Users are prompted for username and password when attempting to open archived items
| Article:TECH137201 | | | Created: 2010-08-04 | | | Updated: 2012-04-10 | | | Article URL http://www.symantec.com/docs/TECH137201 |
Problem
Users are prompted for username and password when attempting to open archived items
Error
In some cases the error will appear as: "There was an error loading this item" In other scenarios the end user will see a login prompt similar to the one below:
Cause
Several scenarios exist that could cause this error:
Note: Prior to implementing the steps mentioned below, please check if the issue is only on Windows 7 clients, if yes upgrade Windows 7 Client to SP1(Refer Compatibility Chart link below)
Scenario 1: Site is not listed in the Intranet Zone
1. On the users desktop, when the prompt for the username and password is shown, note down the server above the text inputs, this is the server that is requesting authentication.
2. On the Enterprise Vault (EV) server, navigate to the properties of the Mailbox Policy (EV 2007 and earlier) or Desktop Policy (EV 8.0)
3. On the Advanced tab, select either "Outlook" or "Desktop" (dependent on the version of Enterprise Vault installed)
4. Choose "Add Server To Intranet Zone"
5. Enter all the Short Names and Fully Qualified Domain Names (FQDN) for the EV Servers, including the Server name noted from Step 1 and press "ok" Note: this is a Semi Colon delimited list
6. Navigate to the Exchange Mailbox Archiving Task and synchronize all mailboxes
7. After synchronization has taken place, close Outlook on the affected users Desktop and then re-open it and test again
Scenario 2: User has set to Always Prompt for Password
1. On the Users desktop, open Internet Explorer
2. Go to Tools -> Internet Options -> Security
3. Select "Local Intranet" and press the "Custom Level" button
4. Scroll down to the bottom to reach the "User Authentication: Login" section
5. Make sure that either "Automatic Logon only in intranet zone" or "Automatic Logon with current username and password" is checked
6. Press "OK" and attempt to download an item again
Scenario 3: EnterpriseVault virtual directory has Integrated Windows Authentication unchecked
1. On the Enterprise Vault server, open up Internet Information Services (IIS)
2. Navigate to Websites -> Default Website -> EnterpriseVault
3. Right click EnterpriseVault and select Properties
4. Click the "Directory Security" tab and under "Authentication and Access Control" click the Edit button
5. Verify that "Integrated Windows Authentication" and "Basic Authentication" are the only options selected
6. Press OK and then OK again, no restart of IIS is required.
Scenario 4: The WebApp directory has NTFS permissions removed for users to execute Active Server Pages (ASP)
1. On the EV server, open up IIS
2. Navigate to Websites -> Default Website -> EnterpriseVault
3. Right click EnterpriseVault and select Permissions
4. Make sure that "SYSTEM" and "Administrators" have "Full Control" permissions on the server
5. Test downloading items from Outlook, no reset of IIS is required
Scenario 5: Remote Procedure Call (RPC) over Hyper Text Transfer Protocol (HTTP) is being utilized
2. Navigate to Websites -> Default Website -> EnterpriseVault
3. Right click EnterpriseVault and select Permissions
4. Make sure that "SYSTEM" and "Administrators" have "Full Control" permissions on the server
5. Test downloading items from Outlook, no reset of IIS is required
Scenario 5: Remote Procedure Call (RPC) over Hyper Text Transfer Protocol (HTTP) is being utilized
1. On the users desktop, hold "Ctrl-Shift" and "right click" the Outlook icon in the bottom right hand corner next to the System Clock
2. Select the Connection Status option
3. Verify that the Connection is set to "TCP/IP", if it is set to "HTTP/S" then RPC over HTTP is being Utilized
4. This is expected behavior to be authenticated in an RPC over HTTP environment.
Scenario 6: A cached Username and Password is being used on the Desktop
1. On the users desktop, navigate to the Control Panel -> User Accounts
2. Select the Advanced Tab -> click the "Manage Passwords" button
3. From the list of sites in the following dialog, verify that the EV server is not listed, if it is listed, remove the user.
4. Close and re-open Outlook and attempt to download the item again
Scenario 7: DisableLoopBackCheck is not enabled on the server
Warning: Incorrect use of the Windows registry editor may prevent the operating system from functioning properly. Great care should be taken when making changes to a Windows registry. Registry modifications should only be carried-out by persons experienced in the use of the registry editor application. It is recommended that a complete backup of the registry and workstation be made prior to making any registry changes.
1. On the EV server, open a registry editor
2. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentcontrolSet\Control\LSA
3. Right-click LSA, select New -> DWORD
4. Type DisableLoopBackCheck and then press Enter
5. Right-click DisableLoopBackCheck and then click Modify
6. Give it a value of 1 and press "OK"
7. Quit Registry Editor, and then restart the server
8. After the server has been restarted, attempt to download the items again
Scenario 8: A proxy server is hard-coded in the Internet Options.
