Project Professional/PWA login failures

[C. Fistler]

Some of our users (not all) cannot seem to connect to either Project Web Access or through Project Professional.

In PWA, they get a DNS error (which actually shows up as a 401 error for lgnint.asp in IIS logs). I've pasted a couple of examples below, including a successful login. The differences are obvious, but I don't know why....

--------EXAMPLE 1(FAILED)--------
2004-06-10 14:03:06 <serverIP> GET /projectserver - 443 - <clientIP>
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;
+.NET+CLR+1.0.3705;+.NET+CLR+1.1.4322) 301 0 0
2004-06-10 14:03:06 <serverIP> GET /projectserver/LGNINT.ASP
- 443 - <clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;
+.NET+CLR+1.0.3705;+.NET+CLR+1.1.4322) 401 2 0
--------EXAMPLE 2 (FAILED)--------
2004-06-10 15:55:26 <serverIP> GET /projectserver - 443 - <clientIP>
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;
+Q312461;+.NET+CLR+1.0.3705) 301 0 0
2004-06-10 15:55:26 <serverIP> GET /projectserver/LGNINT.ASP - 443 -
<clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;
+Q312461;+.NET+CLR+1.0.3705) 401 2 0
--------EXAMPLE 3 (SUCCESSFUL)----------
2004-06-09 19:03:39 <serverIP> GET /projectserver - 443 - <clientIP>
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;
+Hotbar+4.4.6.0;+.NET+CLR+1.0.3705) 301 0 0
2004-06-09 19:03:39 <serverIP> GET /projectserver/LGNINT.ASP - 443 -
<clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;
+Hotbar+4.4.6.0;+.NET+CLR+1.0.3705) 401 2 0
2004-06-09 19:03:39 <serverIP> GET /projectserver/ - 443 - <clientIP>
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;
+Hotbar+4.4.6.0;+.NET+CLR+1.0.3705) 401 1 0
2004-06-09 19:03:39 <serverIP> GET /projectserver/LGNINT.ASP - 443
CORP\<login> <clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+
NT+5.1;+Hotbar+4.4.6.0;+.NET+CLR+1.0.3705) 302 0 0
2004-06-09 19:03:39 <serverIP> GET /projectserver/SesStart.asp ref=lgnint.asp
443 CORP\<login> <clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;
+Windows+NT+5.1;+Hotbar+4.4.6.0;+.NET+CLR+1.0.3705) 302 0 0
--------------------

In Project Professional, they get the following:

--------------------
Project cannot access the Project Server <our URL>.

Please check the Project Server URL in the Collaborate tab of the Options dialog box (Tools menu). Make sure the server is functioning correctly, and is a valid Project Server.
-------------------

I suspect this is something to do with their login credentials not being passed to Project Server (notice in the successful IIS log entry, the domain login was eventually passed), but am unable to isolate the error as others are working fine. Any help would be appreciated.

C. Fistler
(e-mail address removed)

 

[Cindy]

In case anyone is interested, here is what this problem was and how it
can be fixed:

IIS 6.0 was configured to use the following NTAuthenticationProviders
(a property in the metabase): Negotiate,NTLM. Some clients (all XP)
were trying to negotiate their authentication method using Windows
Integrated Authentication, and were attempting to get their
credentials confirmed using kerberos. The attempt to get a kerb ticket
was failing (don't know why, didn't investigate further). The client
was not defaulting back to NTLM after the kerb failure. Clients who
worked were using NTLM first, and were authenticating fine. (This all
showed up in a sniffer capture).

There were two fixes possible:

Server method, fixes for everybody - edit the IIS 6.0 metabase to set
the NTAuthenticationProviders parameter to NTLM (was Negotiate,NTLM).
This forces NTLM authenticate for Windows accounts, which everyone
could do. There were no ill effects to this, as far as I know.

Client method, fixes for that person only - In IE > Tools > Internet
Options > Advanced, UNcheck the property Enable Integrated Windows
Authentication, and close/reopen IE.

