Problems with IWA and zone security

on 07.03.2007 14:58:57 by acastleberry

I have a front end server with Exchange 2003 and Windows SharePoint
Services 3.0 installed on it. WSS and Exchange both share the same
virtual directory in IIS. I am currently setting up the WSS as an
intranet portal for our corporate users and both Exchange and WSS use
SSL.

My problem lies in that I want to use Integrated Windows
Authentication for the WSS portal so that I can set a group policy to
make that the home page in IE. However, to get the IWA to work
properly, I had to add https://mydomain.com to the intranet zone.
When I add our domain to the intranet zone, IWA works correctly and
when a user goes to https://mydomain.com/exchange the IWA is also
picked up properly there.

This is where things get confusing. When a user goes off the LAN and
connects to https://mydomain.com there is no problem with
authentication because the user is still logged onto the local machine
with cached domain credentials. However, when a user tries to connect
to https://mydomain.com/exchange they get a "You're not connected to
the internet" error screen in IE. I am pulling my hair out on this
one because it's hard to test until I am home at night.

Does anyone have any ideas of what's wrong or the best way to
accomplish what I'm trying to do? Any help would be greatly
appreciated.

Re: Problems with IWA and zone security

on 08.03.2007 02:58:15 by Ken Schaefer

Hi,

IE reporting that it doesn't have an internet connection does not sound like
an IWA or IIS issue.

You can use a tool like Ethereal or Fiddler to verify the exact URLs that IE
is requesting. Beyond that, you need to check client-side settings (like
proxy settings, connection settings etc) to work out why IE is giving you
that error.

Cheers
Ken


"acastleberry" wrote in message
news:1173275937.133400.143490@p10g2000cwp.googlegroups.com...
>I have a front end server with Exchange 2003 and Windows SharePoint
> Services 3.0 installed on it. WSS and Exchange both share the same
> virtual directory in IIS. I am currently setting up the WSS as an
> intranet portal for our corporate users and both Exchange and WSS use
> SSL.
>
> My problem lies in that I want to use Integrated Windows
> Authentication for the WSS portal so that I can set a group policy to
> make that the home page in IE. However, to get the IWA to work
> properly, I had to add https://mydomain.com to the intranet zone.
> When I add our domain to the intranet zone, IWA works correctly and
> when a user goes to https://mydomain.com/exchange the IWA is also
> picked up properly there.
>
> This is where things get confusing. When a user goes off the LAN and
> connects to https://mydomain.com there is no problem with
> authentication because the user is still logged onto the local machine
> with cached domain credentials. However, when a user tries to connect
> to https://mydomain.com/exchange they get a "You're not connected to
> the internet" error screen in IE. I am pulling my hair out on this
> one because it's hard to test until I am home at night.
>
> Does anyone have any ideas of what's wrong or the best way to
> accomplish what I'm trying to do? Any help would be greatly
> appreciated.
>

Re: Problems with IWA and zone security

on 08.03.2007 15:30:54 by acastleberry

On Mar 7, 8:58 pm, "Ken Schaefer"
wrote:
> Hi,
>
> IE reporting that it doesn't have an internet connection does not sound like
> an IWA or IIS issue.
>
> You can use a tool like Ethereal or Fiddler to verify the exact URLs that IE
> is requesting. Beyond that, you need to check client-side settings (like
> proxy settings, connection settings etc) to work out why IE is giving you
> that error.
>
> Cheers
> Ken
>
> "acastleberry" wrote in message
>
> news:1173275937.133400.143490@p10g2000cwp.googlegroups.com...
>
> >I have a front end server with Exchange 2003 and Windows SharePoint
> > Services 3.0 installed on it. WSS and Exchange both share the same
> > virtual directory in IIS. I am currently setting up the WSS as an
> > intranet portal for our corporate users and both Exchange and WSS use
> > SSL.
>
> > My problem lies in that I want to use Integrated Windows
> > Authentication for the WSS portal so that I can set a group policy to
> > make that the home page in IE. However, to get the IWA to work
> > properly, I had to add https://mydomain.com to the intranet zone.
> > When I add our domain to the intranet zone, IWA works correctly and
> > when a user goes to https://mydomain.com/exchange the IWA is also
> > picked up properly there.
>
> > This is where things get confusing. When a user goes off the LAN and
> > connects to https://mydomain.com there is no problem with
> > authentication because the user is still logged onto the local machine
> > with cached domain credentials. However, when a user tries to connect
> > to https://mydomain.com/exchange they get a "You're not connected to
> > the internet" error screen in IE. I am pulling my hair out on this
> > one because it's hard to test until I am home at night.
>
> > Does anyone have any ideas of what's wrong or the best way to
> > accomplish what I'm trying to do? Any help would be greatly
> > appreciated.

Thanks for the response, Ken. I am not saying that IE reporting that
it doesn't have a connection is an IWA or IIS issue, I'm saying that
the only way that I can get IWA to work is to place my domain in the
intranet security zone and THAT is what creates the problem. By
placing https://mydomain.com in the intranet security zone, my users
can successfully connect to https://mydomain.com and https://mydomain.com/exchange
on our LAN. BUT, when they go OFF LAN, they can connect to https://mydomain.com
without problem, but https://mydomain.com/exchange will not connect.
I believe that the underlying problem is the way that IWA works and I
am not sure if my setup is correct to make this happen like I want it
to happen.

Re: Problems with IWA and zone security

on 09.03.2007 13:01:21 by Ken Schaefer

"acastleberry" wrote in message
news:1173364253.926321.20930@q40g2000cwq.googlegroups.com...
> On Mar 7, 8:58 pm, "Ken Schaefer"
> wrote:
>> Hi,
>>
>> IE reporting that it doesn't have an internet connection does not sound
>> like
>> an IWA or IIS issue.
>>
>> You can use a tool like Ethereal or Fiddler to verify the exact URLs that
>> IE
>> is requesting. Beyond that, you need to check client-side settings (like
>> proxy settings, connection settings etc) to work out why IE is giving you
>> that error.
>>
>> Cheers
>> Ken
>>
>> "acastleberry" wrote in message
>>
>> news:1173275937.133400.143490@p10g2000cwp.googlegroups.com...
>>
>> >I have a front end server with Exchange 2003 and Windows SharePoint
>> > Services 3.0 installed on it. WSS and Exchange both share the same
>> > virtual directory in IIS. I am currently setting up the WSS as an
>> > intranet portal for our corporate users and both Exchange and WSS use
>> > SSL.
>>
>> > My problem lies in that I want to use Integrated Windows
>> > Authentication for the WSS portal so that I can set a group policy to
>> > make that the home page in IE. However, to get the IWA to work
>> > properly, I had to add https://mydomain.com to the intranet zone.
>> > When I add our domain to the intranet zone, IWA works correctly and
>> > when a user goes to https://mydomain.com/exchange the IWA is also
>> > picked up properly there.
>>
>> > This is where things get confusing. When a user goes off the LAN and
>> > connects to https://mydomain.com there is no problem with
>> > authentication because the user is still logged onto the local machine
>> > with cached domain credentials. However, when a user tries to connect
>> > to https://mydomain.com/exchange they get a "You're not connected to
>> > the internet" error screen in IE. I am pulling my hair out on this
>> > one because it's hard to test until I am home at night.
>>
>> > Does anyone have any ideas of what's wrong or the best way to
>> > accomplish what I'm trying to do? Any help would be greatly
>> > appreciated.
>
> Thanks for the response, Ken. I am not saying that IE reporting that
> it doesn't have a connection is an IWA or IIS issue, I'm saying that
> the only way that I can get IWA to work is to place my domain in the
> intranet security zone and THAT is what creates the problem. By
> placing https://mydomain.com in the intranet security zone, my users
> can successfully connect to https://mydomain.com and
> https://mydomain.com/exchange
> on our LAN. BUT, when they go OFF LAN, they can connect to
> https://mydomain.com
> without problem, but https://mydomain.com/exchange will not connect.
> I believe that the underlying problem is the way that IWA works and I
> am not sure if my setup is correct to make this happen like I want it
> to happen.

Hi,

Can you get a network packet capture (using Ethereal/Wireshark) to verify
that IE is indeed attempting a connection to the website?

If IE is attempting NTLM auth, and this is failing then you typically get a
401 error. If IE is attempting Kerberos Auth and failing, then I'm not sure
what error you would get, but I don't think you should get a "not connected
to the internet" type error.

That is why I'm wondering what proxy, or PAD, or other proxy auto-discovery
stuff your browser may have configured.

But again, the best way to find out exactly what is happening is to see if
IE is even attempting to go out from your client. And the best way to do
this is with Fiddler or a packet capture tool.

Cheers
Ken


--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
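Ken's advice above amounts to reading the captured exchange and deciding whether IE sent anything at all, whether IIS challenged with Negotiate/NTLM, and whether the browser answered. The triage below is an added example, not code from this thread or from any of the posters; it assumes the capture has been reduced to (request, response) text pairs as Fiddler would show them, and the sample exchanges are constructed, not taken from the poster's server.

```python
import re

# Constructed sample captures for https://mydomain.com/exchange (not real traffic).
IWA_OK = [
    ("GET /exchange/ HTTP/1.1\r\nHost: mydomain.com\r\n\r\n",
     "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
     "WWW-Authenticate: NTLM\r\n\r\n"),
    ("GET /exchange/ HTTP/1.1\r\nHost: mydomain.com\r\n"
     "Authorization: Negotiate CONSTRUCTED-TOKEN-1\r\n\r\n",
     "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate CONSTRUCTED-TOKEN-2\r\n\r\n"),
    ("GET /exchange/ HTTP/1.1\r\nHost: mydomain.com\r\n"
     "Authorization: Negotiate CONSTRUCTED-TOKEN-3\r\n\r\n",
     "HTTP/1.1 200 OK\r\n\r\n"),
]
# Server challenges, browser never answers (what a wrong zone setting looks like).
NO_CREDENTIALS = [IWA_OK[0]]

def _status(response):
    """Numeric status code from the response status line."""
    return int(response.split("\r\n", 1)[0].split()[1])

def _headers(message, name):
    """All values of a header, matched case-insensitively on CRLF lines."""
    return re.findall(r"^%s:\s*(.+?)\r?$" % re.escape(name), message, re.I | re.M)

def triage(exchanges):
    """Classify one URL's captured exchanges.

    Returns one of: no-request, iwa-ok, other, no-challenge,
    no-credentials, credentials-rejected.
    """
    if not exchanges:
        # Nothing on the wire: IE gave up before sending a request, which
        # points at proxy/auto-discovery or zone settings on the client, not IIS.
        return "no-request"
    statuses = [_status(r) for _, r in exchanges]
    if statuses[-1] == 200:
        return "iwa-ok"
    if any(s != 401 for s in statuses):
        return "other"  # e.g. redirects or 5xx; not an IWA negotiation problem
    if not any(_headers(r, "WWW-Authenticate") for _, r in exchanges):
        return "no-challenge"  # IIS is not offering Negotiate/NTLM on this vdir
    if not any(_headers(q, "Authorization") for q, _ in exchanges):
        return "no-credentials"  # browser saw the challenge but sent no token
    return "credentials-rejected"  # token sent, server still answered 401
```

Run it on each URL separately: a "no-request" result for /exchange while the root URL shows "iwa-ok" is the pattern Ken describes, and it says the problem is on the client side.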