NTLM - anyway to force credential prompt ?

Hi all,
I am using NTLM auth on a website and an applet that is used needs to connect back and retrieve images and issue commands at the users discretion.
I am finding that in some instances, when the applet initializes (and fetches the first images) it will prompt the user to enter the NT authentication credentials, but not in other instances. In the latter case, the applet always obtains and sends the current logged in credentials instead (and subsequently fails to retrieve the right images).
This same applet (since 1.4.2) has been working fine, always prompting the user, however within the last couple months it has stopped doing this reliably.
I think this happenned around the time of 1.5.11 update, however i cannot be sure since in many cases, the account i am testing with exists on all tmachines and the fact that the authentication credentials used were "wrong" is only visible by examining the server logs.
Is there anyway to force the applet to ALWAYS prompt the user for credentials - or failing that use the credentials used by the browser for that same site ?
Thanks in advance.

I don't have a ton experiencing using something like ARR, but we should do some testing.  The first thing I would try is to route around the ARR in the DMZ and connect directly to Exchange from externally.  This SHOULD let us know where the problem
lies.  If it succeeds (no auth prompts) then the issue is on the ARR and not Exchange.  If it fails, then the issue is with the ARR and that needs to be looked at a little more clearly.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread

Similar Messages

  • Outlook Negotiate/NTLM authentication credential prompt

    Hello everyone,
    I have been digging quite a while now for a solution to this but apparently there is not a lot of systems out there utilizing this or having problems with it. Here it comes:
    We have a pure (no migration or coex) Exchange 2013 CU7 environment in production with 3 x CAS/MBX Servers (3 sites connected via WAN VPN). Inside our network our outlook clients (2013 SP1+) authenticate via Kerberos (ASA/SPN) to the Exchange Servers and
    connect via MAPI over HTTP. Everything working fine!
    External is a different Story: We have a Application Request Routing (ARR) machine in our perimeter network that forwards external users to the Exchange Servers and for a reason that I didn't manage to find yet I can't get it to work so that domain joined clients
    (notebooks) that are outside the company's LAN would use their cached credentials to try to authenticate outlook against the Exchange Servers. Outlook always prompts the user for her/his password on start up and then connects fine. No problems after that -
    PF, OoO, OAB - everything is working. If the user restarts the outlook -> password prompt once again and fine after that. Saving the credentials works but is obviously not the way NTLM/Negotiate is supposed to work.
    So here is my progress on this:
    I verified my virtual directory settings. Here is how the Mapi virtual directory looks like:
    IISAuthenticationMethods            : {Negotiate}
    InternalUrl                                    : https://mail.domain.com/mapi
    InternalAuthenticationMethods    : {Negotiate}
    ExternalUrl                                   : https://mail.domain.com/mapi
    ExternalAuthenticationMethods   : {Negotiate}
    I've set everything to Negotiate because we don't have legacy Exchange Servers nor legacy mail clients in our network. I tried setting it to NTLM only which made the problem shift. Test clients connect to exchange and are able to view/receive mails but got
    the infinite credential prompt and weren't able to access PF, OoO and OAB. Setting it to NTLM and Negotiate produces the same result as Negoiate alone.
    Browsing https://autodiscover.domain.com/Autodiscover/Autodiscover.xml with IE (autodiscover URL set in intranet settings) gave the expected error code 600 without prompting for credentials. Even Firefox (network.negotiate-auth.trusted-ris set to domain.com)
    is utilizing cached windows credentials and is able to log on to autodiscover and OWA with windows authentication enabled.
    When a client has a valid Kerberos ticket cached (cmd -> klist) Outlook uses that ticket successfully even from outside the network but as soon as the ticket is gone (sign out and sign back in) Outlook prompts for user credentials again.
    "Show connection status" in Outlook and the HttpMapi log on the CAS both show that Negotiate has been used for the connection. But why the password prompt then?
    I read up on IIS ARR and it seems that it just passes through the authentication information when set to "anonymous authentication" which it is.
    Now how I understand the auth method Negoiate in Exchange 2013 is that Outlook and the Server try to handshake on the strongest auth mechanism available in the following order: Kerberos -> NTLM -> Password Promt (Basic/NTLM) but in my case this doesn't
    apply.
    Now I would apprechiate it very much if someone could educate me in how this is supposed to work and if there is a mistake in my configuration or my understanding of the authentication process correct it.
    A great day to everyone!
    Vasko

