Prompts for username and password

Hi guys,

Hopefully someone can help or at least confirm what I am thinking here.

Here is the situation:

We have built a new webserver with Windows Server 2003/IIS 6.0.

We have the default web site set for anonymous authentication. We then a
separate section for employees which requires authentication.

The user accounts are setup locally on this server. This is a standalone
server and is not using AD authentication.

I originally set it up for Integrated Windows authentication only to
discover that was VERY slow and generally not recommended. Was getting
feedback of how slow it was. I then enabled Basic Authentication and it was
much faster. I got a trial certificate to test Basic over SSL and it was
successful.

The problem that I am having is that users are getting prompted when opening
video files which open Media Player and Office files (even though they are
opening within the browser). PDF files open just fine without prompting but
I suspect this is because of IE treating this like a plugin.

If you just save the file it downloads the file fine and then you can open
it with the associated application fine. But when you try to open it with
the application while downloading it (in effect the application is opening
the file from the web server) it prompts for credentials.

Basicly it seems like any separate application that access a file in a
password protected area is going to prompt for credentials. I know I may be
answering my own question here but is there any way that I keep the security
and not get prompted for each app? I want them to be able to login once and
not get prompted for each app.

Am I going to have to make these files enabled for anonymous access in order
not to get prompted? Am I missing anything here?

Thanks for your help.

Re: Prompts for username and password

"Jeff J" wrote in message
news:8F5BA165-A37C-4CC1-BBD6-5D3D02EB574C@microsoft.com...
> Hi guys,
>
> Hopefully someone can help or at least confirm what I am thinking here.
>
> Here is the situation:
>
> We have built a new webserver with Windows Server 2003/IIS 6.0.
>
> We have the default web site set for anonymous authentication. We then a
> separate section for employees which requires authentication.
>
> The user accounts are setup locally on this server. This is a standalone
> server and is not using AD authentication.
>
> I originally set it up for Integrated Windows authentication only to
> discover that was VERY slow and generally not recommended. Was getting
> feedback of how slow it was. I then enabled Basic Authentication and it
> was
> much faster. I got a trial certificate to test Basic over SSL and it was
> successful.
>
> The problem that I am having is that users are getting prompted when
> opening
> video files which open Media Player and Office files (even though they are
> opening within the browser). PDF files open just fine without prompting
> but
> I suspect this is because of IE treating this like a plugin.
>
> If you just save the file it downloads the file fine and then you can open
> it with the associated application fine. But when you try to open it with
> the application while downloading it (in effect the application is opening
> the file from the web server) it prompts for credentials.
>
> Basicly it seems like any separate application that access a file in a
> password protected area is going to prompt for credentials. I know I may
> be
> answering my own question here but is there any way that I keep the
> security
> and not get prompted for each app? I want them to be able to login once
> and
> not get prompted for each app.
>
> Am I going to have to make these files enabled for anonymous access in
> order
> not to get prompted? Am I missing anything here?
>

Making the files anonymously accessible is one route, as would
be use of domain user accounts.
The issue is, the web area is access controlled by use of machine
local accounts on the webserver. Those accounts exist only on
the webserver. When the browsing client attempts to open the
file in a local application, that application runs in the context of
the locally logged in user, and then attempts to load the file to which
of course the execution context of the application (as the local user)
has no permissions (hence the prompt).

Roger

Re: Prompts for username and password

I am having the same issue, but I am using a domain account for my
application pool. Directory Security is set to use Intergrated
Authentication. The only KB article I can find on it suggests that its an
issue with using Basic Authentication, which I am not. Any ideas or
suggestions?

