Hi all,

Why is IE7 unable to login to our IIS websites? We've employed the same
configuration on our web servers for seven years now and never experienced
such a severe incompatibility issue with a web browser.

Our IIS configuration is as follows:

- Version: IIS 5
- Platform: W2KAS SP4
- SSL: none installed
- Anonymous Access: enabled
- Basic Authentication: disabled
- Digest Authentication: disabled
- Integrated Windows Authentication: enabled

Very straightforward. We have chosen these settings for their cross-browser
compatibility whilst allowing web directory security via NTFS permissions.
Again, this has worked flawlessly for seven years.

Needless to say, our support phones are ringing off the hook with, "my
password isn't working." It's hard not to laugh when telling our customers
that Microsoft's latest web browser is incompatible with Microsoft's own web
servers. :-D

Any help is greatly appreciated.

So, is IE6 able to login against these same machines, while
simultaneously IE7 cannot?

And is this an Intranet or Internet scenario? Because that affects the
viability of Integrated Authentication.

In IE Options, there is a checkbox called "Enable Integrated Windows
Authentication" - if your Intranet uses Kerberos, make sure it is
checked. Otherwise, it will be using NTLM.



//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//


Dave wrote:
> Hi all,
>
> Why is IE7 unable to login to our IIS websites? We've employed the same
> configuration on our web servers for seven years now and never experienced
> such a severe incompatibility issue with a web browser.
>
> Our IIS configuration is as follows:
>
> - Version: IIS 5
> - Platform: W2KAS SP4
> - SSL: none installed
> - Anonymous Access: enabled
> - Basic Authentication: disabled
> - Digest Authentication: disabled
> - Integrated Windows Authentication: enabled
>
> Very straightforward. We have chosen these settings for their cross-browser
> compatibility whilst allowing web directory security via NTFS permissions.
> Again, this has worked flawlessly for seven years.
>
> Needless to say, our support phones are ringing off the hook with, "my
> password isn't working." It's hard not to laugh when telling our customers
> that Microsoft's latest web browser is incompatible with Microsoft's own web
> servers. :-D
>
> Any help is greatly appreciated.

> So, is IE6 able to login against these same machines, while
> simultaneously IE7 cannot?

Yes. In fact, every version of IE can login, except IE7.

> And is this an Intranet or Internet scenario? Because that affects the
> viability of Integrated Authentication.

It is an "Internet" scenario in that these pages are accessible from the
public Internet. We employ ADSI scripting to automatically assign Active
Directory logins to our customers. Those permissions control access to
various resources on our network.

> In IE Options, there is a checkbox called "Enable Integrated Windows
> Authentication" - if your Intranet uses Kerberos, make sure it is
> checked. Otherwise, it will be using NTLM.

Hmmm.... I will try this, just to see.

Thank you for your kind reply, David!


> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
> Dave wrote:
> > Hi all,
> >
> > Why is IE7 unable to login to our IIS websites? We've employed the same
> > configuration on our web servers for seven years now and never experienced
> > such a severe incompatibility issue with a web browser.
> >
> > Our IIS configuration is as follows:
> >
> > - Version: IIS 5
> > - Platform: W2KAS SP4
> > - SSL: none installed
> > - Anonymous Access: enabled
> > - Basic Authentication: disabled
> > - Digest Authentication: disabled
> > - Integrated Windows Authentication: enabled
> >
> > Very straightforward. We have chosen these settings for their cross-browser
> > compatibility whilst allowing web directory security via NTFS permissions.
> > Again, this has worked flawlessly for seven years.
> >
> > Needless to say, our support phones are ringing off the hook with, "my
> > password isn't working." It's hard not to laugh when telling our customers
> > that Microsoft's latest web browser is incompatible with Microsoft's own web
> > servers. :-D
> >
> > Any help is greatly appreciated.
>
>

Well, it appears that "Enable Windows Authentication" in IE7 has no effect.
That said, I have to backtrack <blush>. The aforementioned IIS settings were
captured from the wrong server. Our IIS configuration is:

- Version: IIS 5
- Platform: W2KAS SP4
- SSL: none installed
- Anonymous Access: enabled
- Basic Authentication: enabled
- Digest Authentication: enabled
- Integrated Windows Authentication: disabled

Again, these are supposed to be the most cross-browser compatible settings
for securing web pages via NTFS file and directory permissions.

