Why does only E-mail format work for user names?

on 07.09.2007 09:52:04 by lars-erik

Hi!

One of our development servers has decided to only accept user@domain.com as
user name. domain\user doesn't work. Any ideas as to why?

I turn off anonymous auth. and only keep integrated windows security on.

--
Lars-Erik

RE: Why does only E-mail format work for user names?

on 07.09.2007 12:00:10 by wjzhang

Hi Lars,

This is most likely an Active Directory/Domain authentication related issue.
Does only this IIS server encounter the problem in the domain?

Also I'd like to suggest you test connecting to a share folder on the
server from a work station, see if domain\username can be used or it still
accepts username@domain.com only. If the result is the same, we can narrow
down the problem isn't on IIS side. I just suspect if the problem is caused
by some credential caching behavior on the domain controller.

Look forward to your test result.

Have a nice weekend.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx .

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

RE: Why does only E-mail format work for user names?

on 07.09.2007 14:06:00 by lars-erik

We have a few other IIS servers that accept domain\user. Haven't checked all
the webs on the server in question, but it might be worth mentioning that the
root has a Sharepoint 2007 installation.

I access both administrative and normal shares on the server without
authenticating manually (workstation is member of domain), and via VPN from
home I can use domain\user to authenticate when accessing the shares.

--
Lars-Erik



RE: Why does only E-mail format work for user names?

on 10.09.2007 08:45:48 by wjzhang

Hi Lars,

In this case, I'd suggest you use tools like webfetch to check the http
request/response raw data of the authentication handshake. See if this can
give us some clue of the problem. The steps are documented in the following
article:

HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
http://support.microsoft.com/default.aspx?scid=kb;en-us;284285

To use, please input:

Host: (The site's domainname/hostheader or servername or just IP address)
Port: (The site's port number if it isn't using the default 80)
Path: (The relative path of a test page on the site. e.g: /index.htm or
just /)

Authentication:

Please test the combinations.

NTLM domain\username\password
NTLM \emailaddress(username field)\password
Kerberos domain\username\password
Kerberos \emailaddress(username field)\password

Press Go! to issue http requests to the server and check what responses are
returned. I think comparing the traces should show us some details.
Please post the trace results here or send them to me at:
wjzhang@online.microsoft.com (please remove online.)

Also I just wonder if only the problematic web site has the auth problem?
You may create a new site to test if auth works with domain\username. If
it's fine, we can narrow down the problem must be specific to the
applications running in the problem site.

That's all. As always, I'll wait for your update.

Have a great week.

Sincerely,

WenJun Zhang

Microsoft Online Community Support


RE: Why does only E-mail format work for user names?

on 10.09.2007 12:20:01 by lars-erik

Hi again. :)

The problem is occurring on all sites on the server in question.

Both methods using NTLM go through with wfetch, but don't in IE.
I've removed the html content in the output and renamed the site.

Here's the output:

NTLM domain\username\password
started....Reusing existing connection (source port
50577)\nSEC_I_CONTINUE_NEEDED - InitializeSecurityContext\nREQUEST:
**************\nGET /management/activitystatusoverview.aspx HTTP/1.1\r\n
Host: the.site.xx\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: NTLM
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHAXAAAADw==\r\n
\r\n
RESPONSE: **************\nHTTP/1.1 401 Unauthorized\r\n
Content-Length: 1539\r\n
Content-Type: text/html\r\n
Server: Microsoft-IIS/6.0\r\n
WWW-Authenticate: NTLM
TlRMTVNTUAACAAAADgAOADgAAAAVgoniMPm8uRBoc4gAAAAAAAAAAHQAdABG AAAABQLODgAAAA9PAE0ATgBJAEMATwBNAAIADgBPAE0ATgBJAEMATwBNAAEA CABGAFMAMAAyAAQAFABvAG0AbgBpAGMAbwBtAC4AbgBvAAMAHgBmAHMAMAAy AC4AbwBtAG4AaQBjAG8AbQAuAG4AbwAFABQAbwBtAG4AaQBjAG8AbQAuAG4A bwAAAAAA\r\n
X-Powered-By: ASP.NET\r\n
Date: Mon, 10 Sep 2007 10:11:47 GMT\r\n
\r\n
SEC_E_OK - InitializeSecurityContext\n HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">\r\n
You are not authorized to view this page\r\n
....
\r\n
REQUEST: **************\nGET /management/activitystatusoverview.aspx
HTTP/1.1\r\n
Host: the.site.xx\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAIwAAADYANgApAAAAA4ADgBYAAAADAAMAGYAAAAa ABoAcgAAABAAEAB8AQAAFYKI4gYAcBcAAAAPiAiTQ1wFzCI1ZeftK9PVF28A bQBuAGkAYwBvAG0AYgBpAC0AbABlAGEATABBAFAAVABPAFAALQBMAEUAQQAt ADAANwC2i8gxixhlGYdFZJC+7pZJbQd8UOogcJWj28cvzokRI1/QjisbU22H AQEAAAAAAAB4VSj/kvPHAW0HfFDqIHCVAAAAAAIADgBPAE0ATgBJAEMATwBN AAEACABGAFMAMAAyAAQAFABvAG0AbgBpAGMAbwBtAC4AbgBvAAMAHgBmAHMA MAAyAC4AbwBtAG4AaQBjAG8AbQAuAG4AbwAFABQAbwBtAG4AaQBjAG8AbQAu AG4AbwAIADAAMAAAAAAAAAABAAAAACAAAGywpy4HzdfgDojvS6qCIi7gYBnO AXiinT4bUdXkaaZqAAAAAAAAAABQRYIEv8xWvQQEfngJDax7\r\n
\r\n
RESPONSE: **************\nHTTP/1.1 200 OK\r\n
Date: Mon, 10 Sep 2007 10:11:47 GMT\r\n
Server: Microsoft-IIS/6.0\r\n
X-Powered-By: ASP.NET\r\n
X-AspNet-Version: 1.1.4322\r\n
Set-Cookie: ASP.NET_SessionId=m0i5vd55a3obhkeevmjyhqmg; path=/\r\n
Cache-Control: private\r\n
Content-Type: text/html; charset=utf-8\r\n
Content-Length: 74913\r\n
\r\n
....
\r\n


NTLM \emailaddress(username field)\password

started....Reusing existing connection (source port
50577)\nSEC_I_CONTINUE_NEEDED - InitializeSecurityContext\nREQUEST:
**************\nGET /management/activitystatusoverview.aspx HTTP/1.1\r\n
Host: the.site.xx\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: NTLM
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHAXAAAADw==\r\n
\r\n
RESPONSE: **************\nHTTP/1.1 401 Unauthorized\r\n
Content-Length: 1539\r\n
Content-Type: text/html\r\n
Server: Microsoft-IIS/6.0\r\n
WWW-Authenticate: NTLM
TlRMTVNTUAACAAAADgAOADgAAAAVgoniMPm8uRBoc4gAAAAAAAAAAHQAdABG AAAABQLODgAAAA9PAE0ATgBJAEMATwBNAAIADgBPAE0ATgBJAEMATwBNAAEA CABGAFMAMAAyAAQAFABvAG0AbgBpAGMAbwBtAC4AbgBvAAMAHgBmAHMAMAAy AC4AbwBtAG4AaQBjAG8AbQAuAG4AbwAFABQAbwBtAG4AaQBjAG8AbQAuAG4A bwAAAAAA\r\n
X-Powered-By: ASP.NET\r\n
Date: Mon, 10 Sep 2007 10:11:47 GMT\r\n
\r\n
SEC_E_OK - InitializeSecurityContext\n HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">\r\n
You are not authorized to view this page\r\n
....
\r\n
REQUEST: **************\nGET /management/activitystatusoverview.aspx
HTTP/1.1\r\n
Host: the.site.xx\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAIwAAADYANgApAAAAA4ADgBYAAAADAAMAGYAAAAa ABoAcgAAABAAEAB8AQAAFYKI4gYAcBcAAAAPiAiTQ1wFzCI1ZeftK9PVF28A bQBuAGkAYwBvAG0AYgBpAC0AbABlAGEATABBAFAAVABPAFAALQBMAEUAQQAt ADAANwC2i8gxixhlGYdFZJC+7pZJbQd8UOogcJWj28cvzokRI1/QjisbU22H AQEAAAAAAAB4VSj/kvPHAW0HfFDqIHCVAAAAAAIADgBPAE0ATgBJAEMATwBN AAEACABGAFMAMAAyAAQAFABvAG0AbgBpAGMAbwBtAC4AbgBvAAMAHgBmAHMA MAAyAC4AbwBtAG4AaQBjAG8AbQAuAG4AbwAFABQAbwBtAG4AaQBjAG8AbQAu AG4AbwAIADAAMAAAAAAAAAABAAAAACAAAGywpy4HzdfgDojvS6qCIi7gYBnO AXiinT4bUdXkaaZqAAAAAAAAAABQRYIEv8xWvQQEfngJDax7\r\n
\r\n
RESPONSE: **************\nHTTP/1.1 200 OK\r\n
Date: Mon, 10 Sep 2007 10:11:47 GMT\r\n
Server: Microsoft-IIS/6.0\r\n
X-Powered-By: ASP.NET\r\n
X-AspNet-Version: 1.1.4322\r\n
Set-Cookie: ASP.NET_SessionId=m0i5vd55a3obhkeevmjyhqmg; path=/\r\n
Cache-Control: private\r\n
Content-Type: text/html; charset=utf-8\r\n
Content-Length: 74913\r\n
\r\n
\r\n
\r\n


Kerberos domain\username\password

started....Reusing existing connection (source port
50598)\nISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set\n0x80090303 Unable to
InitializeSecurityContextfinished.

Kerberos \emailaddress(username field)\password

started....Reusing existing connection (source port
50598)\nISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set\n0x80090303 Unable to
InitializeSecurityContextfinished.


--
Lars-Erik
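
An added example (not part of the original posts): a small Python parser for the tokens in the `Authorization` / `WWW-Authenticate` headers of a wfetch trace like the one above. It reports whether a token is NTLM or a GSS-API (SPNEGO/Kerberos) token and, for an NTLM type 3 message, the domain, user and workstation fields. The type 1 token is copied from the trace; the type 3 messages are constructed, and the UPN one assumes the client leaves the domain field empty and puts user@domain in the user field. The names `parse_auth_header` and `build_type3` are chosen here.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
# Type 1 (NEGOTIATE) token copied from the first request in the trace above.
TRACE_TYPE1 = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHAXAAAADw=="


def _field(msg, off):
    """Return the bytes an NTLM security buffer (len, maxlen, offset) points at."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
    if start + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[start:start + length]


def parse_auth_header(value):
    """Classify the token in an Authorization / WWW-Authenticate header value."""
    scheme, _, b64 = value.strip().partition(" ")
    token = base64.b64decode("".join(b64.split()))  # tolerate wrapped tokens
    info = {"scheme": scheme, "mechanism": "unknown"}
    if token.startswith(NTLM_SIG) and len(token) >= 12:
        info["mechanism"] = "NTLM"
        info["type"] = struct.unpack_from("<I", token, 8)[0]
        if info["type"] == 3 and len(token) >= 64:
            flags = struct.unpack_from("<I", token, 60)[0]
            # Bit 0 = NEGOTIATE_UNICODE; otherwise strings use an OEM code page
            # (latin-1 is used here as an approximation).
            enc = "utf-16-le" if flags & 0x1 else "latin-1"
            info["domain"] = _field(token, 28).decode(enc)
            info["user"] = _field(token, 36).decode(enc)
            info["workstation"] = _field(token, 44).decode(enc)
    elif token[:1] == b"\x60":
        # ASN.1 application tag 0: a GSS-API token, i.e. SPNEGO or Kerberos.
        info["mechanism"] = "GSS-API (SPNEGO/Kerberos)"
    return info


def build_type3(domain, user, workstation="WS01"):
    """Constructed AUTHENTICATE message with empty responses (demo input only)."""
    parts = [b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
             workstation.encode("utf-16-le"), b""]
    fields, payload, off = b"", b"", 64  # 64 = fixed header without version/MIC
    for p in parts:
        fields += struct.pack("<HHI", len(p), len(p), off)
        payload += p
        off += len(p)
    msg = NTLM_SIG + struct.pack("<I", 3) + fields + struct.pack("<I", 0x1) + payload
    return "NTLM " + base64.b64encode(msg).decode("ascii")


if __name__ == "__main__":
    samples = [
        "NTLM " + TRACE_TYPE1,
        build_type3("EXAMPLE", "alice"),            # domain\user form
        build_type3("", "alice@example.com"),       # UPN form (assumed layout)
        "Negotiate " + base64.b64encode(b"\x60\x82\x01\x00").decode("ascii"),
    ]
    for s in samples:
        print(parse_auth_header(s))
```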



RE: Why does only E-mail format work for user names?

on 11.09.2007 16:27:18 by wjzhang

Hi Lars,

So the current problem is that the Kerberos protocol doesn't work for
integrated authentication but NTLM is fine. If you disable 'Enable
integrated windows authentication' in IE Internet Options->Advanced, I
assume using domain\username should work. The option doesn't actually turn
off integrated auth but switches IE from using Kerberos to NTLM.

As for why the Kerberos protocol doesn't work, has the web site's
application pool identity been changed to a custom account other than
Network Service or Local System? If so, this is a known issue and you will
need to manually set a new SPN for this custom account. Please refer to:

You receive an "HTTP Error 401.1 - Unauthorized: Access is denied due to
invalid credentials" error message when you try to access a Web site that
is part of an IIS 6.0 application pool
http://support.microsoft.com/?id=871179

I hope the info will be of help.

Thanks.

Sincerely,

WenJun Zhang

Microsoft Online Community Support


RE: Why does only E-mail format work for user names?

on 11.09.2007 18:10:00 by lars-erik

Yes, and yes! :)
Thanks a lot.

I don't suppose you could point me to a decent article explaining the
difference between kerberos and NTLM?

--
Lars-Erik



RE: Why does only E-mail format work for user names?

on 12.09.2007 10:41:04 by wjzhang

Hi Lars,

For the curt information about the difference between Kerberos and NTLM
when being used by IIS for integrated auth, you can take a look at:

Integrated Windows Authentication (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true

If you want to know more details about the protocols, refer to the
following documents:

Logon and Authentication Technologies
http://technet2.microsoft.com/windowsserver/en/library/78cb5d3c-d0b2-4d20-a693-fa66bde1a63b1033.mspx?mfr=true

How the Kerberos Version 5 Authentication Protocol Works
http://technet2.microsoft.com/windowsserver/en/library/4a1daa3e-b45c-44ea-a0b6-fe8910f92f281033.mspx?mfr=true

Microsoft NTLM
http://msdn2.microsoft.com/en-us/library/aa378749.aspx

I'm glad to hear the problem has been figured out now. Please feel free to
let me know if you have any further questions.

You are always welcome. :-)

Sincerely,

WenJun Zhang

Microsoft Online Community Support


RE: Why does only E-mail format work for user names?

on 12.09.2007 10:58:00 by lars-erik

Thanks a lot :)
--
Lars-Erik

