IIS Intermittent access forbidden

[Guest]

Hi all

I have a strange problem with IIS windows pass through authentication. Heres the setup

IIS running with Windows Authentication for our intranet site. ACL has been set to everyone for all web directories. This is all on a windows 2003 server. We add the intranet site to the intranet zone so the windows credentials will automatically get passed to IIS

90% of the time it works fine, but Intermittently we get access forbidden - usually having a WINXP PRO client. Remove the intranet web site from zone, reboot client, add intranet back to intranet zone and pass through credentials works fine. Anyone else come across this behaviour

Pete.

 

[WenJun Zhang[msft]]

Hi Pete,

When the "unable to auto perform windows integrated authenticaiton"
behavior occurs on the XP client again, please test local access to
the site from your IIS6 server with the same sitename(is it
machinename or FQDN or a registered DNS name?) and localhost. If
either of them doesn't prompt for username/password, the integrated
authentication should work OK and the issue is most likely on why
XP's IE no longer sends credential to finish auth with IIS
automantically.

Then please open the XP box's registry and check the zone setting
under following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains
See if the site is at there and its http attribute is still set to 1
(Local Intranet Zone). I noticed we can use a domain group policy to
overwrite local IE's security zone setting but not sure if it applies
to your situation. Here is the detailed reference on IE zone registry:

Description of Internet Explorer security zones registry entries
http://support.microsoft.com/?id=182569

The following article lists some general reasons of IE prompts with
integrated auth:
Internet Explorer May Prompt You for a Password
http://support.microsoft.com/?id=258063

Looking forward to your findings.
Best regards,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security

 

[Guest]

WenJun

Thanks for your reply. The server hosting the intranet has the following IIS setup

This might be a little odd, but its due to the .Net installer routines only installing to the default site.....

Default Site - Stopped - has a virtual directory (physical in Inetpub) that hosts our intranet
Intranet Web Site - Running - has virtual directory that points to same physical (physical in Inetpub) as abov

To access the intranet we have an internal DNS for www.intranet.info, this points the IIS servers IP Address and the intranet web site (above) has a host header of www.intranet.inf

When the forbidden problem is apparent, it does seem to be passing some form of credentials automatically to IIS, ie. It doesn't prompt for login information. But my guess is that the problem is client side and not IIS related as when the problem is apparent it seems to only effect one or two users, but everyone else is OK. Restart the clients that have the problem etc. and authentication works fine - this is the basis for me believing this is a client issue and not IIS

The next time the problem is apparent, I will check the registry setting etc. as per your reply, but I would appreciate it if you could clarify the following from your reply

Let me see if I understand your last mail. If we get the 'forbidden' problem, you want me to access the intranet site directly from the hosting machine that is running IIS via Internet Explorer or browse directly from IIS (right click browse) or am I missing the point completely

Thanks in advance, Pete

 

[WenJun Zhang[msft]]

"Let me see if I understand your last mail. If we get the 'forbidden'
problem, you want me to access the intranet site directly from the
hosting machine that is running IIS via Internet Explorer or browse
directly from IIS (right click browse) or am I missing the point
completely?"

[WenJun]
Yes, this is in order to verify if IIS Integrated auth doesn't work
at that time. According to your new statement - "everyone else is OK.
", I believe this is no longer necessary.

A important point in your new thread is you are using host header
like: www.intranet.info. Integrated auth acutally includes two logon
methods - Kerberos and NTLM. When authorization section in request
header is Negotiate (by default), IE and IIS may either choose NTLM
or Kerberos in the end and the one can be affected by host header is
Kerberos. The following KB article contains some related information
of this topic:

Authentication may fail with "401.3" Error if Web site's "Host
Header" differs from server's NetBIOS name
http://support.microsoft.com/default.aspx?scid=kb;EN-US;294382

I wonder what the detailed error message is in the XP user's browser?
Is it just a 401.x error or 403.x forbidden? it can be helpful if
you can paste the error for me to take a look. If the error is just
401.x, per the KB states, you can set the NTAuthenticationProviders
metabase attribute to enforce IIS using NTLM. Please note using
iisreset command to restart IIS is necessary after this change.

cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"

Let me know if the problem persists.
Best regards,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security

 

[WenJun Zhang[msft]]

Hi Pete,

Just want to know if you have got any progress on this issue?

Best regards,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security

 

[WenJun Zhang[msft]]

You are welcome. : )

Best regards,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security

 

[Guest]

Hi WenJun

Well finally I got the access forbidden error on my XP machine (only XP clients seem to have this intermittent issue)
Shows how intermittent the problem is

First of all the error is a 403 and here is the error message
Forbidde
You don't have permission to access / on this server
-------------------------------------------------------------------------------
Apache/2.0.47 (Unix) Server at www.intranet.info Port 8

I did as you asked and tried to browse to the default page from the hosting machine with my credentials and all seemed OK.
On my client that is experiencing the problem, if I then remove www.intranet.info from trusted intranet sites, close the browser, reopen another instance of IE, navigate to the site and I get the 403 without asking for credentials. Reboot the client and access to the site is OK

Any ideas

Pete

 

[Guest]

Carcked it. Although not quite sure why? It just dawned on me that the access forbidden is comming back from a Unix Apache server not IIS

For some reason our internal DNS lookup for www.intranet.info times out and then hits the internet to resolve the address. Then it hits a valid site address with unix servers. Ping showed the external IP addresses. Why the internal DNS lookkup should time out intermittently I dont know, I need to investigate more. Come to think of it why would rebooting the client resolve the issue sometimes. Very odd

Thanks for your involvement. Off to do some digging
Pete.

 

[WenJun Zhang[msft]]

Forbidden
You don't have permission to access / on this server.
----------------------------------------------------------------------
----------
Apache/2.0.47 (Unix) Server at www.intranet.info Port 80

Unbelievable the error is from an Apache server and the root cause is
on DNS resolution..
glad to see 'www.intranet.info' is also an Internet site..

You are always welcome.

Best regards,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security