Tuesday, September 23, 2008

Some Instances of IE Not Allowing Access to Secure Site

Per: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/ea7cd846-33da-49c9-927f-d4e76d6309ac.mspx?mfr=true

What it does not say is that if you have a complex site with differing directory permissions at different levels, you must specify the “NTAuthenticationProviders” property on the root as well as on the subdirectories. (Note: this property is not available via the IIS UI.)

Anonymous access (the “Allow” checkbox) will override this, so the property can be set on all subdirectories.

In English, the following should be included in the node definition:

NTAuthenticationProviders="NTLM"

Otherwise some IE browsers will try to use Kerberos authentication (vs. integrated) and you will get a “Cannot access page” error with no detail whatsoever.

A quick test of whether or not Kerberos is mucking with you can be done using WFetch (screenshot sample below). You want to look for “Authentication:Negotiate” in the response stream. If it is there, then IIS is trying to use Kerberos authentication and the above fix will force integrated/NTAuth.
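An added example, not from the original post or from Microsoft: a Python audit that walks metabase nodes and lists every virtual directory or directory whose NTAuthenticationProviders is missing or not NTLM-only, following the advice above to set it on the root and on each subdirectory. The sample XML is constructed and simplified; the site layout and Location paths are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified sample in the style of an IIS 6 MetaBase.xml export.
# Site layout, paths and flag values are made up for this example.
SAMPLE_METABASE = """\
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
 <MBProperty>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT"
      AuthFlags="AuthNTLM" NTAuthenticationProviders="NTLM"/>
  <IIsWebDirectory Location="/LM/W3SVC/1/ROOT/reports"
      AuthFlags="AuthNTLM"/>
  <IIsWebDirectory Location="/LM/W3SVC/1/ROOT/admin"
      AuthFlags="AuthNTLM" NTAuthenticationProviders="Negotiate,NTLM"/>
  <IIsWebDirectory Location="/LM/W3SVC/1/ROOT/public"
      AuthFlags="AuthAnonymous" NTAuthenticationProviders="NTLM"/>
 </MBProperty>
</configuration>
"""

# Node types that represent the site root and its subdirectories.
WEB_NODES = {"IIsWebVirtualDir", "IIsWebDirectory"}


def audit_providers(metabase_xml):
    """Return {Location: finding} for nodes not explicitly pinned to NTLM only."""
    findings = {}
    for elem in ET.fromstring(metabase_xml).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if tag not in WEB_NODES:
            continue
        location = elem.get("Location", "?")
        value = elem.get("NTAuthenticationProviders")
        if value is None:
            # Property not set on this node at all.
            findings[location] = "missing"
            continue
        providers = [p.strip().upper() for p in value.split(",") if p.strip()]
        if providers != ["NTLM"]:
            # Negotiate (or anything else) is still offered on this node.
            findings[location] = "not NTLM-only: " + value
    return findings


if __name__ == "__main__":
    for location, finding in audit_providers(SAMPLE_METABASE).items():
        print(f"{location}: NTAuthenticationProviders {finding}")
```

Pinning a node to NTLM means clients never use Kerberos there, so the nodes this audit does not flag are also the places where Kerberos has been turned off.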