In reviewing the Microsoft Knowledgebase, I discovered one anomaly in my
server settings: we have NOT enabled "Store password using reversible
encryption for all users in the domain." According to the MS KB, this is a
requirement of Digest Authentication, suggesting that our users have, for
seven years now, been downgraded to Basic Authentication. [Cripes.] This,
in itself, must be fixed, but to stay on topic, could this anomaly perhaps be
confusing IE7?

Thank you!

"David Wang" wrote:

> So, is IE6 able to login against these same machines, while
> simultaneously IE7 cannot?
>
> And is this an Intranet or Internet scenario? Because that affects the
> viability of Integrated Authentication.
>
> In IE Options, there is a checkbox called "Enable Integrated Windows
> Authentication" - if your Intranet uses Kerberos, make sure it is
> checked. Otherwise, it will be using NTLM.
>
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
> Dave wrote:
> > Hi all,
> >
> > Why is IE7 unable to login to our IIS websites? We've employed the same
> > configuration on our web servers for seven years now and never experienced
> > such a severe incompatibility issue with a web browser.
> >
> > Our IIS configuration is as follows:
> >
> > - Version: IIS 5
> > - Platform: W2KAS SP4
> > - SSL: none installed
> > - Anonymous Access: enabled
> > - Basic Authentication: disabled
> > - Digest Authentication: disabled
> > - Integrated Windows Authentication: enabled
> >
> > Very straightforward. We have chosen these settings for their cross-browser
> > compatibility whilst allowing web directory security via NTFS permissions.
> > Again, this has worked flawlessly for seven years.
> >
> > Needless to say, our support phones are ringing off the hook with, "my
> > password isn't working." It's hard not to laugh when telling our customers
> > that Microsoft's latest web browser is incompatible with Microsoft's own web
> > servers. :-D
> >
> > Any help is greatly appreciated.
>
>

Hi Dave,

we had a similar problem here.
We use Win CE 5.0 WebServers with BASIC and NTLM Authentication enabled.
All browsers in the past 'decided' to use BASIC Authentication. IE7 now
'decides' to use NTLM instead. Why NTLM now fails with a Microsoft
Server having it enabled - i don't know - and don't want to :-)
We have disabled NTLM at our servers now and everything works again like
before...
If the returned data from the server contains "WWW-Authenticate: NTLM"
the new IE7 uses NTLM for Authentication.

//joL





*** Sent via Developersdex http://www.developersdex.com ***

This is a multi-part message in MIME format.

------=_NextPart_000_0013_01C746CB.0FA5D4A0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Don't read this since you don't want to know, but others can read it. =
:-)

That's been the norm for quite awhile, including IE 6. If NTLM is =
available, NTLM is used and Basic is never used, even if NTLM fails.

http://support.microsoft.com/kb/264921/en-us - in the "Orders of =
precedence" sections:

"If both Basic and Windows Integrated are supported, the browser =
determines which method is used. If the browser supports Kerberos or =
Windows NT Challenge/Response, it uses this method. It does not fall =
back to Basic. If Windows NT Challenge/Response and Kerberos are not =
supported, the browser uses Basic, Digest, or Fortezza if it supports =
these. The order of precedence here is Basic, Digest, and then =
Fortezza."

