Users are prompted for username and password when attempting to open Enterprise Vault archived items

Article:TECH56220  |  Created: 2007-01-17  |  Updated: 2014-11-17  |  Article URL http://www.symantec.com/docs/TECH56220
Article Type
Technical Solution


Issue



In some instances users are prompted for a username and password when accessing information in Enterprise Vault (EV).  This issue can occur for many reasons including a result of incomplete or incorrect configuration settings.

This article provides a list of solutions designed to eliminate the issue of being prompted for a username and password when attempting to open archived items.


Error



The following error is displayed in a banner across the top when the archived item is opened:

There was an error loading this item


Solution



The table below diagrams the standard configurations required to prevent the username and password prompt; check each scenario description to locate the best suitable solution.
 

Solution Scenario Description
Solution 1 Site is not listed in the Intranet Zone
 
Solution 2 User has set to Always Prompt for Password
 
Solution 3 EnterpriseVault virtual directory has Integrated Windows Authentication unchecked
 
Solution 4 WebApp directory NT File System (NTFS) permissions removed for users to execute Active Server Pages (ASP)
Solution 5 Remote Procedure Call (RPC) over Hyper Text Transfer Protocol (HTTP) is being utilized 
Solution 6 A cached Username and Password is being used on the Desktop
 
Solution 7 DisableLoopBackCheck is not enabled on the server
 
Solution 8 A proxy server is hard-coded in the Internet Options
 
Solution 9 Internet Information Services (IIS) was installed after applying Service Pack 1 or Service Pack 2 for Windows 2003
Solution 10 Mozilla Firefox is set as the default browser
 
Solution 11 Windows Intranet Zone policy applied overrides EV desktop policy
 
Solution 12 IIS Windows Authentication Providers Order
 

 





Solution 1: 


Site is not listed in the Intranet Zone 

  1. On the users desktop, when the prompt for the username and password is shown, note the server above the text inputs, this is the server that is requesting authentication.
  2. On the EV server, navigate to the properties of the Mailbox Policy (EV 2007 and earlier) or Desktop Policy (EV 8.0 and higher).
  3. On the Advanced tab, select either Outlook or Desktop (dependent on the version of EV installed).
  4. Choose Add Server To Intranet Zone.
  5. Enter all the Short Names and Fully Qualified Domain Names (FQDN) for the EV Servers, including the Server name noted from Step 1 and press OK.   Note: this is a Semi Colon delimited list.
  6. Navigate to the Exchange Mailbox Archiving Task and synchronize all mailboxes from the Synchronization tab.
  7. After synchronization has taken place, close Outlook on the affected users Desktop and then re-open it and test again.

 




Solution 2:


User has set to Always Prompt for Password
 
  1. On the Users desktop, open Internet Explorer.
  2. Go to Tools > Internet Options > Security.
  3. Select Local Intranet and click Custom Level.
  4. Scroll down to the bottom to reach the User Authentication: Login section.
  5. Make sure that either Automatic Logon only in intranet zone or Automatic Logon with current username and password is checked.
  6. Press OK and attempt to download an item again.

    Note: If Automatic Logon only in intranet zone is set you may try changing it to Automatic Logon with current username and password. 
     




Solution 3: 


EnterpriseVault virtual directory has Integrated Windows Authentication unchecked
 
  1. On the EV server, open Internet Information Services (IIS).
  2. Navigate to Websites > Default Website > EnterpriseVault.
  3. Right-click EnterpriseVault and select Properties.
  4. Click the Directory Security tab and under Authentication and Access Control click Edit.
  5. Verify that Integrated Windows Authentication and Basic Authentication are the only options selected.
  6. Click OK and then OK again, no restart of IIS is required.
     




Solution 4:


The WebApp directory has NT File System (NTFS) permissions removed for users to execute Active Server Pages (ASP)
 
  1. On the EV server, open up Internet Information Services (IIS).
  2. Navigate to Websites > Default Website > EnterpriseVault.
  3. Right-click EnterpriseVault and select Permissions.
  4. Make sure that SYSTEM and Administrators have Full Control permissions on the server.
  5. Test downloading items from Outlook, no reset of IIS is required. 
     




Solution 5:


Remote Procedure Call (RPC) over Hyper Text Transfer Protocol (HTTP) is being utilized 
 
  1. On the users desktop, hold Ctrl+Shift and right-click the Outlook icon in the system tray.
  2. Select the Connection Status option.
  3. Verify that the Connection is set to TCP/IP, if it is set to HTTP/S then RPC over HTTP is being Utilized.
  4. This is expected behavior to be authenticated in an RPC over HTTP environment.

