This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA® Access Manager Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by RSA Access Manager experts.

Access Manager Agent 4.X for IIS: User is prompted for Windows authentication when the Access Manager Agent is configured for BASIC authentication

Article Number

000014216

Applies To

IIS 6.0
RSA Access Manager Agents 4.x
Anonymous authentication is enabled on the IIS server
Microsoft Windows Server 2003 SP2
AxM 4.7 Web Agent is configured for BASIC authentication (form-based or non-form-based)
"Integrated Windows Authentication" checkbox is selected

Issue

Access Manager Agent 4.X for IIS: User is prompted for Windows authentication when the Access Manager Agent is configured for BASIC authentication

A Windows authentication popup is displayed when a user tries to access a resource when using the fully qualified domain name. When directly logging on the server (with an administrator account or any other account with enough privileges to access the resource directory), and trying to access the resource using "localhost" on Internet Explorer, the Access Manager login page is displayed, but no windows authentication requested,  and the "login successful" page appears upon entering valid credentials.  However, when the user re-enters the requested URL, they are redirected to the login page again.

Cause

When using "Anonymous Access", a user account is used by IIS to check for file permissions. Because the IWA checkbox is ticked, if there is any issue with that account (insufficient permissions, invalid password, etc), IIS will try first to use the client Windows user information to access the web content. After that point, if no valid credentials are presented, the user will be prompted to enter a different credential. When logging on the server directly (with an administrator account ,for instance), the windows credentials are valid as IE is the only browser that is capable of dealing with IWA properl.  However because of this, the authentication process in IIS is interrupted in the Access Manager Agent processing flow.

Resolution

Check the credentials used for anonymous access and also check the permissions for the group the user is a member of.

Workaround

Credentials used for anonymous access have been changed, the permissions for the login user have been changed

Notes

By default IIS uses a user called IUSR_<machine name> for anonymous access who is a member of "Guests".
To view the user account used by IIS for anonymous access:
-Open the IIS management console
-Expand the server and web sites
-Right click on your web site
-Select "properties"
-Go to the "Directory Security" tab
-Click on the "edit" button in the "Authentication and Access Control" section
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-13 04:56 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.