security works for VPN users, doesn't for local

Discussion in 'ASP .Net' started by SpaceMarine, May 22, 2008.

  1. SpaceMarine

    SpaceMarine Guest

    sorry for the near-dupe post (also in .security), but i'm desperately
    trying to find an answer to this...

    i am attempting to configure security for an intranet web application
    in ASP.NET 2. it uses Windows authentication, retrieving roles from
    our Active Directory. nothing too unusual.

    what is unusual: it works for users that are VPN'ing into our network
    from the outside (using cisco vpn), but DOESN'T work for normal desktop
    users in the office.

    for both the browser (IE) pops up the windows login dialog. afterward
    VPN users get in and i can see their name, check their
    User.IsInRole("foo"), etc.. no problems. in-network users? can't
    authenticate their credentials.. get this after 3 failed attempts:

    HTTP Error 401.1 - Unauthorized: Access is denied due to invalid
    credentials.
    Internet Information Services (IIS)

    ....any ideas why?

    Windows Server 2003, virtual directory under default website. in
    "Directory Security" tab in IIS i have:

    - unchecked "Enable anonymous access"

    - checked "Integrated Windows authentication"

    ....my web.config of course uses the Windows authentication mode.



    this is maddening! thanks for any help

    sm
     
    SpaceMarine, May 22, 2008
    #1

  2. SpaceMarine

    Jeff Dillon Guest

    What machine is the VPN machine? The web server by chance?
     
    Jeff Dillon, May 23, 2008
    #2

  3. SpaceMarine

    SpaceMarine Guest

    On May 22, 7:48 pm, "Jeff Dillon" <>
    wrote:
    > What machine is the VPN machine? The web server by chance?


    unlikely, big enterprise, many machines. i'm not certain tho so i'll try
    to find out.
     
    SpaceMarine, May 23, 2008
    #3
  4. SpaceMarine

    SpaceMarine Guest

    On May 22, 2:24 pm, SpaceMarine <> wrote:
    > sorry for the near-dupe post (also in .security), but i'm desperately
    > trying to find an answer to this...
    >
    > i am attempting to configure security for an intranet web application
    > in ASP.NET 2. it uses Windows authentication, retrieving roles from
    > our Active Directory. nothing too unusual.
    >
    > what is unusual: it works for users that are VPN'ing into our network
    > from the outside (using cisco vpn), but DOESN'T work for normal desktop
    > users in the office.
    >
    > for both the browser (IE) pops up the windows login dialog. afterward
    > VPN users get in and i can see their name, check their
    > User.IsInRole("foo"), etc.. no problems. in-network users? can't
    > authenticate their credentials.. get this after 3 failed attempts:
    >
    > HTTP Error 401.1 - Unauthorized: Access is denied due to invalid
    > credentials.
    > Internet Information Services (IIS)
    >
    > ...any ideas why?


    this was really wigging me out, especially since authentication works
    in Firefox. i found the solution.

    IE7 has a new, misnamed setting in Internet Options -> Advanced ->
    Security -> "Enable Integrated Windows Authentication", checked by
    default. this should really read, "Don't Roll-over from Kerberos to
    NTLM protocol on Failure", because that's exactly what it does -- if
    your server's Kerberos security protocol isn't working, leaving this
    checked will cause the process to halt. if you uncheck it, the browser
    will re-try the auth attempt using NTLM.

    more here:

    http://blog.super-networking.net/systems/internet-explorer-enable-integrated-windows-authentication/

    ...so unchecking that box will force NTLM authentication. meanwhile,
    you can try to figure out why your Kerberos isn't working :)


    sm
     
    SpaceMarine, Jul 3, 2008
    #4
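
To see which protocol a browser actually attempted in the situation post #4 describes, the token in a captured `Authorization` request header can be classified as Kerberos or NTLM. This is an added example, not code from the thread; the function name `classify_authorization` is hypothetical and both sample headers are constructed, not captured traffic.

```python
import base64
import struct

# DER-encoded OID values that identify each mechanism inside a SPNEGO token.
SPNEGO_OID = bytes.fromhex("2b0601050502")  # 1.3.6.1.5.5.2
KRB5_OIDS = (
    bytes.fromhex("2a864886f712010202"),  # 1.2.840.113554.1.2.2 (Kerberos V5)
    bytes.fromhex("2a864882f712010202"),  # 1.2.840.48018.1.2.2 (legacy Microsoft value)
)
NTLM_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_authorization(header_value):
    """Return (scheme, mechanism, detail) for an Authorization header value."""
    parts = header_value.strip().split(None, 1)
    scheme = parts[0] if parts else ""
    if scheme.lower() not in ("negotiate", "ntlm"):
        return (scheme, "other", "not an integrated-auth scheme")
    if len(parts) == 1:
        return (scheme, "none", "scheme named, no token sent")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return (scheme, "invalid", "token is not valid base64")
    # NTLM messages carry a fixed signature, whether sent raw or wrapped in SPNEGO.
    pos = blob.find(NTLM_SIG)
    if pos != -1 and len(blob) >= pos + 12:
        (msg_type,) = struct.unpack_from("<I", blob, pos + 8)
        wrapped = "inside SPNEGO" if pos else "raw"
        return (scheme, "NTLM", f"{NTLM_TYPES.get(msg_type, 'unknown')} message, {wrapped}")
    # A SPNEGO initial token starts with ASN.1 tag 0x60 and names its mechanisms by OID.
    if blob[:1] == b"\x60" and SPNEGO_OID in blob:
        if any(oid in blob for oid in KRB5_OIDS):
            return (scheme, "Kerberos", "SPNEGO token carrying a Kerberos mechanism")
        return (scheme, "SPNEGO", "no Kerberos or NTLM mechanism recognised")
    return (scheme, "unknown", "unrecognised token")


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

# Constructed samples: an NTLM type 1 message and a SPNEGO-shaped blob (not a valid ticket).
NTLM_SAMPLE = "Negotiate " + _b64(NTLM_SIG + struct.pack("<II", 1, 0x00088207))
KRB_SAMPLE = "Negotiate " + _b64(b"\x60\x1c\x06\x06" + SPNEGO_OID +
                                 b"\xa0\x12\x30\x10\x06\x09" + KRB5_OIDS[0] + b"\x00")

if __name__ == "__main__":
    for sample in (NTLM_SAMPLE, KRB_SAMPLE, "Negotiate"):
        print(classify_authorization(sample))
```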
