Hello,
I'm dealing with an issue with a new build at one of my sites where I don't control the AD structure. I'm having an issue automatically logging in with a CNAME and honestly I'm having a hard time figuring out why so I'd appreciate any assistance the community can provide. I'm running 10.7 and the site has requested to be CAC enabled which from my understanding will prevent the Export to PDF option because Anonymous authentication must be disabled. Is anyone using CAC Authentication with Anonymous (required for local user login), Forms (required for local user login - if not enabled user won't get the login page) and Windows authentication active? Just curious if that's possible and whether Export to PDF is still working for you. Part of the issue I'm having troubleshooting this is I have to access a virtual workstation remotely and can't pass my CAC credentials to it because I have to route through another server first so right now I'm just using an Administrator account rather than an actual user account but the information I have listed below came from a user trying to access the site. He accessed the site via 4 different methods using HTTPS and I've listed his outcomes below. All four methods are in the SSL cert. I decided to try uninstalling the website and when I tried installing it I'm getting a Configuration wizard popup suggesting that Microsoft IIS or some of its required components are not currently installed and I should click Yes to install them. When I do it fails with Installation of Microsoft Internet Information Service has failed. Please install it manually and then run Configuration Wizard again. I'm thinking this may be security tools related so I'll address that Monday with my security folks unless anyone has something to try in the meantime. I've tried to list my settings below but if you need to know anything else, please let me know. The user is logging into the same domain as the Orion server.
IE Settings (have to verify Version)
Intranet Zone - Automatic Logon only in Intranet Zone
Trusted Site Zone - Automatic Logon with current username and password
Proxy server in use - Presume that Automatically detect intranet network, Include all local (intranet) sites not listed in other zones and include all sites that bypass the proxy server are checked.
Policy Settings
Access this computer from the Network - Administrators, Authenticated users
Impersonate a client after authentication - Administrators, IIS_IUSRS, LOCAL SERVICE, NETWORK SERVICE, SERVICE
Allow Logon Locally - Administrators, Authenticated Users (Logon Fallback Enabled)
Interactive Logon: Require smart card - Not defined
Network access: Do not allow storage of passwords and credentials for Network authentication - Enabled (have to verify if scheduled reports are working)
Local Group Settings
User group - NT AUTHORITY\Authenticated Users, NT AUTHORITY\INTERACTIVE, Domain Users, NT AUTHORITY\IUSR (wasn't there which may be the reason I couldn't cancel authentication and get the login page - need to verify)
Automatic Login is enabled on both the configuration wizard and webconsole
1. https://hostname - works because hostname is automatically placed in Intranet Zone
2. https://Orion IP - works in Intranet Zone and IP is listed in Proxy exception
3. https://Server CNAME - maps to IP and user gets prompted for credentials and the page errors out (not sure of the error right now). CNAME is listed in proxy server exception list
4. https://orion - maps to CNAME and can be pinged and user gets prompted for credentials but can't access the site (not listed in proxy server exception list)
At my other sites I generally use the Intranet Zone so my question is has anyone had a problem automatically logging on with their site in the Trusted Sites zone? Are there any settings in the zones that need to be disabled to prevent access issues with the Orion website? Thanks so much for taking the time to review and respond.
Robert
