Win2K3, IIS6, and IE6 - Can't get IWA/NTLM to work
on 05.12.2006 02:49:11 by ohaya
Hi,
I have a Win2K3 Server with IIS6 on it. In the Default website, I have
a directory (/iwaprotected) with just a default.asp in it. The machine
is a member of domain "whatever.com".
When I use IE6 (on the same physical machine) to connect to
http:///iwaprotected/default.asp, I get a popup login
window.
However, when I try to log in using a valid user (e.g.,
"whatever\testuser" or "testuser@whatever.com") and password, the popup
just re-displays. After 3 times, I get a 401.1 error.
I know that the username/password are valid, because I can login to the
Windows domain using them.
I've tried this with "Enable Integrated Windows Authentication" checkbox
in IE6 both checked and unchecked, with same results.
I've also accessed the same website from another machine using the same
FQDN, and get the same behavior.
Does anyone have any idea about why this might be happening? Is there
something that might prevent IE6 from being able to pass the user's
credentials?
Thanks,
Jim
Re: Win2K3, IIS6, and IE6 - Can't get IWA/NTLM to work
on 05.12.2006 10:15:19 by Miha Pihler
Hi,
Does the user actually have permissions to the content? E.g., is the Domain Users
group assigned at least Read permissions on the content of the website? IIS
will always honor NTFS permissions.
For Integrated authentication to work, the site must be in the Local Intranet zone.
A site entered in the format http:/// would by default be in the
Internet zone and not in the Intranet zone - and Integrated authentication will
not work.
--
Mike
Microsoft MVP - Windows Security
"ohaya" wrote in message
news:%23NV019AGHHA.3616@TK2MSFTNGP02.phx.gbl...
> Hi,
>
> I have a Win2K3 Server with IIS6 on it. In the Default website, I have a
> directory (/iwaprotected) with just a default.asp in it. The machine is a
> member of domain "whatever.com".
>
> When I use IE6 (on the same physical machine) to connect to
> http:///iwaprotected/default.asp, I get a popup login
> window.
>
> However, when I try to log in using a valid user (e.g., "whatever\testuser"
> or "testuser@whatever.com") and password, the popup just re-displays.
> After 3 times, I get a 401.1 error.
>
> I know that the username/password are valid, because I can login to the
> Windows domain using them.
>
> I've tried this with "Enable Integrated Windows Authentication" checkbox
> in IE6 both checked and unchecked, with same results.
>
> I've also accessed the same website from another machine using the same
> FQDN, and get the same behavior.
>
> Does anyone have any idea about why this might be happening? Is there
> something that might prevent IE6 from being able to pass the user's
> credentials?
>
> Thanks,
> Jim
Re: Win2K3, IIS6, and IE6 - Can't get IWA/NTLM to work
on 05.12.2006 15:43:36 by ohaya
Hi,
Comments interspersed...
Jim
Miha Pihler [MVP] wrote:
> Hi,
>
> Does user actually have permissions to the content? E.g. is Domain Users
> group assigned at least Read permissions on the content of the website? IIS
> will always honor NTFS permissions.
I will have someone check the above.
For comparison, I have another, separate test configuration consisting
of a DC, and a server that is a member of that other domain, and where
IWA works on my test page. When I click Properties->Security tab on the
test directory and page, it shows that Administrators, IIS_WPG, SYSTEM,
and Users(machinename\Users) have Read permissions, i.e., Domain Users
is not shown. On this system (the one where IWA works), when I look in
Local Users and Groups, it looks like "Domain Users" is a member of "Users".
> For Integrated authentication to work, site must be in Local Intranet zone.
> Site entered in format http:/// would by default be in
> Internet zone and not in Intranet zone - and Integrated authentication will
> not work.
When I access the site in the environment where IWA is not working,
"Internet" is showing up in the lower-right of IE6.
I've seen the above comment before, but in the 2nd environment that I
mentioned above, where IWA *is* working, the only sites in Intranet are
http://localhost, hcp://system, and https://localhost, and I did not
have to add the site to "Intranet", so I'm puzzled about this point.
Jim
Re: Win2K3, IIS6, and IE6 - Can't get IWA/NTLM to work
on 05.12.2006 18:12:35 by Miha Pihler
Hi,
Any URL that is in the format:
http://servername or https://servername
is in the Local Intranet zone by default.
URLs in the format:
http://server.domain.com or http://10.10.10.10 are in the Internet zone by
default, and in this case Integrated auth. will not work ...
--
Mike
Microsoft MVP - Windows Security
> Miha Pihler [MVP] wrote:
>> Hi,
>>
>> Does user actually have permissions to the content? E.g. is Domain Users
>> group assigned at least Read permissions on the content of the website?
>> IIS will always honor NTFS permissions.
>
> I will have someone check the above.
>
> For comparison, I have another, separate test configuration consisting of
> a DC, and a server that is a member of that other domain, and where IWA
> works on my test page. When I click Properties->Security tab on the test
> directory and page, it shows that Administrators, IIS_WPG, SYSTEM, and
> Users(machinename\Users) have Read permissions, i.e., Domain Users is not
> shown. On this system (the one where IWA works), when I look in Local
> Users and Groups, it looks like "Domain Users" is a member of "Users".
>
>
>> For Integrated authentication to work, site must be in Local Intranet
>> zone. Site entered in format http:/// would by default
>> be in Internet zone and not in Intranet zone - and Integrated
>> authentication will not work.
>
> When I access the site in the environment where IWA is not working,
> "Internet" is showing up in the lower-right of IE6.
>
> I've seen the above comment before, but in the 2nd environment that I
> mentioned above, where IWA *is* working, the only sites in Intranet are
> http://localhost, hcp://system, and https://localhost, and I did not have
> to add the site to "Intranet", so I'm puzzled about this point?
Re: Win2K3, IIS6, and IE6 - Can't get IWA/NTLM to work
on 06.12.2006 01:47:25 by ohaya
Hi,
I'm not meaning to disagree, but on the test environment that I have
where IWA works, I can use FQDN hostnames in the URLs, and IWA works.
I still haven't figured out why IWA doesn't work on that other
environment :(...
Still waiting for someone on-site to check the Local Security settings...
Jim
Miha Pihler [MVP] wrote:
> Hi,
>
> Any url that is in format:
>
> http://servername or https://servername
>
> is in local intranet zone by default.
>
> Urls in format:
>
> http://server.domain.com or http://10.10.10.10 are in Internet zone by
> default and in this case Integrated auth. will not work ...
>
Re: Win2K3, IIS6, and IE6 - Can't get IWA/NTLM to work
on 06.12.2006 17:02:18 by Miha Pihler
I am saying what is the default. This can be changed (not recommended) in the
browser settings...
Again, you can use an FQDN with IWA, but you have to add the URL to the Local
Intranet zone... (by default)
--
Mike
Microsoft MVP - Windows Security
"ohaya" wrote in message
news:esCF$$MGHHA.536@TK2MSFTNGP02.phx.gbl...
> Hi,
>
> I'm not meaning to disagree, but on the test environment that I have where
> IWA works, I can use FQDN hostnames in the URLs, and IWA works.
>
> I still haven't figured out why IWA doesn't work on that other environment
> :(...
>
> Still waiting for someone on-site to check the Local Security settings...
>
> Jim
>
>
>
> Miha Pihler [MVP] wrote:
>> Hi,
>>
>> Any url that is in format:
>>
>> http://servername or https://servername
>>
>> is in local intranet zone by default.
>>
>> Urls in format:
>>
>> http://server.domain.com or http://10.10.10.10 are in Internet zone by
>> default and in this case Integrated auth. will not work ...
>>
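The zone rule Mike states in his two replies (a plain server name lands in Local Intranet by default; an FQDN or IP literal lands in Internet unless the URL is explicitly added to the Local Intranet zone) is what decides whether IE will hand over the logged-on user's credentials silently or keep prompting, which is the behaviour Jim reports. The following Python is an added example, not code from the thread or from Microsoft: it models that default rule plus an explicit "added to Local Intranet" list, so an administrator can reason about which URLs will work before touching the browser. It deliberately models only the rule described here; IE's real zone mapping has further inputs (for instance the proxy bypass list), which this function does not consider. The default intranet entries are the three Jim lists from his working environment; the sample URLs are the ones from Mike's reply. Server-side NTFS permissions, the other point raised in the thread, are a separate check and are not modelled.

```python
"""Model of IE's default security-zone rule for Integrated Windows Authentication.

Added example (not from the thread). Models only the rule stated in the thread:
  - host without a dot (plain server name)      -> Local Intranet
  - dotted host (FQDN) or IP address literal    -> Internet
  - URL explicitly added to Local Intranet zone -> Local Intranet
Anything in the Internet zone gets no silent credential hand-off, so IE prompts.
"""
import ipaddress
from urllib.parse import urlsplit

# The three entries Jim reports in his working environment's Local Intranet list.
DEFAULT_INTRANET_SITES = ("http://localhost", "https://localhost", "hcp://system")


def _scheme_host(url):
    """Return (scheme, host) lower-cased; raise if the URL has no host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("URL has no host: %r" % url)
    return parts.scheme.lower(), host


def default_zone(url, intranet_sites=DEFAULT_INTRANET_SITES):
    """Classify a URL as 'Local Intranet' or 'Internet' under the modelled rule.

    intranet_sites: URLs an administrator has explicitly added to the Local
    Intranet zone (scheme and host must both match).
    """
    scheme, host = _scheme_host(url)

    # 1. Explicit entries override the defaults.
    for entry in intranet_sites:
        if _scheme_host(entry) == (scheme, host):
            return "Local Intranet"

    # 2. IP address literals are Internet zone by default.
    try:
        ipaddress.ip_address(host)
        return "Internet"
    except ValueError:
        pass

    # 3. Dotted names (FQDNs) are Internet; undotted server names are intranet.
    return "Internet" if "." in host else "Local Intranet"


def integrated_auth_expected(url, intranet_sites=DEFAULT_INTRANET_SITES):
    """True when IE would be expected to send the logged-on user's credentials silently."""
    return default_zone(url, intranet_sites) == "Local Intranet"


def explain(url, intranet_sites=DEFAULT_INTRANET_SITES):
    """Human-readable verdict for one URL, useful when triaging a 401.1 loop."""
    zone = default_zone(url, intranet_sites)
    verdict = "silent IWA expected" if zone == "Local Intranet" else "expect a credential prompt"
    return "%s -> %s (%s)" % (url, zone, verdict)


if __name__ == "__main__":
    # Sample URLs taken from Mike's reply; the FQDN is then added explicitly.
    for u in ("http://servername", "http://server.domain.com", "http://10.10.10.10"):
        print(explain(u))
    fixed = DEFAULT_INTRANET_SITES + ("http://server.domain.com",)
    print(explain("http://server.domain.com", fixed))
```

Run it directly to see the verdict for each sample URL; in practice you would feed it the exact URL users type (scheme included, since an https entry does not cover http) together with the entries configured in the browser's Local Intranet site list.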