I swear I created a question about this a few weeks ago, but maybe I deleted it as I cannot locate it anywhere.

  • ASP.NET 4.0
  • IIS6
  • Windows Server 2003
  • Intranet site using Windows authentication
  • Three servers with same OS and IIS version, each hosting a dev, production, and disaster recovery (DR) version of the same website

Now consider this order of events:

  • User starts out with IE8 and whatever versions of FF and Chrome
  • User is only able to access DR site. Login prompt refuses to authenticate them with their Windows credentials for the other sites, so they cannot log in
  • They install fresh copy of Windows 7 and upgrade to IE9. Now they are able to access the dev and DR sites in IE9. They are able to access all three sites in Chrome.

I verified the following in internet settings:

  • Automatic logon with current user name and password
  • Enable Integrated Windows Authentication

I came upon this in MSKB: http://support.microsoft.com/kb/215383

The NTAuthenticationProviders metabase property is not defined, so IIS should be using Negotiate,NTLM by default.

Other details:

  • This began happening only a few weeks ago. User was able to access our site fine with IE8.
  • No other users are having this issue.

Does anyone know what could be causing his browser to not send the authentication information to the server? Here is a screenshot of the authentication window the user is seeing:

Additional details

Here's what shows in the security event viewer for this user. I blanked out sensitive information with ?.

Event Type:    Success Audit
Event Source:   Security
Event Category: Logon/Logoff 
Event ID:   538
Date:       7/14/2014
Time:       1:27:37 PM
User:       ?\?
Computer:   ?
Description:
User Logoff:
    User Name:  ?
    Domain:     ?
    Logon ID:       (0x0,0x3F99497F)
    Logon Type: 3

Event Type: Success Audit
Event Source:   Security
Event Category: Logon/Logoff 
Event ID:   540
Date:       7/14/2014
Time:       1:27:14 PM
User:       ?\?
Computer:   ?
Description:
Successful Network Logon:
    User Name:  ?
    Domain:     ?
    Logon ID:       (0x0,0x3F997233)
    Logon Type: 3
    Logon Process:  NtLmSsp 
    Authentication Package: NTLM
    Workstation Name:   ?
    Logon GUID: -
    Caller User Name:   -
    Caller Domain:  -
    Caller Logon ID:    -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: ?
    Source Port:    16220

Enabling automatic NTLM identification is done as follows.

Internet Explorer

  • From IE, Access Internet Settings via "IE -> Tools -> Internet Options", or via Control Panel -> Internet Options
  • Go to the Security tab
  • Click Sites
  • Click either Local Intranet or Trusted sites
  • Add your sites to the list
  • If required, uncheck "Require server verification (https:) for all sites in this zone"
  • Click Close
  • Click Custom level
  • Scroll right to the bottom under User Authentication / Logon and ensure that "Automatic logon with current user name and password" is checked.
  • Click OK

Google Chrome

Google Chrome actually uses the same settings that IE uses, that is the above Control Panel -> Internet Options settings, so nothing more to do.

Firefox

  • Open Firefox and type "about:config" in the address bar (without the quotes)
  • In the 'Filter' field type network.automatic-ntlm-auth.trusted-uris
  • Double-click the above and enter the URLs of sites or entire domains, separated by commas
  • If your sites do not use FQDNs (for example http://intranet instead of http://intranet.domain.com), also do the following:
    • Set network.automatic-ntlm-auth.allow-non-fqdn to true
    • Set network.negotiate-auth.allow-non-fqdn to true
harrymc
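Added example, not part of the answer above and not Mozilla's own code: a small Python audit that reads a constructed prefs.js, pulls out the two Firefox preferences discussed, and decides whether a given intranet URL would receive automatic NTLM credentials. The matching rules it applies (a scheme-qualified entry must match scheme, host and port; a bare host entry matches as a hostname suffix; a dot-less host is trusted outright only when allow-non-fqdn is true) are my reading of Firefox's behaviour and are assumptions, as is the sample file.

```python
"""Check whether Firefox would auto-send NTLM credentials to an intranet URL."""
import re
from urllib.parse import urlsplit

# Constructed sample prefs.js content (not taken from any real profile).
SAMPLE_PREFS = '''
user_pref("network.automatic-ntlm-auth.trusted-uris", "http://intranet, .corp.example");
user_pref("network.automatic-ntlm-auth.allow-non-fqdn", false);
'''

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(".*?"|true|false|-?\d+)\);')


def parse_prefs(text):
    """Return {name: value} for each user_pref line; strings are unquoted,
    true/false become bool, bare numbers become int."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def entry_matches(entry, url):
    """Assumed Firefox rule: 'scheme://host[:port]' entries must match exactly
    (so an http entry does not cover https); bare entries match as host suffixes."""
    u = urlsplit(url)
    if "://" in entry:
        e = urlsplit(entry)
        return (e.scheme, e.hostname, e.port) == (u.scheme, u.hostname, u.port)
    return (u.hostname or "").lower().endswith(entry.lower())


def auto_auth_allowed(prefs, url):
    """True if credentials would be sent automatically to `url` (assumed rules)."""
    host = (urlsplit(url).hostname or "").lower()
    # A single-label host like http://intranet is trusted outright only when
    # allow-non-fqdn is true; otherwise it still needs a trusted-uris entry.
    if "." not in host and prefs.get("network.automatic-ntlm-auth.allow-non-fqdn", False):
        return True
    trusted = prefs.get("network.automatic-ntlm-auth.trusted-uris", "")
    entries = [e.strip() for e in trusted.split(",") if e.strip()]
    return any(entry_matches(e, url) for e in entries)


if __name__ == "__main__":
    p = parse_prefs(SAMPLE_PREFS)
    for site in ("http://intranet/", "https://intranet/", "http://dr-site/"):
        print(site, "auto-auth" if auto_auth_allowed(p, site) else "prompt")
```

Running it against the sample shows that http://intranet is covered by its scheme-qualified entry, the same host over https is not, and a second short name such as dr-site is prompted for credentials until either it is listed or allow-non-fqdn is set.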