Cannot browse SharePoint or IIS site with IE7 or later…

Had one of the Oakton team start work at the client I’m currently based at and spent the better part of 3 hours getting IE working on his machine so it could browse the SharePoint sites.

Here is his setup:

  • Workstation Computer running IE8, Win 7 (We upgraded to IE9 as well, no change)
  • Workstation Computer is not a Member of the domain (it’s a member of the Oakton domain, just not the clients domain)
  • Internet Explorer on the Workstation Computer has “Enable Integrated Authentication” TICKED in the Browser’s advanced settings
  • Client uses an ISA proxy server for Network users
  • Site was set up to (correctly) use Kerberos Authentication (SPN’s configured and tested)

Every time we tried to load the internal site, we immediately got the browser page “Page Cannot be Displayed” – There was not even a delay while the query died – it was an immediate page load. Browsing Google, etc seemed to be a bit flaky but it eventually worked after the second refresh.

Essentially there appears to be a problem with the way non domain member devices running IE7, with Windows Integrated Authentication enabled and Windows Vista / 7 works with Kerberos Sites on Windows 2008 and later servers (it may also affect 2003 – not sure) – The temporary workaround is to disable the Authentication option in IE’s advanced settings and restart the browser:

image

This forces the browser to use NTLM Authentication and so it does not care which domain you belong to, just as long as you can authenticate to the service using valid credentials. If you find this works (unticking the Auth Credentials option) then it may be worth going to your Security Policy (start – run – GPEDIT.MSC) and changing the “Network Security: LAN Manager Authentication Level” setting to “Send LM & NTLM Responses” to the one shown:

image

This will avoid sending the NTLMv2 responses (which the Proxy Server understands) and then having authentication fail because you’re logged into a non-domain-registered device. It will also start prompting you to log into the authenticated intranet sites again.

Note: This may also affect devices like smartphones and tablet devices, as well as Workgroup-style network setups… basically any configuration running a modern SOE and leveraging ISA server with devices that are not Domain members.

http://social.msdn.microsoft.com/Forums/en-IE/iewebdevelopment/thread/9e56fa7c-e0c1-4930-9612-0ad5436ad9f3 – clues in here led me down the path of enlightenment.

Cheers

Advertisements

About Brad Saide

I'm a SharePoint consultant. I'm also slowly going bald, seem to have a permanent spare tyre around my waist and enjoy socialising with friends over a beer or 10. The last 2 may possibly be related. Started working with SharePoint when the first version was in limited beta release (participated in the Technology Adoption Program while at Woolworths) and have been committed to the adoption of the technology as a business enabler ever since.
This entry was posted in Uncategorized. Bookmark the permalink.

One Response to Cannot browse SharePoint or IIS site with IE7 or later…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s