共用方式為

Why am I getting prompted for Credentials?

  • 發行項

I just wrapped up a case for an issue I see every once and a while.  The scenario is the following:

  1. Browse to site

    SNAGHTML268bf26

  2. Get Prompted for credentials and enter username and password

    SNAGHTML2684ad1

  3. Web site will come up normally

I’ve seen where some people go into Kerberos troubleshooting mode, but that in itself is not a Kerberos issue.  The pattern for a normal Kerberos issue would be the following:

  1. Browse to Site
  2. Get Prompted for credentials and enter username and password
  3. Repeat step 2 two more times
  4. Get a 401.1 error from the web server

So, for this particular issue, the answer lies in the URL.  More specifically in the Host of the URL.

 

SNAGHTML26982b2

If Internet Explorer detects periods within the Host Name, it will automatically force you into the Internet Zone.

SNAGHTML26b527f

If we were to just browse to the Netbios name as opposed to the Fully Qualified Domain Name (FQDN), we would see a different zone.  Usually Local Intranet.  The problem with the Internet Zone is that it will not automatically log you into the web site:

SNAGHTML26d7df2

The fact that a Netbios will put you into the Intranet Zone allows for the automatic login to work.  I thought we actually had this documented in the Reporting Services Books Online documentation, but looking for it, I was not able to find it.

Litmus Test

So, if you are getting prompted for Credentials, as yourself if you getting to the web site or not.  If you do get through to the web site, chances are you may be hitting this issue, although that could happen for different reasons.  The main thing is that it is probably not a Kerberos issue, which is how this issue was presented to me.

Now What?

So, we have identified that you have periods in your host name for the URL.  How do we get rid of the prompts?  You have a couple of options. Each with their pro’s and con’s.

  1. Add the URL to the Intranet Zone to prevent it from being forced to the Internet Zone
  • The downside of this, is that you would either have to do this per machine, or push it out from a Policy perspective to your environment.
  • Use the Netbios name instead of the FQDN
  • This may not be doable for different reasons.  Those may need to be discussed with your Network/Domain Team for your Company.  In this customer’s case, ping wouldn’t even resolve the Netbios name.  That would definitely need to be fixed if we had any hope of the URL working in Internet Explorer.  I don’t know if their network allowed for WINS emulation through Active Directory.
  • You could always use your HOST or LMHOST file to locally allow a Netbios name to resolve.  However, this would be machine specific and not really doable from a scale perspective.
  • In some cases, you may be using your IP address as the Host name.  You would either need to do option 1, create a name instead of the IP in your HOST file, or work with your DNS team to get a host entry added there is nothing is available currently.
  • I was asked if Allowing Anonymous Users would be an option.  Unfortunately, starting with 2008 and later, Anonymous isn’t supported with Reporting Services.

There are probably other options as well, but these are probably the most obvious from my perspective.  Hopefully this will help some people who hit this issue.

 

Adam W. Saxton | Microsoft SQL Server Escalation Services
https://twitter.com/awsaxton