Windows Authentication - Chrome vs Internet Explorer

I have an application deployed to IIS 6.1. When I enter my ASP app in Chrome, popup windows appear and I enter username and password to log into my app successfully. But when I login via Internet Explorer, I can't pass authentication. What could cause such behavior?

Since the article linked by Xhalent shows a 404 now, I dug through Archive.org and found a version back from 2009.

I don't know how long this Archive.org version stays stable, so I'm quoting the article here:


Enabling NTLM Authentication in Firefox and Internet Explorer

This tip is useful for organizations who are standardized on Microsoft technologies (Active Directory, IIS, and ASP.NET) and need to provide minimal-intrusion authentication for their internal web applications. I was stumped for a long time on this one. Here's the scenario:

All of my ASP.NET applications - at this point - are internal to the organization that I work for. We are a strictly Microsoft shop, and, because of this, I always leverage Active Directory in every way possible. Well, this is great from my (a developer's) perspective, as it means that I don't have to build and maintain a login system. However, I recently started getting feedback from users across the country saying that they were being challenged with a login screen when they accessed the applications. This was okay, as they could still get in using their Active Directory accounts, but sometimes they had to append the domain to the beginning of their name, and it all became kind of a pain.

We are a diverse organization, in that we have many different network configurations. Some of our users are on high-quality T1 connections, while others are still on intermittent - at best - connections. Because of this disparity, I initially blamed the login problem on different network configurations (firewalls, distance to domain controller, etc.), but after doing a bit more research I found that the problem was actually browser related.

By the way, the Internet Explorer setting can also be implemented via group policy (thanks to Chris, James, and Marilyn for helping me figure this one out). Look in the registry at:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

So, here are the steps you need to take to enable NTLM pass-through authentication in Internet Explorer (6 & 7) and Firefox (2):

Internet Explorer

Note: These instructions apply to both IE 6 and IE 7, although there may be slight differences in the screenshots below.

Note2: For some reason, some of the entries that are added to the Local intranet zone seem to be persistent. You'll delete them in the interface, close all the windows out, come back and they'll reappear. The only way I found to permanently get rid of them was to manually delete the registry entry located at the location cited just above this section.

  1. In Internet Explorer, click on Tools and select Internet Options.

  2. Next, click on the Security tab at the top of the Internet Options window.

  3. Once the contents of the Security tab are displayed, highlight Local intranet and click on the Sites button.

  4. In the Local intranet dialog that pops up, make sure that the last three boxes are checked and click on the Advanced button.

  5. In the next dialog, type the following into the Add this website to the zone text box: "http://www.example.org" (without the quotes) and click on the Add button.

Note: If you'd like to enable Active Directory pass-through authentication for all the sites on a domain, type the following into the Add this website to the zone text box: "http://*.example.org" (without the quotes).

Mozilla Firefox

Note: These instructions have been tested on Firefox 2.0.0.1.

  1. In the address bar of your Firefox browser window, type the following: "about:config" (without the quotes) and press Enter.

  2. In the configuration page that displays, scroll down to the following entry: "network.automatic-ntlm-auth.trusted-uris" and double-click on it.

  3. In the Enter string value that pops up, type "http://www.example.org" (without the quotes) into the text box and click OK.

Note: If you'd like to enable Active Directory pass-through authentication for all of the sites on a domain, type the following into the textbox: ".example.org_" (without the quotes).
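
To review which sites the current user has mapped into each zone, the ZoneMap\Domains registry location cited in the quoted article can be listed read-only with PowerShell. This is an added example, not part of the quoted article or of any answer here; the function name Get-ZoneMapEntry and the output column names are made up for illustration, and the Review flag assumes the default zone settings (automatic logon in the Local intranet zone).

```powershell
# Added example: lists the current user's ZoneMap\Domains entries (read-only).
$root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# URL security zone numbers as stored in the registry values.
$zoneNames = @{
    0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
    3 = 'Internet';    4 = 'Restricted sites'
}

function Get-ZoneMapEntry {   # hypothetical helper name
    param([string]$Path = $root)

    if (-not (Test-Path -LiteralPath $Path)) { return }
    $rootName = (Get-Item -LiteralPath $Path).Name

    Get-ChildItem -LiteralPath $Path -Recurse | ForEach-Object {
        $key = $_
        # Keys are stored as Domains\<domain>\<subdomain>; rebuild the host name.
        $parts = @($key.Name.Substring($rootName.Length + 1) -split '\\')
        [array]::Reverse($parts)
        $siteName = $parts -join '.'

        foreach ($protocol in $key.GetValueNames()) {
            $zone = $key.GetValue($protocol)
            if ($zone -isnot [int]) { continue }   # skip non-DWORD values
            [pscustomobject]@{
                Site     = $siteName
                Protocol = $protocol               # 'http', 'https', or '*' for any
                Zone     = $zone
                ZoneName = $zoneNames[$zone]
                # Intranet zone over plain HTTP: with default zone settings the
                # browser logs on automatically and the exchange is not under TLS.
                Review   = ($zone -eq 1 -and $protocol -in 'http', '*')
                KeyPath  = $key.Name
            }
        }
    }
}

Get-ZoneMapEntry | Sort-Object Zone, Site | Format-Table -AutoSize
```

The KeyPath column gives the exact key to inspect when an entry keeps reappearing in the Local intranet list, as Note2 in the quoted article describes.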

I'm not entirely sure exactly what behaviour you're after (you state in a comment that you've enabled anonymous access, however you appear happy with Chrome presenting a challenge response dialog to the user).

The issue is most likely that IE is passing your desktop credentials to the site, but they are being rejected, while Firefox/Chrome are not doing this, hence the challenge response dialogs.

The options are:

  1. Move the site out of the "Local Intranet" zone into (say) the "Trusted Sites" zone:
    1. (For IE8 and below) Tools | Internet Options. (IE9) Click on the Cog Icon | Internet Options.
    2. Switch to "Security" tab.
    3. Click on "Trusted sites" and press the "Sites" button.
    4. Add the Domain to the list - you may need to clear the "Require server verification (https:) for all sites in this zone" and OK.
    5. Back on the Security tab, click the "Custom level..." button, scroll to the end of the Settings list, and make sure that the User Authentication | Logon is set to "Automatic Logon only in Intranet Zone".
  2. Change all Intranet sites to prompt for credentials (I'd advise against this however, because it will cause you pain):
    1. Open the Internet Options dialog as per steps 1.1 and 1.2 above.
    2. Switch to the "Security" tab, and select "Local intranet".
    3. Click on the "Custom level..." button, scroll to the end of the Settings list, and make sure that the User Authentication | Logon is set to "Prompt for user name and password".

You might need to ensure that the deployed site is in the Local Intranet zone in IE. The following post discusses how to configure NTLM for IE and Firefox.

Whether you have anonymous access enabled (which you don't appear to), whether you have integrated security enabled, and which type of authentication you have selected for integrated security. Whether you have integrated security enabled in IE.
