2

I'm trying to get a new Windows Server 2003 box working to host an ASP.NET application that uses Windows Authentication.

Here's some info:

  • IIS Anonymous Access is diabled
  • IIS Integrated Windows Authentication is enabled
  • I've tried it with and without Digest Authentication and it is the same result
  • Both my machine and the server are in same active directory domain on the same intranet
  • I'm using IE 6

My symptoms:

  • In Firefox, via either IP or host name, a login box pops up, and if I enter my NT credentials, it works.
  • In IE, via the server IP address, it works perfectly with no login box.
  • In IE, via the server host name, it pops up a login box but even if I put in the correct credentials, it just pops up the box again. This is the problem.

Why won't windows auth work in IE via host name but it will via IP address?

Edit:
Here's something else interesting. If I go into my Internet Explorer advanced settings and disable Windows Authentication, it seems to work just fine. And by work I mean that my test .NET app sees my NT ID as the current user.

RationalGeek
  • 135
  • 1
  • 2
  • 7
  • Two questions: 1) do you have basic authentication enabled as well? 2) is this the default web site? – squillman Feb 17 '11 at 15:18
  • No, it is not the default website. It is a new website I created that runs on a non-standard port. No, basic authentication is not enabled. – RationalGeek Feb 17 '11 at 15:37
  • After more research it seems that the difference is that IE is using Kerberos when I go via host name, but using NTLM when I go via IP. And NTLM is working and Kerberos isn't. Firefox always uses NTLM. Not sure if that helps anyone figure this out. – RationalGeek Feb 17 '11 at 16:04

3 Answers3

1

I hope this article helps you set NTLM as the primary authentication method.

http://support.microsoft.com/kb/215383

In many cases I was never able to get kerberos authentication working correctly. If you wish to further troubleshoot kerberos try using kerbtray on the client computer.

http://www.microsoft.com/downloads/en/details.aspx?familyid=4E3A58BE-29F6-49F6-85BE-E866AF8E7A88&displaylang=en

This also may help: http://support.microsoft.com/kb/299838

pablo
  • 3,040
  • 1
  • 19
  • 23
1

Need to set the SPN?

http://technet.microsoft.com/en-us/library/cc772897(WS.10).aspx

Jeff
  • 56
  • 1
  • Yes I think this is the key problem. I stumbled on that in my own research. Now I need to figure out whether it is easier to add the SPN (through the layers of bureaucracy in my company's network administration) or just try to disable Kerberos as @pablo's answer suggests. – RationalGeek Feb 18 '11 at 12:20
  • Well I tried to figure out a way around setting up the SPN but it looks like that is the best way, so now I'm trying to find the right person in the company to set that up for me. But this seems very likely to be the right answer so I'll give it to ya. Thanks for the help. – RationalGeek Feb 18 '11 at 19:24
0

Just a hint.

Does the hostname contain any dots? I have seen all kind of problems with IE when typing in like so: http://myserver/ It is like IE just needs a dot in the name for working properly.

An easy way to test this is to fake an address: Edit the C:\Windows\System32\drivers\etc\hosts file. Add a line with the server IP and a bogus name - like this: 192.168.10.78 myserver.mycompany.com

And then http://myserver.mycompany.com/

Swift
  • 101
  • 1
  • 1