Ray

<joL> wrote in message news:uY7xjbuRHHA.3412 [at] TK2MSFTNGP02.phx.gbl...
>
> Hi Dave,
>
> we had a similar problem here.
> We use Win CE 5.0 WebServers with BASIC and NTLM Authentication =
enabled.
> All browsers in the past 'decided' to use BASIC Authentication. IE7 =
now
> 'decides' to use NTLM instead. Why NTLM now fails with a Microsoft
> Server having it enabled - i don't know - and don't want to :-)
> We have disabled NTLM at our servers now and everything works again =
like
> before...
> If the returned data from the server contains "WWW-Authenticate: NTLM"
> the new IE7 uses NTLM for Authentication.
>
> //joL
>
>
>
>
>
> *** Sent via Developersdex http://www.developersdex.com ***
------=_NextPart_000_0013_01C746CB.0FA5D4A0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.5730.11" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY>
<DIV><FONT face=3DArial size=3D2>Don't read this since you don't want to =
know, but
others can read it. :-)</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>That's been the norm for quite awhile, =
including IE
6. If NTLM is available, NTLM is used and Basic is never used, even if =
NTLM
fails.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><A href=3D"http://support.microsoft.com/kb/264921/en-us"><FONT =
face=3DArial
size=3D2>http://support.microsoft.com/kb/264921/en-us</FONT></A><FONT =
face=3DArial
size=3D2> - in the "Orders of precedence" sections:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>"If both Basic and Windows Integrated =
are
supported, the browser determines which method is used. <STRONG>If the =
browser
supports Kerberos or Windows NT Challenge/Response, it uses this method. =
It does
not fall back to Basic.</STRONG> If Windows NT Challenge/Response and =
Kerberos
are not supported, the browser uses Basic, Digest, or Fortezza if it =
supports
these. The order of precedence here is Basic, Digest, and then
Fortezza."</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Ray</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2><joL> wrote in message </FONT><A
href=3D"news:uY7xjbuRHHA.3412 [at] TK2MSFTNGP02.phx.gbl"><FONT face=3DArial
size=3D2>news:uY7xjbuRHHA.3412 [at] TK2MSFTNGP02.phx.gbl</FONT></A><FONT =
face=3DArial
size=3D2>...</FONT></DIV><FONT face=3DArial size=3D2>> <BR>> Hi =
Dave,<BR>>
<BR>> we had a similar problem here.<BR>> We use Win CE 5.0 =
WebServers
with BASIC and NTLM Authentication enabled.<BR>> All browsers in the =
past
'decided' to use BASIC Authentication. IE7 now<BR>> 'decides' to use =
NTLM
instead. Why NTLM now fails with a Microsoft<BR>> Server having it =
enabled -
i don't know - and don't want to :-)<BR>> We have disabled NTLM at =
our
servers now and everything works again like<BR>> before...<BR>> If =
the
returned data from the server contains "WWW-Authenticate: NTLM"<BR>> =
the new
IE7 uses NTLM for Authentication.<BR>> <BR>> //joL<BR>> =
<BR>>
<BR>> <BR>> <BR>> <BR>> *** Sent via Developersdex </FONT><A =

href=3D"http://www.developersdex.com"><FONT face=3DArial
size=3D2>http://www.developersdex.com</FONT></A><FONT face=3DArial =
size=3D2>
***</FONT></BODY></HTML>

------=_NextPart_000_0013_01C746CB.0FA5D4A0--

I've been searching for an answer to a similar situation. My server configuration is:

Basic Auth - enabled
Digest Auth - checked but greyed out?!
Integrated Windows Auth - disabled

All of this is SSL required.

I'll keep poking around and report back if I find anything, but thankfully our IT dept. has requested nobody update to IE7 for separate reasons. This will not be permanent though so I need to find a solution before everyone starts upgrading.


EggHeadCafe.com - .NET Developer Portal of Choice
http://www.eggheadcafe.com

Any results for what?
An answer for what similar situation?


<Steve Elsner> wrote in message news:200728135256steve.elsner [at] scala.com...
| I've been searching for an answer to a similar situation. My server
configuration is:
|
| Basic Auth - enabled
| Digest Auth - checked but greyed out?!
| Integrated Windows Auth - disabled
|
| All of this is SSL required.
|
| I'll keep poking around and report back if I find anything, but thankfully
our IT dept. has requested nobody update to IE7 for separate reasons. This
will not be permanent though so I need to find a solution before everyone
starts upgrading.
|
|
| EggHeadCafe.com - .NET Developer Portal of Choice
| http://www.eggheadcafe.com