000014216 - Access Manager Agent 4.X for IIS: User is prompted for Windows authentication when the Access Manager Agent is configured for BASIC authentication

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000014216
Applies ToIIS 6.0
RSA Access Manager Agents 4.x
Anonymous authentication is enabled on the IIS server
Microsoft Windows Server 2003 SP2
AxM 4.7 Web Agent is configured for BASIC authentication (form-based or non-form-based)
"Integrated Windows Authentication" checkbox is selected
IssueAccess Manager Agent 4.X for IIS: User is prompted for Windows authentication when the Access Manager Agent is configured for BASIC authentication
A Windows authentication popup is displayed when a user tries to access a resource when using the fully qualified domain name. When directly logging on the server (with an administrator account or any other account with enough privileges to access the resource directory), and trying to access the resource using "localhost" on Internet Explorer, the Access Manager login page is displayed, but no windows authentication requested,  and the "login successful" page appears upon entering valid credentials.  However, when the user re-enters the requested URL, they are redirected to the login page again.
CauseWhen using "Anonymous Access", a user account is used by IIS to check for file permissions. Because the IWA checkbox is ticked, if there is any issue with that account (insufficient permissions, invalid password, etc), IIS will try first to use the client Windows user information to access the web content. After that point, if no valid credentials are presented, the user will be prompted to enter a different credential. When logging on the server directly (with an administrator account ,for instance), the windows credentials are valid as IE is the only browser that is capable of dealing with IWA properl.  However because of this, the authentication process in IIS is interrupted in the Access Manager Agent processing flow.
ResolutionCheck the credentials used for anonymous access and also check the permissions for the group the user is a member of.
WorkaroundCredentials used for anonymous access have been changed, the permissions for the login user have been changed
NotesBy default IIS uses a user called IUSR_<machine name> for anonymous access who is a member of "Guests".
To view the user account used by IIS for anonymous access:
-Open the IIS management console
-Expand the server and web sites
-Right click on your web site
-Select "properties"
-Go to the "Directory Security" tab
-Click on the "edit" button in the "Authentication and Access Control" section
Legacy Article IDa46308

Attachments

    Outcomes