Microsoft KB Archive/310757

= Valid users cannot connect to the Web =

Article ID: 310757

Article Last Modified on 3/16/2007


APPLIES TO


 * Microsoft FrontPage 2000 Standard Edition




This article was previously published under Q310757



SYMPTOMS
When you attempt to connect to a FrontPage Web with a valid user account that has been given author or administrator rights, you may be prompted for user credentials three times. You receive an error message similar to the following:

You are not authorized to perform the current operation.

With the same user account, you can connect to the resources through the Network Neighborhood or through Universal Naming Convention (UNC) paths. You can also access those shares across the network that you have been given permission to access.



CAUSE
This behavior occurs when the valid user account is from a trusted domain. When a user authenticates to an intranet Web server in a different domain with Windows Challenge/Response (NTLM) enabled, the browser attempts to authenticate the user by using the security token that was created during logon in the user's home domain. Although NTLM is a much more secure means of authenticating users, this behavior causes problems when authenticating to a resource in another domain. This issue is commonly referred to as "double-hop" authentication.

The problem with double-hop authentication is that NTLM does not allow a user's rights to be delegated beyond the server they initially log on to. When you log on to your domain, and then attempt to log on to the FrontPage Web on the other domain, the server is unable to pass the credentials to the Web server.



RESOLUTION
To resolve the issue, use either of the following methods.

Method 1: Basic Authentication

 * 1) Enable Basic Authentication on the Web server.
 * 2) Give the user or user group the "log on locally" rights to the Web server, as required for Basic Authentication.

Note: Basic Authentication sends user names and passwords over the network in Base64 encoding, which is reversible without any key and is therefore equivalent to clear text. Microsoft recommends that any site that uses Basic Authentication secure the authentication requests by using SSL.

Method 2: Digest Authentication
For additional security over Basic Authentication without using SSL, set up Digest Authentication.

For additional information about Digest Authentication, click the article numbers below to view the articles in the Microsoft Knowledge Base:

291373 FP: Repeated Prompts for User Name and Password

222028 Setting Up Digest Authentication for Use with IIS 5.0
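
The following Python sketch is an added example, not code from the original article or from Microsoft. It illustrates the Note under Method 1 and the claim under Method 2: a Basic `Authorization` header decodes straight back to the password, while Digest (RFC 2617, qop=auth) sends only an MD5 response computed from it. The function names and the sample account are assumptions made for the illustration.

```python
import base64
import hashlib


def basic_authorization(user: str, password: str) -> str:
    """Build the Authorization header value a client sends for Basic."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def recover_basic_credentials(header_value: str) -> tuple[str, str]:
    """Decode a Basic header back to (user, password). No key is involved."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed Basic credentials")
    return user, password


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth") -> str:
    """RFC 2617 Digest response: only this hash is sent, never the password."""
    ha1 = _md5_hex(f"{user}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


if __name__ == "__main__":
    # Constructed sample account and password, not taken from the article.
    header = basic_authorization("TRUSTED\\author1", "Example-Pw-1")
    print("Basic header on the wire:", header)
    print("Recovered by decoding:   ", recover_basic_credentials(header))
    # Challenge values below are the worked example from RFC 2617.
    print("Digest response on wire: ", digest_response(
        "Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
        "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
        "00000001", "0a4f113b"))
```

Digest protects only the password exchange; the requested pages still travel unencrypted, so SSL remains necessary where the content itself is sensitive.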



MORE INFORMATION
For more information about authentication, click the following article numbers to view the articles in the Microsoft Knowledge Base:

264921 How IIS Authenticates Browser Clients

230169 Unable to Open or Create Web Folder for Restricted FrontPage Web

For more information about how to generate a certificate request file by using the Certificate Wizard in IIS, click the following article number to view the article in the Microsoft Knowledge Base:

228821 Generating a certificate request file using the Certificate Wizard in IIS 5.0

For more information about how to install a new certificate with Certificate Wizard for use in SSL/TLS, click the following article number to view the article in the Microsoft Knowledge Base:

228836 Installing a new certificate with Certificate Wizard for use in SSL/TLS

For more information about how to set up SSL by using IIS 5.0 and Certificate Server 2.0, click the following article number to view the article in the Microsoft Knowledge Base:

299525 How to set up SSL by using IIS 5.0 and Certificate Server 2.0

Additional query words: front page

Keywords: kbprb KB310757


© Microsoft Corporation. All rights reserved.