    I don't have a ton experiencing using something like ARR, but we should do some testing.  The first thing I would try is to route around the ARR in the DMZ and connect directly to Exchange from externally.  This SHOULD let us know where the problem
    lies.  If it succeeds (no auth prompts) then the issue is on the ARR and not Exchange.  If it fails, then the issue is with the ARR and that needs to be looked at a little more clearly.
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread

  • Crystal Report Viewer Credential Prompt for Report with Dynamic Parameters

    The .NET Crystal Report Viewer is prompting for database credentials when launching a report containing dynamic parameters. This only occurs for reports created with SAP Crystal Reports 2011 designer. Reports created with Crystal Reports XI designer (where dynamic parameters were first introduced) work correctly.
    The credential prompt window contains the following fields:
    - Server Name: <server name> (disabled)
    - Database Name: <database name> (disabled)
    - User Name: <empty> (enabled)
    - Password: <empty> (enabled)
    - Use Single Signon Key: false (disabled)
    The values in the prompt window which are disabled are the database connection values used during the design of the report in the SAP Crystal Reports 2011 designer.
    Expected Result:
    - No prompt for database credentials.
    - Values read from the database should be populated in a drop down for the dynamic parameters.
    Environment:
    - Visual Studio 2010 (C#)
    - Windows 7 Enterprise
    - SAP Crystal Reports runtime engine for .NET Framework 4
    - SAP Crystal Reports, version for Visual Studio 2010
    - SAP Crystal Reports 2011
    The database connection is being set to use a DSN. It must be a DSN as the calling application is only aware of the DSN/Username/Password values. These values are being passed to the Crystal Report Viewer contained in a Windows form.
    The database connection for the report is being set as follows:
    foreach (InternalConnectionInfo internalConnectionInfo in this.report.DataSourceConnections)
        // Must set the UseDSNProperties flag to True before setting the database connection otherwise the connection does not work
        if (internalConnectionInfo.LogonProperties.ContainsKey("UseDSNProperties"))
            internalConnectionInfo.LogonProperties.Set("UseDSNProperties", true);
        // Supposed to set the database connection for all objects in the report (ie. main report, tables, sub reports)
        internalConnectionInfo.SetConnection(this.DSN, string.Empty, this.LoginName, this.Password);
    The SetConnection method's signature is as follows:
       SetConnection(string server, string database, string name, string password)
    As you can see from the code snippet above I am setting the DSN name as the server parameter, blank for the database parameter (a database connection using DSN should only require DSN name/Username/Password) and the database username and password respectively.
    Is this a SAP bug?
    Is this the correct way of setting the database connection to use a DSN?
    Is there some other properties that need to be set somewhere else in the report through code?
    Any help would be greatly appreciated.

