Access server using PP and domain account

[SizzleMaster]

Can this be done? Or do you need to use a project server account? If the
latter, how do you reconcile these accounts so that one set of data is
associated with both. I can't merge them in PS. I seem to need the domain
accounts in order to log into PWA and the SharePoint sites. If I turn off
Windows Auth and just use basic with SSL, I can't log into PWA.

This is driving me nuts. Any help would be GREATLY appreicated.

 

[Earl Lewis]

I connect to a project server in a domain that my workstation is not a part of using all of the settings I mentioned in my reply to your earlier post. Please check that and see if it helps.

Also, posting the same problem 4 or 5 times in the same day doesn't get any more attention than 1 well-written post. In fact some NG readers tend to ignore posts like that. I know this is frustrating and you want an answer but sometimes it just takes time. Remember, this is voluntary for everyone here.

Earl
Can this be done? Or do you need to use a project server account? If the
latter, how do you reconcile these accounts so that one set of data is
associated with both. I can't merge them in PS. I seem to need the domain
accounts in order to log into PWA and the SharePoint sites. If I turn off
Windows Auth and just use basic with SSL, I can't log into PWA.

This is driving me nuts. Any help would be GREATLY appreicated.

 

[SizzleMaster]

Well you learn something new everyday. Thanks for replying. I didn't know
you could associate a domain\username account from outisde the domain in XP
using control panel. Unfortunately, this disn't solve the problem. I
associated my domain\user account on XP for the https://FQDN/, made sure
that it's a trusted site with automatically log in using windows account
set. When I go to PWA, I no problem logging in on XP with this account.
I'm not even prompted for UNW now. But, still get that authenticate error
trying from PP. I can login using PP when I'm in logged into the domain.
The other post was somewhat different highlighting the fact this is all
going through ISA. And it doesn't work using the netbios name either. Some
of the other postings duplicated in the last couple of days were accidents.
I kept trying to post one as new and it kept posting back to the old thread
and then all of a sudden several duplicates showed up as new threads. Yes I
know thse forums are voluntary and certain ettiquette should be followed.
Sorry for that and thanks again. I'm still trying.

 

[SizzleMaster]

p.s.

How do you associate another UNW from Win2003 Server for users logged in
locally? I have some of my people using Win2003 server, some are members of
the domain that PS is in, some are standalones and not members of the domain
PS is in. I can let them RD in or setup a VPN if that's necessary but it
seems ridiculous and it looks like you've figured out how to get this to
work from XP not logged into the domain. Did you use a project server
account as opposed to a domain account to do this?

thanks again.

 

[Earl Lewis]

Larry,

The error message your getting is clearly indicating that IIS is having trouble processing your credentials through. If it were SQL server causing the problem you'd probably be getting a different error - which I have intimate experience with (network blocks on port 1433/1434 traffic- this is probably NOT your problem given your error message).

Did you check/add the DNS suffix search settings for name resolution? Regardless of the fact that you're specifying a FQDN in the URL in the project professional connection setting - M$Project somewhere along the way still tries to do WINS resolution. Call it Micro$oft hubris - M$ expecting you to be on a M$ network. I have no M$ network available to me in my building yet I'm successfully connecting to a project server on another network in another building on our campus.

I've also added an entry in the hosts file of my workstation but this is essentially redundant if you do the prior step. If you're interested the file is in C:\WINDOWS\system32\drivers\etc and the entries look like this:

# target IP shortname FQDN
999.000.999.999 server1 server1.my.domain.com

Have you had anyone watch the incoming traffic to your project server while you try making a connection? Your network guys can do this with a sniffer. Tell them the problem you're having and the machine you're trying to connect to and then ask them to set aside 5-10 minutes to watch for you. You may need to have a hole punched in the firewall for your IP address to get through. Even if you're using DHCP your IP address can be made to "stick" to your machines MAC address - in effect giving you a static address.

Also, since you're using SSL have you got your certificates all legitimate? Are you or have you ever been prompted to review/accept the site certificate?

Earl
Well you learn something new everyday. Thanks for replying. I didn't know
you could associate a domain\username account from outisde the domain in XP
using control panel. Unfortunately, this disn't solve the problem. I
associated my domain\user account on XP for the https://FQDN/, made sure
that it's a trusted site with automatically log in using windows account
set. When I go to PWA, I no problem logging in on XP with this account.
I'm not even prompted for UNW now. But, still get that authenticate error
trying from PP. I can login using PP when I'm in logged into the domain.
The other post was somewhat different highlighting the fact this is all
going through ISA. And it doesn't work using the netbios name either. Some
of the other postings duplicated in the last couple of days were accidents.
I kept trying to post one as new and it kept posting back to the old thread
and then all of a sudden several duplicates showed up as new threads. Yes I
know thse forums are voluntary and certain ettiquette should be followed.
Sorry for that and thanks again. I'm still trying.

