06-26-2012 10:37 AM
I am using EV 10.0.1 and IE 8 & 9, I am being prompted with User Credentials when I click on a shortcut, or any EV button in Outlook.
1) I did select to Add to local Intranet in the EV Desktop policy.
2) I verified that the server that is prompting is listed in the policy.
3) My GPO has *.companyname.com in the Trusted Zone.
4) I do not have servername.companyname.com in the Trusted Zone since I assumed the EV policy will add it.
I went through that the Technnote of the 9 items to check like adding Domain Users to Webapp Directory ( I gave them Read & Execute), cleared my Windows Password Manager, etc
In addition, I am still being prompted by Outlook to Autoarchive. Does this get disabled with EV policiy or do I need a GPO to disable it?
Thanks.
Solved! Go to Solution.
07-08-2012 03:49 PM
But again, you need to focus on the differences between computers that prompt and ones that don't. If they all have the same EV policy then it isn't an EV configuration but a desktop configuration, like a GPO or something like that causing the issue.
06-26-2012 11:26 AM
have a look at my solution here:
https://www-secure.symantec.com/connect/forums/switched-ev-server-new-win2k8-r2-server-now-some-users-prompted-credentials
06-26-2012 01:31 PM
for the permissions of Authenticated Users, you have to give that to the entire EV install directory, not just the webapp, typically you would see that being the issue when you put in your own credentials and it continues prompting and ten you put in the EVAdmin or another admin username/password and it works
Also look at the name of the server prompting you.
I know some environments have the machinename.myDomain.com as the actual machine and they add *.myDomain.com to the trusted site or intranet zone list, but the Alias is something like evServer.otherDomain.com
also you have to specify in the desktop policy the servers to add to the intranet zone
06-26-2012 02:48 PM
Went through every scenrio and still having the issue.
06-26-2012 02:50 PM
Authentcated Users is in the EV install directory.
We do not use another domain for the server. It is server.mycompany.com and in IE Local Zone we have *.companyname.com & *.otherdomainforcompany.com. it still does not work.
I also have add to Intranet Zone selected in my Desktop Policy.
06-26-2012 03:35 PM
Scenario 1 - Incorrect authentication cached
Nothing is Cached
Scenario 2 - Permissions lock-down to the Enterprise Vault\Webapp directory
Authenticated Users, Domain Users, have Read & Execute on the whole EV directory. System & Administrators have Full Access.
Scenario 3 - Additional security lock-down through Internet Explorer (IE)
This is a Windows 7 machine and does not have Internet Explorer Enhanced Security Configuration for Administrators installed.
Scenario 4 - The DNS Alias is not listed under IE (Internet Explorer) Security - Local Intranet
I added the Cluster Name, Server name, and both FQDN in a IE GPO with no difference.
I also added Add server to Intranet Zone in the Policy.
Scenario 5 - Accessing Archive Explorer or Search Archives Externally through OWA 2007
I am accessing it through Outlook client 2007.
Scenario 6 - User Authentication in trusted sites is not set in automatic logon with current username and password
It’s set correctly in Trusted and Local Zones
06-26-2012 10:12 PM
I think the issue is with WIndows 7. I checked one of our users on Windows XP and they do not get prompted. Is there a different setting for Windows 7?
06-27-2012 10:11 AM
can you post the SPN settings for your servers?
06-27-2012 10:18 AM
Do you want from the servername or cluster name? This is a win2k8 EV Cluster.
From the server it is:
MSServerClusterMgmtAPI/evserver1
MSServerClusterMgmtAPI/evserver1.company.com
WSMAN/evserver1.company.com
WSMAN/evserver1
TERMSRV/evserver1.company.com\
TERMSRV/evserver1
RestrictedKrbHost/evserver1
HOST/evserver1
RestrictedKrbHost/evserver1.company.com
HOST/evserver1.company.com
06-27-2012 10:28 AM
you need http and host SPNs for the dns alias
06-27-2012 10:32 AM
Why does this work on XP?
Also, when you say the DNS Alias, are you referring to the Server DNS or the Cluster DNS?
06-27-2012 11:02 AM
the DNS alias of your EV server
06-27-2012 11:41 AM
Here are my SPN's for my Phyiscal Server name (this case called Servername). I am still being prompted. Again, Windows XP is fine, its only in Windows 7.
Http/EVClusterName
Http/EVClustername.company.com
Http/Evserver1 <--server Alias
Http/Evserver1.mkllp.com <--server Alias
HOST/Evserver1.company.com <--server Alias
HOST/Evserver1 <--server Alias
HOST/EVClusterName
HOST/EVCluster.Company.com
MSServerClusterMgmtAPI/ServerName
MSServerClusterMgmtAPI/ServerName.Company.com
WSMAN/ServerName.Company.com
WSMAN/ServerName
TERMSRV/ServerName.Company.com
TERMSRV/ServerName
RestrictedKrbHost/ServerName
HOST/ServerName
RestrictedKrbHost/ServerName.Company.com
HOST/ServerName.Company.com
06-27-2012 12:39 PM
as this only occurs on Windows 7 machines it probably isn't going to be an EV thing. You should look at what is different about Win 7, like this article:
http://support.microsoft.com/kb/943280
Do other sites in your organization also prompt you on Win 7 and not Win XP?
06-27-2012 04:19 PM
Since adding the SPN's my server does not allow me to log in. It now says "The security database on the server does not have a computer account for this workstation trust relationship"
06-28-2012 08:33 AM
Ok, confirmed, the prompting is only happening on my machine, not on every Win7.
07-06-2012 07:05 AM
That being the case this isn't going to be an EV issue but a configuration issue on your machine. Like IE settings or a saved password or something like that.
07-06-2012 10:46 AM
No, the issue seems to be spreading.
07-08-2012 01:57 PM
Can you elaborate on the solution that fixed this issue?
07-08-2012 03:49 PM
But again, you need to focus on the differences between computers that prompt and ones that don't. If they all have the same EV policy then it isn't an EV configuration but a desktop configuration, like a GPO or something like that causing the issue.