"Roger Abell [MVP]" wrote:

>
> "Jeff J" wrote in message
> news:8F5BA165-A37C-4CC1-BBD6-5D3D02EB574C@microsoft.com...
> > Hi guys,
> >
> > Hopefully someone can help or at least confirm what I am thinking here.
> >
> > Here is the situation:
> >
> > We have built a new webserver with Windows Server 2003/IIS 6.0.
> >
> > We have the default web site set for anonymous authentication. We then a
> > separate section for employees which requires authentication.
> >
> > The user accounts are setup locally on this server. This is a standalone
> > server and is not using AD authentication.
> >
> > I originally set it up for Integrated Windows authentication only to
> > discover that was VERY slow and generally not recommended. Was getting
> > feedback of how slow it was. I then enabled Basic Authentication and it
> > was
> > much faster. I got a trial certificate to test Basic over SSL and it was
> > successful.
> >
> > The problem that I am having is that users are getting prompted when
> > opening
> > video files which open Media Player and Office files (even though they are
> > opening within the browser). PDF files open just fine without prompting
> > but
> > I suspect this is because of IE treating this like a plugin.
> >
> > If you just save the file it downloads the file fine and then you can open
> > it with the associated application fine. But when you try to open it with
> > the application while downloading it (in effect the application is opening
> > the file from the web server) it prompts for credentials.
> >
> > Basicly it seems like any separate application that access a file in a
> > password protected area is going to prompt for credentials. I know I may
> > be
> > answering my own question here but is there any way that I keep the
> > security
> > and not get prompted for each app? I want them to be able to login once
> > and
> > not get prompted for each app.
> >
> > Am I going to have to make these files enabled for anonymous access in
> > order
> > not to get prompted? Am I missing anything here?
> >
>
> Making the files anonymously accessible is one route, as would
> be use of domain user accounts.
> The issue is, the web area is access controlled by use of machine
> local accounts on the webserver. Those accounts exist only on
> the webserver. When the browsing client attempts to open the
> file in a local application, that application runs in the context of
> the locally logged in user, and then attempts to load the file to which
> of course the execution context of the application (as the local user)
> has no permissions (hence the prompt).
>
> Roger
>
>
>

Re: Prompts for username and password

You do not have the same issue as Jeff.
- Your issue is likely related to double hop.
- Jeff's issue is related to user misunderstanding.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




On Feb 26, 9:37 am, ITLackey
wrote:
> I am having the same issue, but I am using a domain account for my
> application pool. Directory Security is set to use Intergrated
> Authentication. The only KB article I can find on it suggests that its an
> issue with using Basic Authentication, which I am not. Any ideas or
> suggestions?
>
>
>
> "Roger Abell [MVP]" wrote:
>
> > "Jeff J" wrote in message
> >news:8F5BA165-A37C-4CC1-BBD6-5D3D02EB574C@microsoft.com...
> > > Hi guys,
>
> > > Hopefully someone can help or at least confirm what I am thinking here.
>
> > > Here is the situation:
>
> > > We have built a new webserver with Windows Server 2003/IIS 6.0.
>
> > > We have the default web site set for anonymous authentication. We then a
> > > separate section for employees which requires authentication.
>
> > > The user accounts are setup locally on this server. This is a standalone
> > > server and is not using AD authentication.
>
> > > I originally set it up for Integrated Windows authentication only to
> > > discover that was VERY slow and generally not recommended. Was getting
> > > feedback of how slow it was. I then enabled Basic Authentication and it
> > > was
> > > much faster. I got a trial certificate to test Basic over SSL and it was
> > > successful.
>
> > > The problem that I am having is that users are getting prompted when
> > > opening
> > > video files which open Media Player and Office files (even though they are
> > > opening within the browser). PDF files open just fine without prompting
> > > but
> > > I suspect this is because of IE treating this like a plugin.
>
> > > If you just save the file it downloads the file fine and then you can open
> > > it with the associated application fine. But when you try to open it with
> > > the application while downloading it (in effect the application is opening
> > > the file from the web server) it prompts for credentials.
>
> > > Basicly it seems like any separate application that access a file in a
> > > password protected area is going to prompt for credentials. I know I may
> > > be
> > > answering my own question here but is there any way that I keep the
> > > security
> > > and not get prompted for each app? I want them to be able to login once
> > > and
> > > not get prompted for each app.
>
> > > Am I going to have to make these files enabled for anonymous access in
> > > order
> > > not to get prompted? Am I missing anything here?
>
> > Making the files anonymously accessible is one route, as would
> > be use of domain user accounts.
> > The issue is, the web area is access controlled by use of machine
> > local accounts on the webserver. Those accounts exist only on
> > the webserver. When the browsing client attempts to open the
> > file in a local application, that application runs in the context of
> > the locally logged in user, and then attempts to load the file to which
> > of course the execution context of the application (as the local user)
> > has no permissions (hence the prompt).
>
> > Roger- Hide quoted text -
>
> - Show quoted text -