    Thanks for the pointer to the database connection code generator. After taking a look at the output from the tool I was able to finally get the dynamic parameters to load and populate properly without prompting for credentials. I needed to tweak the outputted code a bit to match my requirements of using a DSN only connection.
    Instead of updating the database connection properties contained within the Report.Database.Tables collection from the CrystalReports.Engine namespace, I changed it to replace the database connection properties in the Report.ReportClientDocument.DatabaseController.Database.Tables collection from the CrystalDecisions.ReportAppServer.DataDefModel namespace. For one reason or another, using the RAS namespace solved the problem.
    Below is the updated code with the change made:
    using RAPTable = CrystalDecisions.ReportAppServer.DataDefModel.Table;
    foreach (InternalConnectionInfo internalConnectionInfo in this.report.DataSourceConnections)
        // Must set the UseDSNProperties flag to True before setting the database connection
        if (internalConnectionInfo.LogonProperties.ContainsKey("UseDSNProperties"))
            internalConnectionInfo.LogonProperties.Set("UseDSNProperties", true);
        // Sets the database connection for all objects in the report (ie. main report, tables, sub reports)
        internalConnectionInfo.SetConnection(this.DSN, string.Empty, this.LoginName, this.Password);
    // The attributes for the QE_LogonProperties which is part of the main property bag
    PropertyBag innerPropertyBag = new PropertyBag();
    innerPropertyBag.Add("DSN", this.DSN);
    innerPropertyBag.Add("UserID", this.LoginName);
    innerPropertyBag.Add("Password", this.Password);
    innerPropertyBag.Add("UseDSNProperties", "true");
    // The attributes collection of the tables ConnectionInfo object
    PropertyBag mainPropertyBag = new PropertyBag();
    mainPropertyBag.Add("Database DLL", "crdb_ado.dll");
    mainPropertyBag.Add("QE_DatabaseType", "OLE DB (ADO)");
    mainPropertyBag.Add("QE_LogonProperties", innerPropertyBag);
    // Pass the database properties to a connection info object
    ConnectionInfo connectionInfo = new ConnectionInfo();
    connectionInfo.Attributes = mainPropertyBag;
    connectionInfo.Kind = CrConnectionInfoKindEnum.crConnectionInfoKindCRQE;
    connectionInfo.UserName = this.LoginName;
    connectionInfo.Password = this.Password;
    // Replace the database connection properties of each table in the report
    foreach (RAPTable oldTable in this.report.ReportClientDocument.DatabaseController.Database.Tables)
        RAPTable table = new RAPTable();
        table.ConnectionInfo = connectionInfo;
        table.Name = oldTable.Name;
        table.QualifiedName = oldTable.QualifiedName;
        table.Alias = oldTable.Alias;
        this.report.ReportClientDocument.DatabaseController.SetTableLocation(oldTable, table);
    this.report.VerifyDatabase();
    Thanks again Ludek for the help.

  • Touch screen stopped working. Is there anyway to force a full backup of the iPhone without typing in my passcode lock or is there anyway to force it to connect to a WiFi network so the phone can backup to iCloud??

    Hello all, I could use some help with my iPhone 4, I hope this is the best place to ask!
    The Problem:
    I want to do a full backup of my iphone to either itunes or to icloud. Unfortunately the iphone got wet and isn’t working properly. The phone turns on and still works, but the touch screen no longer works. I have a passcode lock on the phone so iTunes will not allow me to backup it up until I type in the passcode (which I cannot physically do). WiFi had been turned off before it got wet so it won’t connect to any known WiFi networks either to backup automatically to iCloud.
    What happened:
    I had been travelling for 6 months and went tubing on a river with my iphone in a dry bag. Unfortunately the dry bag failed and filled with water ruining my iphone.
    What I’d like to do:
    It’s an old phone and I was planning on buying a new iPhone anyway. I would love to do a full backup to either iCloud or to my computer so when I get a new iPhone I don’t lose anything. I’ve already connected it to my PC and downloaded all the photos and videos off the phone so at least I haven’t lost that, but I would like to be able to recover all the text messages, WhatsApp messages and notes I had created during my 6 months of travel.
    The last time it was backed up to my pc or to icloud was in April, so there are 6 months worth of very meaningful data I would love to keep to remind me of my travels!
    Is there anyway to force a full backup of the iPhone without typing in my passcode lock or is there anyway to force it to connect to a WiFi network so the phone can backup to iCloud??
    iTunes recognizes the phone just now and I tried upgrading the phone to iOS7 in the hopes that it would first backup and then upgrade. Unfortunately all that happened is the phone upgraded to iOS7, but it didn’t backup to iTunes. Now the phone is stuck at the iOS7 welcome screen and I can’t do anything else with it.
    Any ideas or tips would be welcome!
    NOTE: This is NOT a jailbroken iPhone.

