Integrated Windows Authentication fails after resetting Internet Explorer

  • Question

  • Copied from http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/7614fa75-f2a5-4175-a42e-874773cd4ec7/

    The solution I was looking for ended up being disabling the EAP for Windows 7.  Official documentation has not been released as of last week, but the fix is to set these Registry changes on the Windows 7 workstation:

    HKEY_Local_Machine\System\CurrentControlSet\Control\LSA\SuppressExtendedProtection (Create DWORD value of “1”) (Add this property if it doesn’t exist)

    HKEY_Local_Machine\System\CurrentControlSet\Control\LSA\LmCompatibilityLevel (Default DWORD value of “3”)

    Will this work for Windows XP?  I don't know if this is the fix, but I have had a couple of users lately who have not been able to connect to intranet sites after resetting Internet Explorer.  On one, the user previously had malware that had been removed by Malwarebytes.

    After resetting Internet Explorer, we normally run gpupdate /force to update the user's Zone settings, but that hasn't resolved the issue.  I have checked Trusted Sites and none of the intranet sites appear to be missing.

    I checked:

    1. Internet Options, Advanced, Enable IWA (checked)
    2. Internet Options, Security, Trusted Sites (the server I want to send credentials to through IWA is local to my LAN and is in this list)
    3. Internet Options, Security, Local Intranet, Advanced, "Enable logon in intranet zone only" (checked)

    Everything appears to be in order.

    On our last user she was in IE 7, so I thought maybe doing Windows Updates and upgrading her to IE 8 would refresh something and resolve the issue, but it did not.

    Again, would the above registry keys be something to try for Windows XP?  If not, does anyone have any suggestions when all settings appear to be correct, and IWA used to work, but does not after an IE reset?


    I don't know if this matters, but on the other user we were resetting IE because we found for some reason this resolves an issue where people are unable to log in to Salesforce Chatter.




    Friday, February 11, 2011 6:50 PM


  • Hi,


    Please open the IIS settings and change the setting for Extended Protection to “off” or “allow”. You can do this in the GUI in the advanced settings for Windows Authentication in IIS 7.5. The setting will be off by default on earlier versions of IIS, but if it has been enabled you can disable it; refer to the following: http://support.microsoft.com/kb/973917. You can also disable EPA system wide using the registry keys mentioned in http://support.microsoft.com/kb/968389; however, this is not the recommended approach. After changing the settings, reboot the computer to check if it works.




    This posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Proposed as answer by Miya Yao Monday, February 21, 2011 9:27 AM
    • Marked as answer by Robinson Zhang Friday, February 25, 2011 7:03 AM
    Thursday, February 17, 2011 9:40 AM
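
Because the answer above does not recommend the system-wide registry change, a read-only check like the following can show whether a workstation still carries the two LSA values quoted in the question. This is an added example, not part of the original thread; the function name `Get-LsaValueReport` is hypothetical, and the comparison values are only the ones given in the question.

```powershell
# Added example: read-only report on the two LSA values named in the thread.
# It makes no changes to the registry.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Values exactly as quoted in the question.
$fromThread = @{
    SuppressExtendedProtection = 1
    LmCompatibilityLevel       = 3
}

function Get-LsaValueReport {   # hypothetical helper name
    param(
        [string]$Path,
        [hashtable]$Expected
    )
    try {
        $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ${Path}: $($_.Exception.Message)"
        return
    }
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        # Returns $null when the value does not exist under the key.
        $prop = $props.PSObject.Properties[$name]
        if ($null -eq $prop) {
            $value = $null
            $note  = 'Not set'
        } elseif ($prop.Value -eq $Expected[$name]) {
            $value = $prop.Value
            $note  = 'Matches the value quoted in the thread'
        } else {
            $value = $prop.Value
            $note  = 'Set, but differs from the value quoted in the thread'
        }
        if ($name -eq 'SuppressExtendedProtection' -and $value -eq 1) {
            # The answer in the thread advises against this system-wide setting.
            $note = 'Set to 1: system-wide workaround from the thread is in place'
        }
        New-Object PSObject -Property @{
            Name    = $name
            Present = ($null -ne $prop)
            Value   = $value
            Note    = $note
        } | Select-Object Name, Present, Value, Note
    }
}

Get-LsaValueReport -Path $lsaKey -Expected $fromThread | Format-Table -AutoSize
```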