When attempting to access pages through the EnterpriseVault Virtual Directory, users are prompted for authentication even if Integrated Windows Authentication (IWA) is selected.

Article: 100030535
Last Published: 2021-09-29
Product(s): Enterprise Vault

Problem

With Integrated Windows Authentication (formerly called NTLM, and also known as Windows NT Challenge/Response authentication), the user name and password (credentials) are hashed before being sent across the network. When Integrated Windows Authentication is enabled, the client browser proves its knowledge of the password through a cryptographic exchange with the Web server (Enterprise Vault Default Web Site), involving hashing.

Cause

There are a number of possible causes. The following are several common scenarios in which a user is prompted for credentials when accessing a web page via the \EnterpriseVault Virtual Directory on the Enterprise Vault Server:

Solution

Scenario 1 - Incorrect authentication cached
Windows can be set to provide an option to 'Remember Password'.
This is commonly accessible through:
Start - Settings - Control Panel - Stored User Names and Passwords

Solution:
Remove the invalid entry from Stored User Names and Passwords.

Scenario 2 - Permissions lock-down to the Enterprise Vault\Webapp directory
Even though IIS (Internet Information Services) has the web page set to pass the credentials, the user still needs folder/file permissions on the directory.
On the Enterprise Vault server, the EnterpriseVault Virtual Directory in IIS connects to \Program Files\Enterprise Vault\Webapp.

Solution:
Confirm the user/group in question has read and read & execute permissions to the Webapp folder.

Note: It is common to have Everyone or Domain Users with Full Control in the folder security.

Scenario 3 - Additional security lock-down through Internet Explorer (IE)
Internet Explorer Enhanced Security Configuration
Internet Explorer Enhanced Security Configuration places your server and Microsoft Internet Explorer in a configuration that decreases the exposure of your server to potential attacks that can occur through Web content and application scripts. As a result, some Web sites may not display or perform as expected.

For details on this functionality, please see the following article from Microsoft:

https://technet2.microsoft.com/WindowsServer/en/library/910d7a79-fd6f-447e-9bb1-bc9e57d54ec41033.mspx?mfr=true
Internet Explorer Enhanced Security Configuration

Solution:
1. Disable Internet Explorer Enhanced Security Configuration for Administrators (and for Users if necessary).

2. Open Control Panel - Add/Remove Programs - Windows Components.

3. Select Internet Explorer Enhanced Security Configuration:

4. Deselect "For Administrators Groups"

Scenario 4 - The DNS Alias is not listed under IE (Internet Explorer) Security - Local Intranet
If the Enterprise Vault Server (Computer name or DNS Alias) is not listed in IE as a Trusted Site or Local Intranet, IE will request authentication before opening the requested page.

Solution:
1. Add the http path(s) of the Enterprise Vault server to the Trusted Sites list in the Internet Explorer installation from which the request is made.

2. Open IE - Tools - Internet Options - Security - Local Intranet - Sites

3. Add the Enterprise Vault server names to the sites list.

Note: This can also be set 'globally' to the  within the Mailbox Archiving Policy, under Advanced - List setting from: "Outlook" (or "Desktop") - Add server to Intranet Zone

Scenario 5 - Accessing Archive Explorer or Search Archives Externally through OWA 2007
If Archive Explorer or Search Archives is accessed externally through OWA 2007, being prompted for authentication is expected behavior: the user is redirected from the OWA Server directly to the Enterprise Vault server, and there is no domain certificate because the user's computer is not currently connected to the Domain.

 

 
Scenario 6 - User Authentication in trusted sites is not set in automatic logon with current username and password
If 'User Authentication' within the 'Trusted Sites' or 'Local Intranet' zone that contains the Enterprise Vault Servers is not set for automatic logon with current username and password, users will be prompted for authentication.
 
Solution:
1. Open IE - Tools - Internet Options - Security - 'Local Intranet' or 'Trusted Sites'
 
2. Choose 'Custom Level...'
 
3. Scroll to the last section, 'User Authentication', and ensure that 'Automatic logon with current username and password' or 'Automatic logon only in Intranet zone' (if selecting in the 'Intranet zone') is selected.
 
4. Select 'OK' twice, close and reopen Internet Explorer and retry the request
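
A read-only PowerShell check for Scenarios 4 and 6, added here as an illustration and not taken from this article: it reports the 'User Authentication' logon mode stored for the Local Intranet and Trusted Sites zones and any per-user zone mapping for the server. The host name `evserver.example.com` is a placeholder, and the script assumes it is run as the affected user on the client computer.

```powershell
# Added example: read-only check of the IE zone settings behind Scenarios 4 and 6.
# $EvHost is a placeholder for the Enterprise Vault server name or DNS alias.
param([string]$EvHost = 'evserver.example.com')

$inet  = 'Microsoft\Windows\CurrentVersion\Internet Settings'
$roots = "HKLM:\Software\Policies\$inet", "HKCU:\Software\Policies\$inet", "HKCU:\Software\$inet"
$zoneNames  = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites' }
# Values of URL action 1A00 (User Authentication - Logon)
$logonModes = @{
    0x00000 = 'Automatic logon with current username and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

# Scenario 6: logon mode per zone. A value under a Policies key overrides the per-user one.
$modes = foreach ($zone in 1, 2) {
    foreach ($root in $roots) {
        $p = Get-ItemProperty -Path "$root\Zones\$zone" -Name '1A00' -ErrorAction SilentlyContinue
        if ($null -ne $p) {
            [pscustomobject]@{ Check = 'Logon mode'; Zone = $zoneNames[$zone]
                               Source = $root; Detail = $logonModes[[int]$p.'1A00'] }
        }
    }
}

# Scenario 4: per-user site-to-zone mappings that match the server name.
# Keys are stored as Domains\<domain>\<host>, so the path is reversed to rebuild the name.
$mapRoot = "HKCU:\Software\$inet\ZoneMap\Domains"
$maps = Get-ChildItem -Path $mapRoot -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    [string[]]$parts = ($_.Name -replace '^.*\\ZoneMap\\Domains\\', '') -split '\\'
    [array]::Reverse($parts)
    if (($parts -join '.') -ieq $EvHost) {
        foreach ($scheme in $_.GetValueNames()) {
            $z = [int]$_.GetValue($scheme)
            [pscustomobject]@{ Check = 'Zone mapping'; Zone = "$z $($zoneNames[$z])"
                               Source = $mapRoot; Detail = "$scheme -> $EvHost" }
        }
    }
}
if (-not $maps) {
    $maps = [pscustomobject]@{ Check = 'Zone mapping'; Zone = 'none'
                               Source = $mapRoot; Detail = "no per-user entry for $EvHost" }
}

@($modes) + @($maps) | Format-Table -AutoSize -Wrap
```

A logon mode of 'Automatic logon with current username and password' applies to every site mapped into that zone, so review the zone's site list together with the mode.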
 

 