1. On the client, open Internet Explorer.
2. Click Tools > Internet Options > Connections > LAN settings.
3. In the Local Area Network Settings page, if "Use a proxy server for your LAN" is selected, uncheck it and select "Automatically detect settings" instead.
4. Attempt to download the items again.
Scenario 9: IIS was installed after applying Service Pack 1 or Service Pack 2 for Windows 2003
1. On the EV server, open Windows Explorer and browse to C:\WINDOWS\System32\inetsrv
2. Verify that asp.dll is the Windows 2003 RTM version 6.0.3790.0
3. Reapply the latest Windows service pack to update files to the correct version.
4. Restart the EV server.
Scenario 10: Mozilla Firefox is set as the default browser.
Note: At this time Mozilla Firefox is not supported for versions prior to 8.0 and is currently Pending certification for versions 8.0 and higher. For more information refer to the Compatibility Charts.
Solution:
1. Set Internet Explorer as the default browser.
Workaround:
1. Download the IE Tab add-in for Firefox.
2. Click on Tools, IE Tab Options, click Sites Filter and add the EV server (Fully Qualified Domain Name and Short Name).
Scenario 11: Windows Intranet Zone policy applied overrides EV desktop policy.
If there are Windows policies applied for Internet Explorer security verify which policy is applying to that specific user:
a. Open an MMC console
b. Add the Resultant Set of policies add-in
c. Specify the user and computer that you want to verify
d. Check which policy is applying for Internet Explorer settings
Solution 1: Disable the entire policy and verify that the issue has solved.
Solution 2: Set the default values without any block restriction.
Solution 3: Add the correct Site to Zone Assignment List for the EV server.
4. Restart the EV server.
Scenario 10: Mozilla Firefox is set as the default browser.
Note: At this time Mozilla Firefox is not supported for versions prior to 8.0 and is currently Pending certification for versions 8.0 and higher. For more information refer to the Compatibility Charts.
Solution:
1. Set Internet Explorer as the default browser.
Workaround:
1. Download the IE Tab add-in for Firefox.
2. Click on Tools, IE Tab Options, click Sites Filter and add the EV server (Fully Qualified Domain Name and Short Name).
Scenario 11: Windows Intranet Zone policy applied overrides EV desktop policy.
If there are Windows policies applied for Internet Explorer security verify which policy is applying to that specific user:
a. Open an MMC console
b. Add the Resultant Set of policies add-in
c. Specify the user and computer that you want to verify
d. Check which policy is applying for Internet Explorer settings
Solution 1: Disable the entire policy and verify that the issue has solved.
Solution 2: Set the default values without any block restriction.
Solution 3: Add the correct Site to Zone Assignment List for the EV server.
Enter all the Short Names and Fully Qualified Domain Names (FQDN) for the EV Servers, including the Server name noted from the prompted Window.
Solution
The steps below help identify the true owner of the item to allow the administrator to modify permissions or access to the item as needed.
1. Open Microsoft Outlook and select the archived item.
2. Press CTRL + SHIFT and left-click any one of the EV toolbar buttons to open the EV Diagnostic window.
3. Click the Vault Information button.
4. In the section titled Selected Item Properties, scroll down to the Saveset ID. A character string should be displayed similar to:
140400000000000~200812042231320000~0~EE3C5E02AA0946E49F3362BDE9986C5
5. Identify the Transaction ID of the Saveset. This is the last component of the Saveset Identity.
Ex. 140400000000000~200812042231320000~0~EE3C5E02AA0946E49F3362BDE9986C5
In this example, the IdTransaction is "EE3C5E02AA0946E49F3362BDE9986C5"
6. Convert the Transaction ID into the IdTransaction value.
This is performed by placing "-" after the first 8 characters, then after the next 4 (three times). With a trailing ' 0 ' (zero) to make a 32-bit value.
Ex. Transaction ID : "EE3C5E02AA0946E49F3362BDE9986C5"
IdTransaction : "EE3C5E02-AA09-46E4-9F33-62BDE9986C50"
Run the following SQL query to locate the archive name and archiveID from the IDTransaction. Replace VaultStoreDatabase and the @IDTransaction values to the relevant system values:
declare @IDTransaction varchar(36)
Set @IDTransaction = 'EE3C5E02-AA09-46E4-9F33-62BDE9986C50'
Select Arch1.archivename, IDTransaction, ArchivepointID
from enterprisevaultdirectory.dbo.archive Arch1
join enterprisevaultdirectory.dbo.root r1 on Arch1.rootidentity = r1.rootidentity
join archivepoint on r1.vaultentryid = archivepoint.archivepointid
join saveset on archivepoint.archivepointidentity = saveset.archivepointidentity
where idtransaction = @IDtransaction
This will give the details if the saveset that is being opened, belongs to the correct user or not.
|
|
Related Articles
Article URL http://www.symantec.com/docs/TECH137201
Terms of use for this information are found in Legal Notices
Thank you.