 

[Earl Lewis]

Not sure if you can do that same thing with Win2003 server. I'd be very surprised if you COULD.

And yes, I'm using a domain account with windows authentication for my configuration. Make sure to use the fully qualified username, i.e. server1\username and then enter the password for the domain account.

Earl
p.s.

How do you associate another UNW from Win2003 Server for users logged in
locally? I have some of my people using Win2003 server, some are members of
the domain that PS is in, some are standalones and not members of the domain
PS is in. I can let them RD in or setup a VPN if that's necessary but it
seems ridiculous and it looks like you've figured out how to get this to
work from XP not logged into the domain. Did you use a project server
account as opposed to a domain account to do this?

thanks again.

 

[SizzleMaster]

Thanks for all the info Earl. I'm kind of tied up right now and won't be
able to test this until maybe later on tonight. Thanks though very much for
your assistance and I will post back.

Larry,

The error message your getting is clearly indicating that IIS is having

trouble processing your credentials through. If it were SQL server causing
the problem you'd probably be getting a different error - which I have
intimate experience with (network blocks on port 1433/1434 traffic- this is
probably NOT your problem given your error message).

Did you check/add the DNS suffix search settings for name resolution?

Regardless of the fact that you're specifying a FQDN in the URL in the
project professional connection setting - M$Project somewhere along the way
still tries to do WINS resolution. Call it Micro$oft hubris - M$ expecting
you to be on a M$ network. I have no M$ network available to me in my
building yet I'm successfully connecting to a project server on another
network in another building on our campus.

I've also added an entry in the hosts file of my workstation but this is

essentially redundant if you do the prior step. If you're interested the
file is in C:\WINDOWS\system32\drivers\etc and the entries look like this:

# target IP shortname FQDN
999.000.999.999 server1 server1.my.domain.com

Have you had anyone watch the incoming traffic to your project server

while you try making a connection? Your network guys can do this with a
sniffer. Tell them the problem you're having and the machine you're trying
to connect to and then ask them to set aside 5-10 minutes to watch for you.
You may need to have a hole punched in the firewall for your IP address to
get through. Even if you're using DHCP your IP address can be made to
"stick" to your machines MAC address - in effect giving you a static
address.

Also, since you're using SSL have you got your certificates all

legitimate? Are you or have you ever been prompted to review/accept the site
certificate?

 

[SizzleMaster]

Thanks for all the info Earl. I'm kind of tied up right now and won't be
able to test this until maybe later on tonight. Thanks though very much for
your assistance and I will post back.

Not sure if you can do that same thing with Win2003 server. I'd be very surprised if you COULD.

And yes, I'm using a domain account with windows authentication for my

configuration. Make sure to use the fully qualified username, i.e.
server1\username and then enter the password for the domain account.

 

[Enomagic]

Earl,
the originater of this posting responded to me on .project.server group
saying I was wrong and that you said you were able to do what he originally
asked i.e. connect to Project Professional (PP) with a domain account when
the client is not in the same domain as the server.

I would be really interested in knowing how you have got around the hard
coding of the Project Professional client that gives you 2 options to log
onto the Project Server - 1) using the "Use Windows user account" option
which only lets you use the account which you logged into the client machine
with, or 2) use a project server account (which isn't a domain account).

His comment was that I was wrong and the Earl said you could do it. Is this
true, if so, this is of great benefit to us so could you please advise on
how you managed to achieve this.

Thanks in advance.
Enomagic

I connect to a project server in a domain that my workstation is not a

part of using all of the settings I mentioned in my reply to your earlier
post. Please check that and see if it helps.

Also, posting the same problem 4 or 5 times in the same day doesn't get

any more attention than 1 well-written post. In fact some NG readers tend to
ignore posts like that. I know this is frustrating and you want an answer
but sometimes it just takes time. Remember, this is voluntary for everyone
here.

 

[Earl Lewis]

Enomagic (interesting moniker),

To clarify, I am using windows authentication for project professional against a project server that resides in a domain that my workstation does not belong to and I do not login to for any other purpose. In other words I use a local workstation login on startup and am able to successfully connect to and run project pro and project web access from my workstation.

