5525 Authenticated User Access

We've just replaced our Fortinet Firewalls with 5525's but are struggling to get a feature working that worked great on the Fortinet firewall.
All our users use a proxy for internet access that's configured in IE, but from time to time some users need to remove this proxy and go directly out to the internet. With the Fortinet devices we created a rule right at the bottom of the inside access-out rule that had it authenticate users via TACACS, which worked a treat and could be used from a PC or laptop.
We want to do a similar thing on the 5525 and I thought the Authenticated User would give me this access, but I don't seem to be able to get it to work. I've got the AD side of it working fine; the ASA can pull users and groups from AD, but I'm struggling to get this working for a user.
I've created a rule at the bottom of the inside access-in ACL that has any source and any destination but has my AD user as a user in the rule. When I try to test it, it doesn't work, and when I have a look in monitoring it says no IP address associated with user.
I want to be able to pick and choose which users have this access.
How can I get this working the way I want it to?
Thanks
Jon

Hello Jon,
Are you trying to authenticate users to allow them to go to the internet? If this is the case, cut-through proxy is what you are looking for!
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba6110.shtml
Let me know if I understood your query,
Regards,
Julio
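As an added, constructed example of the cut-through proxy approach the reply points to (it is not configuration from Jon's or Julio's posts), this is the shape an ASA configuration takes: inside hosts whose traffic matches an authentication ACL are challenged against TACACS+ before the firewall passes that traffic, and which users may pass is then decided on the TACACS+ server. Everyday proxied traffic is exempted with a deny entry in the match ACL. The server group name, addresses, ACL name, proxy address and listener port are placeholders.

```cisco
! Added example: cut-through proxy on an ASA for direct (non-proxied) web access.
! All names, addresses and ports below are placeholders, not values from the thread.

! TACACS+ server group used to authenticate users
aaa-server TACACS_SRV protocol tacacs+
aaa-server TACACS_SRV (inside) host 10.0.0.5
 key REPLACE_WITH_SHARED_SECRET

! Traffic that must be authenticated before it is allowed through.
! The deny entry exempts traffic to the normal web proxy (placeholder
! address/port) so ordinary users are never challenged; only direct
! HTTP/HTTPS from the inside network triggers authentication.
access-list AUTH_WEB extended deny tcp 10.1.0.0 255.255.0.0 host 10.1.0.10 eq 3128
access-list AUTH_WEB extended permit tcp 10.1.0.0 255.255.0.0 any eq www
access-list AUTH_WEB extended permit tcp 10.1.0.0 255.255.0.0 any eq https
aaa authentication match AUTH_WEB inside TACACS_SRV

! Serve the login page on the ASA itself and redirect unauthenticated
! browsers to it; collect credentials over HTTPS rather than in the clear
aaa authentication listener http inside port 8080 redirect
aaa authentication secure-http-client

! Authenticated sessions expire after 30 minutes regardless of activity
timeout uauth 0:30:00 absolute
```

Once a user has authenticated, `show uauth` on the ASA lists the authenticated users together with the IP address each one was authenticated from, which is the user-to-address association the monitoring message in the question is complaining about.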

Similar Messages

  • Authenticated User not showing up in access log

    Hello all,
I am trying to get authenticated users to show up in the access log of SunOne Web Server 6.1 SP4 and it doesn't work. It is a default parameter to show up in the access log but doesn't show in the log. In fact, when I set the log to only show the authenticated user in the log, the log is empty and only shows dashes. As you can see in the part of the log file below, after the IP address the log should show the authenticated user but doesn't.
    Any help? Do I need to modify something else in a configuration file?
    Thanks
    Richard
    10.64.8.62 - - [15/Jul/2007:00:42:28 +0200] "GET / HTTP/1.1" 200 202
    10.64.8.62 - - [15/Jul/2007:00:43:43 +0200] "GET / HTTP/1.1" 200 202
    10.64.8.62 - - [15/Jul/2007:00:44:58 +0200] "GET / HTTP/1.1" 200 202
    10.64.8.62 - - [15/Jul/2007:00:46:14 +0200] "GET / HTTP/1.1" 200 202
    10.64.8.62 - - [15/Jul/2007:00:47:29 +0200] "GET / HTTP/1.1" 200 202
    10.64.8.62 - - [15/Jul/2007:00:48:44 +0200] "GET / HTTP/1.1" 200 202
    10.64.8.62 - - [15/Jul/2007:00:49:59 +0200] "GET / HTTP/1.1" 200 202
    10.65.1.63 - - [15/Jul/2007:00:51:14 +0200] "GET /Windchill/ HTTP/1.1" 200 402
    10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/wtcore/js/com/ptc/core/ca/web/misc/content.js HTTP/1.1" 200 4132
    10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/netmarkets/images/cut.gif HTTP/1.1" 200 104
    10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/netmarkets/images/newdoc.gif HTTP/1.1" 200 215
    10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/netmarkets/images/details.gif HTTP/1.1" 200 214
    10.65.1.63 - - [15/Jul/2007:00:51:14 +0200] "GET /Windchill HTTP/1.1" 302 0
    10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/netmarkets/javascript/util/calendar.js HTTP/1.1" 200 29580
    10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/netmarkets/images/contract_comp.gif HTTP/1.1" 200 79
    10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/netmarkets/images/newfoldertl.gif HTTP/1.1" 200 221
    10.65.1.63 - - [15/Jul/2007:00:51:15 +0200] "GET /Windchill/netmarkets/images/ptclogo.gif HTTP/1.1" 200 1284
    10.64.8.62 - - [15/Jul/2007:00:51:14 +0200] "GET / HTTP/1.1" 200 202

You didn't say how the server is authenticating the user. Is it successful? ACLs or Java?
    6.1sp4 is obsolete, update to the latest 6.1 service pack first. If you're using Java, I believe there was a bug years ago that was along the lines of your description. Update to the latest 6.1 service pack and if that doesn't solve the problem, provide more details on how the authentication is configured.

  • Username not showing up in access log for authenticated users

    I'm using form-based authentication in a Java web application on Sun One Web Server v6.1 to restrict access to authenticated users. However, even after the users authenticate and access the application, the username field in the access log is showing them as anonymous.
    request.getRemoteUser() is reporting the correct username, so it just seems to be the access log that is in error. Right now it is set to the default but changing formats to custom doesn't seem to help in displaying the username.
    Here's an excerpt from the access log:
    // anonymous access attempt, redirects to login page...
    10.100.168.110 - - [01/May/2006:14:34:42 -0400] "GET /profile/index.jsp HTTP/1.1" 302 0
    10.100.168.110 - - [01/May/2006:14:34:42 -0400] "GET /profile/login.jsp HTTP/1.1" 200 3355
    10.100.168.110 - - [01/May/2006:14:34:47 -0400] "POST /profile/j_security_check HTTP/1.1" 302 0
    // at this point they are logged in and their username should be reflected in the access log, but is not:
10.100.168.110 - - [01/May/2006:14:34:47 -0400] "GET /profile/index.jsp HTTP/1.1" 200 3532
And the relevant code from the web application's web.xml:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>AllFiles</web-resource-name>
        <description>Restricts anonymous access.</description>
        <url-pattern>/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>Authenticated Users</description>
        <role-name>user</role-name>
      </auth-constraint>
    </security-constraint>
I've searched the forums and the manuals but can't see anything showing that the access log's username field doesn't work with form-based authentication. Can anyone shed some light on this?

    Some background:
The Java Servlet container has its own authentication infrastructure (which is what you configure in web.xml) which is separate from the non-Java authentication infrastructure (ACLs, etc.). If you set up authentication via ACLs the resulting user identity can (though you may configure it not to) propagate to the Java Servlet container such that request.getRemoteUser() will return it, even though no web.xml-driven authentication occurred. The converse is not true, however: if you authenticate via a Java Realm, based on web.xml configuration, that user identity is not available to non-Java code.
    (Your web.xml snippet doesn't show you using FORM auth - but it doesn't matter, the explanation above applies in any case.)
    That is why the log file (generated from non-Java code) doesn't have access to that user. It probably should, but there's no config option today for you to make that happen.
    If you're using BASIC auth you may consider moving the authentication configuration from web.xml to ACLs as a possible workaround. It will then show up in the access logs.
    If you prefer web.xml-based authentication, consider the <SECURITY audit="true"> option in server.xml. It won't be in the access log but you'll have an audit trail of authentications, which may help.

  • Authenticated user name not written to access log file

    Our users are authenticated with certificates to an LDAP directory server. The Access log file is using the Extended-2 format.
The name of the authenticated user is not written in the Access log.
    10.4.57.44 - - [19/May/2004:14:07:21 -0400] "GET /somepage HTTP/1.1" 200 10382
    Anybody know why?

    I've got the same problem with Sun Java System Web Proxy Server 4.02 for Linux.
When I installed it, authenticated users were visible in the access log. Then I tried to change the format and since that moment this information has disappeared.
    Any news about this bug?
    Thanx.
    G.

  • Reporting Services through ISA server for All Authenticated Users

    Hello colleagues.
I have an MS SQL 2012 server with Reporting Services and it works via the link:
https://reports2.domain.com/reports
In the LAN all works fine, but I want to publish this resource via ISA for All Authenticated Users.
When in the publish rule I configure (in Condition) "All users", all works fine, but when I configure "All Authenticated Users" I have trouble on the web form on
https://reports2.domain.com/reports/Pages/Report.aspx?ItemPat...  - the scripts do not work, because they run as "anonymous" (I see this in ISA logging) and ISA blocks the scripts.
I can't use "All Users", because it's not secure.
Has somebody published Reporting Services through ISA server for All Authenticated Users?
Or maybe: how do I configure Negotiate authentication for scripts on Reporting Services?

    Hi Alexander,
All users or applications who request access to report server content or operations must be authenticated using the authentication type configured on the report server before access is allowed. The AuthenticationType named RSWindowsNegotiate is supported by Reporting Services. To configure Windows Authentication on the Report Server, please see:
    http://msdn.microsoft.com/en-us/library/cc281253(v=sql.110).aspx
    Besides, we can publish report server via ISA server. Please note that you should use a new web port number with a new listener which shouldn’t be used by other web site for report server. Reference:
    http://social.technet.microsoft.com/Forums/forefront/en-US/1cc68996-1ce6-4d88-a30d-2bfd13fba06e/how-to-publish-ssrs-2008-through-isa-2006?forum=Forefrontedgegeneral
    Hope this helps.
    Thanks,
    Katherine Xiong
    TechNet Community Support
Katherine, thanks for the answer.
The Report Server service is started as a domain account.
I have this in RSReportServer.config:
    <Authentication>
      <AuthenticationTypes>
        <RSWindowsNegotiate />
      </AuthenticationTypes>
      <RSWindowsExtendedProtectionLevel>Allow</RSWindowsExtendedProtectionLevel>
      <RSWindowsExtendedProtectionScenario>Proxy</RSWindowsExtendedProtectionScenario>
      <EnableAuthPersistence>true</EnableAuthPersistence>
    </Authentication>
In web.config I have this:
    <authentication mode="Windows" />
    <identity impersonate="true" />
I can go (from the Internet through ISA) to
https://reports2.domain.com/reports  and the LogOn authentication works, but the scripts do not work, because they run as "anonymous" (I see this in ISA logging) and ISA blocks the scripts.
Do you know where in Reporting Services to configure running scripts with Negotiate authentication?

  • Anonymous user access to GP Process iView

    Hi GP/Portal Gurus,
I've created an iView for my GP process. The problem is that only authenticated users can successfully access this GP Process iView. Anonymous users will get an error in accessing the GP process iView. I've set the Page and iView authentication scheme to anonymous. But still, it doesn't work.
    The error message is:
    "com.sap.tc.webdynpro.clientserver.session.SessionExpiredLongJumpException: Application session has expired: No application session with ID oJji4PrZdG5ox8ITkiHTpAsDdNOJtMyv78EPQ66xiLlA/pcd:portal_content/cafUAT/formBrole/sap.com/cafeugpuiinst/AInstantiation/base exists. Hint: A follow-up request was sent to Web Dynpro, but no corresponding session was found under the existing sessions. Reasons: a) Session has expired; b) Web Dynpro is called with incorrect session parameters; c) Application session has been destroyed due to proceeding exception. Please restart the application..."
    Appreciate any help.
    Rgds,
    Hapizorr

    Hi Hapizorr
From what you have posted, please try to log in again to the portal and then proceed with the creation of the iView.
    Please let us know the behaviour this time.
    Regards
    Navneet

  • How can I stop authenticated users from getting other user's information?

We recently discovered that it is possible for authenticated users, via KM's details view, to view details about the other users that have access to the same resource as you.  Our portal (7.0 sp15) is used for an external facing web site.  We have secured it against anonymous users but the problem still remains for authenticated users.  Here is an example:
The KM folder documents\Public Documents has been assigned read permissions for the group Everyone.  An authenticated user can open the URL https://<host>/irj/go/km/navigation/documents/Public%20Documents and a list of folders is shown.  The user can then select Details from the menu for one of the folders and the Details iView is displayed.  They then select the menu item Settings > Permissions and the users/groups/roles assigned to this folder are shown.  The user can then select a user and view that user's name and email address, or the user could select a group and view, for each member of the group, the user id, name, and email address, which could then be used to help attack the site.
So I thought it would be easy enough to disable the details view for all users but content managers or administrators, but I seem to be running into difficulty.
I tried disabling the Details KM command with limited success.  Even with it disabled, if you know the URL for the details component you can still access it.  So it seems the better option is to take away access to the details component.  It seems that the users are getting access to the Details iView from the standard eu_role.  If I remove the iView from this role then all users have no access to the Details in KM.  I tried to add the iView to another role that content managers would have, but when logged in with a user that had that other role I still was not able to access the Details iView.
This SAP Help document (http://help.sap.com/saphelp_nw70/helpdata/en/47/f0f7415e639c39e10000000a155106/frameset.htm) discusses the eu_role (Standard User role) and it states that
By default, the Everyone group is assigned to the Standard User role. If you choose to use the other every user roles instead, you need to remove these assignments from the Standard User role and apply them to the Every User Core and Control Center User roles.
But, when I look at what groups the role is assigned to or what roles are assigned to the Everyone group they don't appear to be linked, contrary to what the documentation says.  So, what I'm thinking here is that I can create a copy of this role and remove the Details iView from the original and then assign the copy to the content managers and administrators.  Doing this causes all users to lose access, even the content managers.
I thought I'd give the Security Zones a try to see if this could help me, but when I take away rights from here it still allows access.
I'm stumped.  I'm sure there is some key piece that eludes me.  What can I do to allow users read-only access to some KM folders and files while preventing them from viewing the permission/user details?

    The only 3d party apps are Hazel...
    And that's your problem!
    From the Hazel site's description:
    Hazel watches whatever folders you tell it to, automatically organizing your files according to the rules you create.
Hazel is a prefPane, so you must have some rule (or it supplied the rule as a default) to put pictures (jpgs) from your Desktop (folder) into your Pictures folder.
    Open your System Preferences and Hazel in there and either turn off Hazel or change or delete the appropriate rule covering this situation.

  • How to setup for multiple users accessing same share?

    Hi!
    Recently picked up Mac Mini Server and have some configuration questions related to sharing files & information over the internet. Whenever possible, prefer to use the built-in features & tools, not 3rd party tools.
    My setup & needs are this:
    - Have folders & sub-folders with files to share.
    - Wish to give individuals access to the shared folders, each with their own account (and access logging).
    - Shared folder and files should be visible via web to authenticated users only (so no special client or setup is needed).
    Right now, have added a Website via Server.app that points to the folder with files to share, and that works somewhat, but doesn't support individual user accounts separately?
    Thought maybe to setup VPN but that seems like massive overkill for this (and is a pain in the butt for non-technical users to setup).
Editing httpd.conf for user support is a possibility, but it seems /etc/apache2/httpd.conf only applies to the default web server (on port 80), not the one I set up in Server.app?
    Can anyone recommend the best approach, given the above needs?

I have a related question. I created 2 websites/domains, then I went to users and created 2 separate "network" users, then I went to FTP and selected each website and added only user A to site A and user B to site B. What's weird is that when I try to FTP using either of the users it seems to land on the same site. I looked at shared security for the folders and it only shows user A on the site A folder and user B on the site B folders. Am I doing something wrong or is this how it works in Mountain Lion Server? I just want to give the domain owner FTP access so they can manage their files and only their files. I also had to turn on Open Directory so that it would not create a local user but a network user. Do I need to turn that off and just deal with having a bunch of local users as FTP users? I want to host multiple websites on the server and NO users remote on to the server besides FTP.
edit 1: I only have 1 IP running on the server, which I don't think has any effect on this, but thought I'd mention it :-)
edit 2: I just noticed one more thing that may help. I used FileZilla to remote in using both users, one at a time. It seems to allow both users in but then it shows the same directories. I then created a file using the one that was not supposed to have access and it never shows up. But if I remote desktop to the server I can see the new file in the correct folder. So it may have something to do with the directory listing.

  • Project Online External User Access

    Hello,
I'm testing the Project Online Preview and I would like to share the deliverables list on a project site with an external user (a client, for example); so I configured the site collection with Project Web App to the "Allow external users who accept sharing invitations and sign in as authenticated users" option. Then I tried to share the list with an external e-mail with a Microsoft account, but the invitation email was not sent.
External Sharing in the SharePoint admin center is configured as "Allow both external users who accept sharing invitations and anonymous guest links"
and my PWA site works in "SharePoint Permission Mode".
The same procedure on a classic SharePoint site collection works perfectly.
    Any suggestions, please?
    Matteo

    Hello,
I got some of the external users to work.  I am still trying to sort it out, but thought I would give you what I found.
The external user that I got to work was another user in another domain, but the account was in a separate domain in Office 365.  I have not been successful so far with an external account that was not part of Office 365.
Here is what I did to get it to work.
1) Log into an Office 365 account.  Let's call it OFFICE999.
2) Then paste the link from my PWA site into the browser.
3) Access was denied, but the page provided me a link to Request Access.
4) Then jump to my Office 365 account with PWA. Went to the PWA site and clicked on the Settings icon and then Site Settings.
5) Click on "Access request and Invitation".
6) Under the Pending requests, approved the user and put the user as "Project Web App Visitor".
7) Jump back to OFFICE999 and read my email, click on the link.
8) I got access denied again.
9) Went back to the Office 365 PWA admin account and added the user to PWA users.
10) Went back to the OFFICE999 account, refreshed the screen and got access to the PWA site,
11) BUT it says the account doesn't have a LICENSE.  So I am at that point trying to find out how to give an external user a license.
    Cheers!
    Michael Wharton, MVP, MBA, PMP, MCT, MCTS, MCSD, MCSE+I, MCDBA
    Website http://www.WhartonComputer.com
    Blog http://MyProjectExpert.com contains my field notes and SQL queries

  • Cannot prevent authenticated users from creating a blog on "My Page"

I have a brand new Snow Leopard (10.6.1) 2.26 GHz quad core Xserve with 12 GB RAM that will be used for web collaboration services. I've currently set up Wiki and Blog services with a group membership to allow creating wikis/blogs. The reason for this is for staff development purposes, with the plan to add people into the group as they are trained. The process to set it all up was very simple; however, I'm having an issue preventing authenticated users from creating a personal blog. Although I can restrict the creation of wikis to members of a group easily, any authenticated user on the server can log into "My Page" and will be able to create a blog. I've gone to Server Admin > choose the server > choose the "Access" icon and set the column "for selected services below" (blog) to "allow only users and groups below" (the group) and it still doesn't prevent them from making a blog page. In WGM for the group on the "Basic" tab, the "enable the following services for this group" has only the choice of "none", and therefore, since the site isn't showing as a choice, the Wiki, Blog, Calendar and Mailing List are grayed out. I've seen another thread that states that in 10.6 the option for setting the service ACL in the group settings of WGM is unavailable. Does anyone know a fix for my problem of security access for a "My Page" blog, or is it a possible bug in Snow Leopard? Right now my only workaround is to remove the users' access and enable it as they are trained. This isn't an ideal fix, however, because we have some users who want to limit their wiki or blog to authenticated users only, not public access. Any help will be greatly appreciated.
    Message was edited by: dstrollo.il

Ran into this same issue.... Talked with a field engineer who confirmed the behavior. The question now is whether this is a defect or a "feature that does not work as the audience desires". As far as I can tell, the security setting for blogs in Server Admin does nothing at all. This has the potential to cause a few issues as you cannot limit who can have a blog.
    Message was edited by: jlindler

  • 10.6.1 Server - cannot prevent authenticated users from creating a blog


    Thanks for the suggestion, but that would prevent all users from creating personal blogs. I was hoping to be able to have a group of users that can create a personal blog outside of the blog attached to a wiki.

  • Authenticated Users & Users missing from Root

    Hello,
    Environment: MDT 2013, 2008 R2, Windows 7 x86.  MDT is located on Windows 7 x86 and is not integrated with SCCM or WDS.
    Process: Separate build, capture, and deployment task sequences.
Problem:  After deployment the Authenticated Users and local Users are missing from the root (e.g., C:).  The only security permissions assigned to the root are SYSTEM, the domain account, and Local Administrator.
This causes problems once joined to a domain, due to the fact that Authenticated Users have no permissions, forcing a given user to have a temporary profile.  So far, only a partial workaround has been identified and it is undesirable in the long run.  The workaround is to manually add Authenticated Users as well as the local Users to the root and delete the domain account, but the system will only allow partial inheritance through the file structure.  Delete all entries for a particular user in the registry (e.g., PolicyGUID, ProfileGUID, ProfileList).  Afterwards, log in to the machine with an account within the domain administrators group.
Additional information shows the registry ProfileList entries for a user maintain partial access with a value of 204; this includes the user and a domain account within the administrators group.  The domain account present after deployment has a value of 0.  Two accounts have the expected value of 256 and they are the local and domain administrator accounts.
Also, if the same image is deployed using the PE environment the accounts are as they should be.  The groups added are: Authenticated Users, Localmachine\Users, SYSTEM, Localmachine\Administrators.
The questions are: why would the Authenticated Users and local Users accounts be missing?  Why is the account used to deploy added?
    Help is very appreciated, and thank you.

Hello Nicholas, the sysprep and capture is completed by a default template from the MDT LTI sequence.  The answer file used is the default provided by MDT.  No attempt is made to capture from WinPE because this simply negates the point of the MDT process.
However, applying the same image from WinPE there are no permission issues and all the appropriate groups are assigned to the root.
On returning to the office this fine morning, I ran icacls on a machine:
    C:\Users\Administrator>icacls c:\
    c:\ No mapping between account names and security IDs was done.
    (I)(OI)(CI)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
    Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)
    Successfully processed 1 files; Failed processing 0 files
    Thank you for the continued effort, Nicholas.  With the additional icacls information I will delve into the general error provided.

  • Authenticated Users

    I am reading that the Everyone group includes the group Authenticated Users, plus the Guest account, plus the reserved accounts SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, etc.   Is this still the case in Windows 8.1?
    To be clear, would Authenticated Users only include:
    1) Users who login interactively, including users in Guests group (NOT the Guest account!)
    2) Users who login through Terminal Services or Remote Desktop
    3) Users who access resources on the computer through Microsoft Networking.
    Does this imply that any file system resource that needs to be accessed by system services will have the "Everyone" group with a minimum of read access on the target folder or files?
    Is there any documentation listing all file system resources that either Windows 8 or Windows 2012 system services need to have access to?   I'm trying to harden my NTFS permissions and I don't want to break critical system services.
    Will

Sorry for my dilatory reply. According to your description, I am afraid there is no way to achieve your goal. As far as I know, there is no Microsoft app that can manage a process's file access. What we can do is limit which user accounts can execute the program; for example, using AppLocker we can specify which users may execute the program.
I am not requiring a program from Microsoft to virtualize or secure anything.  It would be nice to have that but it was not the question.  My question is: do we have documentation about what specific security settings and user rights a new user group needs to have to be able to execute applications while logged in?
I don't want them in the Users group because that group has write access to a large part of the file system.  I want to create a new NTFS group with very limited file system access, which then forces me to add that new user group into the various security settings and user settings required to execute programs.
Such documentation has to exist somewhere....
Will

  • Authenticated Users Group Question

I have a quick question regarding the Authenticated Users "group". I used to be a systems administrator, but I'm a bit rusty since I've been a software developer for the last 10 years. A conflict with the data center operations (DCO) group at work led me to get another opinion.
    The question is this... is the authenticated users group a domain-level group or is there a local authenticated users group that would allow only users authenticated locally? We have a share that permits the authenticated users group access.
    My opinion is that all domain users who have authenticated successfully have access to this share. The DCO group is telling me that this is the local (to the server containing the share of course) authenticated users group only.
    Is there such a thing as a local-only authenticated users group? To me this doesn't even make sense, but I could very well be wrong.
    Nathon Dalton
    Sr. Software Engineer
    Blog: http://nathondalton.wordpress.com

    I apologize. I don't think I explained myself correctly. Let's consider the following...
    SERVER: SERVER1
    DOMAIN: DOMAIN1
    SHARE: \\SERVER1\SHARE1
    SHARE PERMISSIONS: Authenticated Users - Full Control
    Given the above information, is it possible that the Authenticated Users group will allow ONLY users that are defined on SERVER1 to access \\SERVER1\SHARE1?
    My understanding is that's not possible. There's one defined Authenticated Users group and that represents ALL users that are authenticated against DOMAIN1, whether added to local groups, shares, etc.
    What I'm being told however is that SHARE1 having Authenticated Users assigned is okay since only those user accounts defined on SERVER1 will be able to access it. All the users in the domain will NOT be able to access it. I think this is bogus. Am I wrong?
    Nathon Dalton
    Sr. Lead Developer
    Blog: http://www.nathondalton.com

  • Need MBAM 2.5 Helpdesk and selfservice sites to open for authenticated users with no password prompt

I need the MBAM 2.5 Helpdesk and self-service sites to open for authenticated users with no password prompt. I just can't seem to get this to work. The account used in the application pool has its SPN registered and delegation set. I can use that account to log in to the sites but am prompted for a password. That said, anyone I add into the helpdesk users group cannot negotiate the sites. Only the account I have set in the application pool can. I want domain authenticated users that have been added to the MBAM Help Desk Users group to negotiate the site with NO password challenge at all.
    tconners

This generally means that your SPN is not set up correctly.  Let's say the web server you installed the SSP on is lance.contoso.com and your app pool creds are corp\lance.  You should set an SPN similar to setspn -s http/lance.contoso.com corp\lance.  In your browser, you should now be able to access the SSP without prompts.  However, if you still get prompted, generally that means that your local intranet zone in IE does not have an entry for *.contoso.com.  Since you are entering an FQDN in your browser, IE interprets the "." to mean "on the internet", which breaks Kerberos authentication.  By adding *.contoso.com to your local intranet zone, you are telling it that lance.contoso.com is on the intranet, so use Kerberos.
I can confirm that I have the exact configuration and I always get the password prompt the very first time. We have a 2 server (1x IIS and 1x SQL) infrastructure in production with the SPN set like it should be and I get the password prompt.
