cancel
Showing results for 
Search instead for 
Did you mean: 

Being prompted for Credentials

anon1m0us1
Level 6

I am using EV 10.0.1 and IE 8 & 9, I am being prompted with User Credentials when I click on a shortcut, or any EV button in Outlook.

 

1) I did select to Add to local Intranet in the EV Desktop policy.

2) I verified that the server that is prompting is listed in the policy.

3) My GPO has *.companyname.com in the Trusted Zone.

4) I do not have servername.companyname.com in the Trusted Zone since I assumed the EV policy will add it.

I went through that the Technnote of the 9 items to check like adding Domain Users to Webapp Directory ( I gave them Read & Execute), cleared my Windows Password Manager, etc 

 

In addition, I am still being prompted by Outlook to Autoarchive. Does this get disabled with EV policiy or do I need a GPO to disable it?

 

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions

TonySterling
Moderator
Moderator
Partner    VIP    Accredited Certified

But again, you need to focus on the differences between computers that prompt and ones that don't.  If they all have the same EV policy then it isn't an EV configuration but a desktop configuration, like a GPO or something like that causing the issue.

View solution in original post

19 REPLIES 19

AndrewB
Moderator
Moderator
Partner    VIP    Accredited

have a look at my solution here:

https://www-secure.symantec.com/connect/forums/switched-ev-server-new-win2k8-r2-server-now-some-users-prompted-credentials

JesusWept3
Level 6
Partner Accredited Certified

for the permissions of Authenticated Users, you have to give that to the entire EV install directory, not just the webapp, typically you would see that being the issue when you put in your own credentials and it continues prompting and ten you put in the EVAdmin or another admin username/password and it works

Also look at the name of the server prompting you.
I know some environments have the machinename.myDomain.com as the actual machine and they add *.myDomain.com to the trusted site or intranet zone list, but the Alias is something like evServer.otherDomain.com

also you have to specify in the desktop policy the servers to add to the intranet zone

https://www.linkedin.com/in/alex-allen-turl-07370146

anon1m0us1
Level 6

Went through every scenrio and still having the issue.

anon1m0us1
Level 6

Authentcated Users is in the EV install directory.

 

We do not use another domain for the server. It is server.mycompany.com and in IE Local Zone we have *.companyname.com & *.otherdomainforcompany.com. it still does not work.

 

I also have add to Intranet Zone selected in my Desktop Policy.

anon1m0us1
Level 6

Scenario 1 - Incorrect authentication cached

Nothing is Cached

 

Scenario 2 - Permissions lock-down to the Enterprise Vault\Webapp directory

Authenticated Users, Domain Users, have Read & Execute on the whole EV directory. System & Administrators have Full Access.

 

Scenario 3 - Additional security lock-down through Internet Explorer (IE)

This is a Windows 7 machine and does not have Internet Explorer Enhanced Security Configuration for Administrators installed.

Scenario 4 - The DNS Alias is not listed under IE (Internet Explorer) Security - Local Intranet

 I added the Cluster Name, Server name, and both FQDN in a IE GPO with no difference.

I also added Add server to Intranet Zone  in the Policy.

 

Scenario 5 - Accessing Archive Explorer or Search Archives Externally through OWA 2007

I am accessing it through Outlook client 2007.

 

Scenario 6 - User Authentication in trusted sites is not set in automatic logon with current username and password

It’s set correctly in Trusted and Local Zones

 

anon1m0us1
Level 6

I think the issue is with WIndows 7. I checked one of our users on Windows XP and they do not get prompted. Is there a different setting for Windows 7?

AndrewB
Moderator
Moderator
Partner    VIP    Accredited

can you post the SPN settings for your servers?

anon1m0us1
Level 6

Do you want from the servername or cluster name? This is a win2k8 EV Cluster.

 

From the server it is:

MSServerClusterMgmtAPI/evserver1

MSServerClusterMgmtAPI/evserver1.company.com

WSMAN/evserver1.company.com

WSMAN/evserver1

TERMSRV/evserver1.company.com\

TERMSRV/evserver1

RestrictedKrbHost/evserver1

HOST/evserver1

RestrictedKrbHost/evserver1.company.com

HOST/evserver1.company.com

AndrewB
Moderator
Moderator
Partner    VIP    Accredited

you need http and host SPNs for the dns alias

anon1m0us1
Level 6

Why does this work on XP?

 

Also, when you say the DNS Alias, are you referring to the Server DNS or the Cluster DNS?

AndrewB
Moderator
Moderator
Partner    VIP    Accredited

the DNS alias of your EV server

anon1m0us1
Level 6

Here are my SPN's for my Phyiscal Server name (this case called Servername). I am still being prompted. Again, Windows XP is fine, its only in Windows 7.

 

Http/EVClusterName
Http/EVClustername.company.com
Http/Evserver1 <--server Alias
Http/Evserver1.mkllp.com <--server Alias

HOST/Evserver1.company.com <--server Alias

HOST/Evserver1 <--server Alias

HOST/EVClusterName

HOST/EVCluster.Company.com
MSServerClusterMgmtAPI/ServerName
MSServerClusterMgmtAPI/ServerName.Company.com
WSMAN/ServerName.Company.com
WSMAN/ServerName
TERMSRV/ServerName.Company.com

TERMSRV/ServerName
RestrictedKrbHost/ServerName
HOST/ServerName
RestrictedKrbHost/ServerName.Company.com

HOST/ServerName.Company.com
 

TonySterling
Moderator
Moderator
Partner    VIP    Accredited Certified

as this only occurs on Windows 7 machines it probably isn't going to be an EV thing.  You should look at what is different about Win 7, like this article:

http://support.microsoft.com/kb/943280

Do other sites in your organization also prompt you on Win 7 and not Win XP?

anon1m0us1
Level 6

Since adding the SPN's my server does not allow me to log in. It now says "The security database on the server does not have a computer account for this workstation trust relationship"

anon1m0us1
Level 6

Ok, confirmed, the prompting is only happening on my machine, not on every Win7.

TonySterling
Moderator
Moderator
Partner    VIP    Accredited Certified

That being the case this isn't going to be an EV issue but a configuration issue on your machine.  Like IE settings or a saved password or something like that.

anon1m0us1
Level 6

No, the issue seems to be spreading.

AndrewB
Moderator
Moderator
Partner    VIP    Accredited

Can you elaborate on the solution that fixed this issue?

TonySterling
Moderator
Moderator
Partner    VIP    Accredited Certified

But again, you need to focus on the differences between computers that prompt and ones that don't.  If they all have the same EV policy then it isn't an EV configuration but a desktop configuration, like a GPO or something like that causing the issue.