Web Authentication via SSO not working (4347558)

Web Authentication via SSO not working

Consider the following scenario:

- Internet Information Service (IIS) is installed on a computer that is running Windows 7 or Windows Server 2008 R2 in a domain.

- Anonymous Authentication is disabled and Windows Authentication enabled for the One Identity Manager(1IM) web portal.

- The DefaultAppPool application pool or another application pool that uses ApplicationPoolIdentity is used as the identity for the 1IM web portal.

- Connection to the 1IM web portal is with a URL that refers to the IP address of the web server.

- Internet Explorer (IE) is configured to use "Automatic logon with username and password" for the appropriate security zone for the IP address based URL.

In this scenario, users that access the web portal are seeing one of the following issues:

- Users get incorrectly prompted for credentials.

- Users get repeating HTTP 401 error messages popping up.

- Users get repeating HTTP 12015 error messages popping up.

We regard this as a Microsoft (MS) IIS related problem using Windows Authentication against a web application that is accessed using the IP address instead of the server name.  A second similar MS issue may also lead to the repeating HTTP error messages popping up even in cases where the server IP address is not used.  For further information please see Users cannot access an IIS-hosted website after the computer password for the server is changed in Windows 7 or in Windows Server 2008 R2

Clarification:

This only happens when:

1. The 1IM web portal is accessed via the server's IP address instead of its name.

2. Internet Explorer (IE) is configured to use "Automatic logon with username and password" for the appropriate security zone for the IP address based URL.

3. The computer that IE is running on is in the same domain or in the same trusted environment (Forest, Domain Trusts) as the IIS server. In that case the Windows Authentication uses Kerberos, which seems to lead to that issue.

- Access the 1IM web portal using the server name instead of the IP address.

- If accessing the 1IM Web Portal using the IP address, e.g. in a multi VM scenario, do not use integrated Windows-Authentication.