
Password Prompt in web browser

anon1m0us1
Level 6

Is there a way to change what it says when connecting to the web browser? For example, it says Connect to Server Name. Is there a way to change that to a Cname?


AndrewB
Moderator
Partner    VIP    Accredited

in a typical configuration, users shouldn't be prompted for a password. what are you trying to do?

AndrewB
Moderator
Partner    VIP    Accredited

but to answer your original question, it is not possible because this is coming from windows (IIS/IWA/Kerberos) and not EV.

JesusWept3
Level 6
Partner Accredited Certified

well the prompt itself is coming from the browser when challenged for authentication.
The only time you would see it prompt is:

1. The Server name listed is not in the Intranet Zone
2. the IE security settings is set to always prompt for a username and password
3. The /EnterpriseVault virtual directory has Integrated Windows Authentication unchecked
4. The EV Installation directory does not have the Authenticated Users permission set through NTFS
5. The user has an old Cached username and password in Windows and it's trying to use those
6. You are going through a firewall or ISA etc where you will always be prompted for a username
7. DisableStrictNameChecking isn't in place on the EV Server and you are going to the alias instead of the machine name
8. You are not in the same domain as the EV Server and the domain you are in doesn't have a two way trust with the EV Server

Typically if you put in the password and it works no problems, it is almost always #1, that the server isn't listed in the Intranet Zone

If you type in the username and password and it continually reprompts it is either #4, that the NTFS permissions on the EV Server are locked down so that the user being impersonated cannot read/execute certain IIS files or #7, DisableStrictNameChecking isn't set, however that registry key is part of the best practice registry keys that the EV Installer prompts to put in place for you if it does not exist.


But as Andrew said, you can't change that text as it's outside of EV

https://www.linkedin.com/in/alex-allen-turl-07370146

anon1m0us1
Level 6

1. The Server name listed is not in the Intranet Zone - We have our domains in the trusted Sites.
2. the IE security settings is set to always prompt for a username and password- I have it set to Automatic logon only in Intranet Zone
3. The /EnterpriseVault virtual directory has Integrated Windows Authentication unchecked -My virtual directory, EnterpriseVault, has Windows Authentication set to enabled.
4. The EV Installation directory does not have the Authenticated Users permission set through NTFS. I did not have Authenticated Users on it. I added it as Read. Is this correct?
5. The user has an old Cached username and password in Windows and its trying to use those. No, I cleared Cache.
6. You are going through a firewall or ISA etc where you will always be prompted for a username. No Firewall.
7. DisableStrictNameChecking isn't in place on the EV Server and you are going to the alias instead of the machine name. I added this reg settings during install.
8. You are not in the same domain as the EV Server and the domain you are in doesn't have a two way trust with the EV Server. On the same domain,

AndrewB
Moderator
Partner    VIP    Accredited

for #1, i always have the server names, the fqdn's, and the ev aliases listed in the Intranet Zone  (not just the server names)

what function is the user trying to use when they get prompted? shortcut via outlook, owa, archive explorer, search page, etc? please be specific.

JesusWept3
Level 6
Partner Accredited Certified

#1 - Intranet Zones, firstly look at the servername that is prompting you, make sure something similar is in place in the Intranet Zone, typically the EV Server will have an alias and the actual machine name, it may be prompting you the machine name, but you have the alias in place, or vice versa.

For instance you may have

Alias: EVServer
Actual Machine: myEVServer.myDomain.com

If you have *.myDomain.com listed in the Intranet Zone, and it's prompting for a password for EVServer, then you would simply need to add EVServer (the alias) in to the Intranet Zone and try again

#4 NTFS Permissions:
This may not apply if you have the "Everyone" permission enabled, however on most OS's and most company policies, the drives will be locked down to creator owners, system and the administrators group.

You would set Authenticated Users at the EV Installation directory at the root and have it propagate down with Read, Write and Execute (these are the default three selected when you add a user).
The reason you need execute is that when you go through the web page, IIS takes on Impersonation and it will attempt to run things such as the DirectoryService.exe, and if that user doesn't have permissions you will get the password prompt

#5 Cached Username and Password
This is controlled in the User Accounts section, you have a link in the User Control Panel saying "Manage Passwords" and you will have a list of all the servers it has a username and password for.
If you see the EV Server, just try deleting it, as if you have an environment where you have to change your password every 45 days or so, it could be using the old username and password.

But the most important question is, when you enter the username and password, does it work or does it reprompt you for the username and password?

https://www.linkedin.com/in/alex-allen-turl-07370146

anon1m0us1
Level 6

I type in the Web url and get prompted for user ID & Password.

anon1m0us1
Level 6

I requested to add the server name into the Trusted site, Right now we use *.domain.com.

We do lock down our servers so i added authenticated users with RX permissions.

We do not cache user id's or passwords.

And yes, once I enter the credentials it works. I also get prompted when I open my outlook.

AndrewB
Moderator
Partner    VIP    Accredited

if you look on the EV server in the security event logs do you see any failures? you might have to setup the SPN for the computer accounts in AD. when all else fails, i've seen this help in some environments. it's basically telling kerberos that it's ok to authenticate via the alias name to a computer account by a different name and what protocols to allow. i've posted about this several times on the forum so if you're sure that everything JW said to check is in place then maybe this applies to your situation:

https://www-secure.symantec.com/connect/forums/switched-ev-server-new-win2k8-r2-server-now-some-user...

anon1m0us1
Level 6

Andrew, great post in that link.

I have a question on what you wrote

"do you see failure audits in the security logs? i would check that the SPNs are set properly for the EV servers and service account. it should look something like this:

(note that the physical server name is EVSERVER and the dns alias is vault1.)

C:\>setspn -l EVSERVER
Registered ServicePrincipalNames for CN=EVSERVER,OU=Servers,DC=company,DC=com:
http/vault1.company.com
http/vault1
host/vault1.company.com
host/vault1
TERMSRV/EVSERVER.company.com
TERMSRV/EVSERVER
HOST/EVSERVER
HOST/EVSERVER.company.com"

I have an EV Cluster. Which SPNs should I check? The physical server or the cluster name?

For example, I have 2 servers called Jack1 & Jack2. The virtual name is Jack. Then we have the cluster name for EV servers & Application called JackCluster. So which should have the SPNs defined?

AndrewB
Moderator
Partner    VIP    Accredited

in the example, EVSERVER would reflect your cluster name and vault1 would reflect the dns alias
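
The SPN check discussed above, as an added example that is not part of the original thread: it takes `setspn -l` output for the account that hosts the site (the cluster name in a clustered setup, per the last reply) and reports which http/host SPNs for the DNS alias are missing. The function names and the sample listing (the one quoted in the thread with `http/vault1` removed) are constructed for illustration.

```powershell
# Added example; Get-RegisteredSpn and Test-AliasSpn are illustrative names.

function Get-RegisteredSpn {
    param([string[]]$SetSpnOutput)
    # Keep only "class/name" lines; the "Registered ServicePrincipalNames for ..."
    # header contains spaces and is skipped.
    $SetSpnOutput |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[^/\s:]+/\S+$' }
}

function Test-AliasSpn {
    param(
        [string[]]$SetSpnOutput,   # lines returned by: setspn -l <account>
        [string]$Alias,            # short DNS alias, e.g. vault1
        [string]$DnsDomain         # DNS suffix, e.g. company.com
    )
    $registered = Get-RegisteredSpn $SetSpnOutput |
        ForEach-Object { $_.ToLowerInvariant() }

    # Expect both the short and the fully qualified alias for http and host.
    foreach ($class in 'http', 'host') {
        foreach ($name in $Alias, "$Alias.$DnsDomain") {
            $spn = "$class/$name".ToLowerInvariant()
            [pscustomobject]@{
                SPN        = $spn
                Registered = ($registered -contains $spn)
            }
        }
    }
}

# Constructed sample: the listing from the thread with http/vault1 removed.
$sample = @'
Registered ServicePrincipalNames for CN=EVSERVER,OU=Servers,DC=company,DC=com:
http/vault1.company.com
host/vault1.company.com
host/vault1
TERMSRV/EVSERVER.company.com
TERMSRV/EVSERVER
HOST/EVSERVER
HOST/EVSERVER.company.com
'@ -split "`r?`n"

Test-AliasSpn -SetSpnOutput $sample -Alias 'vault1' -DnsDomain 'company.com' |
    Format-Table -AutoSize

# Live use on a domain-joined machine:
#   Test-AliasSpn -SetSpnOutput (setspn -l EVSERVER) -Alias vault1 -DnsDomain company.com
#   setspn -x    # lists duplicate SPNs, which also cause Kerberos failures
```

With the sample listing, `http/vault1` is reported as not registered and the other three alias SPNs as registered.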