Hope this helps someone...

Cindy

 

[Gary L. Chefetz \(MVP\)]

Thanks for posting your solution Cindy. It will definitely help someone!

--

Gary L. Chefetz, MVP
"We wrote the book on Project Server
http://www.msprojectexperts

-

In case anyone is interested, here is what this problem was and how it
can be fixed:

IIS 6.0 was configured to use the following NTAuthenticationProviders
(a property in the metabase): Negotiate,NTLM. Some clients (all XP)
were trying to negotiate their authentication method using Windows
Integrated Authentication, and were attempting to get their
credentials confirmed using kerberos. The attempt to get a kerb ticket
was failing (don't know why, didn't investigate further). The client
was not defaulting back to NTLM after the kerb failure. Clients who
worked were using NTLM first, and were authenticating fine. (This all
showed up in a sniffer capture).

There were two fixes possible:

Server method, fixes for everybody - edit the IIS 6.0 metabase to set
the NTAuthenticationProviders parameter to NTLM (was Negotiate,NTLM).
This forces NTLM authenticate for Windows accounts, which everyone
could do. There were no ill effects to this, as far as I know.

Client method, fixes for that person only - In IE > Tools > Internet
Options > Advanced, UNcheck the property Enable Integrated Windows
Authentication, and close/reopen IE.

Hope this helps someone...

Cindy

"C. Fistler" <C. (e-mail address removed)> wrote in message

lgnint.asp in IIS logs). I've pasted a couple of examples below, including a
successful login. The differences are obvious, but I don't know why....

--------EXAMPLE 1(FAILED)--------
2004-06-10 14:03:06 <serverIP> GET /projectserver - 443 - <clientIP>
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;
+.NET+CLR+1.0.3705;+.NET+CLR+1.1.4322) 301 0 0
2004-06-10 14:03:06 <serverIP> GET /projectserver/LGNINT.ASP
- 443 - <clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;
+.NET+CLR+1.0.3705;+.NET+CLR+1.1.4322) 401 2 0
--------EXAMPLE 2 (FAILED)--------
2004-06-10 15:55:26 <serverIP> GET /projectserver - 443 - <clientIP>
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;
+Q312461;+.NET+CLR+1.0.3705) 301 0 0
2004-06-10 15:55:26 <serverIP> GET /projectserver/LGNINT.ASP - 443 -
<clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;
+Q312461;+.NET+CLR+1.0.3705) 401 2 0
--------EXAMPLE 3 (SUCCESSFUL)----------
2004-06-09 19:03:39 <serverIP> GET /projectserver - 443 - <clientIP>
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;
+Hotbar+4.4.6.0;+.NET+CLR+1.0.3705) 301 0 0
2004-06-09 19:03:39 <serverIP> GET /projectserver/LGNINT.ASP - 443 -
<clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;
+Hotbar+4.4.6.0;+.NET+CLR+1.0.3705) 401 2 0
2004-06-09 19:03:39 <serverIP> GET /projectserver/ - 443 - <clientIP>
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;
+Hotbar+4.4.6.0;+.NET+CLR+1.0.3705) 401 1 0
2004-06-09 19:03:39 <serverIP> GET /projectserver/LGNINT.ASP - 443
CORP\<login> <clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+
NT+5.1;+Hotbar+4.4.6.0;+.NET+CLR+1.0.3705) 302 0 0
2004-06-09 19:03:39 <serverIP> GET /projectserver/SesStart.asp ref=lgnint.asp
443 CORP\<login> <clientIP> Mozilla/4.0+(compatible;+MSIE+6.0;
+Windows+NT+5.1;+Hotbar+4.4.6.0;+.NET+CLR+1.0.3705) 302 0 0

Options dialog box (Tools menu). Make sure the server is functioning
correctly, and is a valid Project Server.passed to Project Server (notice in the successful IIS log entry, the domain
login was eventually passed), but am unable to isolate the error as others
are working fine. Any help would be appreciated.