If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#1
|
|||
|
|||
IE automatic logon does not work after XP SP2
After installation of Windows XP SP2, the following problem occurs for all
users that try to access company web sites that require authentication. PROBLEM DESCRIPTION Windows XP SP2 machines that receive settings from GPO and logon script, on an external connection, cannot access web sites that are using automatic authentication based on the AD account. The result is a 'Page cannot be displayed' page for all affected sites, regardless of whether http or https is used. CAUSE Windows NT Challenge/Reponse fails (or is not attempted) and Digest Authentication is not attempted. WORKAROUND A temporary workaround is to remove these sites from the Local intranet zone, after which automatic logon is not attempted (but Digest authentication is used instead). Original settings will be restored by the logon script when the users logs on again. TECHNICAL DETAILS For these particular web sites, the following authentication methods are enabled on IIS and attempted in that order: 1. Windows Integrated - Kerberos (automatic logon): will not work on an external connection because a KDC cannot be reached. If a machine is switched from a local to an external connection, attempts to access the sites results in System Event log Events 40960 and 40961, source LSASRV, category SPNEGO. These errors don't occur when the machine is booted on an external connection. These errors should not be a problem because the next authentication method should be tried. 2. Windows Integrated - Windows NT Challenge/Response (automatic logon): apparently fails (or is not attempted) but there are no Event log entries, Firewall log entries or IIS log entries (in W3SVC) that indicate why. A failure would generally result in a Failure Audit in the Security Event log on the IIS server. Since such an event is not observed and neither any other events that could be related, it is possible that this authentication method is not attempted at all, suggesting a client side issue. 3. Digest Authentication (this means an authentication box pops up and the user needs to enter credentials): this method is not attempted. The IIS log on the web server just reports one GET when access to any of the above sites is attempted, e.g.: 2004-11-29 10:24:18 [source IP address] () [destination IP address] 443 GET / - 401 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) Reason why automatic logon is tried is that these sites are in the Local intranet zone and zone specific settings tell IE to try automatic logon. This is the same for the Trusted sites zone, so moving the sites to Trusted sites will have the same result. Removing the sites from all zones or accessing the sites at their IP address (in which case IE will treat the site the same as not being in any zone), will force Digest authentication. The problem seems to be related lsass.exe (service NT LM Security Support Provider) or related services (e.g. Net logon service, NTLM authentication protocol, possibly services running under svchost.exe). Changes in SP2 might prevent some of these process from performing their task: some processes seem to be prevented by Windows Firewall to listen on high range UDP ports, which is not the result of unsollicited inbound connections and thus does not show up in the Windows Firewall log. Somehow after Windows NT Challenge/Response fails (or is not attempted), IE does not continue attempting Digest Authentication. The problem might be in the area of changes to RPC, which were introduced by SP2. |
Ads |
#2
|
|||
|
|||
IE automatic logon does not work after XP SP2
Note: this problem has suddenly disappeared. There have been major changes to
IIS security on the web servers involved. Between the first post and this reply, all workstations and servers involved were updated (with all Critical Updates), so possible an update contained a fix for this problem. Henk "Henk Thomassen" wrote: After installation of Windows XP SP2, the following problem occurs for all users that try to access company web sites that require authentication. PROBLEM DESCRIPTION Windows XP SP2 machines that receive settings from GPO and logon script, on an external connection, cannot access web sites that are using automatic authentication based on the AD account. The result is a 'Page cannot be displayed' page for all affected sites, regardless of whether http or https is used. CAUSE Windows NT Challenge/Reponse fails (or is not attempted) and Digest Authentication is not attempted. WORKAROUND A temporary workaround is to remove these sites from the Local intranet zone, after which automatic logon is not attempted (but Digest authentication is used instead). Original settings will be restored by the logon script when the users logs on again. TECHNICAL DETAILS For these particular web sites, the following authentication methods are enabled on IIS and attempted in that order: 1. Windows Integrated - Kerberos (automatic logon): will not work on an external connection because a KDC cannot be reached. If a machine is switched from a local to an external connection, attempts to access the sites results in System Event log Events 40960 and 40961, source LSASRV, category SPNEGO. These errors don't occur when the machine is booted on an external connection. These errors should not be a problem because the next authentication method should be tried. 2. Windows Integrated - Windows NT Challenge/Response (automatic logon): apparently fails (or is not attempted) but there are no Event log entries, Firewall log entries or IIS log entries (in W3SVC) that indicate why. A failure would generally result in a Failure Audit in the Security Event log on the IIS server. Since such an event is not observed and neither any other events that could be related, it is possible that this authentication method is not attempted at all, suggesting a client side issue. 3. Digest Authentication (this means an authentication box pops up and the user needs to enter credentials): this method is not attempted. The IIS log on the web server just reports one GET when access to any of the above sites is attempted, e.g.: 2004-11-29 10:24:18 [source IP address] () [destination IP address] 443 GET / - 401 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) Reason why automatic logon is tried is that these sites are in the Local intranet zone and zone specific settings tell IE to try automatic logon. This is the same for the Trusted sites zone, so moving the sites to Trusted sites will have the same result. Removing the sites from all zones or accessing the sites at their IP address (in which case IE will treat the site the same as not being in any zone), will force Digest authentication. The problem seems to be related lsass.exe (service NT LM Security Support Provider) or related services (e.g. Net logon service, NTLM authentication protocol, possibly services running under svchost.exe). Changes in SP2 might prevent some of these process from performing their task: some processes seem to be prevented by Windows Firewall to listen on high range UDP ports, which is not the result of unsollicited inbound connections and thus does not show up in the Windows Firewall log. Somehow after Windows NT Challenge/Response fails (or is not attempted), IE does not continue attempting Digest Authentication. The problem might be in the area of changes to RPC, which were introduced by SP2. |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Tip: When SP2 is *not* an available Automatic Update | Knack | Windows XP Help and Support | 0 | December 6th 04 07:33 PM |
SP2 - add network places logon problem | AndrewB | Windows Service Pack 2 | 1 | October 1st 04 01:23 PM |
XP sp2 network bridge DHCP does not work | Harri Pesonen | Windows Service Pack 2 | 1 | September 10th 04 10:42 AM |