03-16-2012 11:07 AM
Is there a way to change what it says when connecting to the web browser? For example, it says Connect to Server Name. Is there a way to change that to a Cname?
03-16-2012 02:02 PM
#1 - Intranet Zones, firstly look at the servername that is prompting you, make sure something similar is in place in the Intranet Zone, typically the EV Server will have an alias and the actual machine name, it may be prompting you the machine name, but you have the alias in place, or vice versa.
For instance you may have
Alias: EVServer
Actual Machine: myEVServer.myDomain.com
If you have *.myDomain.com listed in the Intranet Zone, and it's prompting for a password for EVServer, then you would simply need to add EVServer (the alias) to the Intranet Zone and try again.
#4 NTFS Permissions:
This may not apply if you have the "Everyone" permission enabled; however, on most OS's and most company policies, the drives will be locked down to creator owners, system and the administrators group.
You would set Authenticated Users at the EV Installation directory at the root and have it propagate down with Read, Write and Execute (these are the default three selected when you add a user).
The reason you need execute is that when you go through the web page, IIS takes on Impersonation and it will attempt to run things such as the DirectoryService.exe, and if that user doesn't have permissions you will get the password prompt.
#5 Cached Username and Password
This is controlled in the User Accounts section, you have a link in the User Control Panel saying "Manage Passwords" and you will have a list of all the servers it has a username and password for.
If you see the EV Server, just try deleting it, as if you have an environment where you have to change your password every 45 days or so, it could be using the old username and password.
But the most important question is, when you enter the username and password, does it work or does it reprompt you for the username and password?
03-16-2012 01:24 PM
in a typical configuration, users shouldn't be prompted for a password. what are you trying to do?
03-16-2012 01:25 PM
but to answer your original question, it is not possible because this is coming from windows (IIS/IWA/Kerberos) and not EV.
03-16-2012 01:34 PM
well the prompt itself is coming from the browser when challenged for authentication.
The only time you would see it prompt is:
1. The Server name listed is not in the Intranet Zone
2. The IE security setting is set to always prompt for a username and password
3. The /EnterpriseVault virtual directory has Integrated Windows Authentication unchecked
4. The EV Installation directory does not have the Authenticated Users permission set through NTFS
5. The user has an old Cached username and password in Windows and it's trying to use those
6. You are going through a firewall or ISA etc where you will always be prompted for a username
7. DisableStrictNameChecking isn't in place on the EV Server and you are going to the alias instead of the machine name
8. You are not in the same domain as the EV Server and the domain you are in doesn't have a two way trust with the EV Server
Typically if you put in the password and it works no problems, it is almost always #1, that the server isn't listed in the Intranet Zone
If you type in the username and password and it continually reprompts it is either #4, that the NTFS permissions on the EV Server are locked down so that the user being impersonated cannot read/execute certain IIS files or #7, DisableStrictNameChecking isn't set, however that registry key is part of the best practice registry keys that the EV Installer prompts to put in place for you if it does not exist.
But as Andrew said, you can't change that text as it's outside of EV.
03-16-2012 01:47 PM
1. The Server name listed is not in the Intranet Zone - We have our domains in the trusted Sites.
2. The IE security setting is set to always prompt for a username and password - I have it set to Automatic logon only in Intranet Zone
3. The /EnterpriseVault virtual directory has Integrated Windows Authentication unchecked - My virtual directory, EnterpriseVault, has Windows Authentication set to enabled.
4. The EV Installation directory does not have the Authenticated Users permission set through NTFS. I did not have Authenticated Users on it. I added it as Read. Is this correct?
5. The user has an old Cached username and password in Windows and it's trying to use those. No, I cleared Cache.
6. You are going through a firewall or ISA etc where you will always be prompted for a username. No Firewall.
7. DisableStrictNameChecking isn't in place on the EV Server and you are going to the alias instead of the machine name. I added this reg settings during install.
8. You are not in the same domain as the EV Server and the domain you are in doesn't have a two way trust with the EV Server. On the same domain.
03-16-2012 01:54 PM
for #1, i always have the server names, the fqdn's, and the ev aliases listed in the Intranet Zone (not just the server names)
what function is the user trying to use when they get prompted? shortcut via outlook, owa, archive explorer, search page, etc? please be specific.
03-16-2012 02:20 PM
I type in the Web url and get prompted for user ID & Password.
03-16-2012 02:29 PM
I requested to add the server name into the Trusted site. Right now we use *.domain.com.
We do lock down our servers so I added authenticated users with RX permissions.
We do not cache user id's or passwords.
And yes, once I enter the credentials it works. I also get prompted when I open my outlook.
03-16-2012 02:47 PM
if you look on the EV server in the security event logs do you see any failures? you might have to setup the SPN for the computer accounts in AD. when all else fails, i've seen this help in some environments. it's basically telling kerberos that it's ok to authenticate via the alias name to a computer account by a different name and what protocols to allow. i've posted about this several times on the forum so if you're sure that everything JW said to check is in place then maybe this applies to your situation:
03-19-2012 08:34 AM
Andrew, great post in that link.
I have a question on what you wrote
"do you see failure audits in the security logs? i would check that the SPNs are set properly for the EV servers and service account. it should look something like this:
(note that the physical server name is EVSERVER and the dns alias is vault1.)
C:\>setspn -l EVSERVER
Registered ServicePrincipalNames for CN=EVSERVER,OU=Servers,DC=company,DC=com:
http/vault1.company.com
http/vault1
host/vault1.company.com
host/vault1
TERMSRV/EVSERVER.company.com
TERMSRV/EVSERVER
HOST/EVSERVER
HOST/EVSERVER.company.com"
I have an EV Cluster. Which SPNs should I check? The physical server or the cluster name?
For example, I have 2 servers called Jack1 & Jack2. The virtual name is Jack. Then we have the cluster name for EV servers & Application called JackCluster. So which should have the SPNs defined?
03-19-2012 08:54 AM
in the example, EVSERVER would reflect your cluster name and vault1 would reflect the dns alias
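The SPN check discussed in the last few posts, as an added example that is not part of the original thread: it parses `setspn -L` output and reports which http/ and host/ SPNs for a DNS alias are not registered on the account. The function names are hypothetical, and the sample listing is constructed from the names used in the thread (EVSERVER, vault1, company.com) with one entry deliberately left out.

```powershell
# Added example: find alias SPNs missing from a `setspn -L` listing.
# Function names are hypothetical; the sample text below is constructed.

function Get-RegisteredSpn {
    param([string[]]$SetSpnOutput)
    # setspn -L prints a header line and then one indented SPN per line.
    # Keep only lines shaped like serviceclass/host (no whitespace inside).
    foreach ($line in $SetSpnOutput) {
        $t = $line.Trim()
        if ($t -match '^[^\s/]+/\S+$') { $t }
    }
}

function Get-MissingAliasSpn {
    param(
        [string[]]$SetSpnOutput,
        [string]$Alias,                          # short DNS alias, e.g. vault1
        [string]$DnsDomain,                      # DNS suffix, e.g. company.com
        [string[]]$ServiceClass = @('http', 'host')
    )
    $registered = @(Get-RegisteredSpn -SetSpnOutput $SetSpnOutput)
    foreach ($class in $ServiceClass) {
        foreach ($name in @($Alias, "$Alias.$DnsDomain")) {
            $spn = "$class/$name"
            # -notcontains compares strings case-insensitively, as SPNs are.
            if ($registered -notcontains $spn) { $spn }
        }
    }
}

# Constructed sample: the short-name http SPN for the alias is absent.
$sample = @'
Registered ServicePrincipalNames for CN=EVSERVER,OU=Servers,DC=company,DC=com:
    http/vault1.company.com
    host/vault1.company.com
    host/vault1
    TERMSRV/EVSERVER.company.com
    HOST/EVSERVER
    HOST/EVSERVER.company.com
'@ -split "`r?`n"

$missing = @(Get-MissingAliasSpn -SetSpnOutput $sample -Alias 'vault1' -DnsDomain 'company.com')
if ($missing.Count) { 'Missing SPNs: ' + ($missing -join ', ') } else { 'All alias SPNs are registered.' }

# Against a live account, feed it the real listing instead of the sample:
#   Get-MissingAliasSpn -SetSpnOutput (setspn -L EVSERVER) -Alias vault1 -DnsDomain company.com
```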