I recently upgraded my Intranet web server to Server 2008 x64 running IIS 7.5. The staff website that I maintain uses NTLM to tell which user is viewing the page and display appropriate content based on that. Since the upgrade or MAC clients can no longer connect through Safari and Firefox is no longer accepting the about:config setting of network.automatic-ntlm-auth.trusted-uris. I had to remove the FQDN from that entry for them to not get the 401 page only.
My development server is still a Server 2003 box with IIS6 and the MACs can authenticate to that both through Safari and firefox with no problems.
I checked on the new IIS7 server for the registry key LmCompatibilityLevel located in HKLM\SYSTEM\CurrentControlSet\Control\Lsa but this key is not there. So my understanding is that it will result in level 0 by default allowing LM, NTLM and NTLM v2 auth requests.
Any suggestions on how to get authentication back?
Had a similar problem with Safari forcing users to login innumerable times and this fixed it for me:
In IIS Manager (IIS 7), navigate to the website and right-click on Authentication to "Open feature".
Right-click on "Windows Authentication" and select "Providers" which should display Negotiate & NTLM
Remove "Negotiate" and restart the website and it should work with a single login prompt.
Related
I have an application hosted on my local IIS (Windows 10).
From today I am not able to access the application in the browser (tried in Chrome, Browser and IE).
In the browser, I see 'ERR_CONNECTION_REFUSED'. (Same behaviour if I try to 'Browse Website' from IIS.)
I tried browsing the Default Web Site on localhost and was a success.
I am able to ping the application from the command prompt.
There are no logs related to it in the IIS logs and the event viewer.
In registry,
at path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
it was having 2 values
removed the second one, left the default one.
This fixed my issue.
I am moving some old web applications from an old Server to a Server 2016. We are using a domain account for the application identity and we need to use windows authentication. I am getting a 401.3 error when I try a test.html page on the server. I am only getting this for static content though as I tried a home.aspx page and that page worked.
Things I have tried/checked
Static Content is installed under the Common HTTP Features
The domain account used for the app pool has full access to the directory containing test.html
Tried NTLM first as provider instead of Negotiate on IIS Windows Authentication Providers
Tried "Enable Kernel-mode authentication" checked and unchecked
Tried all settings of "Extended Protection" under Advanced settings for windows authentication.
Tried ProcMon. All I get when I filter for test.html is 2 QueryOpen operations with result SUCCESS
The solution for this was that we need to have the account that was running the application pool set up in the "Impersonate a client after authentication." Our local group policy had this locked down. I am guessing the default install may have IIS_USRS group in this policy but our server did not.
Yesterday we launched our new extranet site and for some reason I cannot access it from home with Internet Exporer. I can hit it from home with chrome and Mozilla. What can be causing this issue?
Edited
I tried flishing the dns of my home PC. I have also tried an IIS reset on the remote server that iis and the site is installed on.
What authentication schemes does the server offer in its WWW-Authenticate header? My first guess is that it's offering Negotiate and you're hitting the problem described here: http://blogs.msdn.com/b/ieinternals/archive/2011/07/06/integrated-windows-authentication-kerberos-ntlm-http-400-error-for-16kb-authorization-header.aspx
If you disable the Integrated Windows Authentication feature in the IE Advanced Settings (and restart) you can verify if that's the issue.
If not, what security zone is the page in, and are your IE security settings set to the defaults? By default, the Internet Zone will prompt for credentials that would have been silently submitted if the target site were in the Intranet zone.
I have deployed an MVC 3 website on IIS of my Windows Server 2003 edition. I have set the authentication to Basic, Integrated, and Windows in order to enable site to use Windows authentication, and automatically log in into website if the user has launched the site from the same domain. If user access the site from another domain, it should prompt the Windows credentials and should allow user to log in.
However the problem is that, user is presented with Windows login prompt every time (irrespective to same or different domain), and also when user provides valid credentials it doesn't allow user to access the site.
What could be the problem here? Or, can anyone provide me proper guide to configure IIS to use Windows Authentication while deployed on Windows Server 2003?
What is the version of IIS you are using ? Could you try to force NTLM authentication and see whether it will change anything ? Followin technet article will tell you how to change to NTML http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/7258232a-5e16-4a83-b76e-11e07c3f2615.mspx?mfr=true. Please backup the server/iis configs before attempting any modifications to the metabase
I have an old laptop running WinXPpro and both IE8 and CoolNovo which can download an applet just fine from our Win2008 Server R2 SP1 x64 IIS 7.5.7600.16385. I have a new laptop (same hardware) with a x64 Windows7 and IE9 and CoolNovo which can't download the applet (.jar file) from the same server. I can download this .jar file directly as a url and I can download and run the applet over the internet from the .jar product provider on both laptops just fine. So it has something to do with my new laptop. If we add anonymous authentication to the web server, our app works on both too.
Using fiddler, I can see the NTLM authentication conversation on both laptops. On the old one, it works just fine:
A 401 with the WWW-Authenticat Header is present: Negotiate and one for NTLM
Then a 401 (challenge - NTLM type 2),
Followed by a 200 with the client sending the NTLM type 3 header
On the new laptop, I get the first two 401s, but no 200. It simply tries again with the 401s 2 more times.
Any ideas why the new Windows7 laptop would not be sending a 200 NTLM type3 response to the server or what the issue here might be?
Old Laptop: jre6: 1.6.0_30 checked as the user java runtime env. No System java runtime versions checked.
new Laptop: jre6: 1.6.0_31 checked as the user AND system java runtime env.
TVMIA.
I've encountered the same issue and after looking in server security log a have found two strange record just after each unsuccessful logon:
1. 4624 - successful logon. and just after that:
2. 4634 - successful logoff
Very strange... I've googled for these event codes and found this thread:
SCCM reporting not working on W2K8 R2 64-bit
And the solution to this problem is:
1. Open the IIS Manager and go to your site
2. Double click Authentication under IIS
3. Click on Windows Authentication and then choose "Providers..." under Actions
4. Add NTLM if it isn't there and move it to the top.
5. Click OK
It worked for me!