FP2000: Valid Users Cannot Connect to the Web (310757)



The information in this article applies to:

  • Microsoft FrontPage 2000

This article was previously published under Q310757

SYMPTOMS

When you attempt to connect to a FrontPage Web with a valid user account that has been given author or administrator rights, you may be prompted for user credentials three times. You receive an error message similar to the following:

  You are not authorized to perform the current operation.

With the same user account, you can connect to the resources through the Network Neighborhood or through Universal Naming Convention (UNC) paths. You can also access those shares across the network that you have been given permission to access.

CAUSE

This behavior occurs when the valid user account is from a trusted domain. When you authenticate to an intranet Web server in a different domain and Windows NT Challenge/Response (NTLM) is enabled, the browser attempts to authenticate you with the security token that was created when you logged on to your home domain. Although NTLM is a much more secure means of authenticating users, this behavior causes problems with authenticating to a resource on another domain. This issue is commonly referred to as "double-hop" authentication.

The problem with double-hop authentication is that NTLM does not allow a user's rights to be delegated beyond the server they initially log on to. When you log on to your domain, and then attempt to log on to the FrontPage Web on the other domain, the server is unable to pass the credentials to the Web server.

RESOLUTION

To resolve the issue, use either of the following methods.

Method 1: Basic Authentication

  1. Enable Basic Authentication on the Web server.
  2. Give the user or user group the "log on locally" rights to the Web server, as required for Basic Authentication.
  3. If a higher level of security is required, configure Secure Sockets Layer (SSL) on the Web server.

Method 2: Digest Authentication

For additional security over Basic Authentication without using SSL, set up Digest Authentication.

For additional information about Digest Authentication, click the article numbers below to view the articles in the Microsoft Knowledge Base:

291373 FP: Repeated Prompts for User Name and Password

222028 Setting Up Digest Authentication for Use with IIS 5.0
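
Why Method 2 adds security over Method 1 when SSL is not used, shown as an added example that is not part of the original article: a Basic Authentication header decodes straight back to the user name and password, while a Digest response (RFC 2617) is an MD5 hash bound to the server's nonce and to the request. The account name, realm, URI and nonces are constructed sample values.

```python
import base64
import hashlib


def basic_header(user, password):
    """Authorization value a browser sends under Basic Authentication."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def recover_from_basic(header):
    """Decode a Basic header: Base64 is an encoding, so no key is needed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce,
                    nc=None, cnonce=None, qop=None):
    """RFC 2617 Digest 'response' value (no qop, or qop=auth)."""
    if qop not in (None, "auth"):
        raise ValueError("only qop=auth is handled in this example")
    ha1 = _md5_hex(f"{user}:{realm}:{password}")   # secret shared with the server
    ha2 = _md5_hex(f"{method}:{uri}")              # binds the reply to one request
    if qop == "auth":
        return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


if __name__ == "__main__":
    # Constructed sample values, not taken from the article.
    user, password = "TRUSTED\\author1", "Example-Passw0rd"
    header = basic_header(user, password)
    print("Basic on the wire :", header)
    print("Read back         :", recover_from_basic(header))
    for nonce in ("nonce-from-first-401", "nonce-from-second-401"):
        resp = digest_response(user, "intranet", password, "POST",
                               "/example/page.htm", nonce)
        print("Digest on the wire:", resp)
```

Digest keeps the password itself off the wire but does not encrypt the request or the page content; SSL is still what protects those.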

MORE INFORMATION

For additional information on authentication, click the article numbers below to view the articles in the Microsoft Knowledge Base:

264921 How IIS Authenticates Browser Clients

230169 Unable to Open or Create Web Folder for Restricted FrontPage Web


Modification Type: Minor
Last Reviewed: 1/7/2006
Keywords: kbprb KB310757