Yesterday we launched our new extranet site and for some reason I cannot access it from home with Internet Explorer. I can hit it from home with Chrome and Mozilla. What can be causing this issue?
Edited
I tried flushing the DNS of my home PC. I have also tried an IIS reset on the remote server that IIS and the site are installed on.
What authentication schemes does the server offer in its WWW-Authenticate header? My first guess is that it's offering Negotiate and you're hitting the problem described here: http://blogs.msdn.com/b/ieinternals/archive/2011/07/06/integrated-windows-authentication-kerberos-ntlm-http-400-error-for-16kb-authorization-header.aspx
If you disable the Integrated Windows Authentication feature in the IE Advanced Settings (and restart) you can verify if that's the issue.
If not, what security zone is the page in, and are your IE security settings set to the defaults? By default, the Internet Zone will prompt for credentials that would have been silently submitted if the target site were in the Intranet zone.
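The first question in the reply above can be answered by reading the headers directly. The following is an added example, not part of the original answer: it lists the schemes offered in a 401 response, then reports whether an Authorization value carries a raw NTLM message or a SPNEGO token and whether the header exceeds the 16 KB size named in the linked article. The function names and sample headers are constructed for illustration.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
HEADER_LIMIT = 16 * 1024  # the 16 KB Authorization header size named in the linked article

def offered_schemes(header_lines):
    """List the schemes from WWW-Authenticate lines (assumes one scheme per line)."""
    schemes = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0])
    return schemes

def classify_authorization(value):
    """Report scheme, inner mechanism and size of one Authorization header value."""
    scheme, _, token = value.strip().partition(" ")
    raw = base64.b64decode(token) if token else b""
    if raw.startswith(NTLMSSP) and len(raw) >= 12:
        # Bytes 8..11 hold the little-endian NTLM message type (1, 2 or 3).
        mechanism = "NTLM type %d" % struct.unpack("<I", raw[8:12])[0]
    elif raw[:1] == b"\x60":
        # 0x60 is the ASN.1 tag that opens a GSS-API/SPNEGO token.
        mechanism = "SPNEGO"
    else:
        mechanism = "unknown"
    size = len("Authorization: " + value)
    return {"scheme": scheme, "mechanism": mechanism,
            "header_bytes": size, "oversized": size > HEADER_LIMIT}

# Constructed sample data, not captured traffic.
SAMPLE_401 = [
    "HTTP/1.1 401 Unauthorized",
    "WWW-Authenticate: Negotiate",
    "WWW-Authenticate: NTLM",
    "Content-Length: 0",
]
NTLM_TYPE1 = "Negotiate " + base64.b64encode(NTLMSSP + struct.pack("<II", 1, 0)).decode()
LARGE_SPNEGO = "Negotiate " + base64.b64encode(b"\x60" + b"\x00" * 17000).decode()

if __name__ == "__main__":
    print(offered_schemes(SAMPLE_401))
    print(classify_authorization(NTLM_TYPE1))
    print(classify_authorization(LARGE_SPNEGO)["oversized"])
```

A raw NTLM message under the Negotiate scheme means the client fell back from Kerberos, which is the case the "remove Negotiate, keep NTLM" fixes on this page work around.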
Related
I am moving some old web applications from an old server to a Server 2016. We are using a domain account for the application identity and we need to use Windows authentication. I am getting a 401.3 error when I try a test.html page on the server. I am only getting this for static content, though, as I tried a home.aspx page and that page worked.
Things I have tried/checked
Static Content is installed under the Common HTTP Features
The domain account used for the app pool has full access to the directory containing test.html
Tried NTLM first as provider instead of Negotiate on IIS Windows Authentication Providers
Tried "Enable Kernel-mode authentication" checked and unchecked
Tried all settings of "Extended Protection" under Advanced settings for windows authentication.
Tried ProcMon. All I get when I filter for test.html is 2 QueryOpen operations with result SUCCESS
The solution for this was that we need to have the account that was running the application pool set up in the "Impersonate a client after authentication." Our local group policy had this locked down. I am guessing the default install may have IIS_USRS group in this policy but our server did not.
I have an Intranet Web Application which uses Windows Authentication. All Windows/PC users can log in fine.
There happen to be 2 Mac Users that use Safari as their default browser and prefer it over chrome for Mac.
When trying to access the Intranet Web Application on the network, nothing happens. But when trying to access the Intranet Web Application from another network or source of internet outside the network, the user is able to login.
Is there something I have missed? Any thoughts on this please.
Converting them to Chrome is the last option in this option.
Thanks in advance
If anyone stumbles across this, the answer was simple. In IIS, under Authentication, setting the providers: I removed Negotiate and kept NTLM. Apple seems to accept this security method.
In a company network there is a web page which uses Kerberos single sign-on. I am connecting to this network via VPN.
When using Mac, I can just write in the console kinit username@REALM.LOCAL, I get the ticket and after this I can open the web page in a browser and it works.
The other story happens on Windows. I have my PC, I don't want it to become a member of the company domain. Via MIT Kerberos Client I can get a Kerberos ticket, but of course no browser is aware of its existence.
Is there a way to feed this ticket to a browser on Windows?
Safari is very friendly, it will give your Kerberos tickets to anybody. IE and Firefox need to be configured to do this and I'm not sure if they will have access to the Kerberos tickets unless your Windows box is in the AD domain.
Basically, you need to configure your browser to support SPNEGO. With Firefox, you need to tweak some variables in about:config. See http://www.microhowto.info/howto/configure_firefox_to_authenticate_using_spnego_and_kerberos.html for the exact details. IE is a whole lot trickier.
I have a web application with Windows Authentication enabled. It is working only with localhost though I have set Bindings. Ping to IP and hostname returns result.
Any help would be appreciated
Have set authentication to windows and impersonate to true. NTLM has been moved up.
Also tried adding the site to Intranet and Trusted Site list. Windows authentication is enabled in IE as well.
Both the server and client are on the same domain ... in fact it is not working at all on the server itself.
Any help would be appreciated.
With the detail you've given it is a bit hard to give concrete advice, so I'll give you a method I've used over the years to try and track down where the issue is.
With the current setup put an image on your webserver and try to retrieve it in the browser using the exact address. Do this on the server itself first and if that works then do it on a client machine.
If it works on the server but not on the client then there could be a client browser issue, a network issue or a DNS issue.
If it doesn't work on the server then change the file level and IIS permissions to anonymous for just that image and the folder / website it is in. Then test the URL on the server in a browser and on a client in a browser.
If it works you've got a permissions issue with NTLM.
Hope this helps you narrow things down.
Dorje
I recently upgraded my Intranet web server to Server 2008 x64 running IIS 7.5. The staff website that I maintain uses NTLM to tell which user is viewing the page and display appropriate content based on that. Since the upgrade our Mac clients can no longer connect through Safari, and Firefox is no longer accepting the about:config setting of network.automatic-ntlm-auth.trusted-uris. I had to remove the FQDN from that entry for them to not get the 401 page only.
My development server is still a Server 2003 box with IIS6 and the Macs can authenticate to that both through Safari and Firefox with no problems.
I checked on the new IIS7 server for the registry key LmCompatibilityLevel located in HKLM\SYSTEM\CurrentControlSet\Control\Lsa but this key is not there. So my understanding is that it will result in level 0 by default allowing LM, NTLM and NTLM v2 auth requests.
Any suggestions on how to get authentication back?
Had a similar problem with Safari forcing users to login innumerable times and this fixed it for me:
In IIS Manager (IIS 7), navigate to the website and right-click on Authentication to "Open feature".
Right-click on "Windows Authentication" and select "Providers", which should display Negotiate & NTLM.
Remove "Negotiate" and restart the website and it should work with a single login prompt.