positronic_mis
Engaged Sweeper
Hello,

We had authentication working fine with IIS before the upgrade:

https://servername:nonport80/ , login as an authorized domain user or as a named/permitted domain admin.

We allowed two groups of users (Domain Admins & a specific global group - LansweeperUsers) the ability to login & manage the web interface.

I had fought with the previous version 4.1.0.29 and finally realized that I had to edit the C:\Program Files (x86)\Lansweeper\Website\web.config file and add the
<authorization>
<allow roles="Domainname\GlobalGroup,Domainname\Domain Admins" />
<deny users="*" />
</authorization>

section to list the two groups...

After the upgrade I cannot login to Lansweeper even as domain admin; at the console or via an IIS page. The web.config file looks fine though.

The configuration tool opens up just fine. IIS has been restarted... same problem...

Any help would be appreciated.

Configuration: Windows 2008 R2 Standard 64x w. SP1.
Lansweeper : C:\Program Files (x86)\Lansweeper\
DB server : SQL Express 2008 R2 64-bit.
Windows authentication; owner = the same user that tries to login (a domain admin account)

Request Filtering is installed.
Windows Authentication is enabled. Anonymous Auth is disabled
Application pool is Classic & .Net Framework v2.0.50727


When I try to visit: https://srvpii47.positronic.com:82/usertest.aspx

I received the following:

Error Summary
HTTP Error 401.1 - Unauthorized
You do not have permission to view this directory or page using the credentials that you supplied.
Detailed Error Information
Module WindowsAuthenticationModule
Notification AuthenticateRequest
Handler PageHandlerFactory-ISAPI-2.0-64
Error Code 0x8009030e
Requested URL https://srvpii47.positronic.com:82/usertest.aspx
Physical Path C:\Program Files (x86)\Lansweeper\website\usertest.aspx
Logon Method Not yet determined
Logon User Not yet determined
Most likely causes:
•The username supplied to IIS is invalid.
•The password supplied to IIS was not typed correctly.
•Incorrect credentials were cached by the browser.
•IIS could not verify the identity of the username and password provided.
•The resource is configured for Anonymous authentication, but the configured anonymous account either has an invalid password or was disabled.
•The server is configured to deny login privileges to the authenticating user or the group in which the user is a member.
•Invalid Kerberos configuration may be the cause if all of the following are true:
◦Integrated authentication was used.
◦the application pool identity is a custom account.
◦the server is a member of a domain.
Things you can try:
•Verify that the username and password are correct, and are not cached by the browser.
•Use a different username and password.
•If you are using a custom anonymous account, verify that the password has not expired.
•Verify that the authenticating user or the user's group, has not been denied login access to the server.
•Verify that the account was not locked out due to numerous failed login attempts.
•If you are using authentication and the server is a member of a domain, verify that you have configured the application pool identity using the utility SETSPN.exe, or changed the configuration so that NTLM is the favored authentication type.
•Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click here.
Links and More Information
This error occurs when either the username or password supplied to IIS is invalid, or when IIS cannot use the username and password to authenticate the user.
View more information »

Microsoft Knowledge Base Articles:

•907273
•871179
•896861
6 REPLIES
Hemoco
Lansweeper Alumni
Please contact us through email about this issue. Our email address is support@lansweeper.com
Please provide us with some screenshots of the problem if possible.
positronic_mis
Engaged Sweeper
When I configure the NTLM provider its response is (on my Win7 Pro x64 with IE8)

Server is configured for NT authentication

User: OURDOMAIN\techaccount
Type: NTLM

(I've changed the domain & username for privacy reasons but the username is one that is a member of the group that we specified in web.config).



On a different system however when I login as the original domain admin who installed it (Ourdomain\domainadmin1) it just keeps re-prompting me for the username & password over and over again...

So I went back to my PC and cleared ALL deletable items & disabled saving pw's and it still lets me in and thinks I'm OURDOMAIN\techaccount...

David
Hemoco
Lansweeper Alumni
When it works in IE, what is the output of usertest.aspx?
positronic_mis
Engaged Sweeper
The C:\Program Files (x86)\Lansweeper\Website folder has the following NTFS permissions:

- Everyone:F
- System: F
- Administrators: F
- Users(server\Users): RX
- Ourdomain\LansweeperUsers:F
- Creator OWNER: Special
- TrustedInstaller: Special

I need to clarify something: if I set the Windows Integrated Authentication's Providers to use NTLM FIRST, the "Ourdomain\LansweeperUsers" can get in using IE with no login prompt (actually IE passes on the credentials using NTLM auth in the background but that's beside the point.)

If I set it to Negotiate (like it was before), it won't let anyone login...

Do I need to set up an SPN for this?

Firefox 7.0.1 doesn't work no matter if it's set to NTLM or Negotiate...

David
Hemoco
Lansweeper Alumni
The upgrade changes no IIS config, it just copies the files into the website folder if you use IIS.

Can you check the file permissions on the website folder? (set them to everyone full control)
positronic_mis
Engaged Sweeper
Setting the Authentication | Windows Authentication | Providers to NTLM first, then Negotiate fixed the problem.

HOWEVER, when I'm logged in as a different user (other than the ones with access defined in web.config) I'm unable to login with correct credentials.

I'm using IE 8.0 in all cases.

David
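
The checks behind the question raised in this thread (Negotiate fails, NTLM first works, "Do I need to set up an SPN?"), as an added example that is not part of the original posts: it reads the site's effective provider order and looks up the SPN that Kerberos would need. The site name, application pool name and host name are placeholders, not values from the thread.

```powershell
# Added example, not from the thread. $site, $pool and $hostFqdn are placeholders.
$site     = 'Lansweeper'              # assumed IIS site name
$pool     = 'Lansweeper'              # assumed application pool name
$hostFqdn = 'server.example.com'      # host name users type into the browser
$appcmd   = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$section  = 'system.webServer/security/authentication/windowsAuthentication'

# Effective Windows Authentication settings for the site, returned by appcmd as XML.
$raw = & $appcmd list config $site "/section:$section"
[xml]$cfg = $raw -join "`n"
$winAuth  = $cfg.'system.webServer'.security.authentication.windowsAuthentication

# Providers are offered to the browser in the order listed here.
$providers = @($winAuth.providers.add | ForEach-Object { $_.value })

# A blank value means the attribute is not set and the schema default applies
# (useKernelMode = true, useAppPoolCredentials = false).
"Windows auth enabled  : $($winAuth.enabled)"
"Provider order        : $($providers -join ', ')"
"useKernelMode         : $($winAuth.useKernelMode)"
"useAppPoolCredentials : $($winAuth.useAppPoolCredentials)"

# The IIS error page points at Kerberos when the pool runs as a custom account.
$identity = & $appcmd list apppool $pool /text:processModel.identityType
"App pool identity     : $identity"

# Negotiate tries Kerberos first. Kerberos needs an SPN for the browsed host name
# on the account that decrypts the ticket: the computer account when kernel-mode
# authentication is on, the pool's custom account when useAppPoolCredentials is true.
# A HOST/<name> SPN on the computer account also covers HTTP.
# setspn -Q lists every account holding the SPN, so a duplicate registration
# (which also breaks Kerberos) shows up as more than one result.
setspn -Q "HTTP/$hostFqdn"
setspn -Q "HOST/$hostFqdn"
```

If the SPN is missing or sits on a different account than the one decrypting the ticket, Kerberos cannot succeed for that host name, which fits the behaviour described above where only NTLM first works.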
