7

I have a website running on a Windows 2003 server on IIS 6, serving pages for a LAN where everybody is working with a domain account. On other machines this works fine: no one has to log in to the website, and the dynamic scripts pick up the account name from the HTTP request.

Only, when browsing from the server itself (via remote desktop, e.g.), Internet Explorer still pops up the domain-login-dialog when navigating to this site (both the usual URL and http://localhost/). This was no problem on the Windows 2000 server we recently migrated the website from.

Rory
Stijn Sanders
  • I had this exact problem a year or so ago. I never solved it (it just went away when my PC got upgraded), so I'll be interested to see what the solution is! – Mark Bell Feb 24 '10 at 16:24

3 Answers

2

I had this problem or similar and solved it by:

  • adding http://localhost to list of Intranet sites, via IE > Tools > options > security > Local intranet > Sites > advanced > add http://localhost. (This is necessary if you have IE Enhanced Security installed which assigns all intranet Web sites and all UNC paths that are not explicitly listed in the Local intranet zone to the Internet zone, even localhost or other domains that don't contain '.' symbol which would normally be considered intranet by default.)

  • also on Security > Local Intranet > see what level of security you're on, to ensure that logon details are passed through. If it's Custom then click the Custom Level... button, scroll right to the bottom, under User Authentication > logon > for me it's 'Automatic logon only in Intranet zone', which works.

Rory
  • I never got round to checking up on this, partly because this was not a catastrophic issue. If I check now, I can't seem to reproduce the issue any more. The website has moved onto Windows 2008 Server also. I'll accept this answer anyway since I now know about the User Authentication Custom settings. – Stijn Sanders Jun 08 '12 at 18:50
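The two settings from the answer above can be read back from the registry. This is an added example, not code from the answer; it assumes the standard Internet Settings registry layout, where site assignments made while IE Enhanced Security is enabled are stored under `EscDomains` rather than `Domains`, and `$SiteHost` is an assumed value.

```powershell
$SiteHost = 'localhost'   # assumption: the host name typed into the address bar
$settings = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$logonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    if (Test-Path $Path) { (Get-Item $Path).GetValue($Name) }
}

function Get-LogonPolicy([int]$Zone) {
    # Action 1A00 is the "User Authentication > Logon" setting; per-user first, then machine-wide.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $v = Get-RegValue "$hive\$settings\Zones\$Zone" '1A00'
        if ($v -ne $null) { return "$($logonModes[[int]$v]) (from $hive)" }
    }
    'not set'
}

$found = $false
foreach ($map in 'Domains', 'EscDomains') {
    foreach ($scheme in 'http', 'https', '*') {
        # The value name is the URL scheme; the DWORD data is the zone number.
        $zone = Get-RegValue "HKCU:\$settings\ZoneMap\$map\$SiteHost" $scheme
        if ($zone -eq $null) { continue }
        $found = $true
        "{0}://{1} [{2}] -> zone {3} ({4}); logon: {5}" -f `
            $scheme, $SiteHost, $map, $zone, $zoneNames[[int]$zone], (Get-LogonPolicy $zone)
    }
}
if (-not $found) {
    "$SiteHost has no explicit zone assignment for this user; Local intranet logon policy: $(Get-LogonPolicy 1)"
}
```

Run it as the user who gets the login prompt, since the zone map is read from that user's `HKCU` hive.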
1

Did you configure IE on your Windows 2003 box for "Enable Integrated Windows Authentication"? This needs to be configured in IE6 to automatically use the logged-in user credentials.

Gerald
  • I've installed the integrated authentication component, and have been looking on how to configure it. I've tried changing the settings on the Local Intranet zone, and adding http://localhost to the trusted sites, still I get the popup. – Stijn Sanders Feb 25 '10 at 06:54
0

You'll probably have better luck on ServerFault for this issue, as it's probably down to server configuration. Take a look at this KBAlertz.com article; yes, it's specific to SharePoint, but some bits are more general. I suspect (given that you've said you've migrated to a new machine) that the issue is around the new machine not being "trusted for delegation", so look at the part titled "Configure trust for delegation for Web parts":

Configure trust for delegation for Web parts

To configure the IIS server to be trusted for delegation, follow these steps:

  1. Start Active Directory Users and Computers.
  2. In the left pane, click Computers.
  3. In the right pane, right-click the name of the IIS server, and then click Properties.
  4. Click the General tab, click to select the Trust computer for delegation check box, and then click OK.
  5. Quit Active Directory Users and Computers.

If the application pool identity is configured to use a domain user account, the user account must be trusted for delegation before you can use Kerberos authentication. To configure the domain account to be trusted for delegation, follow these steps:

  1. On the domain controller, start Active Directory Users and Computers.
  2. In the left pane, click Users.
  3. In the right pane, right-click the name of the user account, and then click Properties.
  4. Click the Account tab, under Account Options, click to select the Account is trusted for delegation check box, and then click OK.
  5. Quit Active Directory Users and Computers.

If the application pool identity is a domain user account, you must configure an SPN for that account. To configure an SPN for the domain user account, follow these steps:

  1. Download and install the Setspn.exe command-line tool. To do so, visit the following Microsoft Web site: http://www.microsoft.com/downloads/details.aspx?FamilyID=5fd831fd-ab77-46a3-9cfe-ff01d29e5c46&DisplayLang=en
  2. Use the Setspn.exe tool to add an SPN for the domain account. To do so, type the following line at the command prompt, and then press ENTER, where ServerName is the fully qualified domain name (FQDN) of the server, Domain is the name of the domain, and UserName is the name of the domain user account:

    Setspn -A HTTP/ServerName Domain\UserName

Rob
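After following the steps quoted in the answer above, the result can be checked from any domain-joined machine. This is an added example, not part of the answer or the KB article; it covers the domain-user application pool case, and `$Spn` holds a hypothetical server name that must be replaced with the FQDN of the IIS server.

```powershell
# Added example. $Spn is a hypothetical value; use HTTP/<FQDN of the IIS server>.
$Spn = 'HTTP/websrv01.example.local'
$TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl bit set by the "trusted for delegation" check box

# Find every account in the current domain that has this SPN registered.
$searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
$searcher.PropertiesToLoad.AddRange([string[]]('samaccountname', 'useraccountcontrol'))
$owners = @($searcher.FindAll())

if ($owners.Count -eq 0) {
    "No account has $Spn registered explicitly."
}
foreach ($owner in $owners) {
    $name    = $owner.Properties['samaccountname'][0]
    $uac     = [int]$owner.Properties['useraccountcontrol'][0]
    $trusted = ($uac -band $TRUSTED_FOR_DELEGATION) -ne 0
    "{0}: holds {1}; trusted for delegation: {2}" -f $name, $Spn, $trusted
}
if ($owners.Count -gt 1) {
    # Kerberos must be able to resolve an SPN to exactly one account.
    "$Spn is registered on $($owners.Count) accounts; remove the extra registrations."
}
```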