security works for VPN users, doesn't for local


SpaceMarine

sorry for the near-dupe post (also in .security), but i'm desperately
trying to find an answer to this...

i am attempting to configure security for an intranet web application
in ASP.NET 2. it uses Windows authentication, retrieving roles from
our Active Directory. nothing too unusual.

what is unusual: it works for users that are VPN'ing into our network
from the outside (using cisco vpn), but DOESN'T work for normal desktop
users in the office.

for both, the browser (IE) pops up the windows login dialog. afterward
VPN users get in and i can see their name, check their
User.IsInRole("foo"), etc. no problems. in-network users? can't
authenticate their credentials... get this after 3 failed attempts:

HTTP Error 401.1 - Unauthorized: Access is denied due to invalid
credentials.
Internet Information Services (IIS)

...any ideas why?

Windows Server 2003, virtual directory under default website. in
"Directory Security" tab in IIS i have:

- unchecked "Enable anonymous access"

- checked "Integrated Windows authentication"

...my web.config of course uses the Windows authentication mode.



this is maddening! thanks for any help

sm
 
this was really wigging me out, especially since authentication works
in Firefox. i found the solution.

IE7 has a new, misnamed setting in Internet Options -> Advanced ->
Security -> "Enable Integrated Windows Authentication", checked by
default. this should really read, "Don't Roll-over from Kerberos to
NTLM protocol on Failure", because that's exactly what it does -- if
your server's Kerberos security protocol isn't working, leaving this
checked will cause the process to halt. if you uncheck it, the browser
will re-try the auth attempt using NTLM.

more here:

http://blog.super-networking.net/systems/internet-explorer-enable-integrated-windows-authentication/

...so unchecking that box will force NTLM authentication. meanwhile,
you can try to figure out why your Kerberos isn't working :)


sm
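
An added diagnostic, not part of the original posts: when chasing a 401.1 like the one in this thread, it helps to see which mechanism the browser actually offered in its `Authorization` header (taken from a proxy or network capture). The function name `classify_auth_header` and the sample headers are constructed for this example, and the check is a heuristic on the token's leading bytes and mechanism OIDs, not a full SPNEGO parser.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"                            # base64 starts "TlRMTVNTUA"
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2 (legacy)
NTLM_MSG = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_auth_header(value):
    """Return (scheme, mechanism, detail) for one Authorization header value."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return (scheme, "other", "not an integrated-auth scheme")
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return (scheme, "invalid", "token is not valid base64")
    # Heuristic: an NTLMSSP signature anywhere means the mechanism token is
    # NTLM, whether sent bare or wrapped in SPNEGO.
    pos = token.find(NTLMSSP)
    if pos != -1 and len(token) >= pos + 12:
        (msg_type,) = struct.unpack_from("<I", token, pos + 8)
        return (scheme, "NTLM", NTLM_MSG.get(msg_type, "unknown message type"))
    # A GSS-API token starts with ASN.1 tag 0x60 and names its mechanism OID.
    if token[:1] == b"\x60" and (KRB5_OID in token or MS_KRB5_OID in token):
        return (scheme, "Kerberos", "SPNEGO/GSS-API token with Kerberos OID")
    return (scheme, "unknown", "unrecognised token")


# Constructed sample headers (built here, not captured traffic).
SAMPLE_NTLM = "NTLM " + base64.b64encode(
    NTLMSSP + struct.pack("<II", 1, 0xA2088207)).decode()
SAMPLE_NEGO_NTLM = "Negotiate " + base64.b64encode(
    NTLMSSP + struct.pack("<I", 3) + b"\x00" * 52).decode()
SAMPLE_NEGO_KRB = "Negotiate " + base64.b64encode(
    b"\x60\x82\x05\x00\x06\x06\x2b\x06\x01\x05\x05\x02"
    b"\x06\x09" + KRB5_OID + b"\x00" * 16).decode()

if __name__ == "__main__":
    for header in (SAMPLE_NTLM, SAMPLE_NEGO_NTLM, SAMPLE_NEGO_KRB):
        print(classify_auth_header(header))
```

If failing office clients show a Kerberos token while working VPN clients show NTLM, the server-side Kerberos setup is the place to look.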
 