none
Web application not working in IE under user profiles, works fine under administrator profile RRS feed

  • Question

  • I am an I.S. technician for a credit union. We have several web applications that require us to run Internet Explorer 9 on Windows 7 SP1.

    Our users' Windows profiles are set up as Power Users and cannot have administrator privileges. The built-in Windows administrator profile is enabled and restricted for technician use only. 

    We have three models of workstations: Dell Vostro 270s, Dell Optiplex 780, and some brand new Dell Inspiron One 2020 All-in-One workstations.

    All three workstation models are running Windows 7 SP1, with IE9, with all the same software, settings and policies. 

    We have one IE-only web application in question which works perfectly fine in our limited user profiles on the Vostro and Optiplex workstations, however, only on the new All-in-One workstations, there is one single page element within this web application that simply will not work when logged into a limited user profile. Most of the web application loads and works fine, except for one necessary "Payment" tab, as highlighted in red in this screenshot:

    https://www.dropbox.com/sh/2ac47qwzsp10hvq/zxePAUiFpD/02_IE_Error_UserProfile.jpg

    Strangely enough, this same portion of the application works perfectly fine when logged in to the administrator profile on the same workstation, so it seems that it cannot be a hardware/workstation issue. The IE settings and policies are identical under both profiles, and also match the settings and policies on the other workstation models. While troubleshooting, I tried executing Internet Explorer with "Run as Administrator" while logged in as the limited user, and the web application still did not work. Just for the sake of troubleshooting, I also tried adding the users to the workstation's Administrator group, but the site still did not work for the user. 

    https://www.dropbox.com/sh/2ac47qwzsp10hvq/pxSQ9SggcR/01_IE_Error_UserProfile_RunAsAdministrator.jpg

    Then I instead executed Internet Explorer using the "Run as a different user" command while holding down Shift and right-clicking on the IE icon. I then used the exact same administrator credentials. 

    https://www.dropbox.com/s/klz8g3glu30fz48/03_IE_Error_UserProfile_RunAsAdministrator.JPG

    When launching IE this way, the same portion of the web application works fine, just as it does when logged in to the Administrator profile, as shown below: 

    https://www.dropbox.com/sh/2ac47qwzsp10hvq/tPldMfeQ3U/04_IE_NoError_UseProfile_RunAsAnotherUser.jpg

    From what I understand, using "Run as a different user → Administrator" versus "Run as Administrator" actually loads IE using the Administrator registry hive, rather than just granting the same privileges to the current user? What could this indicate? This isn't a solution itself as we cannot give our users the administrator password. What else can I do to try to solve this problem so that the our users can run IE normally within their own limited profiles and use this site as they should be able. 

    For now, I have used the third-party "runasspc" as a temporary work-around so employees can run this application as the administrator user when needed without knowing the password, however, this is an ugly hack because the IE favorites, downloads, etc, all default to the C:\Users\Administrator directory, rendering the users' session downloads inaccessible from elsewhere in their Windows profile, and not allowing them to access their own IE favorites while running IE as the administrator user. 

    Thank you very much for your time and help.

    Monday, March 24, 2014 11:03 PM

All replies

  • Hi,

    File>Properties

    or

    Right click on the page and select Properties from the context menu...

    Which IE Security zone does the misbehaving page map to?

    IE has a security zone setting to prevent navigation into a zone of lower integrity.

    from your screen shots it looks like you are trying to navigate from a internet domain to a intranet domain.

    compare your security zone domain lists between user accounts.

    use the * notation for wildcard entries eg... *.swb.com

    ensure that the user Security zone settings are selecting the defaults....Internet Options>Security tab, click "Reset all zones to default".

    Regards.


    Rob^_^

    Tuesday, March 25, 2014 1:36 AM
  • Thanks for your reply and direction. This is an external trusted site, and the site *.swbc.com is already added as a trusted site under both profiles as applied by the same group policy.

    When I checked the Properties of the various parts of the web page, most elements show that they are in the Trusted Zone and that the address is ...swbc.com, however, when I checked the Properties of the lower frame that will not load correctly, it says that it is instead in the Internet zone and the address shows as: res://ieframe.dll/dnserrordiagoff.htm#https://www.swbc.com/LMAkcelerant/hub.aspx 

    When I checked the page properties of the same lower frame when it loads correctly when run as the administrator user, however, it then says that the address is: https://ecm.swbc.com/ecm/akcelerant/akciframe.aspx?aid=#### and that it is in the Trusted zone.

