Windows Security login window in IE8, IE9, FireFox, but not Chrome?


I swear I created a question about this a few weeks ago, but maybe I deleted it as I cannot locate it anywhere.

  • ASP.NET 4.0
  • IIS6
  • Windows Server 2003
  • Intranet site using Windows authentication
  • Three servers with same OS and IIS version, each hosting a dev, production, and disaster recovery (DR) version of the same website

Now consider this order of events:

  • User starts out with IE8 and whatever versions of FF and Chrome
  • User is only able to access DR site. Login prompt refuses to authenticate them with their Windows credentials for the other sites, so they cannot log in
  • They install fresh copy of Windows 7 and upgrade to IE9. Now they are able to access the dev and DR sites in IE9. They are able to access all three sites in Chrome.

I verified the following in internet settings:

  • Automatic logon with current user name and password
  • Enable Integrated Windows Authentication

I came upon this in MSKB: http://support.microsoft.com/kb/215383

The NTAuthenticationProviders metabase property is not defined, so IIS should be using Negotiate,NTLM by default.

Other details:

  • This began happening only a few weeks ago. User was able to access our site fine with IE8.
  • No other users are having this issue.

Does anyone know what could be causing his browser to not send the authentication information to the server? Here is a screenshot of the authentication window the user is seeing:

Additional details

Here's what shows in the security event viewer for this user. I blanked out sensitive information with ?.

Event Type:    Success Audit
Event Source:   Security
Event Category: Logon/Logoff 
Event ID:   538
Date:       7/14/2014
Time:       1:27:37 PM
User:       ?\?
Computer:   ?
Description:
User Logoff:
    User Name:  ?
    Domain:     ?
    Logon ID:       (0x0,0x3F99497F)
    Logon Type: 3

Event Type: Success Audit
Event Source:   Security
Event Category: Logon/Logoff 
Event ID:   540
Date:       7/14/2014
Time:       1:27:14 PM
User:       ?\?
Computer:   ?
Description:
Successful Network Logon:
    User Name:  ?
    Domain:     ?
    Logon ID:       (0x0,0x3F997233)
    Logon Type: 3
    Logon Process:  NtLmSsp 
    Authentication Package: NTLM
    Workstation Name:   ?
    Logon GUID: -
    Caller User Name:   -
    Caller Domain:  -
    Caller Logon ID:    -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: ?
    Source Port:    16220


oscilatingcretin

Posted 2014-07-11T17:35:39.607

Reputation: 4 093

Can you clarify your question a bit? You are saying that Chrome works for all three sites but the other browsers don't work specifically when accessing the production site? Is the user logging on to the machine as a domain user and definitely running the browser as that user? – James P – 2014-07-14T11:46:11.987

Also, what are the error messages? Do you have anything in the Event Viewer of server and client at the time? – harrymc – 2014-07-14T12:14:19.040

@harrymc I updated my question with details. – oscilatingcretin – 2014-07-15T11:52:41.660

"Login prompt refuses to authenticate them with their Windows credentials" - please give the exact error message. – harrymc – 2014-07-15T12:22:28.940

Try also to clear the CRL cache by running certutil -setreg chain\ChainCacheResyncFiletime @now at an Admin command prompt. Also, do you have a domain and do the 3 sites work with http or https? – harrymc – 2014-07-15T13:52:40.013

@harrymc Getting answer to error message (I don't think there is one). Site works with http, not https. As for clearing the CRL cache, it seems that this may require a restart of the Windows Server 2003 machine. Since we have a good number of critical apps on that server, I'd like to explore that as a last resort. Still, does that explain how the user is able to authenticate using Chrome? Why is it only IE8/9 and Firefox that are giving him issues? – oscilatingcretin – 2014-07-15T16:59:11.853

The cache should be cleared on the client. No idea if it's the solution, just trying out ideas, but their not working may also be informative. – harrymc – 2014-07-15T17:05:18.017

@oscilatingcretin: Have you checked that the time/date is correct on the PC the relevant user is using? Ideally it should be synced with the domain as Windows authentication can often break otherwise. – James P – 2014-07-16T08:23:46.753

@oscilatingcretin: Also, have you tried manually adding the sites to the Intranet Zone in IE just in case they are not recognised as such? – James P – 2014-07-16T09:01:49.470

Answers

Enabling automatic NTLM identification is done as follows.

Internet Explorer

  • From IE, Access Internet Settings via "IE -> Tools -> Internet Options", or via Control Panel -> Internet Options
  • Go to the Security tab
  • Click Sites
  • Click either Local Intranet or Trusted sites
  • Add your sites to the list
  • If required, uncheck "Require server verification (https:) for all sites in this zone"
  • Click Close
  • Click Custom level
  • Scroll right to the bottom under User Authentication / Logon and ensure that "Automatic logon with current user name and password" is checked.
  • Click OK

Google Chrome

Google Chrome actually uses the same settings that IE uses, that is the above Control Panel -> Internet Options settings, so nothing more to do.

Firefox

  • Open Firefox and type "about:config" in the address bar (without the quotes)
  • In the 'Filter' field type network.automatic-ntlm-auth.trusted-uris
  • Double-click the above and enter the URLs of sites or entire domains, separated by commas
  • If your sites do not use FQDNs (for example http://intranet instead of http://intranet.domain.com), also:
    • Set network.automatic-ntlm-auth.allow-non-fqdn to true
    • Set network.negotiate-auth.allow-non-fqdn to true

harrymc

Posted 2014-07-11T17:35:39.607

Reputation: 306 093
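Added example, not harrymc's or the poster's own code: the IE steps above applied through the registry for the current user, so the zone mapping and the "Automatic logon" setting can be pushed and then read back on the affected client (Chrome reads the same values, as the answer notes). The host names are placeholders; the ZoneMap layout and the 1A00 values are IE's documented registry layout, and the Group Policy check at the end is the caveat for the case where the per-user setting looks right but the prompt keeps coming back.

```powershell
# Added example (not from the original answer). Host names below are placeholders;
# replace them with the real dev, prod and DR hosts.
$base    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneMap = "$base\ZoneMap\Domains"
$zone1   = "$base\Zones\1"          # zone 1 = Local Intranet

function Add-IntranetSite {
    param([Parameter(Mandatory)][string]$HostName, [string]$Scheme = 'http')
    # IE keys the zone map as Domains\<registered domain>\<host prefix>;
    # a single-label name such as "intranet" is keyed directly under Domains.
    $labels = $HostName.Split('.')
    if ($labels.Count -le 1) {
        $key = Join-Path $zoneMap $HostName
    } else {
        $key = Join-Path $zoneMap ($labels[-2..-1] -join '.')
        if ($labels.Count -gt 2) {
            $key = Join-Path $key ($labels[0..($labels.Count - 3)] -join '.')
        }
    }
    New-Item -Path $key -Force | Out-Null
    # Value name is the scheme ("http", "https" or "*"); DWORD 1 = Local Intranet.
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-IntranetLogonMode {
    # 1A00 is the zone's "User Authentication / Logon" setting.
    $v = (Get-ItemProperty -Path $zone1 -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    switch ($v) {
        0       { 'automatic logon with current user name and password' }
        0x10000 { 'prompt for user name and password' }
        0x20000 { 'automatic logon only in Intranet zone' }
        0x30000 { 'anonymous logon' }
        default { "not set or unknown ($v)" }
    }
}

foreach ($site in 'intranet-dev', 'intranet', 'intranet-dr.corp.example.com') {
    Add-IntranetSite -HostName $site
}
Set-ItemProperty -Path $zone1 -Name '1A00' -Type DWord -Value 0
"Local Intranet logon mode: $(Get-IntranetLogonMode)"

# If Group Policy manages the zones, the per-user values above are ignored, so check
# for policy keys and for Security_HKLM_only=1 before trusting what IE's dialog shows.
foreach ($p in "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1",
               "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1") {
    if (Test-Path $p) { "Zone 1 is policy-managed at $p" }
}
$hklm = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ((Get-ItemProperty -Path $hklm -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue).Security_HKLM_only -eq 1) {
    'Security_HKLM_only=1: per-user zone settings are ignored'
}
```

Run it in the affected user's own session, since the values live under HKCU; a result other than "automatic logon with current user name and password" after the script, or any policy message, explains why the GUI steps alone did not stick.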

I've already ensured that the user is doing everything above in IE. Also, doesn't Authentication Package: NTLM in the server log text I posted above indicate that he's using NTLM? – oscilatingcretin – 2014-07-17T12:40:30.773

The server indicates a successful NTLM logon, but I understood the problem is the logon dialog on the client side, so the idea is to set it to use the credentials of the current user. If these credentials are unknown on the server, then the dialog will happen. Since Chrome is working, these credentials indeed seem correct. I wonder if with my above fixes Firefox will also start working. For IE I had in the comments the idea to clear out the credentials cache on the client, but more work may be required. What exactly happens when an access is unsuccessful? – harrymc – 2014-07-17T13:43:53.800

I advised the user to clear the CRL cache. Have had no response. When access is unsuccessful, the prompt just keeps reappearing with no error message at all. He doesn't even get a message saying anything like "login unsuccessful" or "invalid credentials". I'll try more stuff tomorrow. – oscilatingcretin – 2014-07-20T14:58:58.340