See my post dated 8/17/2004 11:19:29 AM in reply to "SizzleMaster's WWW-Authenticate header error" post.

Earl
Earl,
the originater of this posting responded to me on .project.server group
saying I was wrong and that you said you were able to do what he originally
asked i.e. connect to Project Professional (PP) with a domain account when
the client is not in the same domain as the server.

I would be really interested in knowing how you have got around the hard
coding of the Project Professional client that gives you 2 options to log
onto the Project Server - 1) using the "Use Windows user account" option
which only lets you use the account which you logged into the client machine
with, or 2) use a project server account (which isn't a domain account).

His comment was that I was wrong and the Earl said you could do it. Is this
true, if so, this is of great benefit to us so could you please advise on
how you managed to achieve this.

Thanks in advance.
Enomagic

I connect to a project server in a domain that my workstation is not a

part of using all of the settings I mentioned in my reply to your earlier
post. Please check that and see if it helps.

Also, posting the same problem 4 or 5 times in the same day doesn't get

any more attention than 1 well-written post. In fact some NG readers tend to
ignore posts like that. I know this is frustrating and you want an answer
but sometimes it just takes time. Remember, this is voluntary for everyone
here.

 

[Enomagic]

Earl,
I read that reply and having problems seeing the magic that gets this
scenario to work.
PWA is easy. No probs there.

My conceptual issue is the fact that when you configure an account to
connect to ProjServer with, you only have the choice of proj auth (not the
question here) and select "Use Windows user account" which is not
configurable and uses the credentials that you logged onto the workstation
with - how do you get by this? What part of your setup gets around this?

Thanks
Enomagic

Enomagic (interesting moniker),

To clarify, I am using windows authentication for project professional

against a project server that resides in a domain that my workstation does
not belong to and I do not login to for any other purpose. In other words I
use a local workstation login on startup and am able to successfully connect
to and run project pro and project web access from my workstation.

See my post dated 8/17/2004 11:19:29 AM in reply to "SizzleMaster's

WWW-Authenticate header error" post.

 

[Earl Lewis]

Enomagic,

I suffered from the same (false) assumption about the workstation credentials. With Windows XP using the windows authentication isn't strictly the credentials you use to login to the workstation. Read on...

Let's try a checklist approach. And remember, this is what's working for me - your mileage may vary.

This configuration assumes Windows XP Professional on workstation - which is my case
- user account is setup on domain (in Active Directory) in which project server resides
- user account is created and setup on project server
- user account on project server is set to use windows authentication
- user ID in project server is entered in [domain]\username format
- project server URL is added to list of trusted sites in IE
- project server FQDN is added to list of network account passwords to store
(this is found in control panel>>user accounts>>[select desired account]>>manage network passwords
- make sure account information entered for this entry is the same as the AD credentials
- you may need to add a DNS search suffix to your IP configuration to resolve the hostname to the FQDN

Have you had a network guy on the far side watch for your incoming traffic to see if it's making it into the target domain? They can do this with a sniffer program. Try to coordinate it with your tech support people if there is such a thing.

Hope that helps some.

Earl


Earl,
I read that reply and having problems seeing the magic that gets this
scenario to work.
PWA is easy. No probs there.

My conceptual issue is the fact that when you configure an account to
connect to ProjServer with, you only have the choice of proj auth (not the
question here) and select "Use Windows user account" which is not
configurable and uses the credentials that you logged onto the workstation
with - how do you get by this? What part of your setup gets around this?

Thanks
Enomagic

Enomagic (interesting moniker),

To clarify, I am using windows authentication for project professional

against a project server that resides in a domain that my workstation does
not belong to and I do not login to for any other purpose. In other words I
use a local workstation login on startup and am able to successfully connect
to and run project pro and project web access from my workstation.

See my post dated 8/17/2004 11:19:29 AM in reply to "SizzleMaster's

WWW-Authenticate header error" post.

 

[Enomagic]

You're a champion - this is gold.
MS had told me this wasn't possible. Glad I surf these groups......

Enomagic

Enomagic,

I suffered from the same (false) assumption about the workstation

credentials. With Windows XP using the windows authentication isn't strictly
the credentials you use to login to the workstation. Read on...

Let's try a checklist approach. And remember, this is what's working for me - your mileage may vary.

