Re: Project Professional/PWA login failures

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: Cindy (athena_at_smart.net)
Date: 06/14/04 

Date: 14 Jun 2004 13:10:38 -0700

In case anyone is interested, here is what this problem was and how it
can be fixed:

IIS 6.0 was configured to use the following NTAuthenticationProviders
(a property in the metabase): Negotiate,NTLM. Some clients (all XP)
were trying to negotiate their authentication method using Windows
Integrated Authentication, and were attempting to get their
credentials confirmed using kerberos. The attempt to get a kerb ticket
was failing (don't know why, didn't investigate further). The client
was not defaulting back to NTLM after the kerb failure. Clients who
worked were using NTLM first, and were authenticating fine. (This all
showed up in a sniffer capture).

There were two fixes possible:

Server method, fixes for everybody - edit the IIS 6.0 metabase to set
the NTAuthenticationProviders parameter to NTLM (was Negotiate,NTLM).
This forces NTLM authenticate for Windows accounts, which everyone
could do. There were no ill effects to this, as far as I know.

Client method, fixes for that person only - In IE > Tools > Internet
Options > Advanced, UNcheck the property Enable Integrated Windows
Authentication, and close/reopen IE.

Hope this helps someone...

Cindy

"C. Fistler" <C. Fistler@discussions.microsoft.com> wrote in message news:<E01BACE9-2C1C-44A6-BF50-6C78A5F41BE2@microsoft.com>...
> Some of our users (not all) cannot seem to connect to either Project Web Access or through Project Professional.
>
> In PWA, they get a DNS error (which actually shows up as a 401 error for lgnint.asp in IIS logs). I've pasted a couple of examples below, including a successful login. The differences are obvious, but I don't know why....
>
> --------EXAMPLE 1(FAILED)--------
> 2004-06-10 14:03:06 <serverIP> GET /projectserver - 443 - <clientIP>
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;
> +.NET+CLR+1.0.3705;+.NET+CLR+1.1.4322) 301 0 0
> 2004-06-10 14:03:06 <serverIP> GET /projectserver/LGNINT.ASP
> - 443 - <clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;
> +.NET+CLR+1.0.3705;+.NET+CLR+1.1.4322) 401 2 0
> --------EXAMPLE 2 (FAILED)--------
> 2004-06-10 15:55:26 <serverIP> GET /projectserver - 443 - <clientIP>
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;
> +Q312461;+.NET+CLR+1.0.3705) 301 0 0
> 2004-06-10 15:55:26 <serverIP> GET /projectserver/LGNINT.ASP - 443 -
> <clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;
> +Q312461;+.NET+CLR+1.0.3705) 401 2 0
> --------EXAMPLE 3 (SUCCESSFUL)----------
> 2004-06-09 19:03:39 <serverIP> GET /projectserver - 443 - <clientIP>
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;
> +Hotbar+4.4.6.0;+.NET+CLR+1.0.3705) 301 0 0
> 2004-06-09 19:03:39 <serverIP> GET /projectserver/LGNINT.ASP - 443 -
> <clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;
> +Hotbar+4.4.6.0;+.NET+CLR+1.0.3705) 401 2 0
> 2004-06-09 19:03:39 <serverIP> GET /projectserver/ - 443 - <clientIP>
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;
> +Hotbar+4.4.6.0;+.NET+CLR+1.0.3705) 401 1 0
> 2004-06-09 19:03:39 <serverIP> GET /projectserver/LGNINT.ASP - 443
> CORP\<login> <clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+
> NT+5.1;+Hotbar+4.4.6.0;+.NET+CLR+1.0.3705) 302 0 0
> 2004-06-09 19:03:39 <serverIP> GET /projectserver/SesStart.asp ref=lgnint.asp
> 443 CORP\<login> <clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;
> +Windows+NT+5.1;+Hotbar+4.4.6.0;+.NET+CLR+1.0.3705) 302 0 0
> --------------------
>
> In Project Professional, they get the following:
>
> --------------------
> Project cannot access the Project Server <our URL>.
>
> Please check the Project Server URL in the Collaborate tab of the Options dialog box (Tools menu). Make sure the server is functioning correctly, and is a valid Project Server.
> -------------------
>
> I suspect this is something to do with their login credentials not being passed to Project Server (notice in the successful IIS log entry, the domain login was eventually passed), but am unable to isolate the error as others are working fine. Any help would be appreciated.
>
> C. Fistler
> athena@smart.net

Relevant Pages

  • Re: Project Professional/PWA login failures
    ... Thanks for posting your solution Cindy. ... "We wrote the book on Project Server ... > were trying to negotiate their authentication method using Windows ... > worked were using NTLM first, ...
    (microsoft.public.project.pro_and_server)
  • Authentication issue
    ... We recently changed the authentication type on the virtual server that hosts ... our Project Server 2003 to basic authentication, we then turned it back to ... integrated (NTLM) authentication; the problem that we have now is that users ...
    (microsoft.public.project.pro_and_server)
  • Authentication issue
    ... We recently changed the authentication type on the virtual server that hosts ... our Project Server 2003 to basic authentication, we then turned it back to ... integrated (NTLM) authentication; the problem that we have now is that users ...
    (microsoft.public.project)
  • RE: ADS Password Storage Protection
    ... In Windows it is LM or NT (sometimes called NTLM) hashes. ... NTLMv2 refers to the authenication protocol that exchanges the hash ... between the client and server authentication database. ...
    (Security-Basics)
  • Re: Integrated Windows Authentication Timeout?
    ... Is it possible that a different host name is being used for one of the subsequent requests that would break Kerberos auth? ... If you have "Negotiate" authentication set in the metabase, then this can still negotiate down to NTLM if for some reason the protocol thinks that Kerberos is unavailable. ... server. ...
    (microsoft.public.dotnet.framework.aspnet.security)