Re: Prompts for username and password

Understood, originally I thought it was the double hop as well... through
some more digging I discovered the issue can be fixed by changing settings in
IE. If you add the site to eitehr intranet or trusted zone and teh change the
settings for that zone to use current creditentials everyting works like a
charm.

Hope this helps someone...

"David Wang" wrote:

> You do not have the same issue as Jeff.
> - Your issue is likely related to double hop.
> - Jeff's issue is related to user misunderstanding.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
>
>
> On Feb 26, 9:37 am, ITLackey
> wrote:
> > I am having the same issue, but I am using a domain account for my
> > application pool. Directory Security is set to use Intergrated
> > Authentication. The only KB article I can find on it suggests that its an
> > issue with using Basic Authentication, which I am not. Any ideas or
> > suggestions?
> >
> >
> >
> > "Roger Abell [MVP]" wrote:
> >
> > > "Jeff J" wrote in message
> > >news:8F5BA165-A37C-4CC1-BBD6-5D3D02EB574C@microsoft.com...
> > > > Hi guys,
> >
> > > > Hopefully someone can help or at least confirm what I am thinking here.
> >
> > > > Here is the situation:
> >
> > > > We have built a new webserver with Windows Server 2003/IIS 6.0.
> >
> > > > We have the default web site set for anonymous authentication. We then a
> > > > separate section for employees which requires authentication.
> >
> > > > The user accounts are setup locally on this server. This is a standalone
> > > > server and is not using AD authentication.
> >
> > > > I originally set it up for Integrated Windows authentication only to
> > > > discover that was VERY slow and generally not recommended. Was getting
> > > > feedback of how slow it was. I then enabled Basic Authentication and it
> > > > was
> > > > much faster. I got a trial certificate to test Basic over SSL and it was
> > > > successful.
> >
> > > > The problem that I am having is that users are getting prompted when
> > > > opening
> > > > video files which open Media Player and Office files (even though they are
> > > > opening within the browser). PDF files open just fine without prompting
> > > > but
> > > > I suspect this is because of IE treating this like a plugin.
> >
> > > > If you just save the file it downloads the file fine and then you can open
> > > > it with the associated application fine. But when you try to open it with
> > > > the application while downloading it (in effect the application is opening
> > > > the file from the web server) it prompts for credentials.
> >
> > > > Basicly it seems like any separate application that access a file in a
> > > > password protected area is going to prompt for credentials. I know I may
> > > > be
> > > > answering my own question here but is there any way that I keep the
> > > > security
> > > > and not get prompted for each app? I want them to be able to login once
> > > > and
> > > > not get prompted for each app.
> >
> > > > Am I going to have to make these files enabled for anonymous access in
> > > > order
> > > > not to get prompted? Am I missing anything here?
> >
> > > Making the files anonymously accessible is one route, as would
> > > be use of domain user accounts.
> > > The issue is, the web area is access controlled by use of machine
> > > local accounts on the webserver. Those accounts exist only on
> > > the webserver. When the browsing client attempts to open the
> > > file in a local application, that application runs in the context of
> > > the locally logged in user, and then attempts to load the file to which
> > > of course the execution context of the application (as the local user)
> > > has no permissions (hence the prompt).
> >
> > > Roger- Hide quoted text -
> >
> > - Show quoted text -
>
>
>

Re: Prompts for username and password

Does your web server name have dots in it because if so, it gets
treated as dottedIP and Internet Zone, which does not automatically
login.

