Zonemap
There should be three values in there. If they are not ALL there, the three
settings that are in Internet Options, Security tab, Local Intranet, Sites,
will not work for regular users. You can export the settings (one is
something like UNCasIntranet=1). Delete all subkeys from the export and
change the string CURRENT_USER to LOCAL_MACHINE, import this into the
registry and it works.
"Paul Haigh" wrote:
> Ken/Tom
>
> Thanks for the responses. I was seriously weirded out by the behaviour, but
> looking more carefully today (with a fresh head), I see that adding local
> admin for some reason puts the website into the 'Local Intranet' zone,
> whereas when you are not a local admin, the same website (with the same IE
> config) is in the 'Internet' zone.
>
> Weird, but true. I'll focus on finding the appropriate settings in the
> registry/IE configuration to get the website in the 'Local Intranet' zone.
>
> Thanks once again.
>
> Paul
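
An added example, not part of the thread: a read-only PowerShell check of the ZoneMap values the last post refers to, comparing the per-user and per-machine hives so a missing machine-wide value shows up before anything is imported. The value names `IntranetName`, `ProxyBypass` and `UNCAsIntranet` are the standard names behind the three Local intranet checkboxes and are an assumption here, since the post names only one of them; `Get-ZoneMapValues` is a hypothetical helper name.

```powershell
# Added example: read-only comparison of ZoneMap values in HKCU and HKLM.
# Nothing is written to the registry.
$subKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

# Assumed value names: the standard settings behind the three
# "Local intranet > Sites" checkboxes (the thread names only UNCAsIntranet).
$names = 'IntranetName', 'ProxyBypass', 'UNCAsIntranet'

function Get-ZoneMapValues {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('HKCU', 'HKLM')]
        [string]$Hive
    )

    $path = "${Hive}:\$subKey"
    # $item stays $null when the ZoneMap key itself does not exist.
    $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

    foreach ($name in $names) {
        # "Present" means the key exists and carries the named value.
        $present = $null -ne $item -and $null -ne $item.PSObject.Properties[$name]
        [pscustomobject]@{
            Hive    = $Hive
            Name    = $name
            Present = $present
            Data    = if ($present) { $item.$name } else { $null }
        }
    }
}

$report = 'HKCU', 'HKLM' | ForEach-Object { Get-ZoneMapValues -Hive $_ }
$report | Format-Table -AutoSize

# Flag the situation described in the thread: values that are absent
# from the machine-wide key, whatever the current user's hive contains.
$hklmMissing = $report | Where-Object { $_.Hive -eq 'HKLM' -and -not $_.Present }
if ($hklmMissing) {
    Write-Warning ('Missing under HKLM ZoneMap: ' + ($hklmMissing.Name -join ', '))
}
```

Run it once as the affected non-admin user and once as a local administrator; differing HKCU rows between the two accounts match the zone difference Paul observed.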