 





Solution 6: 


 A cached Username and Password is being used on the Desktop
 

This issue is caused by the server name being placed into an entry in the Password Management utility within the User Accounts application in the workstation control panel.  To resolve this issue, follow these steps:

  1. Open the User Accounts application by navigating to Start | Control Panel and double-clicking on the User Accounts icon.
  2. Click the Advanced tab and click Manage Passwords
  3. The entries listed in the Stored User Names and Passwords pane provide details for the logon information for the server listed. 
  4. The listing for the EV server is causing the user to be prompted for their credentials.  Select the entry with the EV server name, then click the Remove button to delete the entry.
  5. Retrieving, restoring, or manually archiving an item in the user's mailbox will not cause the credentials prompt to display again.  There is no need to restart Outlook for this correction to take place.





Solution 7:


DisableLoopBackCheck is not enabled on the server
 

Warning: Incorrect use of the Windows registry editor may prevent the operating system from functioning properly. Great care should be taken when making changes to a Windows registry. Registry modifications should only be carried-out by persons experienced in the use of the registry editor application. It is recommended that a complete backup of the registry and workstation be made prior to making any registry changes.

  1. On the EV Server, go to Start | Run type regedit and click OK.
  2. In Registry Editor, locate and then click the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentcontrolSet\Control\LSA

  3. Right-click LSA and select New > DWORD.
  4. Type DisableLoopBackCheck and then click Enter.
  5. Right-click DisableLoopBackCheck and click Modify.
  6. Give it a value of 1 and click OK.
  7. Quit Registry Editor and restart the server for the setting to take affect.
  8. After the server has been restarted, attempt to download the items again.

 





Solution 8:


A proxy server is hard-coded in the Internet Options
 
  1. On the client, open Internet Explorer.
  2. Click Tools > Internet Options > Connections > LAN settings.
  3. In the Local Area Network Settings page, if Use a proxy server for your LAN is selected, uncheck it and select Automatically detect settings.
  4. Attempt to download the items again.

 





Solution 9:


Internet Information Services (IIS) was installed after applying Service Pack 1 or Service Pack 2 for Windows 2003

  1. On the EV Server, open Windows Explorer and browse to C:\WINDOWS\System32\inetsrv.
  2. Verify that asp.dll is the Windows 2003 RTM version 6.0.3790.0.
  3. Reapply the latest Windows service pack to update files to the correct version.
  4. Restart the EV server.

 



 


Solution 10:


Mozilla Firefox is set as the default browser
 
Note: At this time Mozilla Firefox is not supported for 8.0 and earlier. It is currently Pending certification for versions 9.0 and higher. For more information refer to the Compatibility Charts.

Solution:
  1. Set Internet Explorer as the default browser.
Workaround:
  1. Download the IE Tab add-in for Firefox.
  2. Click on Tools > IE Tab Options.
  3. Click Sites Filter and add the EV server (Fully Qualified Domain Name and Short Name).

     



Solution 11:


Windows Intranet Zone policy applied overrides EV desktop policy


If there are Windows policies applied for Internet Explorer security verify which policy is applying to that specific user:

  1. Open an MMC console
  2. Add the Resultant Set of policies add-in
  3. Specify the user and computer that you want to verify
  4. Check which policy is applying for Internet Explorer settings

    Solution 1: Disable the entire policy and verify that the issue has solved.


                                              


    Solution 2:
    Set the default values without any block restriction.

     


    Solution 3: Add the correct Site to Zone Assignment List for the EV server.

    Enter all the Short Names and Fully Qualified Domain Names (FQDN) for the EV Servers, including the Server name noted from the prompted Window.

                                            

    Also check the logon option set to "Automatically logon with current user name and password" as picture below.

                                             

 





Solution 12:


IIS Windows Authentication Providers Order 

In some cases, it was found that having Negotiate in the top of the order was causing the issue. This is the default setting in IIS 7.

Changing the order so that NTLM is at the top of the order resolved the issue. 

  1. Open IIS Manager | Sites | Default Web Site | Highlight EnterpriseVault
  2. In the right pane, double-click Authentication
  3. Highlight Windows Authentication in the right pane and click on Providers on the right most pane
  4. Change the order as appropriate
     

Internet Information Services (IIS) was installed after applying Service Pack 1 or Service Pack 2 for Windows 2003

 




Legacy ID



295039


Article URL http://www.symantec.com/docs/TECH56220


Terms of use for this information are found in Legal Notices