Re: CompanyWeb - Password Dialogue Box in Terminal Server only



Hi Alan,

Thanks for your update.

Based on the information you provided, we can conclude that the problem
lies in the security settings of IE. For the current situation, let us
perform the following tests to further isolate the issue.

I. Let us change back the setting "Zone to Site Assignment List" from
option "Enable" to option "Not configured" on the group policy you have
configured.

II. Configure trusted sites and security settings of IE using policy
setting "Security Zones and Content Ratings". Generally we use the policy
"Security Zones and Content Ratings" to configure trusted sites and
security settings of IE rather than the policy "Zone to Site Assignment
List", since we can configure more settings of IE using the policy. I
suggest that you do as follows:

1. Open the default domain policy in Group Policy Object Editor, locate the
"Security Zones and Content Ratings" policy in User Configuration\Windows
Settings\Internet Explorer Maintenance\Security policy, select the "Import
the current security zone settings", and then click the "Modify Settings"
button to add sites to the trusted sites. And also you can configure other
settings here as you need.

2. If you want to prevent users from modifying the security zones
configuration, you can enable the "Security Zones: Do not allow users to
add/delete sites" (Computer Settings\Administrative Templates\Windows
Components\Internet Explorer).

III. After you edit the group policy settings, please run the command
"gpupdate /force" (no quotation marks) on the server box and all client
computers, including the TS server, for the changes to take effect. If the
policy still cannot be applied, you need to log on to the computers again
to apply the policy.

IV. Please log on to the terminal server with a domain admin account and
open IE to check if the policy is applied to the TS server. If yes, please
log on to one XP workstation with the problematic user account, set up an
RDP session to the TS server, and open IE to check if the IE policy is
still applied in the RDP session. If yes, please try to access the
companyweb site to check if the issue is resolved.

Note: If the "Security Zones and Content Ratings" policy cannot be applied
on the TS server properly, we need to separate the policy application issue
from the companyweb access issue. Let us perform the test as follows:

a. On the TS server, open IE, then manually add the companyweb site to
the trusted sites of IE.

b. Log on to one XP workstation and set up an RDP session to the TS server
with the problematic user account, then please try to access the companyweb
site. What is the result? If there are no trusted sites listed in IE in the
RDP session, please try to manually add it and then test the issue again
and let me know the result.

If the policy still cannot be applied to the TS server, please kindly help
me collect some information for analysis:

1. Please help me collect the GPO policy report.

You can locate the domain policy in Group Policy Management console, right
click the policy to choose Save Reports.. item to save the policy report.
Please mail them to my working mailbox: v-yanniw@xxxxxxxxxxxxxx

2. On the SBS server, click Start -> Run, type in "gpmc.msc", click OK.
Right-click Group Policy Results and click Group Policy Results Wizard...,
click Next, select "Another computer", type the name of the TS server and
click Next. Select "Select a specific user" and then select one problematic
user, click Next. Follow the instructions to generate a group policy result
report, right-click the report and click Save Report. Then send it to me at
v-yanniw@xxxxxxxxxxxxxx

3. Install the GPMC tool on the TS server and then log off the domain admin
user. Then set up an RDP connection from one XP workstation with one domain
user account. Launch the GPMC tool to recreate a Group Policy result by
choosing "This Computer", "Current User". Also mail the report to me.

You can download the tool and get more information at the following link:
http://www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx

I appreciate your time. I am glad to help :-).

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
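
Added example (not part of Jenny's or Alan's posts): a PowerShell check, run inside the RDP session as the affected user, of whether the "Site to Zone Assignment List" entries discussed in this thread reached that session. It assumes PowerShell is installed on the terminal server; $expected and the message wording are illustrative, and the two registry paths are where Windows stores this policy for the user and for the computer.

```powershell
# Added example, not from the original thread.
# Zone numbers used by the Site to Zone Assignment List policy.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$expected  = 'companyweb'   # assumption: site name taken from the thread

# User-side and computer-side storage of the same policy list.
$policyKeys = @(
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

$found = @(foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }        # policy not delivered to this hive
    $item = Get-Item $key
    foreach ($site in $item.GetValueNames()) {
        if (-not $site) { continue }               # skip the unnamed default value
        $raw  = $item.GetValue($site)
        $zone = $raw -as [int]                     # $null if the data is not numeric
        $name = if ($zone -ne $null -and $zoneNames.ContainsKey($zone)) {
                    $zoneNames[$zone]
                } else { "unrecognised ($raw)" }
        New-Object PSObject -Property @{
            Hive = $key.Substring(0, 4); Site = $site; Zone = $zone; ZoneName = $name
        }
    }
})

if ($found.Count -eq 0) {
    'No Site to Zone Assignment List entries are present in this session.'
} else {
    $found | Format-Table Hive, Site, Zone, ZoneName -AutoSize
    $hit = @($found | Where-Object { $_.Site -like "*$expected*" })
    if ($hit.Count -eq 0) { "No entry mentions '$expected'." }
    foreach ($h in $hit) {
        if ($h.Zone -ne 2) {
            "'$($h.Site)' is mapped to zone $($h.Zone), not Trusted sites (2)."
        }
    }
}
```

Run it in both a domain admin session and the affected user's RDP session and compare the output.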

--------------------
From: "Alan" <alan@xxxxxxxxx>
References: <eILaLe9nGHA.4736@xxxxxxxxxxxxxxxxxxxx>
<SiekomMoGHA.4632@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re: CompanyWeb - Password Dialogue Box in Terminal Server only
Date: Tue, 11 Jul 2006 23:07:57 +1200
Message-ID: <OI6QLpNpGHA.3820@xxxxxxxxxxxxxxxxxxxx>
Newsgroups: microsoft.public.windows.server.sbs


Hi Jenny,

I have answered inline below:

""Jenny wu [MSFT]"" <v-yanniw@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:SiekomMoGHA.4632@xxxxxxxxxxxxxxxxxxxxxxxx
Hi Alan,

Thanks for posting here.

Before we go any further, please kindly help me collect some information
to isolate the issue so that it can be resolved in a more efficient manner.

1. First, can I confirm with you where users set up an RDP session? Does
the user log on locally to his/her XP workstation and set up an RDP session
to the terminal server, or does the user log on locally to the terminal
server and set up an RDP session to his/her workstation to view the
companyweb site?


They are logged onto their own workstation, and then creating a RD
session on the TS.


2. When the RDP session is set up, please open IE and click Tools->Internet
Options->Security, highlight Local intranet and choose the Custom level
button to open its properties page. What option is checked under User
Authentication- Logon? By default, the option "Automatic logon only in
Intranet zone" is checked. And the Reset custom settings is Medium-low. If
not, please verify it and then re-open IE to see what the result is.
And also please try to check the option "Automatic logon with current user
name and password" to see if it helps.


User Authentication- Logon = "Automatic logon only in Intranet zone"

I hit reset to Medium-Low but no access to CompanyWeb.

I also changed it to "Automatic logon with current user name and
password" and still no access to CompanyWeb.


3. Have you added the companyweb site or internal web sites to trusted
sites in IE? If yes, please also check the User Authentication setting. By
default, the option "Automatic logon with current user name and password"
is checked. If not, please verify it and re-open IE to test again.


We have locked down the ability to add sites to the trusted site zone
using GPO.

Interestingly, when I checked the trusted sites within the RD session
on the TS, none of the sites listed in GPO were shown (the list was
empty). The GPO used is:

Administrative Templates\Windows Components\Internet Explorer\Internet
Control Panel\Security Page\Site to Zone Assignment List

HTTP:\\CompanyWeb is listed in there along with two other sites and
they all have a value of '2' which should be trusted zone. This comes
through properly on the workstations for all domain users (except
domain admins).

This appears to be the problem? If so, then why is the GPO not being
applied to the TS session? Is there a separate GPO that I have to
apply?


4. What credentials does the user input to set up the RDP session? Do the
user name and password have permission to view the companyweb site?


Yes - I have confirmed that from their normal workstation. They can
see the CompanyWeb site from there with the same username / password
authentication.


5. Please try to open the companyweb site on the terminal server, what is
the result?


Do you mean from a console session logged onto the TS as Domain Admin
(no other users can log onto the console directly)?

If so, I can access the CompanyWeb site under that situation, and also
if I create a Remote Desktop session to the TS as the Domain Admin I
can also access the CompanyWeb site.



It seems likely that the issue is in point 3 above?

Thanks,

Alan.
--

The views expressed are my own, and not those of my employer or anyone
else associated with me.

My current valid email address is:

1bupdvc02@xxxxxxxxxxxxxx

This is valid as is. It is not munged, or altered at all.

It will be valid for AT LEAST one month from the date of this post.

If you are trying to contact me after that time,
it MAY still be valid, but may also have been
deactivated due to spam. If so, and you want
to contact me by email, try searching for a
more recent post by me to find my current
email address.

The following is a (probably!) totally unique
and meaningless string of characters that you
can use to find posts by me in a search engine:

ewygchvboocno43vb674b6nq46tvb