These are hardly issues with IIS. They are all user misunderstanding
of the security ramifications of "auto-login" by browser and when it
is secure to do so.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//



On Feb 26, 4:37 pm, ITLackey
wrote:
> Understood, originally I thought it was the double hop as well... through
> some more digging I discovered the issue can be fixed by changing settings in
> IE. If you add the site to eitehr intranet or trusted zone and teh change the
> settings for that zone to use current creditentials everyting works like a
> charm.
>
> Hope this helps someone...
>
>
>
> "David Wang" wrote:
> > You do not have the same issue as Jeff.
> > - Your issue is likely related to double hop.
> > - Jeff's issue is related to user misunderstanding.
>
> > //David
> >http://w3-4u.blogspot.com
> >http://blogs.msdn.com/David.Wang
> > //
>
> > On Feb 26, 9:37 am, ITLackey
> > wrote:
> > > I am having the same issue, but I am using a domain account for my
> > > application pool. Directory Security is set to use Intergrated
> > > Authentication. The only KB article I can find on it suggests that its an
> > > issue with using Basic Authentication, which I am not. Any ideas or
> > > suggestions?
>
> > > "Roger Abell [MVP]" wrote:
>
> > > > "Jeff J" wrote in message
> > > >news:8F5BA165-A37C-4CC1-BBD6-5D3D02EB574C@microsoft.com...
> > > > > Hi guys,
>
> > > > > Hopefully someone can help or at least confirm what I am thinking here.
>
> > > > > Here is the situation:
>
> > > > > We have built a new webserver with Windows Server 2003/IIS 6.0.
>
> > > > > We have the default web site set for anonymous authentication. We then a
> > > > > separate section for employees which requires authentication.
>
> > > > > The user accounts are setup locally on this server. This is a standalone
> > > > > server and is not using AD authentication.
>
> > > > > I originally set it up for Integrated Windows authentication only to
> > > > > discover that was VERY slow and generally not recommended. Was getting
> > > > > feedback of how slow it was. I then enabled Basic Authentication and it
> > > > > was
> > > > > much faster. I got a trial certificate to test Basic over SSL and it was
> > > > > successful.
>
> > > > > The problem that I am having is that users are getting prompted when
> > > > > opening
> > > > > video files which open Media Player and Office files (even though they are
> > > > > opening within the browser). PDF files open just fine without prompting
> > > > > but
> > > > > I suspect this is because of IE treating this like a plugin.
>
> > > > > If you just save the file it downloads the file fine and then you can open
> > > > > it with the associated application fine. But when you try to open it with
> > > > > the application while downloading it (in effect the application is opening
> > > > > the file from the web server) it prompts for credentials.
>
> > > > > Basicly it seems like any separate application that access a file in a
> > > > > password protected area is going to prompt for credentials. I know I may
> > > > > be
> > > > > answering my own question here but is there any way that I keep the
> > > > > security
> > > > > and not get prompted for each app? I want them to be able to login once
> > > > > and
> > > > > not get prompted for each app.
>
> > > > > Am I going to have to make these files enabled for anonymous access in
> > > > > order
> > > > > not to get prompted? Am I missing anything here?
>
> > > > Making the files anonymously accessible is one route, as would
> > > > be use of domain user accounts.
> > > > The issue is, the web area is access controlled by use of machine
> > > > local accounts on the webserver. Those accounts exist only on
> > > > the webserver. When the browsing client attempts to open the
> > > > file in a local application, that application runs in the context of
> > > > the locally logged in user, and then attempts to load the file to which
> > > > of course the execution context of the application (as the local user)
> > > > has no permissions (hence the prompt).
>
> > > > Roger- Hide quoted text -
>
> > > - Show quoted text -- Hide quoted text -
>
> - Show quoted text -