    If there is no other way around this, is there anyway to completely wipe the phone then??
    The Apple store agreed to give me a new iPhone 4 as a warranty replacement for $150 (I travel a lot and I have a factory unlocked phone, so this is still worth it for me).  But before I trade it in, I would like to make sure all my data is backed up on the device first.
    When I try and restore the phone now on iTunes, it says I have to turn off Find My iPhone on the phone first before I can restore it.  Now since I can't use the screen I can't really do that.
    So how do I completely wipe the iPhone???
    Thanks!

  • Linked mailbox credential prompt.

    We have setup a link mailbox between to different domain all is ok..
    just want to clarify if it is normal that every time i open the outlook client of the linked mailbox it will prompt for its credetials? even if the domain account login is the link mailbox account also?
    if it is not please let me know what authentication method i should change ot this is normal for a link mailbox??
    thanks in advance!!

    Hi,
    To understand more about the issue, I’d like to confirm the following information:
    1. Check the authentication method in the tab named Exchange proxy settings.
    2. Is there firewall between the two domans?
    3. Does the credential accept password of keep prompting?
    4. Cancel the credential prompt and then run "Test Email AutoConfiguration" to see if there is any error return.
    5. Does the credential appear if you run Outlook with online mode?
    If you have any question, please feel free to let me know.
    Thanks,
    Angela Shi
    TechNet Community Support

  • Constant Credential Prompts

    Hi all,
    I've got a Windows 7 Pro SP1 64Bit machine, connected to a SBS2008 domain, which is exhibiting a strange issue.
    In the last month or so, one user has complained about being prompted for credentials when opening documents from a mapped drive. Even if he enters the correct credentials, it keeps on prompting, almost like the incorrect credentials have been entered.
    The strange thing is, this only happens when Outlook 2010 is open. With Outlook closed, the user can open the documents without any issues, and no credential prompts.
    The user can log in to the machine, browse the shares and open documents, providing Outlook is not open.
    I've recreated his Windows profile, and the issue appeared to have gone away, but now, two weeks later the issues has reoccurred.
    I've tried opening a Word document, and am being prompted for credentials. If I cancel the request, I get a pop-up error saying - "The Internet address 'http://servername/share/docname' is not valid."
    As mentioned, I've recreated the user profile, Outlook profile, opened Outlook in safe mode, and disabled all the add-ins, but still have this issue when Outlook is open.
    Any help would be greatly appreciated.
    CheersJéan

    It sounds like the user is changing passwords after having had Windows store them for him. Windows will keep trying to connect with the old password, then fail and prompt for the new one. Try clearing out the stored passwords:
    In Control Panel click Credential Manager, find the appropriate credentials (Outlook, Windows, possibly others), click the dropdown arrow and then click Remove from Vault.
    Good luck!

  • Anyway to force FTPS only for FTP

    Is their anyway to force my users to use FTPS vs FTP. I do not see this
    as an option in the restrict.txt. This server is behind a firewall but
    I do not see how I could restrict this via the firewall. Anyone have
    any idea if this is possible.

