
Vault Cache asking for username/password

Created: 11 Nov 2010 | 9 comments
ZeRoC00L's picture

We are trying to use the EV Client 9.0.1 on Outlook 2010 and EV Client 8.0.4 on Outlook 2007 and both come with the same error. Vault Cache asks for a username/password for each synchronisation.

I disabled the proxy on the client, so I am sure it is not asking for proxy authentication. But the error remains.

When I browse to EValias.domain.com/enterprisevault it just connects without asking for username/password.

 

It should be possible to update the vault cache on the INTERNAL network without asking for extra credentials when the PC is in the domain?


Nick White's picture

You could check the IIS logs on the EV server when the prompt appears to confirm if it is definitely a prompt for authentication against IIS on that server. If there's nothing in the log then it's going to be something else that is getting in the way. If however an entry is appearing in the log then the entry may give some clues as to the reason for the request (the 40x.x code).
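
An added example, not part of the original thread, of the log check suggested above: it reads IIS W3C extended log lines and lists only the 401 responses that never led to a successful request for the same client and URL, since 401s that are followed by a 200 are part of the normal Integrated Windows Authentication negotiation. It assumes the log includes the `sc-substatus` field; the sample lines, paths and user names are constructed.

```python
from collections import Counter

# Documented meanings of the IIS 401 sub-status codes.
SUBSTATUS = {
    "1": "logon failed",
    "2": "logon failed due to server configuration",
    "3": "denied by ACL on the resource",
    "4": "denied by filter",
    "5": "denied by ISAPI/CGI application",
}

# Constructed sample in IIS W3C extended format (hosts, paths, users are made up).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2010-11-11 09:00:01 GET /EnterpriseVault/page1.asp - 10.0.0.5 401 2 5
2010-11-11 09:00:01 GET /EnterpriseVault/page1.asp - 10.0.0.5 401 1 2148074254
2010-11-11 09:00:02 GET /EnterpriseVault/page1.asp EXAMPLE\\user1 10.0.0.5 200 0 0
2010-11-11 09:00:05 GET /EnterpriseVault/page2.asp EXAMPLE\\user1 10.0.0.5 401 3 5
2010-11-11 09:00:06 GET /EnterpriseVault/page2.asp EXAMPLE\\user1 10.0.0.5 401 3 5
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def unresolved_401s(text):
    """Return (client, uri, code, count, meaning) for 401s with no 2xx for that client/URI."""
    denied, succeeded = Counter(), set()
    for r in parse_w3c(text):
        key = (r["c-ip"], r["cs-uri-stem"].lower())
        if r["sc-status"] == "401":
            denied[key + (r["sc-substatus"],)] += 1
        elif r["sc-status"].startswith("2"):
            succeeded.add(key)
    return sorted((ip, uri, f"401.{sub}", n, SUBSTATUS.get(sub, "unknown"))
                  for (ip, uri, sub), n in denied.items() if (ip, uri) not in succeeded)


if __name__ == "__main__":
    for row in unresolved_401s(SAMPLE_LOG):
        print(*row)
```

In the constructed sample, the 401.2 and 401.1 entries for the first page are filtered out because the same client then receives a 200, while the repeated 401.3 on the second page is reported.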

ZeRoC00L's picture

Attached you can see my IIS log of a few minutes ago.

You can see that the user (ad-domain\test2) is in the log, even when I did not enter a username/password in the box.

 

The second attachment is a screenshot of the popup; you do not see a servername or FQDN in the box.

 

Attachments: ev.jpg, ev.txt (4.66 KB)

If this response answers your concern, please mark it as a "solution"

JesusWept3's picture

Just to add on to what Nick said, first thing you should do is when the prompt comes up it will say something like "Connect to <servername>" like in this image

http://www.passcape.com/images/ie01.png

Make a note of that servername
So couple of questions

1. Is it populated with a username and password?
2. If you type in the password, does it work or does it continue to prompt?

If it's populated with a username and password, then best thing to do is to go to Start -> Control Panel -> User Accounts -> Advanced (Tab) then press Manage Passwords

In there you may see the servername listed with the incorrect credentials, usually it's best to remove it.

If it's not populated but you type in the password once and the error goes away, then most likely the servername that it's attempting to connect to isn't in your trusted sites list or your intranet sites list. A lot of times people will put the alias of the machine or a NetBIOS name, but the password is asked for from a different name.

Check that the name of the server prompting is actually in that list, a lot of people overlook this and assume it is, or see that it's similar, but it may be an FQDN instead of a NetBIOS name that's being prompted

 

For instance you may list "EVSERVER1" in your intranet site list, but in fact it's "EVSERVER1.MYDOMAIN.COM" that's prompting for the username and password, people see EVSERVER1 in the connecting to box and think well I have that listed so it's ok, so it's always good to double check

Another thing it could be is the physical permissions on the page it's requesting, so you could give Integrated Windows Authentication to the site and all the files, but if the NTFS permissions only give say "Administrators" and Domain Admins permission to that file, it will cause it to prompt for a username and password.

However in this scenario, manually adding the username and password never works, it keeps prompting and then eventually will just give you an access denied in the background. Also be aware not only do Authenticated Users (or Domain Users) need Read and Execute permissions on the \webapp folder, they need it across the entire \Enterprise Vault folder as well.

The web app hooks in to several executables and DLLs that are launched through ASP impersonation, and if you don't have access to those folders then the process won't work

Last but not least, it could be that you're using Outlook Anywhere and it's configured to go through RPC over HTTP and it's hitting a different URL than when you're normally on the network.

So just to sum up

1. Check the IWA permissions on the files it's trying to get to in IIS
2. Check the NTFS permissions on the files it's trying to connect to
3. Ensure that the username and password field is blank when it is prompted
4. Ensure that typing the username and password actually works and isn't rejected
5. Make sure that the site prompting for the UN/PW is listed in the intranet zone (check your policy AND the user's Internet Explorer to make sure that GPO is allowing it to be added)
6. Make sure you're using a direct connection and not Outlook Anywhere or RPC over HTTP (can be verified through a client trace)
 

ZeRoC00L's picture

Just to add on to what Nick said, first thing you should do is when the prompt comes up it will say something like "Connect to <servername>" like in this image

http://www.passcape.com/images/ie01.png

Make a note of that servername
So couple of questions

1. Is it populated with a username and password?
2. If you type in the password, does it work or does it continue to prompt?
 

-----------------

I'll start with these questions. I do not see a servername in the prompt. (will add a screenshot later).

1. No, there is no username and/or password populated

2. Yes, if I type in the password it does work, until I close Outlook and start Outlook again, it asks again for username/password.

-----------

Check that the name of the server prompting is actually in that list, a lot of people overlook this and assume it is, or see that it's similar, but it may be an FQDN instead of a NetBIOS name that's being prompted

------

I have 4 different names in the list, the alias, alias fqdn, servername and servername fqdn. 

Attached you can see the popup box, there is no domain in the box ?!?!?

ev.jpg


ZeRoC00L's picture

Still not resolved, so hopefully someone can help:

I will answer the questions of JesusWept2

1. Check the IWA permissions on the files it's trying to get to in IIS
2. Check the NTFS permissions on the files it's trying to connect to
3. Ensure that the username and password field is blank when it is prompted
4. Ensure that typing the username and password actually works and isn't rejected
5. Make sure that the site prompting for the UN/PW is listed in the intranet zone (check your policy AND the user's Internet Explorer to make sure that GPO is allowing it to be added)
6. Make sure you're using a direct connection and not Outlook Anywhere or RPC over HTTP (can be verified through a client trace)
 

1. The permissions seem to be correct.

2. NTFS permissions seem to be correct, on the complete Enterprise Vault folder the localserver\users (which includes authenticated users) group has permissions.

3. Yes, fields are blank

4. It works after entering the username/password. But the next time Outlook is launched the credentials are asked again.

5. Site is in the intranet zone, double-checked it.

6. Yes, I am using a direct connection, Outlook Anywhere / RPC is disabled.


fleagle's picture

As JW2 mentions, your Local Intranet sites and Bypass Proxy list should include the FQDN and non-FQDN of the server, server alias and site alias. For example:

vaultserver1
vaultserver1.domain.local
evserver
evserver.domain.local
evsite
evsite.domain.local

You say that manually browsing to EValias.domain.com/enterprisevault works without prompting. What happens if you open Search or Archive Explorer using the Outlook buttons or menu options (assuming they're made available to clients)?

You can enable Virtual Vault client logging using a check-box on the client's Enterprise Vault Diagnostic options (hold down left-shift and left-CTRL on the Outlook client and left-click one of the vault buttons). See below

Uncheck afterwards and set logging level back to Information.

Finally, is IE the default Internet Browser on the clients?

ZeRoC00L's picture

Hi Fleagle,

I already double-checked that the servername, servername.fqdn, sitealias, sitealias.fqdn are in my local intranet zone.

Searching EV in Outlook (with the search button) works fine, without prompt.

Attached the log you requested.

Attachment: evlog.txt (799.44 KB)


BravoZulu's picture

Not sure if this is your issue but may be worth checking the WORKAROUND section in this Microsoft KB article;

http://support.microsoft.com/default.aspx?scid=kb;EN-US;871179

Thanks,

BZ

"Life is chaotic. Success means coping with it. Complaining too much about it is the path to failure." Ross Anderson

speedye1's picture

Had a similar issue, upgraded last weekend from EV8.0.3 to EV9.0 and after this all new users trying to sync for the first time with Outlook 2007 got the request for credentials. I added both my server name and alias for the server to the intranet sites and it is working now. I added both FQDN and short name for both. Previously I did not have to have these using the 8.0.3 client hitting the 8.0.3 server, but now the 8.0.3 client needs it to work with the 9.0 server. As well archive explorer now asks for credentials which 8.0.3 did not require. After adding the sites to intranet, no credentials are asked for.