Using Integrated Windows Authentication on a WIN/2000 Server running IIS that is acting as an Intranet server. Trying to find a way to eliminate the login prompt that IE generates following an authenticated user’s attempt to access a web page in a subdirectory that has been protected by limiting rights (ACL) to selective user groups. IIS generates 401.3 and IE reacts by displaying a login prompt.
Details
Our Intranet site has pages that are both public and some that are restricted by user group. It is my understanding that when an attempt to access a page from within a directory that specifies IWA, IIS does not initially prompt the user for a user name and password.
The current Windows user information on the client computer is used for authentication. The user’s browser proves its knowledge of the password through a cryptographic exchange with the Web server.
However, if this authentication exchange fails to identify the user (such as when a user is not logged into the network), the browser will prompt the user for a Windows user name & password. In our case the user is logged onto the network and the authentication is successful, but the identified user just doesn’t have access rights (via ACL) to the file.
When our users attempt to access such a restricted page IIS generates a 401.3 & as a result IE issues a login prompt. It is IE making the decision to issue the prompt, giving the user an opportunity to enter alternate credentials that might have access rights. However, we want to just deny access to that page because our users have no other id.
We see no need for this prompt, it’s an invitation to try and hack the system. Displaying either the 401.3 or 401.1 error page (which is what gets displayed after canceling out of the login prompt) would be fine.
Do you know how to influence IE’s behavior so that is does not issue the logon prompt?
Rudie