
I have a website running on IIS and using Windows Authentication. All users that are configured to get access to the site are from an AD domain (not local users). In the properties of the website, I have set it to use the AD domain as the realm.

Now, when using Firefox, Safari or Chrome - everything is fine. When the user tries to open the site, he gets the login box. He simply enters "username" and "password" (let's pretend that it's an actual login and password :P) and he gets into the site.

When using IE, however, things get nasty. When the user tries to open the site - he gets the login box. The user enters the "username" and "password" again, but those get rejected! And when the login box pops up the second time - it has the username filled in as "web-server-domain-name\username", which is wrong, because web-server-domain-name is not the domain where all users reside (it's "ad-domain"). I've spent days trying to figure out what's going on... Note that if I manually enter "ad-domain\username" - I get accepted into the site without problems. So, my guess is that IE sends the wrong username if the domain is not specified.

Anyway, IE is the only browser that triggers this behavior!

Is it possible to do a server-side fix? Maybe it's possible to somehow auto-map the users to AD users?

If it's not solvable server-side - is there a client-side fix for this?

Thank you.

PS: I'm more of a programmer than a sys-admin, so configuring servers isn't the strong side of mine... :P

UPDATE:

@Evan: Yes, "Digest authentication for Windows domain servers" is also enabled.

@Eric: IIS version is 6.0. The authentication methods enabled are: Integrated and Digest - all other methods are disabled. As for the security log, I looked at it when doing a "username" and "password" login in Chrome/Firefox and when doing an "ad-domain\username" and "password" login from IE - the generated log messages are the same (I see no difference, anyway). When entering "username" and "password" I don't see any errors in the security (or any other) log, so I can't tell what method it's trying to use.

UPDATE 2:

As suggested by Eric in the comments - I played around with Fiddler... While playing with it, I noticed that when "username" and "password" are entered in FF and IE - the "Authorization" header value (encrypted) sent by IE is longer (almost two times) than the one sent by FF.

I tried to disable Windows Integrated authentication and only leave Digest enabled - that fixed the problem (meaning IE used the right realm just like the other browsers), but that caused a bazillion other problems with my site, because with Digest - user impersonation on the server doesn't work (that causes problems when connecting to the database, etc.).

Any ideas?

    You can't have only "Integrated Windows authentication" selected because the "Realm" setting wouldn't be available. Do you also have "Digest authentication" or "Basic authentication" enabled, too? – Evan Anderson Oct 26 '09 at 16:26
  • Please post your IIS version, although it sounds like you're using IIS 6.0. Can you check the security log on the IIS box to see exactly which authentication type is being used by each browser? My guess is that IE and Firefox/Safari/Chrome are negotiating different authentication types with the server. Have you experimented with Web Fiddler? You should track the session negotiation with that tool. Please post which authentication methods you have enabled in IIS: Anonymous, Integrated Windows, Digest, Basic, etc. – Eric H Oct 26 '09 at 19:28
  • Is the web server a member of the AD domain where the users reside? – joeqwerty Oct 26 '09 at 17:28
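The "Authorization" header length difference noted in UPDATE 2 is easier to reason about once the NTLM token is decoded: the Type 3 (AUTHENTICATE) message carries the domain, user and workstation names the browser actually sent. The Python below is an added example, not code from the question or answers; it builds a constructed sample token (the "WEBSRV" domain, "CLIENTPC" workstation and all-zero challenge responses are made up for the demo) and decodes it, which is the check you would run on a captured "Authorization: NTLM ..." value to confirm which domain IE is sending. It assumes a raw NTLM token; a "Negotiate" token wraps NTLM in SPNEGO and must be unwrapped first.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
FLAG_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE: strings are UTF-16LE, else OEM/ASCII

def build_authenticate(domain, user, workstation, flags=FLAG_UNICODE):
    """Build a minimal NTLM Type 3 message (no Version/MIC) and return it base64-encoded.
    Constructed for the demo only: the LM/NT responses are dummy zero bytes."""
    enc = "utf-16-le" if flags & FLAG_UNICODE else "ascii"
    fields = [b"\x00" * 24, b"\x00" * 24,          # LmChallengeResponse, NtChallengeResponse
              domain.encode(enc), user.encode(enc),
              workstation.encode(enc), b""]        # EncryptedRandomSessionKey (empty)
    header = NTLM_SIGNATURE + struct.pack("<I", 3)
    offset = 8 + 4 + 8 * len(fields) + 4           # payload starts right after the flags
    payload = b""
    for f in fields:                               # each field: Len, MaxLen, Offset
        header += struct.pack("<HHI", len(f), len(f), offset)
        payload += f
        offset += len(f)
    return base64.b64encode(header + struct.pack("<I", flags) + payload).decode()

def decode_authenticate(token_b64):
    """Parse the base64 token from 'Authorization: NTLM <token>' and return the
    domain, user and workstation names the client put in the Type 3 message."""
    msg = base64.b64decode(token_b64)
    if msg[:8] != NTLM_SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM Type 3 (AUTHENTICATE) message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & FLAG_UNICODE else "ascii"

    def field(pos):
        length, _maxlen, off = struct.unpack_from("<HHI", msg, pos)
        return msg[off:off + length]

    # Fixed header layout: LM @12, NT @20, Domain @28, User @36, Workstation @44
    return {
        "domain": field(28).decode(enc),
        "user": field(36).decode(enc),
        "workstation": field(44).decode(enc),
    }

if __name__ == "__main__":
    # Constructed sample: what a client sends when it fills in the machine/web-server domain
    token = build_authenticate("WEBSRV", "username", "CLIENTPC")
    print(decode_authenticate(token))
```

If the decoded "domain" is the web server's name rather than the AD domain, the client is the side supplying the wrong realm, which matches what IE shows in the second login prompt.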

2 Answers


This can happen if the Windows server (which runs IIS 6.0) and the Windows clients (using IE to access your website) are all part of a local network (LAN).

Also relevant is that you have the "Integrated Windows authentication" enabled as you need to use and validate the users from an AD domain.

Let's call the name of this AD domain ad_domain_name.

In this scenario (LAN + integrated auth), the authentication process between Windows clients and server uses AD domain security by design.

You can check if this is the case by trying this (on a Windows client):

  1. Close All IE windows
  2. Open IE
  3. Access your website and get the login box
  4. Into "username" field write : ad_domain_name\username
  5. Into the "password" field write the password of this user

This procedure should permit the login at the first try.

I have observed this behaviour many times and usually all this is regarded by Microsoft people as a 'desired security feature' in the case of a local network. And it was usually treated as a non-problem, as the login procedure can be done anyway.

I do not know if there is an IIS (and/or Windows server) configuration that can avoid all this mess, but I'm as curious as you to know.

DavAlPi

I usually solve this by making sure the site falls into the Intranet zone in IE which will do prompt-less authentication.

JamesR
  • Yeah, I edited my question a little. The thing is - I don't want to get rid of the login box. I want to solve the thing, that when the username is entered without a domain - it would automatically recognize that it's a user from Active Directory domain. – Paulius Maruška Oct 26 '09 at 16:23