I wrote:
Even when I do all of the above, I do not have pass-through
authentication. I'm really stumped.
[NOTE: The lack of continuity in this message is due to the fact that it was
a work in progress throughout the debugging steps I outline below. Please
forgive any seeming contradictions that may result.]
I think I have a partial explanation for my problem: the Internet Explorer
Enhanced Security Configuration (I'll just refer to it as the IEESC from
here on). I'll return to this in a moment.
The suggestion that I put the server in my local intranet zone got me
thinking. I don't believe I had ever tried that before, but I'm certain that
if I try it now, pass-through authentication fails. But I recently rebuilt
and have been testing Windows Server 2003 as my local OS**, and even though
I removed the IEESC for administrator groups, it *was* part of the original
install, which may be a factor.
On a hunch, I went to a Win2K machine (all updates, most recent IE version),
and tried connecting to my development server, which is Win2K/IIS 5. Instead
of the usual [HTTP 401.2 - Unauthorized: Logon failed due to server
configuration], I was met with an NT Challenge dialog.
This was an improvement, but still did not represent pass-through
authentication. From this different behavior, I inferred that perhaps the
IEESC was to blame for my complete inability to connect, though it's still
possible that some policy or privacy setting is tripping the whole thing up.
I tried another test, applying the same access control settings to an old
web server sitting on the local switch (our actual web servers are a few
miles away in another facility). Both my Win2K machine and my local machine
worked correctly!
I started wondering what might be different about my development server. The
answer turned out to be that it has a DNS entry. When I point my browser to
{ http://machine/application/ }, I get the pass-through authentication
I desire from every machine. But when I point to
{ http://machine.company.com/application/ }, the Win2K machine puts up an NT
Challenge dialog box and the 2003 machine just rolls to the HTTP 401.2 page.
Pointing to the IP Address causes this second behavior, as well.
This behavior occurs despite the status bar showing Local Intranet zone on
each machine. The reason my test worked on the local switch was that the
local server has no DNS entry, meaning I had to use the machine name only.
When I switched to IP address for the local server, I was again rejected,
even after adding that IP address to the Local Intranet zone.
I find this to be an awfully frustrating "feature". At least it has
generated an interesting discussion.
**I put a lot of tools on my own site and use it as a start page for my web
browsers, and discovered some time back that I don't even generate the
majority of traffic to my own site -- my coworkers use it quite frequently,
necessitating the need for a server version of the OS (Professional limits
IIS to 10 simultaneous sessions, which wasn't nearly enough). Anyway, I've
been evaluating Windows Server 2003, and figured the local machine was the
logical place to start.
--
Dave Anderson
Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.