Integrated Windows Authentication - Networking

I'm having a mare trying to get more info anywhere on the web.
I have an Intranet based web app running on latest version of IIS with .NET & SQL Server 2000 (on different boxes) using Integrated Windows Authentication (the IIS is trusted to the SQL Server box)
It runs fine on IE v6 provided the Enable Integrated Windows Authentication checkbox is ticked.
However on the XDA using Pocket IE (ROM 3.17.03 ENG) it gives Login failed for user 'NT AUTHORITY \ANONYMOUS LOGON' which usually means no Integrated Windows Authentication.
I can't find any docos on whether Integrated Windows Authentication is supported in Pocket PC 2002 - has anyone else come across this or got any pointers they could help me with?

As far as I know, Integrated Windows Authentication means that IIS will use the user's Windows login to authenticate the user. This is normally using your DomainName\Username for windows. When you are on your xda, you are not authenticated by Windows as the xda is not on the domain and you are logging into "Windows" using the same DomainName\Username on your xda. Try changing the IIS setting to use simple authentication so that users are prompted for a username and password to access the website.
I hope this helps

Thanks Illwil.
I can't allow simple authentication on the IIS as it will then screw the security for PC users (ie 99%)
I'm already logging onto the Domain via a dial up connection so it should all be OK
I think it's something to do with Pocket IE declaring itself as IE version 4 to the Web Server rather than as Pocket IE
IE v4 doesn't support NTLM authentication (ie Windows Integrated Authentication) whereas I think Pocket IE should.
Also I've got 2002 which means that ByPass proxy server for local sites is automatic so it's not that.
Still scrabbling - any help still gratefully received!

An answer after 3 months!
Bit of a dull one I know but just in case anyone was interested (!) I've used some mobile web forms instead of normal web forms - they only support ObjectList as opposed to DataGrid but seem to allow the windows integrated security to work.
Thanks to anyone that gave this some thought.


Universal can't connect to Windows Server 2003 - solved

I have a Universal in german from T-Mobile Austria and a BlueAngel also from T-Mobile Austria. As we all know the Universal has the new OS Windows Mobile 5.0, the BlueAngel has Windows Mobile 2003.
So and there is a BIG difference between these two OS (OR A BIG BUG, I don't know).
The problem is: With the file-explorer (or Total Commander 2.0, which I prefer) you can connect with WLAN to a share on a computer. Enter the UNC-path under path in the file-explorer, the device asks for a login and it works. So it is under Windows Mobile 2003 with the BlueAngel. And it doesn't matter to which computer I will connect: to my server with Windows Server 2003 or to my workstation with Windows XP. I enter my domain account and it works.
On the Universal it doesn't work when I will connect to my server with Windows Server 2003. It's absolutely impossible to connect to a share on my server. BUT I CAN connect to a share on my workstation with Windows XP WITH MY DOMAIN ACCOUNT. So what I see in the moment: The NTLM-authentication works because I can connect to any Windows XP with a domain account, but the connection to a share on a server with Windows Server 2003 fails. And this only with the Universal, because in the same time with my BlueAngel it works.
My question is: Has somebody the same ugly problem or maybe I do something wrong, I don't know.
And that's the reason why I can't change my device in this moment and why I love my BlueAngel.
Best regards, Peter
I too have this issue, I can map to xp shares no probs but win2003server shares just loops on the password screen.
big issue for me this
w2k3 issues
I had the same issues on w2k3-server before installing the latest updates.
After new W2K3 installation and newest updates: no problems.
The problem could be active directory.
Have a look to "NetBIOS over IP" at IP-settings. Resco Explorer can't map UNCs, only NetBIOS-names, it's my monitoring.
Greetings, Gerd Dubrand
that doesn't fix the problem, just tried it, it worked fine on my BA but not on JJ.
I also cannot connect to my Win2003 server via jasjar, but I can connect to my win2000 advanced server. Win2003 server is sbs2003 with all updates applied. Can connect to both via my pda2k. Interesting?
Is the server a DC? You may need to disable the 'Microsoft network server: Digitally sign communications (always)' setting in the default DC GPO - This is enabled by default for DC's and can cause issues when talking to downlevel clients (I've had this problem with samba clients).
It may also be set in the local security policy.
But then again this might not be anything to do with it...
Anything in the logs on the server?
Thank you for your samba server and your idea, tintoy. Your hint works!
For all others again the solution:
On a Windows Server 2003 domain controller you have to disable 'Microsoft network server: Digitally sign communications (always)'. I haven't this done by Active Directory, I have this done by 'Security settings for domain controller' -> 'Security Options' in 'Management'.
Note: Please excuse when I don't have used the correct names, because I have only a german version of the Windows Server 2003 and I don't know the exact names of the program groups of the english version. But I hope you know, what I mean.
Thank you again tintoy, this problem is solved!
See you all again here,
I confirm this,
network server: Digitally sign communications (always)
change to disabled in the Default Domain Controller Security Settings.
This has just made my day. Odd how wm5 is apparently newer but doesn't quite work out the box like wm2003 did
np ;-)
Exchange 2003 not connect with mobile 6.1
Someone can write a detailed description ? I have the same problem.
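
Added illustration (not code from any poster in this thread): what the 'Digitally sign communications (always)' policy looks like on the wire. In an SMB1 negotiate response the server advertises its signing posture in the SecurityMode byte, and the policy sets the signatures-required bit (0x08); a client that does not sign cannot satisfy it. The sample messages are constructed, `build_sample` and `client_can_connect` are hypothetical helper names, and the assumption that the Windows Mobile 5 client does not sign is inferred from the fix reported above.

```python
import struct

HEADER_LEN = 32                 # fixed SMB1 header size
SMB_COM_NEGOTIATE = 0x72
FLAGS_REPLY = 0x80              # set on server-to-client messages
SIGNATURES_ENABLED = 0x04       # SecurityMode: server can sign
SIGNATURES_REQUIRED = 0x08      # SecurityMode: server insists on signing


def parse_signing_mode(msg: bytes) -> dict:
    """Read the signing bits from an SMB1 (NT LM 0.12) negotiate response."""
    if len(msg) < HEADER_LEN + 4 or msg[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    command, status, flags = struct.unpack_from("<BIB", msg, 4)
    if command != SMB_COM_NEGOTIATE or not flags & FLAGS_REPLY:
        raise ValueError("not a negotiate response")
    if status != 0:
        raise ValueError(f"server returned status 0x{status:08x}")
    if msg[HEADER_LEN] != 17:   # WordCount for the NT LM 0.12 dialect
        raise ValueError("unexpected WordCount; not an NT LM 0.12 response")
    # Parameter block: DialectIndex (2 bytes), then SecurityMode (1 byte).
    _dialect, mode = struct.unpack_from("<HB", msg, HEADER_LEN + 1)
    return {
        "security_mode": mode,
        "signing_enabled": bool(mode & SIGNATURES_ENABLED),
        "signing_required": bool(mode & SIGNATURES_REQUIRED),
    }


def client_can_connect(server: dict, client_signs: bool) -> bool:
    """A session is only possible if the client can meet a signing requirement."""
    return client_signs or not server["signing_required"]


def build_sample(security_mode: int) -> bytes:
    """Constructed negotiate response for the demo (hypothetical helper)."""
    header = struct.pack("<4sBIBH", b"\xffSMB", SMB_COM_NEGOTIATE, 0,
                         FLAGS_REPLY, 0) + bytes(20)
    params = struct.pack("<HB", 0, security_mode) + bytes(31)  # 17 words
    return header + bytes([17]) + params + struct.pack("<H", 0)


if __name__ == "__main__":
    samples = {  # constructed SecurityMode values, not captured traffic
        "DC with 'Digitally sign (always)' enabled": build_sample(0x0F),
        "same DC with the policy disabled": build_sample(0x07),
        "workstation share": build_sample(0x03),
    }
    for name, msg in samples.items():
        info = parse_signing_mode(msg)
        ok = client_can_connect(info, client_signs=False)
        print(f"{name}: mode=0x{info['security_mode']:02x} "
              f"required={info['signing_required']} non-signing client ok={ok}")
```

Running the same parse against a capture of each server's negotiate response shows which hosts still require signing, so the policy change can be confined to the servers the handhelds actually use.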

activesync 4.1 and exchange server 2003

I'm trying to synchronize with the exchange server at my work.
But for some reason it doesn't work. I've filled in everything in the right way (address, domain etc.) the fault code is 80070002.
Can somebody help me with this?
same here at home (no firewalls)
Works fine for me. Exchange server needs just some configuration.
Priit said:
Works fine for me. Exchange server needs just some configuration.
What kind of configuration?
First, your Outlook Web Access (yes, OWA!) can not use forms based authentication nor SSL encryption. If you do want to use these (you most probably want to use SSL) then you need to create another virtual OWA directory without SSL and force ActiveSync (and Outlook Mobile Access) to use it.
More information at;en-us;817379
Check if you can access OMA (Outlook Mobile Access) using http://yourserver/oma and check also Exchange server logs.
I thought this wasn't supported on WM5 until AKU 2.0 comes out (hopefully soon)
So you're saying I have to turn Forms authentication off and ssl off on OWA for my mobile device to work ?
sounds a bit of a poor show.
I need Forms based auth ideally as it goes through firewalls whereas the other type does not.
Ours works here and we use SSL.
For the server name make sure you are using the fully qualified domain name that you use from the internet. IE: You don't have to put the /exchange on the end.
username, password and domain are all the same as what you use to log in.
OH, and the certificate you use on the server should be for and not servername.
Hope this helps.
@spartanrob: DirectPush needs AKU2.0. You have always had possibility to sync manually. Or if your operator provides e-mail to SMS then you have the same functionality already today.
No, I'm not saying you have to turn off SSL and/or forms-based auth., but you need to create another virtual OWA directory, which does not require SSL and forms-based authentication. You can limit access to this directory to localhost only so there will be no security concerns.
Your server is probably set up in that way.
Please go read this it helped me with the same error
Basically says that you have to download the cert from then install the certificate on your desktop and your handheld then activesync will work....
I was hesitant but it worked for me.... it changed the path in the cert from my ip to my

activesync server sync help!!!!

Hi guys,
Right, I have an XDA exec and an XDA mini, one's for work, one's for personal use.
I've set up an exchange server at home for the mini however it has to listen on port 8080 (the web outlook frontend).
However I'm trying to connect the activesync client to this via address:8080 in the server field on the device but it doesn't seem to work
I can obviously access the site via 8080 on http but not via activesync. I've tried this on both the XDA MINI and the XDA EXEC and neither can access the server and I can't move the ports.
does the client support ports?
can you override them?
Activesync works by default over port 80 (non-secure) and 443 (secure) only. There may be a reg hack but I am unaware of one. If your cable or phone company is blocking port 80 just install a certificate (which you REALLY should be using anyway) and connect over 443 using SSL.
this is the problem, both ports 80 and 443 are taken up already by an apache web server.
I have exchange running under a virtual machine on the linux server. The windows 2003 box integrates with the existing mail sub system giving me access to the pop3 and smtp service on the linux side of things so it's transparent.
So apache runs on both port 80 and 443 so I can't bind anything to them.
I was looking into a reg hack if there was one.
If I find anything I'll post it but until then I have the same problem...which is a real annoyance!
the other thing is that the server I'm working with is only allowing port 8080 to be directed to it. Does activesync use any other port for the sync via web? As that might be the other problem.
right I've found a partial solution.
What I've done is use mod_proxy as part of the apache2 stuff to do a reverse proxy to the server over a virtual host on the system...
so all traffic for the virtual domain goes to which is the server behind the firewall (which just happens to be a bridged virtual machine).
That means now I can access exchange web via http on port 80 so active sync now connects to it.
unfortunately the crap thing is now active sync constantly asks for a username and password all the time and doesn't sync. So I'm guessing it can see the server but not get any further...
so does anyone know if active sync needs access to any other ports as I can forward them much easily through the firewall.
help and thoughts please .
right that did it...
two things..I'd made a mistake in the domain name on active sync and added an E into the domain name where I should have!
also because I'd promoted the VM to a Domain Controller after installing IIS etc I had to re-register the ASP.NET framework so OMA worked.
I now have push mail working on linux out of a VM whilst apache is running on the same box
Can I challenge you to document your setup and post it on a new thread for others to learn from?
yeah I'll do that, currently however I've been having a bit of a war with the SSL setup as the first pass was "open communications"
I've hit a snag where access to OWA works for everything bar for internet explorer. I think I know the problem and have a solution so once I've tried that I'll document it and get it up here.
I do have reversed proxy SSL working to exchange though so now everything is secure and I can access OWA via firefox so again that's cool.
The I.E thing I'm certain is an issue with the actual app and that when it detects I.E it tries to be all clever but unfortunately the domains don't match atm so it's to and because of the domain name difference it's getting a little twitchy.
there's three solutions, re-install everything from scratch (fat chance).
try to convert the active directory domain to the one that matches foo (have you READ the documentation!....80 odd pages or something). Or change the https domain name on apache and redo the certificate (nice and easy but I'll do it tuesday).
once I can get it working seamlessly I'll do the docus

Exchange Server Push Email Setup - Stuck at Password Prompt

Hi all,
I am new to the HTC (just got one this week), and would love to get push email working from my Exchange 2003 server.
I have used the reg hack to stop WM5 from requiring a valid SSL cert, and installed my Exchange 2003 server's SSL certificate on my device.
However, when I try to connect, the device keeps prompting me for my password, and does not accept it when I enter it.
I have seen this on other forums, but never seen a solution to it. I would be very grateful for any advice.
Great site btw!
first of all .. you don't need a reghack to get ssl working..
just look at this site.. for your server..
follow these steps.. remember.. if your server is avalible under name your ssl certificate:
After this go to install the certificate in your IE on your pc..
then in IE tools -- options --- content --certificates -- trusted..
find your certificate and export this on your desktop. now with active sync transport your certificate to your mobile and install it, just with clicking on it.
Now the problem that you have is the auth part on your IIS on microsoft-active-sync virtual directory..
On the default directory set plain, ntlm, and windows integrated auth options on..
on the microsoft-active-sync only the plain text and ntlm.
If this won't work play around with auth settings on microsoft-active-sync virtual dir.. trial and error.. but somewhere there is your answer and your problem.
IMPORTANT turn off : require secure channel (ssl) on your server
Windows mobile cannot work with that
Yeah SSL needs to be enabled and setup on the exchange server. Also check your user policies to make sure they are set up correctly. We set up exchange systems daily at work and the most common problem we see is someone has messed up their policies in exchange.
Thanks for the replies
I have had another crack, but am now getting an error on Activesync when sync'ing:
Support Code: 0x85010014
I am not sure what this points to....
I am still a little confused with my IIS6 authentication settings.
My "Exchange" vdir is set to Integrated and Basic authentication.
My "Microsoft-Server-Activesync" app is set to basic only.
My "OMA" app is set to basic only.
The "Exchange" vdir is the only one set to require ssl connections.
Thanks again for your time.
Fixed it! Followed this guide from Microsoft that helps create an oma directory especially for use by Activesync without using SSL:

Opera and NTLM support

Hi all,
since a couple of days I have a new HD2 and it's fantastic!
On my old Diamond I was able to enable the NTLM support in Network section of Opera config file but, with a big surprise, in the current configuration (on HD2) the NTLM is missing (in the Network section and other of configuration file).
Since I need authentication for ISA proxy (via NTLM) on company intranet (my connection is through dedicated APN that link directly on company intranet) I can't use Opera on my HD.
Any suggestion or workaround?
IE works correctly but doesn't support multi touch zoom so I would like to use Opera.
The previous version of Opera installed on Diamond (last italian official ROM) works perfectly.
Thanks all!!
I'm interested in this too (just bookmarking the page really).
I use IE as Opera doesn't work, but would rather use Opera. I browse private folders via IIS and don't have the opportunity to log in with Opera.
johncmolyneux said:
I'm interested in this too (just bookmarking the page really).
I use IE as Opera doesn't work, but would rather use Opera. I browse private folders via IIS and don't have the opportunity to log in with Opera.
Doing the same (bookmarking), just for fun I tried to check some webapps on my corporate Intranet set up with IIS integrated authentication and it worked perfectly with IE. I didn't try with Opera. Will do on monday and see if I can come up with a solution
pat12 said:
Doing the same (bookmarking), just for fun I tried to check some webapps on my corporate Intranet set up with IIS integrated authentication and it worked perfectly with IE. I didn't try with Opera. Will do on monday and see if I can come up with a solution
Opera doesn't offer a dialog to enter domain authentication. It just says "the server requested a login authentication method that is not supported."
It seems pretty sure of itself
I'm not entirely happy about this, but there appears to be a workround...
Doesn't help if you don't have admin rights on the server, of course.
You are right on both accounts! It IS very sure of itself. As MS would say, this is not a bug, this is a feature or this is by design.
As for the workaround, I hadn't seen your post until now and being sysadmin for a lot of IIS servers, I thought about the same solution, tested and it works. I came back here to report about it but you beat me to the post by almost 48 hours -
Anyway, it's not a good solution and not everybody with a HD2 has admin rights on the IIS servers of his company.
So we are stuck with IE until maybe a new version of Opera mobile. After all, Opera on desktops supports it (sort of...)
Ok, thanks for support.
What sounds strange to me, is that Opera installed on my old Diamond implement the NTLM authentication and the version on HD2 (newer) not at all. Moreover I installed the Opera 10 beta and, in this version also, the NTLM support is missing (I don't find it in the configuration file).
Why they removed it?

