| Author |
Message |
James Glover
Guest
|
 Posted:
Thu Jan 20, 2005 8:59 pm Post subject:
Unneccessary Authenitication Dialogs |
|
|
Windows Server 2003 - basic installation, IIS installed
ASP.NET intranet site utilizing Windows (NT) Authentication
Problem: On some page visits some users are prompted for credentials (for
web server) unneccessarily
Click cancel to the dialog and the web page renders just fine, everything
works, just interupted by the dialog
We have not been able to identify what is common about the pages the error
occurs on or anything common
about the users.
1st we thought it was a 3rd party calendar control (eWorldUI), but we do not
think that now
2nd we thought it was a custom .dll that needed database access...but that
doesn't seem to be it either
Also the calendar control and custom .dll are not present on all of the
pages the error occurs
I have used performance monitor to verify that no anonymous requests are
occuring.
Does anyone know of a way to audit the NT authentication process so we could
identify why the dialog is displayed...
hopefully identify what resource the users do not have access to?
James Glover
Eastridge Technology, Inc. |
|
| Back to top |
|
 |
James Glover
Guest
|
| Posted:
Fri Jan 21, 2005 2:52 am Post subject:
Re: Unneccessary Authenitication Dialogs |
|
|
Solution:
Turns out that on every page with a Calendar control we also used a
CompareValidator, which requires access the following .js file:
\aspnet_client\system_web\1_1_4322\WebUIValidation.js
Someone had changed the permissions on this directory to be restricted to
Administrators only. Our test server had the
appropriate Read only permissions for the Everyone group and Users group.
We had thought all along that the error was some
type of file permissions error, it was just really hard to track down the
culprit.
Now to figure out why someone changed the permissions.
James |
|
| Back to top |
|
|
Roger Abell
Guest
|
| Posted:
Fri Jan 21, 2005 2:59 pm Post subject:
Re: Unneccessary Authenitication Dialogs |
|
|
Perhaps more importantly one needs to understand why
the page did work after they dismissed the authentication
prompt without logging in. You said the .js was ACL'd
for Administrators only.
I use an audit SACL set to Everyone Fail Full that is
inherited onto all areas that map into vdirs (i.e. on all
content served by IIS). That way, I have a heads up in
the security event log when something is failing in the
content served by IIS due to file access (as well as
what account tried to access how and where). This
auditing causes very few event log messages and when
it does it is always something that needs attention.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"James Glover" <jglover@nospam.eastridge.net> wrote in message
news:uHUiYFz$EHA.1400@TK2MSFTNGP11.phx.gbl...
| Quote: | Solution:
Turns out that on every page with a Calendar control we also used a
CompareValidator, which requires access the following .js file:
\aspnet_client\system_web\1_1_4322\WebUIValidation.js
Someone had changed the permissions on this directory to be restricted to
Administrators only. Our test server had the
appropriate Read only permissions for the Everyone group and Users group.
We had thought all along that the error was some
type of file permissions error, it was just really hard to track down the
culprit.
Now to figure out why someone changed the permissions.
James
|
|
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in