Solved: SOLUTION

Littler-Er · ‎02-15-2011

Hi Folks,

Thanks in advance for any assistance/ideas you can offer. I get this prompt randomly whenever the Vault Cache tries to synchronize. Sometimes, it can be suppressed only by using the DOMAIN\username format to login, but often will return. I have unsuccessfully been working with Support. They haven't been very available, or dedicated and I have been hung up on several times while waiting in the queue.. (another topic)

Environment - Server 2008 R2 Datacenter w/ IIS 7.5

Things we have eliminated, so please don't re-post on these as they have been thoroughly vetted.

Intranet Trusted Zone server additions. - We turned proxy off completely, tried with, without, manual, group policy - none worked, not the cause.
IIS Directory Security - Verified Computer$ account has full access to the proper directories. Validated everyone has read&execute permissions.
IIS Authentication methods - ASP .NET Impersonation, Basic, and Windows authentication on the EnterpriseVault virtual directory are enabled.
UAC has been disabled on both sides, that didn't yeild success either.

My theory - It's something with IIS7 that I don't know, or it's a hidden Desktop Policy setting. This might be given in the client log -
11/02/2011 03:02:09.708[7276]: Desktop Setting: VCUSERCREDPROMPT
11/02/2011 03:02:09.709[7276]: Value: Enterprise Vault needs your account details in order to update your Vault Cache.
11/02/2011 03:02:09.711[7276]: ~DesktopCommonConfig::GetSetting: 0x0
11/02/2011 03:02:09.712[7276]: VCUSERCREDPROMPT = Enterprise Vault needs your account details in order to update your Vault Cache. [Desktop Setting]

Me, nor the 4 engineers I've worked with, nor my teammates, nor our implementation consultant can figure this out. If you can solve this, I would be forever grateful! Thanks

My Symantec Case# 413-776-115

Attached:
Prompt Image
Client Trace

Littler-Er · ‎03-24-2011

Solution was to disable Basic Authentication in IIS.

Sorry for delayed response.

This cost us ~$1500 in Microsoft Premier Support to fix, but the problem was IIS configuration. Basic Authentication ALWAYS prompts for password. This was how my 2003 Server was configured, but when moving to IIS7 on 2008 R2 Server, it changes the priority of the login methods used by the App. I made the switch, and that made the prompt use Integrated Windows Authentication (IWA) from then on.

It WAS NOT Proxy as all of our systems registered with company.com dont' go through the proxy.

Recap:

Turn off Basic Authentication
IWA Should be enabled

View solution in original post

JesusWept3 · ‎02-15-2011

OK so if its rejecting the request it could be for a couple of things

1. Check that DisableLoopBackCheck and DisableStrictNameChecking are set correctly on your server
2. Ensure that whatever server or alias is prompting for the username and password is set correctly in your trusted sites list
3. When it prompts you, have a look at the URL that is requesting it, and make sure that you can get to other pages
4. Look at the IIS logs and match up your request and what is shown in the logs, there could be a specific sub-error code that may shed some light on it
5. Have a look with procmon and see if you are getting any Access Denieds against anything in the \Enterprise Vault installation folder
6. Ensure that proper rights are given to everyone in the EV Folder, when EV connects to the server it will use impersonation, if you do not have the rights as a user to execute a file, then you will get the access denied, or the prompt for the username and password
7. You could use something such as WFETCH or Fiddler to have a look and see what error responses are given straight from IIS itself.

My first and best guess though would be to clear out cached passwords from the user management section in the users control panel, see if your EV Server is listed, if it is, delete the password management for it and try again

https://www.linkedin.com/in/alex-allen-turl-07370146

Jose_Luis_Per1 · ‎03-03-2011

Hi,

Were you able to fix this? I´m having the same problem. I have an opened case with support waiting for response.

If we get this running I´ll post here my comment with the solution in my case.

JesusWept3 · ‎03-03-2011

Did you check the stuff i posted above?

https://www.linkedin.com/in/alex-allen-turl-07370146

Jose_Luis_Per1 · ‎03-03-2011

Yes. Still the same.

I checked for IIS logs and found this when asking for user and password. Don´t know if this is an expected behavior:

2011-03-03 17:54:59 180.176.141.80 GET /EnterpriseVault/DownloadContent.aspx JobId=1526331113704854BABDEDC6B16DF46481p10000EVARCH1.ALTECMEXICO.MX.BSCH 443 - 180.176.102.48 EnterpriseVaultOutlookExt-V9.0.1.1073 401 2 5 0

JesusWept3 · ‎03-03-2011

OK so the question is, when you enter the username and password, does it work ad the vault cache syncs succesfully or does it continue to prompt for usernames and passwords? and have you checked the managed passwords in the user account control?

If it doesn't accept the password, can you check the NTFS permissions on C:\Program Files\Enterprise Vault\WebApp\DownloadContent.aspx and make sure that authenticated users or users have at least Read/Write/Execute to the file?

https://www.linkedin.com/in/alex-allen-turl-07370146

Jose_Luis_Per1 · ‎03-03-2011

When I enter the username and password, it continue to prompt for usernames and passwords untill I kill the Outlook process. I checked the managed passwords in the user account control and the EV server is not there.

On the other hand, I added the Write Permission to Authenticated users on C:\Program Files\Enterprise Vault\WebApp\DownloadContent.aspx and the Webapp folder itself with the same result.

NOW... IT SEEMS ITS ALL ABOUT PROXY SETTINGS. Proxy settinngs including exclusions are set via scrpts through a .PAC file excluding *.domain addresses. I cleared proxy setting on IE and after reseting Vault Cache it works as expected but the issue comes up again as soon as I reconfigure the proxy.

There´s a thread in which someone had the same problem when using scripts to configure proxy but I don´t know if changing the PAC file will help. What are your thoughts?

Here´s the tread´s URL (watch the last post):

https://www-secure.symantec.com/connect/forums/unable-synchronize-vault-cache-using-automatic-config...

Thanks a lot, I really appreciate your help.

JesusWept3 · ‎03-03-2011

my help?! lol you did all the troubleshooting, good job!! :)
I remember the PAC file issue, i thought this may have been addressed formally by symc, will see what i can find

https://www.linkedin.com/in/alex-allen-turl-07370146

Littler-Er · ‎03-24-2011

Solution was to disable Basic Authentication in IIS.

Sorry for delayed response.

This cost us ~$1500 in Microsoft Premier Support to fix, but the problem was IIS configuration. Basic Authentication ALWAYS prompts for password. This was how my 2003 Server was configured, but when moving to IIS7 on 2008 R2 Server, it changes the priority of the login methods used by the App. I made the switch, and that made the prompt use Integrated Windows Authentication (IWA) from then on.

It WAS NOT Proxy as all of our systems registered with company.com dont' go through the proxy.

Recap:

Turn off Basic Authentication
IWA Should be enabled

JesusWept3 · ‎03-24-2011

Disable Basic Auth? demand your money back because that answer is quite frankly just bad advice, i mean sure it fixed it, but is it really the answer?

I can say that on a similar config (2008 x64 IIS7 etc) we have BA and IWA all enabled and don't have these issues

https://www.linkedin.com/in/alex-allen-turl-07370146

VOX

9.01 - Enterprise Vault needs your account details in order to update your Vault cache