    Originally Posted by knoke
    Andrew Knoke wrote:
    > Is their anyway to force my users to use FTPS vs FTP. I do not see this
    > as an option in the restrict.txt. This server is behind a firewall but
    > I do not see how I could restrict this via the firewall. Anyone have
    > any idea if this is possible.
    I think I have figured out this question. Although I now have another
    question. I can force secure connections via the ftpserv.cfg file.
    My new question is I would like force all of my users to connect using
    FTPS except a few accounts which are mainly scanners that AFAIK will not
    do FTPS. Is it possible to make exceptions like this based on account
    or IP or do I actually need to setup another FTP server.
    Thanks
    Andy
    Sorry, there is not a way to tell NWFTPD that some users must use FTPS and other users can use regular FTP. It's an all-or-nothing kind of setting.
    Gathagan suggested SFTP/SSH, which is a good option, but I suppose your scanners might not do that, either. But you could set NWFTPD to only allow your scanner users (regardless of which protocol it is) and let NWFTPD support regular FTP, and tell all your other users to use SFTP (part of SSH) instead. You'd essentially get your desired end results, though you have to administer 2 services to get it done.

  • Anyway to force capture?

    Hi Folks
    today, I am converting some 8mm to dvd. I have a projector aimed into a telecline machine, then my camera on the other side to record the image.
    Since its all close to my computer, I thought I could simply tell FCP to capture what it sees, thereby bypassing recording to tape, and re-downloading from the tape you know?
    but FCP sits there saying, "waiting for timecode" Is there anyway to force it to capture directly?
    I tried pulling the tape out but its still wants to "wait for timecode"
    thanks for your help.

    ok never mind, I changed it to "uncontrollable deceive and was able to tell it to capture without "waiting for timecode" Im marking this answered. thank you "self".

  • E71: Anyway to force the internet to UMTS or HSDPA...

    Hi all, is there anyway to force the phone to use UMTS or HSDPA only instead of auto switch between GPRS/EDGE/UMTS/HSDPA? I noticed in certain area when the 2G/2.5G signal is stronger than 3G/HSDPA, the phone will switch to 2G/2.5G. I have a 3G/HSDPA datacard which i can force it to use UMTS/HSDPA only. At the same location, my datacard got UMTS/HSDPA but my E71 got only 2G

    hi, thanks for the tip. Managed to do that on E71. Sure E71 will land India soon. I saw alot of ppl using E61i (my previous phone) when i was in Bangalore 5 months ago

  • APEXUTIL.Get_file... need to force a prompt to save, open or cancel

    I'm a newbie to APEX and am using APEX_UTIL.Get_File to open static files (PDF documents).  The requirement specifies that the user must be prompted whether to save or open the file.  We have created a "popup" page with dynamic PS/SQL:
    DECLARE
        l_file_id NUMBER;
    BEGIN
            SELECT id INTO l_file_id FROM APEX_APPLICATION_FILES
    WHERE filename = 'LDSNav.pdf';
            APEX_UTIL.GET_FILE(
                  p_file_id   => l_file_id,
                  p_inline    => 'NO'); 
    END;
    For some reason, the file is loaded into the new page (as if we had coded p_inline => 'YES')  rather than prompting the user to save or download when testing using IE and Chrome.   When testing in FireFox, it does not recognize the mime type and loads the file as it it were a text document.
    Any ideas on how we can fix this?
    Thanks.

    In SQL Workshop, run this:
    SELECT id, filename, mime_type
    FROM APEX_APPLICATION_FILES
    WHERE filename = 'LDSNav.pdf';
    If mime_type is not 'application/pdf' (or something similar), that could cause problems.
    Make sure you don't have any Branches per Documentation:
    APEX_UTIL.GET_FILE()
    MK

  • Anyway to force a Digital Input sample rate?

    I've tried three different A/D converters and all fail on the Mac Pro, but work with other equipment. All of the A/D converters have a fixed 48k output sample rate. I can set a 48k sample rate on the Mac and the sound's great.  Unfortunately, it only holds this setting for a few seconds, then snaps back to a 44.1k sample rate and says 'locked'. The audio is then slow and distorted.. like playing a 45 rrmp record at 33 1/3 rpm.  My question is, is there any way I can stop OSX from falling back to 44.1k; i.e. force it to hold the 48k sample rate?

    Got an updated Core Audio driver from Digidesign - that fixed it.

  • Anyway to force a user to logout?

