On Jul 8, 5:22 pm, "Anthony Jones" <A...@yadayadayada.comwrote:
Does anyone know a) why IE7 results in the AUTH_USER variable
sporadically not being available to ASP,
I can't see how the client of any
description can affect that.
Well the IE client is definitely the only difference for this
particular situation. IE6 = AUTH_USER present, IE7 = AUTH_USER not
(always) present.
BUT....!
b) if there is anything I
can configure on either client or server that will shore up this flaw?
The most likely explanation is that the browser does not recognise the site
as being in the intranet zone. Only the intranet zone will by default use
the current users credentials to authenticate a connection. If the site is
accessed as if it were in the Internet zone the user will see a windows
network logon dialog.
Now you're on to something. I started looking through Internet
options as they pertain to security in the Intranet zone and came
across a setting in the "Custom Level" section for the Intranet zone
called, "User Authentication" "Logon". This setting has four
selections:
( ) Anonymous logon
(*) Automatic logon only in Intranet zone
( ) Automatic logon with current user name and password
( ) Prompt for user name and password
This setting on our IE6 machines is "Automatic logon only in Intranet
zone"; it is the same setting on our IE7 machines. HOWEVER -- if I
switch the setting to "Automatic logon with current user name and
password" on my IE7 machines, suddenly the problem goes away: I am no
longer prompted for authentication. This means that -- between IE6
and IE7 -- Microsoft evidently made SOME changes to how that
particular option is being handled.
Side note: I have also -- now that you've called my attention to the
zones issue -- did a little more testing and found that the problem
occurs under the following scenario on the IE7 machines (when the
setting is "Automatic logon only in Intranet zone"):
1. user is currently on an IntERnet site
2. user clicks a web shortcut on their desktop or a URL in an email,
that points to our IntRAnet site
Apparently, under these conditions, IE7 hasn't yet "left" the IntERnet
zone before it begins to authenticate on the IntRAnet site? (Just a
wild guess), and therefore doesn't "see" the IntRAnet site as being in
the IntRAnet zone, so it prompts for authentication. If the user does
not have IE open at all, and just clicks the shortcut or link, the
site opens without prompting for authentication.
So, I have a work-around (change the setting to "Automatic logon with
current user name and password"), but either IE6 was wrong and they
fixed it in IE7, or IE6 was right and they broke it in IE7 -- either
way, Microsoft changed something which critically changed the behavior
of this automatic logon in the Intranet zone setting.
Frustrating.