iis security: Hi - having just setup a new server, with SSL - and a new virtual
directory with a site sitting behind it (in .net) - I find when
accessing the site using IE, I am prompted with a popup box asking for
the username and password - if I use Firefox or Mozilla - I can freely
use the site.

Is there a setting either in IIS or IE which is known to cause this?

Thanks for any help,

Mark



*** Sent via Developersdex http://www.developersdex.com ***

Hi - I've noticed if I go into IE Options, Security, then Security
Settings for the Internet, and then under User Authentication/Logon, I
select Anonymouse Logon - IE no longer prompts me for username and
password.

Do I have to have this instruction on my front pgae, asking my users to
change their IE settings?

Is there any easier way of accomplishing this, without seemingly asking
users to change security settings?

Thanks, Mark



*** Sent via Developersdex http://www.developersdex.com ***

What you are asking about is a client-side behavior that cannot be dictated
by server-side configuration. So no, there is no easy way to do this without
it being a security hole in IE.

IE has decided that for access to the "Internet", it is not going to
broadcast the local user's name and password to the website unless it
requires authentication -- a fairly secure choice.

In general, in an Intranet scenario, you should have control of the clients
to make them treat your website as "intranet", which then enables automatic
logon and avoids the login prompt. In an Internet scenario, users have no
relation to each other (no guarantee that the remote user has an account to
login with on your server), so the IE behavior is desirable.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
[quoted text, click to view]
Hi - I've noticed if I go into IE Options, Security, then Security
Settings for the Internet, and then under User Authentication/Logon, I
select Anonymouse Logon - IE no longer prompts me for username and
password.

Do I have to have this instruction on my front pgae, asking my users to
change their IE settings?

Is there any easier way of accomplishing this, without seemingly asking
users to change security settings?

Thanks, Mark



*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!

Hi David - thank you.

So this is just a situation I have to put up with? I still can't
understand though, as the site is setup to allow anonymous access - so
surely the webserver is not prompting IE for anything? Every page the
user visits they are prompted for a username and password - this can't
be right.

I did read another post:
http://groups.google.com/groups?hl=en&lr=&threadm=OHMCfGdrDHA.3180%40TK2
MSFTNGP11.phx.gbl&rnum=3&prev=/groups%3Fhl%3Den%26q%3Diis%2Bie%2Banonymo
us%2Blogin%2Bprompt%2Bfor%2Busername%26spell%3D1 - which suggested that
IIS and the Windows SAM DB is out of sync...

Sorry if I seem a little confused - but I'm really struggling here,

Thanks, Mark




*** Sent via Developersdex http://www.developersdex.com ***

Setting up anonymous access in IIS simply means that IIS will attempt to
login the specified Anonymous User in IIS configuration to execute all
requests -- IIS will not negotiate authentication with the browser to obtain
the user context to execute the given request. In other words, view
authentication as using the browsing user's name/password, while anonymous
authentication is IIS using a hardcoded but configurable username/password.

Now, it could be possible that the specified Anonymous User in IIS
configuration is incorrect (i.e. the username/password is inconsistent with
the real username/password in the local SAM or AD), in which case when IIS
attempts to logon the Anonymous User for anonymous requests, it fails and
thus returns a 401.1 -- which will then cause the web browser to pop up the
login dialog. Realize that IIS is not negotiating authentication with the
browser -- it is simply returning a 401.1 because the anonymous credentials
are wrong -- so when the user gives username/password to the login dialog,
it is totally ignored by IIS, which then retries anonymous authentication,
still with incorrect username/password, returns 401.1 again... and the cycle
continues until the client gives up.

All this are simply server side configuration issues. I've honestly not had
an IIS server configured with anonymous authentication enabled require login
regardless of the browsers I've used -- so there is something funny with
your server configuration/setup.

Can you give the web log entries for those requests that trigger the login
dialog box. Make sure the browser caches are all cleared, and navigate to
two different web pages and show the web log entries for them all, along
with Authentication protocols enabled for the URLs in question and any
custom ISAPI/products on the server.

You can also try running AuthDiag to see what it detects.

http://www.microsoft.com/downloads/details.aspx?FamilyId=E90FE777-4A21-4066-BD22-B931F7572E9A&displaylang=en

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
[quoted text, click to view]
Hi David - thank you.

So this is just a situation I have to put up with? I still can't
understand though, as the site is setup to allow anonymous access - so
surely the webserver is not prompting IE for anything? Every page the
user visits they are prompted for a username and password - this can't
be right.

I did read another post:
http://groups.google.com/groups?hl=en&lr=&threadm=OHMCfGdrDHA.3180%40TK2
MSFTNGP11.phx.gbl&rnum=3&prev=/groups%3Fhl%3Den%26q%3Diis%2Bie%2Banonymo
us%2Blogin%2Bprompt%2Bfor%2Busername%26spell%3D1 - which suggested that
IIS and the Windows SAM DB is out of sync...

Sorry if I seem a little confused - but I'm really struggling here,

Thanks, Mark




*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!

Hi David - thank you again - having started looking at this right back
to basics (and having a good break) - the parent domain, which is behind
SSL - did have authentication set - this was propogating through. I've
allowed anonymous access to this too, and now have no problems.

Cheers, Mark



*** Sent via Developersdex http://www.developersdex.com ***