    Hi,
    I wonder whether there is a way for root to force a user out of the system, if the user is currently in it.
    I get two reasons to do it:
    1) sometime after a remote telnet PC crash, I find the user is reported to be still in the host from "who". I guess this may results from the telnet's unexpected crash. so I want to get ride of their pending sessions in the host.
    2) if I suspect a certain user, and find he is in the system from a telnet, I want to force him out of the system immediately (reset his passwd will not affect the current connections).
    Any idea of it?
    Thanks a lot.

    Don't forget who -uH to find out the PID of the user you want to kill
    Hi,
    I wonder whether there is a way for root to force
    rce a user out of the system, if the user is currently
    in it.
    I get two reasons to do it:
    1) sometime after a remote telnet PC crash, I find
    ind the user is reported to be still in the host from
    "who". I guess this may results from the telnet's
    unexpected crash. so I want to get ride of their
    pending sessions in the host.
    2) if I suspect a certain user, and find he is in
    in the system from a telnet, I want to force him out
    of the system immediately (reset his passwd will not
    affect the current connections).
    Any idea of it?
    Thanks a lot.

  • Numbers as in Local 1 to Local 2000. Sort Alpebeticaly puts them Local 1 Local 100 Local 2 etc. Is there anyway to force it to sort Local 1 Local 2 ect.

    I have bookmarks that have numbers in them. For example, Local 1 to Local 2000. I have tags to sort them by state if need be but usually i want them sorted by number. Unfortunately the only way i see in Firefox to sort is alphabetically. When it does that it sorts them as Local 1 Local 10 Local 103 Local 104 Local 110 Local 2 Local 20 etc. Is the any way I can force it to sort Local 1 Local 2 Local 3. so I can switch back and forth between the state sort and number sort. I don't want to have to manually sort all of them each time i need to view them by number.
    Thank You

    You could put zeros in front of the smaller numbers, such as 0002.

  • Netscape Browser Forcing Download Prompt with .jsp

    My apologies in advance if this topic has already been covered. Here is the behavior I've come across and can't resolve:
    When a user with an IE browser visits my site (i.e. http://www.mysite.com), the default page is loaded - no problems. With Netscape, the user is prompted to download. However, if the Netscape user types the full path to the default file (i.e. http://www.mysite.com/index_new.jsp) there is no problem.
    This would lead me to think there is a problem with my deployment - but I can't solve it.
    I'm using Tomcat 3.2.1 with the isapi filter. In the server.xml, I've set up a context to my server's root:
    <Context path="/"
    docBase="d:\root"
    crossContext="true"
    debug="0"
    reloadable="true"
    trusted="false" >
    </Context>
    In my web.xml file in d:\root\web-inf I've defined a <welcome-file>. Under IIS I also have a default page for the web root.
    Does anyone have any ideas?
    Thanks - David

    Sorry, to clarify the default file is index_new.jsp - the underscore was lost when it was underlined.
    David

  • Outlook (2010) & credential prompts

    In my place of work I often see users complain that Outlook has 'randomly' forgotten their credentials, resulting in a pop-up dialog box with their username entered and a 'password'. This password is not their actual password: some users easily identify this as the character length is very different; some... don't.
    The fix is usually asking them to enter the full AD name + re-enter their password manually, which reconnects them to Exchange.
    My question(s): where is Outlook pulling this 'password' from and what causes it?
    Configuration settings are that the authentication is done over RPC - with https used if network is slow (high-latency). Outlook password prompt is unchecked.
    I've probably not included very much detail; if not sorry. If you do see this, i'd appreciate how you've fixed it?
    This topic first appeared in the Spiceworks Community

    Hi,
    Thanks for posting in Windows Server Forum.
    As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to  reply
    this post directly so we will be notified to follow it up. 
    BTW,  we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. 
    Thanks for your Support & understanding.
    Regards.
    Dharmesh Solanki
    TechNet Community Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

Maybe you are looking for