Automatic Logon Problems

Guest

I'm having problems with some websites I maintain that use Integrated Windows
Authentication for logging in.

The goal is for people to not be prompted for their login information when
they're logged into their laptop using their domain account, and they're on
the LAN. If they're using their corporate laptop and are outside of the
office, I'd prefer that they still don't have to enter in their login info.
Lastly, if they're at a computer that the company doesn't own they should be
prompted for a username and password.

Two of the sites are located on Windows 2003 Servers. One is located on
Windows 2000. All of the sites are set up to use Integrated Windows
Authentication. The sites are using SSL, so people have to use the Fully
Qualified Domain name whether they're on the LAN or outside of our firewall.
The clients are a mix of Windows XP SP2, and Windows 2003 SP1.

I've added two of the sites to the Intranet Zone, and one to the Trusted
Sites Zone in IE on my work laptop. The intranet zone is set to Automatic
logon only in Intranet Zone, and the trusted sites zone is set to Automatic
logon with current username and password. This works great when I'm in the
office. I can get to all 3 sites without being prompted for a username or
password. Unfortunately, when I take my laptop out of the office, and try to
connect to the sites, one of them works, and two cause IE to display "The
page cannot be displayed" "Cannot find server or DNS Error". One of these
problematic sites is in the Intranet zone and is running on 2003, and the
other is in the Trusted Sites zone and is running on 2000. I can ping the
sites, I can run a tracert to the sites, I can even get to the sites if I go
into the security settings for the two zones and set them to Prompt for a
username and password.

Other people with their computers set up exactly the same as mine can't get
to the site that I can get to (they get the same "Cannot find server or DNS
Error"), and again, to work around this issue for those people I tell them to
set their zone to prompt for a password.

In the advanced settings for IE "Show friendly HTTP error messages" is
Un-checked.

It's my understanding that IE will try Integrated windows authentication
first, if that doesn't work it'll fall back on Basic Authentication. This is
what I'd expect would happen if the laptop is outside of the office using a
proxy server, but during my testing I'm just putting my laptop directly on
the internet, no proxy server, and only one firewall between me and all the
sites.

Does anyone know how to fix this problem? I don't think it's an IIS issue
since things work if I just tell IE to prompt for a password, and because the
site that works for me, doesn't work for other people. I also think it's
strange that I get a "Cannot find server or DNS Error" when I can clearly
connect to the server. I'd expect to see a cannot log in error if anything.

Any help would be greatly appreciated. I've been beating my head against
this wall for about two weeks now, with no results other than a major
headache.

Thanks,

Alex.
 
Robert Aldwinckle

Jinseng said:
I don't think it's an IIS issue since things work if I just tell IE to prompt
for a password


I suspect that what this could be indicating is that there are more security options
changing when you go into the Custom Level... dialog than just the one
you want to change. I think you might have to trace with RegMon
(e.g. filter with zone) to see if there are any more differences than just
the prompt.

I also think it's strange that I get a "Cannot find server or DNS Error"
when I can clearly connect to the server.


Unfortunately that message often means more than it implies.
I think it is best to use a packet trace to figure out exactly what it means.

This is difficult when the protocol involved is https.
In that case there is a utility which facilitates a reghack for you.

KB823193 - INFO: How To Get Windows HTTP 5.1 Certificate And Trace Tools


Good luck

Robert Aldwinckle
---
 
Guest

Thanks for getting back to me.

I tried using RegMon, and the only thing that appears to be changing is the
prompt for password key. I filtered for iexplore.exe to narrow down the
search, and only one key changed.

I haven't had an opportunity yet to try using a packet capture, but I do have
http open to one of the machines, so I can try capturing that traffic.

One thing to note though... I tried accessing the sites from a computer
running windows 2000 server that was part of our domain, but outside the
firewall at the time, and that worked fine. So I'm thinking it's an issue
specific to Windows 2003 and Windows XP machines.

Does that make any sense? Could it be a Kerberos problem? I don't know
much about Kerberos, or why it would cause IE to not prompt for a password,
but it's a thought.

Any more help would be appreciated.

Thanks.
 
Guest

We are having the exact same problem you are having with some of our sites.
I was wondering if you have found out anything? I have not been able to get
very far. The only way I can get it to work is if I remove our domain from
the "Local Intranet" settings. This is not really a solution since you will
be prompted to login all the time.

Thanks,

Chris
 
Guest

Chris,

Short answer:
Disabling "Enable Integrated Windows Authentication (requires restart)" in
the security section of the advanced tab may correct the issue for you.

Long Answer:
I did a packet capture and it appears that the browser is attempting to use
Kerberos first (which makes sense). During the process the machine does a DNS
lookup for the Kerberos servers, and of course can’t find them in public DNS
servers. I’m guessing that I’m getting a "Cannot find server or DNS Error"
because my machine can’t find the Kerberos info in DNS.

At this point rather than throwing a DNS error, I thought that IE would
realize that Kerberos isn’t going to work and try NTLM, but for some reason
it seems to be dying at this point.

After looking at a few web pages that say to make sure that "Enable
Integrated Windows Authentication (requires restart)" is enabled, I decided
to do the opposite and uncheck it. After doing that everything works great,
just as expected. Then I found a web site that says that it seems like when
you disable that option you’re really just disabling Kerberos, and thus
forcing the machine to go directly to NTLM.

I disabled that here on this end and I think it got things working. I still
have to do some more testing to be totally sure though.

I hope someone out there who really knows this stuff can shed some light on
this mysterious "Enable Integrated Windows Authentication (requires restart)"
option in IE.

Thanks a lot. And any thoughts or ideas are greatly appreciated.

Alex.
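As an added example (not code from this thread), the DNS step Alex's capture showed: before Kerberos can be used the client must locate a KDC through SRV records, and a public resolver answers NXDOMAIN for an internal realm. The Python below builds those SRV queries and parses the replies; the realm corp.example.com and the reply bytes are constructed assumptions, not captured traffic.

```python
import struct

def kerberos_srv_names(realm):
    """SRV names a Windows client queries to find a KDC for REALM."""
    realm = realm.strip(".").lower()
    return [f"_kerberos._tcp.dc._msdcs.{realm}", f"_kerberos._tcp.{realm}"]

def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, then 0x00."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def build_srv_query(name, txid=0x1234):
    """One recursive (RD=1) question for the SRV record (type 33, IN) of NAME."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 33, 1)

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset past it)."""
    labels, end = [], None
    while (n := msg[off]) != 0:
        if n & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + n].decode())
            off += 1 + n
    return ".".join(labels), (off + 1 if end is None else end)

def parse_srv_response(msg):
    """Return [(priority, weight, port, target)]; [] means no KDC found."""
    rcode = struct.unpack(">H", msg[2:4])[0] & 0x0F
    qd, an = struct.unpack(">HH", msg[4:8])
    if rcode != 0:  # e.g. NXDOMAIN (3), what a public resolver returns
        return []
    off, out = 12, []
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4  # skip QNAME, QTYPE, QCLASS
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 33:  # SRV
            prio, weight, port = struct.unpack(">HHH", msg[off + 10:off + 16])
            out.append((prio, weight, port, read_name(msg, off + 16)[0]))
        off += 10 + rdlen
    return out

# Constructed reply (not captured traffic): NXDOMAIN, as a public resolver
# answers for an internal realm's SRV name; parse_srv_response gives [].
PUBLIC_DNS_REPLY = (b"\x12\x34\x81\x83\x00\x01\x00\x00\x00\x00\x00\x00"
                    + build_srv_query("_kerberos._tcp.corp.example.com")[12:])
```

To check a network live, send build_srv_query() for each name from kerberos_srv_names() to the resolver in use over UDP/53 and pass the reply to parse_srv_response(); an empty list from the resolver a laptop uses off the LAN is the failure described in the post.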
 
Robert Aldwinckle

....
We are having the exact same problem you are having with some of our sites.
I was wondering if you have found out anything? I have not been able to get
very far.
The only way I can get it to work is if I remove our domain from
the "Local Intranet" settings. This is not really a solution since you will
be prompted to login all the time.


You seem to be contradicting your first statement. <eg>
"exact problem" does not include OP's workaround?


---
 
Robert Aldwinckle

....
Long Answer:
I did a packet capture and it appears that the browser is attempting to use
Kerberos first (which makes sense). During the process the machine does a DNS
lookup for the Kerberos servers, and of course can’t find them in public DNS
servers. I’m guessing that I’m getting a "Cannot find server or DNS Error"
because my machine can’t find the Kerberos info in DNS.


In that case you could try adding the appropriate lookup entry to your
HOSTS file? (Although I don't quite understand why "of course"
it shouldn't be able to find a lookup which could be public.)

At this point rather than throwing a DNS error, I thought that IE would
realize that Kerberos isn’t going to work and try NTLM, but for some reason
it seems to be dying at this point.

After looking at a few web pages that say to make sure that "Enable
Integrated Windows Authentication (requires restart)" is enabled, I decided
to do the opposite and uncheck it. After doing that everything works great,
just as expected. Then I found a web site that says that it seems like when
you disable that option you’re really just disabling Kerberos, and thus
forcing the machine to go directly to NTLM.

I disabled that here on this end and I think it got things working. I still
have to do some more testing to be totally sure though.


Alex,

How does this new information fit with the workaround you had?
Did you try tracing an instance of the workaround too?
If so, were there any differences? (besides timing)
Also by "packet trace" are you including the detail you can
capture using WinHttpTraceCfg (ref. KB823193)?
Otherwise I suspect you would miss too much looking at just
the raw TCP stream.

I hope someone out there who really knows this stuff can shed some light on
this mysterious "Enable Integrated Windows Authentication (requires restart)"
option in IE.



Thanks a lot. And any thoughts or ideas are greatly appreciated.


HTH

Robert
---
 
Guest

FYI, I finally came up with an acceptable workaround for us here.

For reasons I don't want to get into here we maintain a copy of our public
domain space internally. So when our users are in the office they use our
internal DNS servers to resolve this site, and when they're out of the office
they use Public DNS servers to resolve the site. This allowed me to make
some changes to DNS that helped me out.

On the web server I set up two virtual sites each responding to different IP
addresses. One uses Integrated Windows Authentication only, and the other
uses Plain Text Authentication (with SSL of course). Our internal DNS
servers point to the Windows Auth site, and the external DNS servers point to
the Plain Text Auth site. The clients still have the site listed in their
Trusted sites zone, so when they're in the office they hit the Windows Auth
site and are allowed right in. When they're out of the office they hit the
Plain text site, and are prompted for authentication, and they still get the
benefits of being in the trusted sites zone.

It's not a great solution, and won't work for everyone, but since we
maintain a copy of DNS internally it worked well for us. Also, since the two
virtual sites point to the same directory of files, a change to the pages of the
site affects both internal and external users. There aren't two sets of code
to keep updated.

I hope this helps someone out there :)
 
Guest

Comments added below,
Alex.

Robert Aldwinckle said:
....


In that case you could try adding the appropriate lookup entry to your
HOSTS file? (Although I don't quite understand why "of course"
it shouldn't be able to find a lookup which could be public.)

I say "of course" because although I could publish my company's Kerberos
Info in Public DNS and open the ports for it in my firewall, I _wouldn't_ do
it for security reasons, and wouldn't suggest others do it either.

I don't think that kind of info can be placed in a Hosts file, since hosts
is just server name to IP address, not Service name to IP address. And if I
could add it, it still wouldn't work since while in the Office people would
have to point to Internal IP addresses, and outside the office they'd have to
point to external IP addresses (which of course leads us to publishing AD to
the internet).
 