    I am now searching the internet for "res://ieframe.dll/dnserrordiagoff.htm" solutions, but haven't had any luck so far. 

    Tuesday, March 25, 2014 4:34 PM
  • From what I understand, using "Run as a different user → Administrator" versus "Run as Administrator" actually loads IE using the Administrator registry hive, rather than just granting the same privileges to the current user? What could this indicate?

    Probably the most significant difference for your purposes is that both elevating the task and using a Trusted Sites zone means that Protected Mode is Off.  That is something else which you could notice using the File, Properties command (e.g. Alt-F r) that Rob pointed you to.



    Robert Aldwinckle
    ---

    Tuesday, March 25, 2014 4:57 PM
    Answerer
  • Protected Mode is off in all cases, for Internet, Intranet & Trusted Sites, under both profiles. 
    Tuesday, March 25, 2014 6:53 PM
  • I am now searching the internet for "res://ieframe.dll/dnserrordiagoff.htm" solutions, but haven't had any luck so far. 

    Instead of doing that I think your most effective tack would be to try to understand what that message means.  Can you try using Developer Tools, Network capture to supplement it, for example?



    Robert Aldwinckle
    ---

    Tuesday, March 25, 2014 8:22 PM
    Answerer
  • Developer Mode, Console 

    SEC7111: HTTPS security is compromised by res://ieframe.dll/dnserrordiagoff.htm 
    SEC7111: HTTPS security is compromised by res://ieframe.dll/ErrorPageTemplate.css 
    SEC7111: HTTPS security is compromised by res://ieframe.dll/errorPageStrings.js 
    SEC7111: HTTPS security is compromised by res://ieframe.dll/httpErrorPagesScripts.js 
    SEC7111: HTTPS security is compromised by res://ieframe.dll/noConnect.png 
    SEC7111: HTTPS security is compromised by res://ieframe.dll/bullet.png 
    SEC7111: HTTPS security is compromised by res://ieframe.dll/bullet.png 
    SEC7111: HTTPS security is compromised by res://ieframe.dll/bullet.png 
    SEC7111: HTTPS security is compromised by res://ieframe.dll/down.png 
    SEC7111: HTTPS security is compromised by res://ieframe.dll/favcenter.png 
    SEC7111: HTTPS security is compromised by res://ieframe.dll/favcenter.png 
    SEC7111: HTTPS security is compromised by res://ieframe.dll/background_gradient.jpg 


    Network Capture, Summary:

    URL	Method	Result	Type	Received	Taken	Initiator	Wait‎‎	Start‎‎	Request‎‎	Response‎‎	Cache read‎‎	Gap‎‎
    /Elements/Payment/PaymentService.mvc/Index/######	GET	200	text/html	3.02 KB	0.82 s	frame navigate	12761	31	780	15	0	14789
    /Resources/WebResources/Js/IncludeFile.ashx?version=1.0&file=default	GET	304	text/javascript	194 B	< 1 ms	<script>	13587	0	0	0	0	14789
    /Resources/WebResources/Ajax/Api.ashx?version=1.0	GET	304	text/javascript	188 B	< 1 ms	<script>	13587	0	0	0	0	14789
    /Resources/WebResources/Js/IncludeFile.ashx?version=1.0&file=Resources/Js/Elements.js	GET	304	text/javascript	187 B	< 1 ms	<script>	13587	0	0	0	0	14789
    /Styles/Main.css	GET	304	text/css	170 B	< 1 ms	<link rel="stylesheet">	13587	0	0	0	0	14789
    /Resources/WebResources/Css/Global.css	GET	304	text/css	169 B	< 1 ms	<link rel="stylesheet">	13587	0	0	0	0	14789
    /Resources/WebResources/Ext/resources/css/ext-all.css	GET	304	text/css	171 B	< 1 ms	<link rel="stylesheet">	13587	0	0	0	0	14789
    /Resources/Css/Main.css	GET	304	text/css	167 B	< 1 ms	<link rel="stylesheet">	13587	0	0	0	0	14789
    https://www.swbc.com/LMAkcelerant/hub.aspx		(Aborted)		0 B	< 1 ms	click	13728	0	0	0	0	14648
    /Forms/Desktop.aspx/UnLockUsedClientRecs	POST	200	application/json	224 B	0.57 s	JS Library XMLHttpRequest	27799	16	0	561	0	0

    The full detailed XML is 13,647 lines long just from the one click to load the page with the Payment frame. 


