Users are repeatedly prompted to provide their credentials when they access a Web site (886996)


The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2004, Standard Edition

SYMPTOMS

If users visit a Web site that requires authentication, they may be repeatedly prompted to provide their credentials. This symptom occurs even after the users type valid credentials.

CAUSE

This issue occurs if either of the following conditions are true:
  • The published Web server requires Kerberos authentication.
  • The published Web server and the Microsoft Internet Security and Acceleration (ISA) Server 2004-based computer both have Windows integrated authentication enabled, and both require authentication.

    This condition may occur in a reverse scenario where ISA Server uses the same HTTP headers for authentication that are used by the Web server. When a user accesses ISA Server, they are prompted for credentials. After ISA Server accepts the credentials, ISA Server forwards the request without the credentials to the published Web site. This causes the Web site to also prompt the user for authentication. These multiple authentication requests cause the Web browser to interpret that the credentials are incorrect. Therefore, the user is prompted again for credentials. Users may be prompted to type credentials many times if the Web browser opens several connections.

RESOLUTION

To resolve this issue, use one of the following methods.

Method 1

Enable NTLM authentication only or enable both Kerberos and NTLM authentication on the published Web site and then publish the Web server in ISA Server.

For additional information about how to do this, click the following article numbers to view the articles in the Microsoft Knowledge Base:

324274 How to configure IIS Web site authentication in Windows Server 2003

215383 How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication

For additional information about how to publish Web servers in ISA Server, visit the following Microsoft Web site:

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/publishingwebservers.mspx

Method 2

Enable only Basic authentication on both the published Web site and on the corresponding Web listener on the ISA Server computer. To do this, follow these steps:
  1. Enable only Basic authentication on the published Web site.
  2. Enable only Basic authentication on the corresponding Web listener in ISA Server. To do this, follow these steps:
    1. Start the ISA Server Management tool.
    2. Expand the ISA Server-based computer node, and then click Firewall Policy.
    3. In the Details pane, click the corresponding Web publishing rule.
    4. On the Tasks tab, click Edit Selected Rule.
    5. On the Listener tab, click the Web listener, and then click Properties.
    6. On the Preferences tab, click Authentication, click to select the Basic check box, and then click OK three times.

      Note Click Yes if you receive a message that states that passwords will be sent without data encryption.
  3. Enable Basic Delegation on the corresponding Web publishing rule on the ISA Server computer. To do this, follow these steps:
    1. Start the ISA Server Management tool if it is not already started.
    2. Expand the ISA Server-based computer node, and then click Firewall Policy.
    3. In the Details pane, click the corresponding Web publishing rule.
    4. On the Tasks tab, click Edit Selected Rule.
    5. On the Users tab, click to select the Forward Basic authentication credentials (Basic delegation) check box, and then click OK.
Note Because user credentials are sent by plain text in basic authentication, we recommend that you create a secure Web publishing rule in ISA Server to help make traffic more secure. For additional information, see the "Secure Web Publishing rules" topic in the ISA Server Help documentation.
Modification Type:MinorLast Reviewed:4/26/2006
Keywords:kbFirewall kbhowto kbprb KB886996 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.