Re: Automatic Logon Problems


#1
01-05-2006, 04:21 PM
Chris
Re: Automatic Logon Problems


We are having the exact same problem you are having with some of our sites.
I was wondering if you have found out anything? I have not been able to get
very far. The only way I can get it to work is if I remove our domain from
the "Local Intranet" settings. This is not really a solution since you will
be prompted to login all the time.

Thanks,

Chris

"Jinseng" wrote:

> Thanks for getting back to me.
>
> I tried using RegMon, and the only thing that appears to be changing is the
> prompt for password key. I filtered for iexplorer.exe to narrow down the
> search, and only one key changed.
>
> I haven't had an opportunity yet to try using a packet capture, but I do have
> http open to one of the machines, so I can try capturing that traffic.
>
> One thing to note though... I tried accessing the sites from a computer
> running windows 2000 server that was part of our domain, but outside the
> firewall at the time, and that worked fine. So I'm thinking it's an issue
> specific to Windows 2003 and Windows XP machines.
>
> Does that make any sense? Could it be a Kerberos problem? I don't know
> much about Kerberos, or why it would cause IE to not prompt for a password,
> but it's a thought.
>
> Any more help would be appreciated.
>
> Thanks.
>
> "Robert Aldwinckle" wrote:
>
> > "Jinseng" <Jinseng@discussions.microsoft.com> wrote in message news:1C93E355-D38D-4414-930A-DBA6E3B03AD0@microsoft.com
> > ....
> > > I don't think it's an IIS issue since things work if I just tell IE to prompt
> > > for a password

> >
> >
> > I suspect that what this could be indicating is that there are more security options
> > changing when you go into the Custom Level... dialog than just the one
> > you want to change. I think you might have to trace with RegMon
> > (e.g. filter with zone) to see if there are any more differences than just
> > the prompt.
> >
> >
> > > I also think it's strange that I get a "Cannot find server or DNS Error"
> > > when I can clearly connect to the server.

> >
> >
> > Unfortunately that message often means more than it implies.
> > I think it is best to use a packet trace to figure out exactly what it means.
> >
> > This is difficult when the protocol involved is https.
> > In that case there is a utility which facilitates a reghack for you.
> >
> > KB823193 - INFO: How To Get Windows HTTP 5.1 Certificate And Trace Tools
> >
> >
> > Good luck
> >
> > Robert Aldwinckle
> > ---
> >
> >
> > > I'm having problems with some websites I maintain that use Integrated Windows
> > > Authentication for logging in.
> > >
> > > The goal is for people to not be prompted for their login information when
> > > they're logged into their laptop using their domain account, and they're on
> > > the LAN. If they're using their corporate laptop and are outside of the
> > > office, I'd prefer that they still don't have to enter in their login info.
> > > Lastly, if they're at a computer that the company doesn't own they should be
> > > prompted for a username and password.
> > >
> > > Two of the sites are located on Windows 2003 Servers. One is located on
> > > Windows 2000. All of the sites are set up to use Integrated Windows
> > > Authentication. The sites are using SSL, so people have to use the Fully
> > > Qualified Domain name whether they're on the LAN or outside of our firewall.
> > > The clients are a mix of Windows XP SP2, and Windows 2003 SP1.
> > >
> > > I've added two of the sites to the Intranet Zone, and one to the Trusted
> > > Sites Zone in IE on my work laptop. The intranet zone is set to Automatic
> > > logon only in Intranet Zone, and the trusted sites zone is set to Automatic
> > > logon with current username and password. This works great when I'm in the
> > > office. I can get to all 3 sites without being prompted for a username or
> > > password. Unfortunately, when I take my laptop out of the office, and try to
> > > connect to the sites, one of them works, and two cause IE to display "The
> > > page cannot be displayed" "Cannot find server or DNS Error". One of these
> > > problematic sites is in the Intranet zone and is running on 2003, and the
> > > other is in the Trusted Sites zone and is running on 2000. I can ping the
> > > sites, I can run a tracert to the sites, I can even get to the sites if I go
> > > into the security settings for the two zones and set them to Prompt for a
> > > username and password.
> > >
> > > Other people with their computers set up exactly the same as mine can't get
> > > to the site that I can get to (they get the same "Cannot find server or DNS
> > > Error"), and again, to work around this issue for those people I tell them to
> > > set their zone to prompt for a password.
> > >
> > > In the advanced settings for IE "Show friendly HTTP error messages" is
> > > Un-checked.
> > >
> > > It's my understanding that IE will try Integrated windows authentication
> > > first, if that doesn't work it'll fall back on Basic Authentication. This is
> > > what I'd expect would happen if the laptop is outside of the office using a
> > > proxy server, but during my testing I'm just putting my laptop directly on
> > > the internet, no proxy server, and only one firewall between me and all the
> > > sites.
> > >
> > > Does anyone know how to fix this problem? I don't think it's an IIS issue
> > > since things work if I just tell IE to prompt for a password, and because the
> > > site that works for me, doesn't work for other people. I also think it's
> > > strange that I get a "Cannot find server or DNS Error" when I can clearly
> > > connect to the server. I'd expect to see a cannot log in error if anything.
> > >
> > > Any help would be greatly appreciated. I've been beating my head against
> > > this wall for about two weeks now, with no results other than a major
> > > headache.
> > >
> > > Thanks,
> > >
> > > Alex.
> > >

> >
> >
> >

#2
01-05-2006, 04:21 PM
Jinseng
Re: Automatic Logon Problems

Chris,

Short answer:
Disabling “Enable Integrated Windows Authentication (requires restart)” in
the security section of the advanced tab may correct the issue for you.

Long Answer:
I did a packet capture and it appears that the browser is attempting to use
Kerberos first (which makes sense). During the process the machine does a DNS
lookup for the Kerberos servers, and of course can’t find them in public DNS
servers. I’m guessing that I’m getting a "Cannot find server or DNS Error"
because my machine can’t find the Kerberos info in DNS.

At this point rather than throwing a DNS error, I thought that IE would
realize that Kerberos isn’t going to work and try NTLM, but for some reason
it seems to be dying at this point.

After looking at a few web pages that say to make sure that "Enable
Integrated Windows Authentication (requires restart)" is enabled, I decided
to do the opposite and uncheck it. After doing that everything works great,
just as expected. Then I found a web site that says that it seems like when
you disable that option you’re really just disabling Kerberos, and thus
forcing the machine to go directly to NTLM.

I disabled that here on this end and I think it got things working. I still
have to do some more testing to be totally sure though.

I hope someone out there who really knows this stuff can shed some light on
this mysterious "Enable Integrated Windows Authentication (requires restart)"
option in IE.

Thanks a lot. And any thoughts or ideas are greatly appreciated.

Alex.


"Chris" wrote:

>
> We are having the exact same problem you are having with some of our sites.
> I was wondering if you have found out anything? I have not been able to get
> very far. The only way I can get it to work is if I remove our domain from
> the "Local Intranet" settings. This is not really a solution since you will
> be prompted to login all the time.
>
> Thanks,
>
> Chris
>

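An added example, not part of the original posts: for the packet-capture step discussed in this thread, the Python below reads plain-HTTP auth headers and reports whether a Negotiate token carries Kerberos or is raw NTLM. The header lines and tokens are constructed samples, and the names `classify`, `scan` and `tlv` are hypothetical.

```python
import base64

# DER-encoded mechanism OIDs that can appear inside a Negotiate token.
MECHS = {
    bytes.fromhex("06092a864886f712010202"): "Kerberos",
    bytes.fromhex("06092a864882f712010202"): "Kerberos (MS OID)",
    bytes.fromhex("060a2b06010401823702020a"): "NTLM",
}
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def classify(value):
    """Describe the token in an Authorization / WWW-Authenticate header value."""
    scheme, _, b64 = value.strip().partition(" ")
    if not b64:
        return f"{scheme}: offer only, no token"
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):
        kind = NTLM_TYPES.get(int.from_bytes(token[8:12], "little"), "unknown")
        return f"{scheme}: raw NTLM {kind}"
    # GSS-API/SPNEGO: mechanisms appear in preference order, so sort by offset.
    hits = sorted((token.find(oid), name) for oid, name in MECHS.items() if oid in token)
    if hits:
        return f"{scheme}: GSS-API token, mechanisms " + ", ".join(n for _, n in hits)
    return f"{scheme}: unrecognised token"

def scan(capture_text):
    """Classify every auth header found in plain-text HTTP headers."""
    out = []
    for line in capture_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("authorization", "www-authenticate"):
            out.append(classify(value))
    return out

def tlv(tag, body):  # minimal DER helper, short lengths only
    return bytes([tag, len(body)]) + body

# Constructed sample headers (not from the thread); token bodies are truncated.
_krb, _ntlm = list(MECHS)[0], list(MECHS)[2]
_spnego = tlv(0x60, bytes.fromhex("06062b0601050502")
              + tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x30, _krb + _ntlm)))))
_ntlm1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x00" * 20
SAMPLE = "\n".join([
    "WWW-Authenticate: Negotiate", "WWW-Authenticate: NTLM",
    "Authorization: Negotiate " + base64.b64encode(_spnego).decode(),
    "Authorization: Negotiate " + base64.b64encode(_ntlm1).decode(),
])
print("\n".join(scan(SAMPLE)))
```

This only works on headers visible in clear text, so it applies to the plain-http capture mentioned in the thread rather than to the https sites.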
#3
01-05-2006, 04:21 PM
Robert Aldwinckle
Re: Automatic Logon Problems

"Chris" <Chris@discussions.microsoft.com> wrote in message
news:0183008A-964A-45EB-8C08-95BE99EAF76E@microsoft.com
....
>> > "Jinseng" <Jinseng@discussions.microsoft.com> wrote in message news:1C93E355-D38D-4414-930A-DBA6E3B03AD0@microsoft.com
>> > ....
>> > > I don't think it's an IIS issue since things work if I just tell IE to prompt
>> > > for a password



> We are having the exact same problem you are having with some of our sites.
> I was wondering if you have found out anything? I have not been able to get
> very far.


> The only way I can get it to work is if I remove our domain from
> the "Local Intranet" settings. This is not really a solution since you will
> be prompted to login all the time.



You seem to be contradicting your first statement. <eg>
"exact problem" does not include OP's workaround?


---


#4
01-05-2006, 04:21 PM
Robert Aldwinckle
Re: Automatic Logon Problems

"Jinseng" <Jinseng@discussions.microsoft.com> wrote in message
news8D52D00-DA8C-4268-8571-9650F1752142@microsoft.com
....
> Long Answer:
> I did a packet capture and it appears that the browser is attempting to use
> Kerberos first(which makes sense). During the process the machine does a DNS
> lookup for the Kerberos servers, and of course can’t find them in public DNS
> servers. I’m guessing that I’m getting a "Cannot find server or DNS Error"
> because my machine can’t find the Kerberos info in DNS.



In that case you could try adding the appropriate lookup entry to your
HOSTS file? (Although I don't quite understand why "of course"
it shouldn't be able to find a lookup which could be public.)


>
> At this point rather than throwing a DNS error, I thought that IE would
> realize that Kerberos isn’t going to work and try NTLM, but for some reason
> it seems to be dying at this point.
>
> After looking at a few web pages that say to make sure that "Enable
> Integrated Windows Authentication (requires restart)" is enabled, I decided
> to do the opposite and uncheck it. After doing that everything works great,
> just as expected. Then I found a web site that says that it seems like when
> you disable that option you’re really just disabling Kerberos, and thus
> forcing the machine to go directly to NTLM.
>
> I disabled that here on this end and I think it got things working. I still
> have to do some more testing to be totally sure though.



Alex,

How does this new information fit with the workaround you had?
Did you try tracing an instance of the workaround too?
If so, were there any differences? (besides timing)
Also by "packet trace" are you including the detail you can
capture using WinHttpTraceCfg (ref. KB823193)?
Otherwise I suspect you would miss too much looking at just
the raw TCP stream.


>
> I hope someone out there who really knows this stuff can shed some light on
> this mysterious "Enable Integrated Windows Authentication (requires restart)"
> option in IE.



You're in the wrong newsgroup for that sort of expertise I think. <w>


>
> Thanks a lot. And any thoughts or ideas are greatly appreciated.



HTH

Robert
---

