When Integrated Authentication is enabled, users frequently wonder why they are still prompted for username/password. After all, isn't Integrated Authentication supposed to get rid of that?

Thus, the following question has come up several times when users install and use Virtual Server. While the problem looks like one with IIS or even Virtual Server somehow, it can be caused by the web browser's configuration, as described below.

Question:

I have just installed virtual server and am having problems with the administrative website. The host machine is Windows Server 2003 with SP1. The virtual server administrative website is set to allow integrated windows authentication yet when I try to access the page I am prompted for a username/password. If I enter username/password I can access the site. I have granted the appropriate permissions on the site home dir.

The administrative site address is:

http://vsserver.north.root.domain.com:1024/VirtualServer/VSWebApp.exe?view=1

If I enter the following address integrated windows authentication works and I am granted access to the site without being prompted for a username/password:

http://vsserver:1024/VirtualServer/VSWebApp.exe?view=1

The site is not using host headers.

Any ideas would be appreciated

Answer:

Actually, this problem is probably caused by your web browser not auto-authenticating to the VS 2005 admin website because it treats your two URLs as belonging in different Zones. One of the Zones is configured to auto-authenticate with current logged on user credentials and the other is not.

IE's default behavior is to auto-authenticate in Intranet Zone. "http://vsserver:1024" fits the pattern of an Intranet website. Meanwhile, "http://vsserver.north.root.domain.com:1024" fits the pattern of a dotted URL address, which is treated as the Internet Zone, which does not have auto-authenticate enabled.

Thus, IE does not auto-authenticate when you use the dotted URL address, meaning that when IIS requests your administrator credentials to access the VS2005 admin website, you get the user login popup.

To "fix" this, you either:

  1. Change the Zone which contains the second URL (dotted URL address)
  2. Change the auto-authenticate option of the existing Zone of the second URL

I suggest option #1 since you do not want the browser to auto-authenticate against arbitrary Internet websites.

//David