IE automatic logon does not work after XP SP2

After installation of Windows XP SP2, the following problem occurs for all
users that try to access company web sites that require authentication.

PROBLEM DESCRIPTION
Windows XP SP2 machines that receive settings from GPO and logon script, on
an external connection, cannot access web sites that are using automatic
authentication based on the AD account. The result is a 'Page cannot be
displayed' page for all affected sites, regardless of whether http or https
is used.

CAUSE
Windows NT Challenge/Reponse fails (or is not attempted) and Digest
Authentication is not attempted.

WORKAROUND
A temporary workaround is to remove these sites from the Local intranet
zone, after which automatic logon is not attempted (but Digest authentication
is used instead). Original settings will be restored by the logon script when
the users logs on again.

TECHNICAL DETAILS
For these particular web sites, the following authentication methods are
enabled on IIS and attempted in that order:

1. Windows Integrated - Kerberos (automatic logon): will not work on an
external connection because a KDC cannot be reached. If a machine is switched
from a local to an external connection, attempts to access the sites results
in System Event log Events 40960 and 40961, source LSASRV, category SPNEGO.
These errors don't occur when the machine is booted on an external
connection. These errors should not be a problem because the next
authentication method should be tried.

2. Windows Integrated - Windows NT Challenge/Response (automatic logon):
apparently fails (or is not attempted) but there are no Event log entries,
Firewall log entries or IIS log entries (in W3SVC) that indicate why. A
failure would generally result in a Failure Audit in the Security Event log
on the IIS server. Since such an event is not observed and neither any other
events that could be related, it is possible that this authentication method
is not attempted at all, suggesting a client side issue.

3. Digest Authentication (this means an authentication box pops up and the
user needs to enter credentials): this method is not attempted.

The IIS log on the web server just reports one GET when access to any of the
above sites is attempted, e.g.:
2004-11-29 10:24:18 [source IP address] () [destination IP address] 443 GET
/ - 401 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)

Reason why automatic logon is tried is that these sites are in the Local
intranet zone and zone specific settings tell IE to try automatic logon. This
is the same for the Trusted sites zone, so moving the sites to Trusted sites
will have the same result. Removing the sites from all zones or accessing the
sites at their IP address (in which case IE will treat the site the same as
not being in any zone), will force Digest authentication.

The problem seems to be related lsass.exe (service NT LM Security Support
Provider) or related services (e.g. Net logon service, NTLM authentication
protocol, possibly services running under svchost.exe). Changes in SP2 might
prevent some of these process from performing their task: some processes seem
to be prevented by Windows Firewall to listen on high range UDP ports, which
is not the result of unsollicited inbound connections and thus does not show
up in the Windows Firewall log. Somehow after Windows NT Challenge/Response
fails (or is not attempted), IE does not continue attempting Digest
Authentication. The problem might be in the area of changes to RPC, which
were introduced by SP2.

Note: this problem has suddenly disappeared. There have been major changes to
IIS security on the web servers involved. Between the first post and this
reply, all workstations and servers involved were updated (with all Critical
Updates), so possible an update contained a fix for this problem.

Henk

"Henk Thomassen" wrote:

After installation of Windows XP SP2, the following problem occurs for all
users that try to access company web sites that require authentication.

PROBLEM DESCRIPTION
Windows XP SP2 machines that receive settings from GPO and logon script, on
an external connection, cannot access web sites that are using automatic
authentication based on the AD account. The result is a 'Page cannot be
displayed' page for all affected sites, regardless of whether http or https
is used.

CAUSE
Windows NT Challenge/Reponse fails (or is not attempted) and Digest
Authentication is not attempted.

WORKAROUND
A temporary workaround is to remove these sites from the Local intranet
zone, after which automatic logon is not attempted (but Digest authentication
is used instead). Original settings will be restored by the logon script when
the users logs on again.

TECHNICAL DETAILS
For these particular web sites, the following authentication methods are
enabled on IIS and attempted in that order:

1. Windows Integrated - Kerberos (automatic logon): will not work on an
external connection because a KDC cannot be reached. If a machine is switched
from a local to an external connection, attempts to access the sites results
in System Event log Events 40960 and 40961, source LSASRV, category SPNEGO.
These errors don't occur when the machine is booted on an external
connection. These errors should not be a problem because the next
authentication method should be tried.

2. Windows Integrated - Windows NT Challenge/Response (automatic logon):
apparently fails (or is not attempted) but there are no Event log entries,
Firewall log entries or IIS log entries (in W3SVC) that indicate why. A
failure would generally result in a Failure Audit in the Security Event log
on the IIS server. Since such an event is not observed and neither any other
events that could be related, it is possible that this authentication method
is not attempted at all, suggesting a client side issue.

3. Digest Authentication (this means an authentication box pops up and the
user needs to enter credentials): this method is not attempted.

The IIS log on the web server just reports one GET when access to any of the
above sites is attempted, e.g.:
2004-11-29 10:24:18 [source IP address] () [destination IP address] 443 GET
/ - 401 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)

Reason why automatic logon is tried is that these sites are in the Local
intranet zone and zone specific settings tell IE to try automatic logon. This
is the same for the Trusted sites zone, so moving the sites to Trusted sites
will have the same result. Removing the sites from all zones or accessing the
sites at their IP address (in which case IE will treat the site the same as
not being in any zone), will force Digest authentication.

The problem seems to be related lsass.exe (service NT LM Security Support
Provider) or related services (e.g. Net logon service, NTLM authentication
protocol, possibly services running under svchost.exe). Changes in SP2 might
prevent some of these process from performing their task: some processes seem
to be prevented by Windows Firewall to listen on high range UDP ports, which
is not the result of unsollicited inbound connections and thus does not show
up in the Windows Firewall log. Somehow after Windows NT Challenge/Response
fails (or is not attempted), IE does not continue attempting Digest
Authentication. The problem might be in the area of changes to RPC, which
were introduced by SP2.