When attempting to access pages through the EnterpriseVault Virtual Directory, users are prompted for authentication even if Integrated Windows Authentication (IWA) is selected.
Problem
With Integrated Windows Authentication (formerly called NTLM, and also known as Windows NT Challenge/Response authentication), the user name and password (credentials) are hashed before being sent across the network. When Integrated Windows Authentication is enabled, the client browser proves its knowledge of the password through a cryptographic exchange, involving hashing, with the Web server (Enterprise Vault Default Web Site).
Cause
There are a number of possible causes. Below are several common scenarios in which a user is prompted for credentials when accessing a web page via the \EnterpriseVault Virtual Directory on the Enterprise Vault Server:
Solution
Scenario 1 - Incorrect authentication cached
Windows can be set to provide an option to 'Remember Password'.
This is commonly accessible through:
Start - Settings - Control Panel - Stored User Names and Passwords
Solution:
Remove the invalid entry from Stored User Names and Passwords.
Scenario 2 - Permissions lock-down to the Enterprise Vault\Webapp directory
Even though IIS (Internet Information Services) has the web page set to pass the credentials, the user still needs folder/file permissions on the directory.
On the Enterprise Vault server, the EnterpriseVault Virtual Directory in IIS connects to \Program Files\Enterprise Vault\Webapp.
Solution:
Confirm the user/group in question has read and read & execute permissions to the Webapp folder.
Note: It is common to have Everyone or Domain Users with Full Control in the folder security, although only the read and read & execute permissions named above are needed to reach the pages.
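One way to run the Scenario 2 check from PowerShell on the Enterprise Vault server. This is an added example, not part of the original article or the product. The default path and the EXAMPLE\Domain Users group name are assumptions to replace with your own values, and the script only matches ACEs that name the identity directly; it does not resolve nested group membership.

```powershell
# Added example: audit NTFS ACEs on the Enterprise Vault Webapp folder (Scenario 2).
param(
    # Assumption: default install path on the system drive; adjust for your server.
    [string]$WebappPath = (Join-Path $env:ProgramFiles 'Enterprise Vault\Webapp'),
    # Assumption: placeholder group name; use the user/group that is being prompted.
    [string[]]$Identity = @('EXAMPLE\Domain Users')
)

# Read & Execute is a superset of Read, so one mask covers both required permissions.
$rx   = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$acl  = Get-Acl -LiteralPath $WebappPath

# 1. Does each identity hold Allow ACEs covering Read & Execute, with no Deny on those bits?
foreach ($id in $Identity) {
    $allow = 0; $deny = 0
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $id) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
        else                                    { $deny  = $deny  -bor [int]$ace.FileSystemRights }
    }
    # A Deny ACE overrides an Allow ACE for the same bits.
    $granted = $allow -band (-bnot $deny)
    [pscustomobject]@{
        Identity          = $id
        HasReadAndExecute = (($granted -band $rx) -eq $rx)
        DeniedBits        = ('0x{0:X}' -f ($deny -band $rx))
    }
}

# 2. List broad principals that hold Full Control, which is more than the pages need.
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $full) -eq $full) -and
        $_.IdentityReference.Value -match '^(Everyone|.*\\Domain Users)$'
    } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

A row with HasReadAndExecute = False points to Scenario 2 as the cause of the prompt; rows from the second query show where the folder grants more than read and read & execute.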
Scenario 3 - Additional security lock-down through Internet Explorer (IE)
Internet Explorer Enhanced Security Configuration
Internet Explorer Enhanced Security Configuration places your server and Microsoft Internet Explorer in a configuration that decreases the exposure of your server to potential attacks that can occur through Web content and application scripts. As a result, some Web sites may not display or perform as expected.
For details on this functionality, please see the following article from Microsoft:
https://technet2.microsoft.com/WindowsServer/en/library/910d7a79-fd6f-447e-9bb1-bc9e57d54ec41033.mspx?mfr=true
Solution:
1. Disable Internet Explorer Enhanced Security Configuration for Administrators (and Users if necessary).
2. Open Control Panel - Add/Remove Programs - Windows Components.
3. Select Internet Explorer Enhanced Security Configuration:
4. Deselect "For Administrators Groups"
Scenario 4 - The DNS Alias is not listed under IE (Internet Explorer) Security - Local Intranet
If the Enterprise Vault Server (Computer name or DNS Alias) is not listed in IE as a Trusted Site or Local Intranet, IE will request authentication before opening the requested page.
Solution:
1. Add the HTTP path(s) of the Enterprise Vault server to the Trusted Sites list in IE on the machine where the request is being performed.
2. Open IE - Tools - Internet Options - Security - Local Intranet - Sites
3. Add the Enterprise Vault server names to the sites list.
Note: This can also be set 'globally' within the Mailbox Archiving Policy, under Advanced - List setting from: "Outlook" (or "Desktop") - Add server to Intranet Zone
Scenario 5 - Accessing Archive Explorer or Search Archives Externally through OWA 2007
If Archive Explorer or Search Archives is accessed externally through OWA 2007, being prompted for authentication is expected behavior: the user is redirected from the OWA Server directly to the Enterprise Vault server, and there is not a domain certificate since the user's computer is not currently connected to the Domain.