Posted by DaveMo on February 21, 2007, 9:04 am
>
> > Thanks again Roger, I posted to the SP groups before coming here. No one is
> > replying, or suggesting, guess I'm on my own with this one.
>
> > Thanks again, personally, I think it's a bug in the x64 interaction with
> > Sharepoint or IIS.
>
> I don't know about that, at long distance lacking full specifics of the
> SP config. However, it really does not make sense that the server
> will have such radical behavior change based only on version of
> the client OS.
> You are welcome, for what it was . . .
> Roger
>
>
>
> > "Roger Abell [MVP]" wrote:
>
> >> I would suggest that you post to one of the Sharepoint newsgroups
> >> as the granting of access to all sites on the Sharepoint server at the
> >> site admin level must be due to some misconfig of the Sharepoint
> >> roles. Just how that plays out with an account getting that level of
> >> access when authentication is behind the scene with integrated
> >> authentication, but is not the access level obtained when credentials
> >> must be explicitly provided upon prompt is, frankly, rather hard to
> >> fathom, at least assuming the same account is what ends up being
> >> authenticated in both cases.
>
> >> In the meantime you might consider using the IE adm template
> >> settings via GPO to force the Internet options config on systems.
>
> >> Roger
> >> > Roger,
>
> >> > Sorry I didn't answer your other points,
>
> >> >> So, if a machine local account logs into an x64 XP it gets prompted
> >> >> when attempting access to any of those Sharepoint webs, but if ANY
> >> >> domain account logs in then it can access ANY of the Sharepoint webs
> >> >> even though some of them are restricted so they should not allow that
> >> >> domain account. Correct summary?
>
> >> >>> Yes this is correct, however without changing the settings that I
> >> >>> described in my first reply, they don't get prompted, they have full
> >> >>> access and that is not a good thing at all. All they have to do is be a
> >> >>> member of the Domain within where the Sharepoint sites reside and they
> >> >>> get access, period, to both Top level portals and sub sites they are not
> >> >>> setup in.<<
>
> >> > To prevent those who will never have a need to access these sites I have gone
> >> > one step further, I have placed the Sharepoint URLS within a Restricted Zone,
> >> > and have set the User Authentication/Logon to "Anonymous logon". This throws
> >> > them into a You are not authorized page since the SS portals deny this type
> >> > of logon.
>
> >> > "Roger Abell [MVP]" wrote:
>
> >> >> > I have a mixed environment with x86 and x64 XP systems. All have the updates
> >> >> > required and most access Sharepoint 2003 portals. Anonymous Access is not
> >> >> > allowed, Windows Authentication is required, however have found that none of
> >> >> > the x64 clients are prompted for user credentials (DOMAIN\username and
> >> >> > password) while all x86 clients are. All are required to login to the domain
> >> >> > to gain access, but after that the x64 clients do not need to re-validate to
> >> >> > gain access to the Sharepoint sites, even if they are not setup as valid
> >> >> > users to those sites.
>
> >> >> > Any and all ideas as to how to prevent this would be very very much
> >> >> > appreciated.
>
> >> >> Well, I thought I had a likely cause, until I got to your statement
> >> >> > even if they are not setup as valid users to those sites
> >> >> I was thinking to explain this by differences in the Internet options
> >> >> security settings and/or zone recognition differences between the
> >> >> machines, specifically as those impact whether Windows authentication
> >> >> is allowed in the IE settings.
>
> >> >> So, if a machine local account logs into an x64 XP it gets prompted
> >> >> when attempting access to any of those Sharepoint webs, but if ANY
> >> >> domain account logs in then it can access ANY of the Sharepoint webs
> >> >> even though some of them are restricted so they should not allow that
> >> >> domain account. Correct summary?
>
> >> >> If only specific domain accounts show this, while logged in as one,
> >> >> have you checked for cached network credentials? in the properties
> >> >> of the account in control panel?
>
> >> >> Roger
Hello Stan,
Even though you have configured the client side to create the right
behavior, I would suspect that there is still something very seriously
wrong with your SP configuration. From what you describe, it sounds
like anonymous logons are still getting on to your site even though
you think they shouldn't be. It would be worth your while to
experiment on the server side by looking at your security event log
and see what account is reported as logging on when the x64 client
(with the "bad" configuration) hits your site. If the account is an
anonymous logon then there's something wrong with the SP/IIS
configuration that you need to fix.
Once authentication starts the x64 client will do exactly the same
thing as the 32bit client. Either it's going to try and do the
authentication dance using the credentials of the current logged on
user or it will try to do an anonymous logon.
The credentials of the current user on the x64 box don't happen to
match the credentials of a local account on the SP box, do they?
HTH.
Dave
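The server-side check Dave describes, as an added example that is not part of the original thread: it reads IIS W3C extended log lines (a complementary source to the security event log he mentions) and reports which account the server recorded for each client. The log lines, IP addresses, account names and function names are constructed for illustration; IIS writes `-` in `cs-username` when no account was authenticated.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended log format (not from the thread).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2007-02-21 09:01:10 10.0.0.21 - GET /sites/hr/default.aspx 401
2007-02-21 09:01:11 10.0.0.21 CORP\\alice GET /sites/hr/default.aspx 200
2007-02-21 09:02:40 10.0.0.64 - GET /sites/hr/default.aspx 200
2007-02-21 09:03:05 10.0.0.64 - GET /sites/finance/default.aspx 200
2007-02-21 09:04:30 10.0.0.65 CORP\\bob GET /sites/finance/default.aspx 200
"""


def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def accounts_by_client(text):
    """Map client IP -> accounts IIS recorded on successful (2xx) requests."""
    seen = defaultdict(set)
    for row in parse_w3c(text):
        if row["sc-status"].startswith("2"):
            user = row["cs-username"]
            seen[row["c-ip"]].add("ANONYMOUS" if user == "-" else user)
    return {ip: sorted(users) for ip, users in seen.items()}


def anonymous_successes(text):
    """Return (client, path) pairs served with no authenticated account."""
    return [(r["c-ip"], r["cs-uri-stem"]) for r in parse_w3c(text)
            if r["cs-username"] == "-" and r["sc-status"].startswith("2")]


if __name__ == "__main__":
    for ip, users in accounts_by_client(SAMPLE_LOG).items():
        print(ip, users)
    for ip, path in anonymous_successes(SAMPLE_LOG):
        print("anonymous 2xx:", ip, path)
```

An initial 401 with `-` is the normal start of Windows authentication; a 2xx response with `-` on a restricted site is the case that points at the SP/IIS configuration.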