Integrated Windows Authentication not working
I am having trouble getting IWA to work from any of my Windows 7 machines joined to the domain. Currently I'm testing IE8. I have verified that the following are set:
1. Internet Options, Advanced, Enable IWA (checked)
2. Internet Options, Security, Trusted Sites (the server I want to send credentials to through IWA is local to my LAN and is in this list)
3. Internet Options, Security, Local Intranet, Advanced, "Enable logon in intranet zone only" (checked)
When I navigate to the server I want to send credentials to through IWA, I am prompted for NTLM authentication. This shouldn't happen. Still, entering my credentials in domain\username format doesn't work (they are not accepted). Ironically, this problem exists for other popular browsers in Windows 7.
I have seen documentation of having to modify certain Local Security Policy options, but none looked to be the culprit.
Thoughts?
November 4th, 2009 11:29pm
Let's review your list:
1) Internet Options, Advanced, Enable IWA (checked)
Good, this should have been enabled by default anyways. Really, integrated auth is established at the Web server, and the client will either participate or not.
2) Internet Options, Security, Trusted Sites (the server I want to send credentials to through IWA is local to my LAN and is in this list)
OK, so you have added the Web site to the "Trusted Sites" security zone. This means that when you connect, in the status bar at the bottom right it now says Trusted Site.
3) Internet Options, Security, Local Intranet, Advanced, "Enable logon in intranet zone only" (checked)
OK, this is where you went wrong. You put the Web site in the Trusted Sites zone, but now you are editing Local Intranet. Where do you want the site, Local Intranet or Trusted Sites?
- If you decide to put it in Local Intranet, remove it from the Trusted Sites zone and add it to the Local Intranet zone. With your setting in option 3, you are done.
- If you really meant to place it in the Trusted Sites zone, go Tools|Internet Options. Select Trusted Sites, and then click Custom Level. *You define how authentication will work for all Trusted Sites.* Go to the very bottom of the list of options and select the option to allow automatic logon with the current user name and password. By default, only Local Intranet zones allow integrated authentication. You need to make this change either locally, or through GPO or the IEAK to make it corporate wide.
Brian
November 5th, 2009 12:57am
Well, you can only put the URL in one zone, Trusted Sites or Local Intranet. The URL is in the Trusted Sites zone.
The Trusted Sites, Custom level setting is at the default of "Automatic logon with current username and password".
The Local Intranet, Custom level setting is at the default of "Automatic logon only in Intranet zone".
I believe this is what you are asking.
Could Extended Protection for Authentication on Windows 7 have anything to do with IWA not working?
November 5th, 2009 1:16am
The solution I was looking for ended up being disabling the EAP for Windows 7. Official documentation has not been released as of last week, but the fix is to set these Registry changes on the Windows 7 workstation:
HKEY_Local_Machine\System\CurrentControlSet\Control\LSA\SuppressExtendedProtection (Create DWORD value of 1) (Add this property if it doesn't exist)
HKEY_Local_Machine\System\CurrentControlSet\Control\LSA\LmCompatibilityLevel (Default DWORD value of 3)
November 10th, 2009 12:55am
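The following PowerShell script is an added, read-only audit of the settings discussed in this thread: the per-zone "Logon" option Brian describes (stored by IE as registry value 1A00 under each zone key) and the two LSA values in the accepted answer. It is not from the thread or from Microsoft; the 1A00 value mapping is the documented IE encoding, and the script changes nothing, so it can be run on an affected workstation before deciding whether to disable Extended Protection at all.

```powershell
# Added example (not from the thread): report-only audit of IE zone logon policy and the
# LSA values named in the accepted answer. Nothing is written to the registry.
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# IE stores the Custom Level "Logon" option as value 1A00 with these meanings
$logonMeaning = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

function Get-ZoneLogonSetting {
    param([int]$Zone, [string]$Name)   # 1 = Local Intranet, 2 = Trusted Sites
    $props = Get-ItemProperty -Path (Join-Path $zonesKey "$Zone") -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.'1A00') {
        return [pscustomobject]@{ Zone = $Name; Raw = '(not set)'; Meaning = '(not set)'; SilentIwaPossible = $null }
    }
    $raw = [int]$props.'1A00'
    [pscustomobject]@{
        Zone    = $Name
        Raw     = ('0x{0:X5}' -f $raw)
        Meaning = $logonMeaning[$raw]
        # Silent integrated auth only happens when the zone allows automatic logon:
        # either unconditionally (0) or, for the Intranet zone itself, "only in Intranet zone"
        SilentIwaPossible = ($raw -eq 0) -or ($raw -eq 0x20000 -and $Zone -eq 1)
    }
}

function Get-LsaValue {
    param([string]$ValueName)
    $props = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue
    if ($null -ne $props -and $null -ne $props.$ValueName) { [int]$props.$ValueName } else { '(not set)' }
}

Get-ZoneLogonSetting -Zone 1 -Name 'Local Intranet'
Get-ZoneLogonSetting -Zone 2 -Name 'Trusted Sites'

$sep = Get-LsaValue -ValueName 'SuppressExtendedProtection'
$lm  = Get-LsaValue -ValueName 'LmCompatibilityLevel'
"SuppressExtendedProtection = $sep  (1 turns off Extended Protection for Authentication, i.e. channel binding; weaker than the default)"
"LmCompatibilityLevel       = $lm  (the thread relies on the Windows 7 default of 3)"
```

Run it in the affected user's session, since the zone values live under HKCU; if Trusted Sites shows 0x20000, that alone explains an NTLM prompt for a site placed in that zone, with no Extended Protection change needed.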
The solution I was looking for ended up being disabling the EAP for Windows 7. Official documentation has not been released as of last week, but the fix is to set these Registry changes on the Windows 7 workstation:
HKEY_Local_Machine\System\CurrentControlSet\Control\LSA\SuppressExtendedProtection (Create DWORD value of “1”) (Add this property if it doesn’t exist)
HKEY_Local_Machine\System\CurrentControlSet\Control\LSA\LmCompatibilityLevel (Default DWORD value of “3”)
Will this work for Windows XP? I don't know if this is the fix, but I have had a couple of users lately who have not been able to connect to intranet sites after resetting Internet Explorer. On one, the user previously had malware that had been removed by Malwarebytes.
After resetting Internet Explorer, we normally run gpupdate /force to update the user's Zone settings, but that hasn't resolved the issue. I have checked Trusted Sites and none of the intranet sites appear to be missing.
I checked:
1. Internet Options, Advanced, Enable IWA (checked)
2. Internet Options, Security, Trusted Sites (the server I want to send credentials to through IWA is local to my LAN and is in this list)
3. Internet Options, Security, Local Intranet, Advanced, "Enable logon in intranet zone only" (checked)
Everything appears to be in order.
On our last user she was in IE 7, so I thought maybe doing Windows Updates and upgrading her to IE 8 would refresh something and resolve the issue, but it did not.
Again, would the above registry keys be something to try for Windows XP? If not, does anyone have any suggestions when all settings appear to be correct, and IWA used to work, but does not after an IE reset?
I don't know if this matters, but on the other user we were resetting IE because we found for some reason this resolves an issue where people are unable to log in to Salesforce Chatter.
February 8th, 2011 7:40pm