    • Edited by MarkWSFCU Tuesday, March 25, 2014 9:15 PM format
    Tuesday, March 25, 2014 9:11 PM
  • https://www.swbc.com/LMAkcelerant/hub.aspx (Aborted) 0 B < 1 ms click 13728 0 0 0 0 14648


    Long Wait and Gap? Looks like a timing thing?   So, if that's milleseconds perhaps you have a timeout set too low... But why are so many items given the same timings or greater?  Not all of them were Aborted.

    This would look better in a table but it looks as if that was the longest Wait.  Not that much bigger though? 

    Just in case, check your ReceiveTimeout value.  E.g. sometimes "Network optimizers" get carried away...

    http://support.microsoft.com/kb/181050/en-us

    If that's not it I would try using NetMon to find out what is happening at the packet level and ProcMon to find out what is happening at the file and process and thread level.



    Robert Aldwinckle
    ---

    Wednesday, March 26, 2014 12:55 PM
    Answerer
  • Thanks for your reply and direction. This is an external trusted site, and the site *.swbc.com is already added as a trusted site under both profiles as applied by the same group policy.

    When I checked the Properties of the various parts of the web page, most elements show that they are in the Trusted Zone and that the address is ...swbc.com, however, when I checked the Properties of the lower frame that will not load correctly, it says that it is instead in the Internet zone and the address shows as: res://ieframe.dll/dnserrordiagoff.htm#https://www.swbc.com/LMAkcelerant/hub.aspx 

    When I checked the page properties of the same lower frame when it loads correctly when run as the administrator user, however, it then says that the address is: https://ecm.swbc.com/ecm/akcelerant/akciframe.aspx?aid=#### and that it is in the Trusted zone.

    I am now searching the internet for "res://ieframe.dll/dnserrordiagoff.htm" solutions, but haven't had any luck so far. 

    see http://centralops.net/co/DomainDossier.aspx?addr_lkup=1&dom_whois=1&net_whois=1&dom_dns=1&traceroute=1&svc_scan=1&addr=http://swbc.com

    Start>Run>cmd>ping http://75.32.90.155

    Unable to resolve the uri... theres something wrong with their dns records.


    Rob^_^

    Friday, March 28, 2014 3:47 AM
  • Start>Run>cmd>ping http://75.32.90.155

    Does that work with the HTTP protocol prefix?   <eg>

    Non-authoritative answer:
    Name:    www.swbc.com
    Address:  75.32.90.155

    C:\>tracert 75.32.90.155

    Tracing route to 75-32-90-155.swbc.com [75.32.90.155]

    @ Rob

    Any comment on the timing idea?



    Robert Aldwinckle
    ---

    Friday, March 28, 2014 1:18 PM
    Answerer
  • Thanks for your help and direction on this persistent problem. We had initially contacted the vendor to ensure all our settings were set to their specifications, but then we figured this must be a Windows or IE problem. I have since escalated the problem with their support. I've pretty much exhausted all my troubleshooting and search skills (as well as way too much time) on this problem. 

    Again, it's specific only to any user Windows profile, but only on our new workstations.

    It works fine under the Administrator Windows profile on the same workstation, and also works fine under the user profiles on our older workstations. All profiles on all workstations are configured with the same group policy, the same software, same installers, same versions, same network and settings, etc. Everything seems to indicate that it is a problem with this new workstation hardware, except that it works fine under the Administrator profile. This then seems to indicate that it is somehow a UAC or permissions issue on this image, but my troubleshooting has ruled both of those possibilities out. 

    I will be sure to follow up here if we figure out what the issue is with our vendor. Any other ideas would still be appreciated. 

    Tuesday, April 1, 2014 10:30 PM
  • Just in case, check your ReceiveTimeout value.  E.g. sometimes "Network optimizers" get carried away...


    I set the ReceiveTimeout value to 8 minutes with no different result. I haven't had a chance to check with ProcMon yet.
    Tuesday, April 1, 2014 10:34 PM
  • Again, it's specific only to any user Windows profile, but only on our new workstations.

    Any other ideas would still be appreciated. 

    ProcMon may be your best option for seeing the differences there and any underlying timings.

    I just noticed that your other server has a different IP address.  I wonder if we are focusing on the right part of your trace? 



    Robert Aldwinckle
    ---

    Wednesday, April 2, 2014 12:03 AM
    Answerer