
Integrated Windows authentication fails sporadically IE7 clients

I have an intranet site on my LAN which has "anonymous access" turned
OFF, and "integrated Windows authentication" turned on. This allows
me to access the "AUTH_USER" server variable, which I use to look up
application rights in SQL Server. With IE6 clients, this has worked
flawlessly for several years.

Our users are currently running IE6, but my parent agency has
announced an upgrade to IE7 beginning next month, so I have installed
IE7 on a couple machines for testing. What I have observed is that
the AUTH_USER variable is sporadically not available to ASP, when
connecting from the IE7 client. This has the effect of prompting the
user for Windows authentication when they attempt to open any page on
my site. I desperately want to avoid this.

Does anyone know a) why IE7 results in the AUTH_USER variable
sporadically not being available to ASP, and b) if there is anything I
can configure on either client or server that will shore up this flaw?
Jul 8 '08 #1
<jo*********@yahoo.com> wrote in message
news:7b**********************************@a70g2000hsh.googlegroups.com...
> I have an intranet site on my LAN which has "anonymous access" turned
> OFF, and "integrated Windows authentication" turned on. This allows
> me to access the "AUTH_USER" server variable, which I use to look up
> application rights in SQL Server. With IE6 clients, this has worked
> flawlessly for several years.
>
> Our users are currently running IE6, but my parent agency has
> announced an upgrade to IE7 beginning next month, so I have installed
> IE7 on a couple machines for testing. What I have observed is that
> the AUTH_USER variable is sporadically not available to ASP, when
> connecting from the IE7 client. This has the effect of prompting the
> user for Windows authentication when they attempt to open any page on
> my site. I desperately want to avoid this.
>
> Does anyone know a) why IE7 results in the AUTH_USER variable
> sporadically not being available to ASP,

No. With Windows integrated authentication being the only means to
authenticate, the connection must have an AUTH_USER associated with it
before ASP script can begin execution. I can't see how the client of any
description can affect that.

> and b) if there is anything I
> can configure on either client or server that will shore up this flaw?

The most likely explanation is that the browser does not recognise the site
as being in the intranet zone. Only the intranet zone will by default use
the current user's credentials to authenticate a connection. If the site is
accessed as if it were in the Internet zone the user will see a Windows
network logon dialog.

--
Anthony Jones - MVP ASP/ASP.NET
Jul 8 '08 #2
On Jul 8, 5:22 pm, "Anthony Jones" <A...@yadayadayada.com> wrote:
> > Does anyone know a) why IE7 results in the AUTH_USER variable
> > sporadically not being available to ASP,
>
> I can't see how the client of any
> description can affect that.

Well the IE client is definitely the only difference for this
particular situation. IE6 = AUTH_USER present, IE7 = AUTH_USER not
(always) present.

BUT....!

> > b) if there is anything I
> > can configure on either client or server that will shore up this flaw?
>
> The most likely explanation is that the browser does not recognise the site
> as being in the intranet zone. Only the intranet zone will by default use
> the current user's credentials to authenticate a connection. If the site is
> accessed as if it were in the Internet zone the user will see a windows
> network logon dialog.

Now you're on to something. I started looking through Internet
options as they pertain to security in the Intranet zone and came
across a setting in the "Custom Level" section for the Intranet zone
called, "User Authentication" "Logon". This setting has four
selections:

( ) Anonymous logon
(*) Automatic logon only in Intranet zone
( ) Automatic logon with current user name and password
( ) Prompt for user name and password

This setting on our IE6 machines is "Automatic logon only in Intranet
zone"; it is the same setting on our IE7 machines. HOWEVER -- if I
switch the setting to "Automatic logon with current user name and
password" on my IE7 machines, suddenly the problem goes away: I am no
longer prompted for authentication. This means that -- between IE6
and IE7 -- Microsoft evidently made SOME changes to how that
particular option is being handled.

Side note: I have also -- now that you've called my attention to the
zones issue -- done a little more testing and found that the problem
occurs under the following scenario on the IE7 machines (when the
setting is "Automatic logon only in Intranet zone"):

1. user is currently on an IntERnet site
2. user clicks a web shortcut on their desktop or a URL in an email,
that points to our IntRAnet site

Apparently, under these conditions, IE7 hasn't yet "left" the IntERnet
zone before it begins to authenticate on the IntRAnet site? (Just a
wild guess), and therefore doesn't "see" the IntRAnet site as being in
the IntRAnet zone, so it prompts for authentication. If the user does
not have IE open at all, and just clicks the shortcut or link, the
site opens without prompting for authentication.

So, I have a work-around (change the setting to "Automatic logon with
current user name and password"), but either IE6 was wrong and they
fixed it in IE7, or IE6 was right and they broke it in IE7 -- either
way, Microsoft changed something which critically changed the behavior
of this automatic logon in the Intranet zone setting.

Frustrating.
Jul 9 '08 #3
"jo*********@yahoo.com" wrote:
> So, I have a work-around (change the setting to "Automatic logon with
> current user name and password")

Scratch that. Now I'm testing again (to show my colleague what I'm talking
about) and now it's prompting me no matter what my setting is. I can no
longer state with any certainty what causes this prompt to occur or not occur.

So, the question remains: why does this happen with IE7, when it did not
happen with IE6? I understand that AUTH_USER is a server variable and it's
controlled by a user's Windows logon, but somehow, it is being affected by
something that changed between IE6 and IE7.

Any other ideas?

Jul 9 '08 #4

"Jon Mundsack" <Jon Mu******@discussions.microsoft.com> wrote in message
news:80**********************************@microsoft.com...
> "jo*********@yahoo.com" wrote:
> > So, I have a work-around (change the setting to "Automatic logon with
> > current user name and password")
>
> Scratch that. Now I'm testing again (to show my colleague what I'm talking
> about) and now it's prompting me no matter what my setting is. I can no
> longer state with any certainty what causes this prompt to occur or not occur.
>
> So, the question remains: why does this happen with IE7, when it did not
> happen with IE6? I understand that AUTH_USER is a server variable and it's
> controlled by a user's Windows logon, but somehow, it is being affected by
> something that changed between IE6 and IE7.
>
> Any other ideas?

Is the server name in the URLs being used fully qualified with the domain or
is just the host name?

Are you relying on IE to infer that the host is on the intranet?

Personally I would use a fully qualified servername and add that server
address to the intranet site list in IE. I use this approach a lot whilst
using integrated security.

--
Anthony Jones - MVP ASP/ASP.NET
Jul 9 '08 #5
"Anthony Jones" wrote:
> Is the server name in the URLs being used fully qualified with the domain or
> is just the host name?
>
> Are you relying on IE to infer that the host is on the intranet?
>
> Personally I would use a fully qualified servername and add that server
> address to the intranet site list in IE. I use this approach a lot whilst
> using integrated security.

I am not familiar with how to add the domain to a URL. If my URL is:

http://appmonroe2o6ab/ssg/

How would I format this to include the domain?

Unfortunately I can't "add that server address to the intranet site list in
IE" because I work for a County government and my network is owned by the
State, and the State has apparently disabled the intranet site property page
through policies (everything is grayed out). But maybe adding the domain to
the URL will resolve this. Please let me know. And thanks for all your help!

Jul 10 '08 #6
"Anthony Jones" wrote:
> Personally I would use a fully qualified servername and add that server
> address to the intranet site list in IE. I use this approach a lot whilst
> using integrated security.

Hmm, now this is interesting.

Our intranet server is appmonroe2o6ab. There is a fully-qualified version
of this called appmonroe2o6ab.co.monroe.nyenet. When I click a link with
just the server name, it works. When I click a link for the fully-qualified
domain, it prompts for authentication.

What does that reveal? Does that mean that my proxy server is not properly
recognizing appmonroe2o6ab.co.monroe.nyenet as being on our local intranet?

Jul 10 '08 #7
"Jon Mundsack" <Jo*********@discussions.microsoft.com> wrote in message
news:38**********************************@microsoft.com...
> "Anthony Jones" wrote:
> > Personally I would use a fully qualified servername and add that server
> > address to the intranet site list in IE. I use this approach a lot whilst
> > using integrated security.
>
> Hmm, now this is interesting.
>
> Our intranet server is appmonroe2o6ab. There is a fully-qualified version
> of this called appmonroe2o6ab.co.monroe.nyenet. When I click a link with
> just the server name, it works. When I click a link for the fully-qualified
> domain, it prompts for authentication.
>
> What does that reveal? Does that mean that my proxy server is not properly
> recognizing appmonroe2o6ab.co.monroe.nyenet as being on our local intranet?

The zone choice is made by IE based on the URL without reference to the
finally resolved IP address. Typically IE assumes a lone server name must
be in the intranet, whereas a fully qualified name isn't.

However such settings can be overridden.

Do you have a proxy server between the client IE and the server? If so that
opens a much larger can of worms.
--
Anthony Jones - MVP ASP/ASP.NET
Jul 10 '08 #8
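
A simplified model of the zone decision described in the reply above, combined with the four "Logon" choices listed earlier in the thread. This is an added example, not code from any poster and not Internet Explorer's own logic. The site-list pattern `*.co.monroe.nyenet` and the per-zone default settings are assumptions, and other zone-mapping rules (proxy bypass, policy templates) are not modelled.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit

# The four "User Authentication > Logon" choices listed in the thread.
ANONYMOUS = "Anonymous logon"
AUTO_INTRANET_ONLY = "Automatic logon only in Intranet zone"
AUTO_ALWAYS = "Automatic logon with current user name and password"
PROMPT = "Prompt for user name and password"

# Assumed per-zone settings: both zones left on the value the thread reports.
DEFAULT_LOGON = {"intranet": AUTO_INTRANET_ONLY, "internet": AUTO_INTRANET_ONLY}


def zone_for(url, intranet_sites=()):
    """Pick a zone from the URL text alone; no DNS lookup is performed."""
    host = (urlsplit(url).hostname or "").lower()
    # An explicit site-list entry (the override mentioned above) wins.
    if any(fnmatch(host, pattern.lower()) for pattern in intranet_sites):
        return "intranet"
    # A lone server name (no dots) is assumed to be on the intranet.
    if host and "." not in host:
        return "intranet"
    # Any dotted name, FQDN or IP literal alike, is treated as Internet.
    return "internet"


def sends_credentials_silently(url, intranet_sites=(), logon=None):
    """True when the logged-on user's credentials are sent with no prompt."""
    zone = zone_for(url, intranet_sites)
    setting = (logon or DEFAULT_LOGON)[zone]
    if setting == AUTO_ALWAYS:
        return True  # every site that lands in this zone gets credentials
    if setting == AUTO_INTRANET_ONLY:
        return zone == "intranet"
    return False  # ANONYMOUS and PROMPT never send them silently


if __name__ == "__main__":
    short = "http://appmonroe2o6ab/ssg/"
    fqdn = "http://appmonroe2o6ab.co.monroe.nyenet/ssg/"
    site_list = ["*.co.monroe.nyenet"]  # hypothetical site-list entry
    for label, url, sites in [
        ("host name only", short, ()),
        ("FQDN, no mapping", fqdn, ()),
        ("FQDN, mapped to intranet", fqdn, site_list),
    ]:
        silent = sends_credentials_silently(url, sites)
        print(f"{label:26} zone={zone_for(url, sites):8} silent logon={silent}")
```

Under this model, switching only the Intranet zone to "Automatic logon with current user name and password" leaves the fully qualified URL prompting, because that URL is still classified as Internet. A zone mapping for the FQDN is the narrower change, since it does not widen automatic logon to other sites.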

"Jon Mundsack" <Jon Mu******@discussions.microsoft.com> wrote in message
news:F0**********************************@microsoft.com...
> "Anthony Jones" wrote:
> > Is the server name in the URLs being used fully qualified with the domain or
> > is just the host name?
> >
> > Are you relying on IE to infer that the host is on the intranet?
> >
> > Personally I would use a fully qualified servername and add that server
> > address to the intranet site list in IE. I use this approach a lot whilst
> > using integrated security.
>
> I am not familiar with how to add the domain to a URL. If my URL is:
>
> http://appmonroe2o6ab/ssg/
>
> How would I format this to include the domain?
>
> Unfortunately I can't "add that server address to the intranet site list in
> IE" because I work for a County government and my network is owned by the
> State, and the State has apparently disabled the intranet site property page
> through policies (everything is grayed out). But maybe adding the domain to
> the URL will resolve this. Please let me know. And thanks for all your help!

You won't be able to add sites to the zone if they have locked it down.

--
Anthony Jones - MVP ASP/ASP.NET
Jul 10 '08 #9