This configuration assumes Windows XP Professional on workstation - which is my case
- user account is setup on domain (in Active Directory) in which project server resides
- user account is created and setup on project server
- user account on project server is set to use windows authentication
- user ID in project server is entered in [domain]\username format
- project server URL is added to list of trusted sites in IE
- project server FQDN is added to list of network account passwords to store
(this is found in control panel>>user accounts>>[select desired

account]>>manage network passwords

- make sure account information entered for this entry is the same as the AD credentials
- you may need to add a DNS search suffix to your IP configuration to

resolve the hostname to the FQDN

Have you had a network guy on the far side watch for your incoming traffic

to see if it's making it into the target domain? They can do this with a
sniffer program. Try to coordinate it with your tech support people if there
is such a thing.

 

[Enomagic]

By the way, UPN seems to work as well.

Cheers
Ben

You're a champion - this is gold.
MS had told me this wasn't possible. Glad I surf these groups......

Enomagic

Enomagic,

I suffered from the same (false) assumption about the workstation

credentials. With Windows XP using the windows authentication isn't strictly
the credentials you use to login to the workstation. Read on...

Let's try a checklist approach. And remember, this is what's working for me - your mileage may vary.

This configuration assumes Windows XP Professional on workstation -

which
is my case

These are server configuration steps<<

- user account is setup on domain (in Active Directory) in which project server resides
- user account is created and setup on project server
- user account on project server is set to use windows authentication
- user ID in project server is entered in [domain]\username format

These are workstation configuration steps<<

- project server URL is added to list of trusted sites in IE
- project server FQDN is added to list of network account passwords to store
(this is found in control panel>>user accounts>>[select desired

account]>>manage network passwords

- make sure account information entered for this entry is the same as

the
AD credentials

- you may need to add a DNS search suffix to your IP configuration to

resolve the hostname to the FQDN

Have you had a network guy on the far side watch for your incoming

traffic
to see if it's making it into the target domain? They can do this with a
sniffer program. Try to coordinate it with your tech support people if there
is such a thing.

Hope that helps some.

Earl



Earl,
I read that reply and having problems seeing the magic that gets this
scenario to work.
PWA is easy. No probs there.

My conceptual issue is the fact that when you configure an account to
connect to ProjServer with, you only have the choice of proj auth (not the
question here) and select "Use Windows user account" which is not
configurable and uses the credentials that you logged onto the workstation
with - how do you get by this? What part of your setup gets around this?

Thanks
Enomagic



against a project server that resides in a domain that my workstation does
not belong to and I do not login to for any other purpose. In other

words

I
use a local workstation login on startup and am able to successfully connect
to and run project pro and project web access from my workstation.
WWW-Authenticate header error" post. Is
this tend If
the turn
off

 

[Earl Lewis]

UPN?? Not familiar with that acronym.

Earl
By the way, UPN seems to work as well.

Cheers
Ben

You're a champion - this is gold.
MS had told me this wasn't possible. Glad I surf these groups......

Enomagic

Enomagic,

I suffered from the same (false) assumption about the workstation

credentials. With Windows XP using the windows authentication isn't strictly
the credentials you use to login to the workstation. Read on...

Let's try a checklist approach. And remember, this is what's working for me - your mileage may vary.

This configuration assumes Windows XP Professional on workstation -

which
is my case

These are server configuration steps<<

- user account is setup on domain (in Active Directory) in which project server resides
- user account is created and setup on project server
- user account on project server is set to use windows authentication
- user ID in project server is entered in [domain]\username format

These are workstation configuration steps<<

- project server URL is added to list of trusted sites in IE
- project server FQDN is added to list of network account passwords to store
(this is found in control panel>>user accounts>>[select desired

account]>>manage network passwords

- make sure account information entered for this entry is the same as

the
AD credentials

- you may need to add a DNS search suffix to your IP configuration to

resolve the hostname to the FQDN

Have you had a network guy on the far side watch for your incoming

traffic
to see if it's making it into the target domain? They can do this with a
sniffer program. Try to coordinate it with your tech support people if there
is such a thing.

Hope that helps some.

Earl



Earl,
I read that reply and having problems seeing the magic that gets this
scenario to work.
PWA is easy. No probs there.

My conceptual issue is the fact that when you configure an account to
connect to ProjServer with, you only have the choice of proj auth (not the
question here) and select "Use Windows user account" which is not
configurable and uses the credentials that you logged onto the workstation
with - how do you get by this? What part of your setup gets around this?

Thanks
Enomagic



against a project server that resides in a domain that my workstation does
not belong to and I do not login to for any other purpose. In other

words

I
use a local workstation login on startup and am able to successfully connect
to and run project pro and project web access from my workstation.
WWW-Authenticate header error" post. Is
this tend If
the turn
off