security works for VPN users, doesn't for local

SpaceMarine

sorry for the near-dupe post (also in .security), but i'm desperately
trying to find an answer to this...

i am attempting to configure security for an intranet web application
in ASP.NET 2. it uses Windows authentication, retrieving roles from
our Active Directory. nothing too unusual.

what is unusual: it works for users that are VPN'ing into our network
from the outside (using cisco vpn), but DOESN'T work for normal desktop
users in the office.

for both, the browser (IE) pops up the windows login dialog. afterward
VPN users get in and i can see their name, check their
User.IsInRole("foo"), etc. no problems. in-network users? can't
authenticate their credentials.. get this after 3 failed attempts:

HTTP Error 401.1 - Unauthorized: Access is denied due to invalid
credentials.
Internet Information Services (IIS)

...any ideas why?

Windows Server 2003, virtual directory under default website. in
"Directory Security" tab in IIS i have:

- unchecked "Enable anonymous access"

- checked "Integrated Windows authentication"

...my web.config of course uses the Windows authentication mode.



this is maddening! thanks for any help

sm
 
SpaceMarine

this was really wigging me out, especially since authentication works
in Firefox. i found the solution.

IE7 has a new, misnamed setting in Internet Options -> Advanced ->
Security -> "Enable Integrated Windows Authentication", checked by
default. this should really read, "Don't Roll-over from Kerberos to
NTLM protocol on Failure", because that's exactly what it does -- if
your server's Kerberos security protocol isn't working, leaving this
checked will cause the process to halt. if you uncheck it, the browser
will re-try the auth attempt using NTLM.

more here:

http://blog.super-networking.net/systems/internet-explorer-enable-integrated-windows-authentication/

...so unchecking that box will force NTLM authentication. meanwhile,
you can try to figure out why your Kerberos isn't working :)


sm
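
Added example, not part of the original posts: when tracking down why Kerberos fails for one group of clients, it helps to see which mechanism each browser actually sent, and this sketch classifies the token in a captured `Authorization` or `WWW-Authenticate` header as Kerberos or NTLM. The function name, the result labels and the sample tokens are assumptions made for illustration; the check is a byte-signature heuristic, not a full SPNEGO parser.

```python
import base64

NTLM_SIG = b"NTLMSSP\x00"                        # start of every NTLM message
KRB5_OID = bytes.fromhex("2a864886f712010202")   # Kerberos 5 OID 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def classify_auth_header(value):
    """Return (scheme, mechanism) for an Authorization or WWW-Authenticate value."""
    parts = value.strip().split(None, 1)
    if not parts:
        return (None, "empty")
    scheme = parts[0]
    if scheme.lower() not in ("negotiate", "ntlm"):
        return (scheme, "not-integrated-auth")
    if len(parts) == 1:
        return (scheme, "no-token")              # bare challenge from the server
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True)
    except ValueError:                           # binascii.Error is a ValueError
        return (scheme, "malformed-base64")
    if raw.startswith(NTLM_SIG):                 # raw NTLM, also seen under Negotiate
        msg_type = int.from_bytes(raw[8:12], "little")
        return (scheme, "ntlm-" + NTLM_TYPES.get(msg_type, "unknown"))
    if raw[:1] in (b"\x60", b"\xa1"):            # GSS-API / SPNEGO framing
        if NTLM_SIG in raw:
            return (scheme, "spnego-ntlm")       # NTLM carried inside SPNEGO
        if KRB5_OID in raw:
            return (scheme, "kerberos")
        return (scheme, "spnego-other")
    return (scheme, "unknown")

def b64(data):
    return base64.b64encode(data).decode("ascii")

# Constructed sample tokens (truncated, not valid tickets or hashes).
SAMPLE_NTLM_TYPE1 = b64(NTLM_SIG + (1).to_bytes(4, "little") + b"\x00" * 8)
SAMPLE_KERBEROS = b64(b"\x60\x82\x01\x00\x06\x06\x2b\x06\x01\x05\x05\x02"
                      + b"\x06\x09" + KRB5_OID + b"\x00" * 16)

if __name__ == "__main__":
    for header in ("Negotiate", "Negotiate " + SAMPLE_KERBEROS,
                   "Negotiate " + SAMPLE_NTLM_TYPE1, "NTLM " + SAMPLE_NTLM_TYPE1):
        print(header[:40], "->", classify_auth_header(header))
```

A client that sends a Kerberos token and then gets 401.1 without ever sending an NTLM token matches the no-fallback behaviour described in the post above.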
 
