Windows Auth Problem

John

I have an intranet site that uses Windows Authentication. It is open to all
domain users. When I attempt to hit the site it asks me for my credentials.
I give it the same domain user name and password I used to log into Windows
and it lets me in. It is my understanding that if I am already logged in to
Windows with proper credentials it should not ask me for them again, but it
does.

IIS is configured to not allow anonymous access and only use Integrated
Windows Authentication.

My web.config contains the following:
<authentication mode="Windows"/>
<allow users="*" />
<identity impersonate="true" />

I don't think I should need those last two. But it doesn't work either way.
All I really need is to be able to identify the user so I may display
user-specific data. I'd like to do this without having them log in if they
are already logged in as a domain user. What setting am I missing?

Thanks,

John
 
Walter Wang [MSFT]

Hi John,

If you're using IE and IE's security setting is set correctly (IE Options:
Advanced/Security: (check) Enable Integrated Windows Authentication), this
should work out-of-box.

I've just tested it on my side using a simple web application:

web.config:

<system.web>
  <authentication mode="Windows">
  </authentication>
  <authorization>
    <allow users="*"/>
  </authorization>
  <identity impersonate="true"/>
</system.web>



Default.aspx.cs:

protected void Page_Load(object sender, EventArgs e)
{
    Response.Write(Request.LogonUserIdentity.Name);
}


It should print out the current user's logon name when viewed in IE.

If your settings are correct, would you please create a simple web site
like above and test it? Thanks.

References:

#Integrated Windows Authentication - Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Integrated_Windows_Authentication

#Integrated Windows Authentication (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx
* Integrated Windows authentication is supported by only Internet Explorer 2 and later.
* Integrated Windows authentication does not work over HTTP proxy connections.



Sincerely,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.
If you are using Outlook Express, please make sure you clear the
check box "Tools/Options/Read: Get 300 headers at a time" to see your reply
promptly.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
 
John

Hi Walter,

Thank you for the reply. I had already tested a very simple page using
User.Identity.Name. I changed it to do exactly as you've indicated and I get
the same behavior. IE is also set as indicated. I also get the same
behavior with Firefox. I've tried this on three different machines--one XP
and two Server 2003--browsing locally (localhost) as well as remotely and
get the same result.

Here's a funny twist: I just tested this code on a Virtual PC session that
is not on the domain; it's in a workgroup. It worked as expected and
properly recognized me and displayed my local machine username. So I'm
wondering if there's some Active Directory setting that is incorrect. Is
that possible?

John
 
Walter Wang [MSFT]

Hi John,

It might not be related to Active Directory settings since you mentioned
that after you input user/password the login is successful.

Another place to check is IE options, Security tab:

When you click on the "Custom Level" button, you will see the "User
Authentication" part in the Security Settings dialog: it displays the following
options:

* Anonymous logon
* Automatic logon only in Intranet zone
* Automatic logon with current user name and password
* Prompt for user name and password

The default setting should be the second one, "Automatic logon only in Intranet
zone". Is it possible that your intranet site isn't recognized as "Local
intranet"? You can select the "Local intranet" zone and click on the button
"Sites" to view/change the settings.

Let me know your findings.


Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
 
John

Hi Walter,

Sorry I took so long to respond. I've been away for a while. Anyway, I
followed your suggestions and got it to work with IE. But something about
this is not right. My IE was already set for "Automatic logon only in
Intranet zone" (the default). But to get it to work on a development server
I had to add http://devserver as a local intranet site. To get it to work
with my web server on my local box I had to add http://localhost as a local
intranet site. That shouldn't be, should it? So it seems Local Intranet
doesn't recognize anything on its own--it only looks in the list I provide.
I would think that if the domain controller/DNS server knows how to find
"devserver" on our local network then it should report that back to IE as
being local intranet. And at the least, it should know that "localhost" is
local... No?

Our network admin is looking into a way to push specific sites to the local
intranet list through an IE policy, although that seems like a kludge. That
also doesn't help the Firefox users. But who cares about them anyway,
right? ;)

If you have any further advice on this please let me know. Thanks.

John
 
John

One more thing. I noticed there's an "Include all local (intranet) sites
not listed in other zones" checkbox. If I check this it works without
adding sites to the list. But I'm not sure what this is really doing. Is
this a safe setting or is it simply allowing every site that is not listed
somewhere else? Since it's not on by default I assume it is not a
recommended setting. And since it wasn't checked by default, either way
we'll need some kind of policy change to get all users' workstations
working. I just want to make sure we're making the right (and safe) policy
changes. Thanks again.
John
 
Walter Wang [MSFT]

Hi John,

Do you mean that the site is not recognized by intranet sites even if the
option "Automatically detect intranet network" is checked? It's my
understanding that this is the default setting and this is the option that
makes your local websites and localhost be recognized as intranet sites.


Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support
 
John

Walter,

That setting is only available in IE7. I, and most of us, are using IE6.
But even in IE7, that setting does not help. The only ways we've found to
make it work are to add the server to the list or select the "Include all local
sites" checkbox.

John
 
Walter Wang [MSFT]

John,

Here are some rules about how IE determines whether a URL belongs to the
intranet zone or not:

1) By the presence of or lack of dots (periods) in the domain name:

http://DOMAINNAME -> Intranet Zone
http://DOMAINNAME.COM -> Internet Zone
http://192.168.1.15 -> Internet Zone

2) Besides above rule, IE also uses proxy settings (bypass list, proxy.pac,
etc), whatever goes to the proxy will be in the internet zone. Whatever
doesn't hit the proxy (host in bypass list, "return DIRECT" in proxy.pac)
will be in intranet.

3) For IE6, IE also provides the following configuration box for the
intranet zone (Internet Options -> Security -> Local Intranet -> Sites) :

* Include all local (intranet) sites not listed in other zones
* Include all sites that bypass the proxy server
* Include all network paths (UNCs)

These three options are checked by default in IE6; in IE7, the
"Automatically detect intranet network" is checked by default.

Therefore, I think the option you mentioned is required to make it work
correctly. Would you please tell me why the option needs to be unselected on
your side?


Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support
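
The zone rules listed in this reply, combined with the "Automatic logon only in Intranet zone" setting from earlier in the thread, can be modelled as below. This is an added example, not part of the original post and not IE's actual logic; the function names and the option names (`intranetSites`, `proxyBypass`, `includeLocalSites`, `includeProxyBypass`) are hypothetical.

```javascript
// Simplified model of the zone rules described in this thread (not IE's code).
// Option names are hypothetical labels for the IE6 "Sites" dialog settings.
const DEFAULTS = {
  intranetSites: [],        // entries added under Local intranet -> Sites
  proxyBypass: [],          // hosts that do not go through the proxy
  includeLocalSites: true,  // "Include all local (intranet) sites not listed in other zones"
  includeProxyBypass: true, // "Include all sites that bypass the proxy server"
};

function classifyZone(url, options = {}) {
  const o = { ...DEFAULTS, ...options };
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  const origin = `${u.protocol}//${host}`;

  // An explicit entry in the Local intranet site list always wins.
  if (o.intranetSites.some((s) => s.toLowerCase() === origin)) return "Intranet";
  // Rule 1: a host name without dots counts as intranet, but only while the
  // "include all local sites" checkbox is on. Dotted names and IPs do not.
  if (o.includeLocalSites && !host.includes(".")) return "Intranet";
  // Rule 2: hosts that bypass the proxy are treated as intranet.
  if (o.includeProxyBypass && o.proxyBypass.includes(host)) return "Intranet";
  return "Internet";
}

// "Automatic logon only in Intranet zone": the Windows logon is sent silently
// only for the Intranet zone; everywhere else the browser prompts.
function logonBehavior(url, options) {
  return classifyZone(url, options) === "Intranet" ? "automatic" : "prompt";
}

// Constructed sample inputs built from the host names mentioned in the thread.
const samples = [
  ["http://labweb", {}],
  ["http://labweb", { includeLocalSites: false }],
  ["http://localhost", { includeLocalSites: false, intranetSites: ["http://localhost"] }],
  ["http://192.168.1.15", {}],
  ["http://DOMAINNAME.COM", {}],
];
for (const [url, opts] of samples) {
  console.log(url, JSON.stringify(opts), "->", logonBehavior(url, opts));
}
```

With the checkbox modelled as off, the dotless names fall through to the Internet zone and the browser prompts, which matches the behaviour John reports for "labweb" and "localhost".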
 
John

Walter,

Thank you for the thorough explanation. That's good info to know. I was
mistaken about the new IE7 option. The site works as expected when that
checkbox is selected. And since that is the default, we will be ok with
that. But IE6 remains a problem. IE6's default configuration does
not have the "Include all local (intranet) sites not listed in other zones"
option selected. We either need this, or we need to add the site to the
list. That's the only way we can hit the site without it asking for a
logon. Regarding the number of dots, our development server is named
"labweb" (no dots). We develop locally using "localhost" (no dots). Yet
neither of these work unless we turn on the above option or add these to the
intranet site list. I would think that http://localhost is always
considered an intranet site, but evidently it is not. I still think we're
doing something wrong, I just don't know what. BTW, we have no proxy
servers.

Thanks,

John
 
Walter Wang [MSFT]

Hi John,

It's my understanding that on Windows XP SP2 and Windows Server 2003 with
IE6, those settings are checked by default. Anyway, you could use group
policy in your domain to enforce that these settings are checked:

#How to set advanced settings in Internet Explorer by using Group Policy Objects
http://support.microsoft.com/kb/274846


Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support
 
