Windows Authentication login fails in Microsoft Forecaster Web Access

Si applica a: Microsoft Forecaster 7.0

Symptoms


You receive the following error message when trying to log into Microsoft Forecaster 7.0 Web Access using Windows Authentication:

Microsoft Forecaster Web Access could not log you on. Make sure your User Name and password are correct. Letters in passwords must be typed using the correct case. Make sure that Caps Lock is not accidentally on.

Cause



Cause 1

The Windows user who is trying to log on to Web Access does not exist as a Forecaster user. See Resolution 1

Cause 2

The Web Access Database Registration Tool does not have a connection that is configured correctly or may need a fully qualified domain name (FQDN) for the Server value.  See Resolution 2

Cause 3

Active Server Pages or ASP.NET v2.0.xxxxx or v4.0.xxxxx is not enabled in IIS. See Resolution 3

Cause 4

The Microsoft Forecaster 7.0 Web Client was not installed on the client workstation because of a lack of security permissions. User Account Control (UAC) can prevent this installation also. See Resolution 4

Cause 5

The required SQL Native Client drivers are not installed on the Server that is running IIS where Web Access is installed.  See Resolution 5

Cause 6

Basic Authentication is the only supported authentication method when IIS and the Forecaster SQL database are on different computers. See Resolution 6

Cause 7

Windows Authentication is the only supported authentication method when IIS and the Forecaster SQL database are on the same computer. See Resolution 7

Cause 8

This is a known issue when you use a SQL Application Role and a 2-Tier (IIS and Forecaster SQL Server separate computers) Forecaster Web Access environment. See Resolution 8

Cause 9

The Windows User does not have the required SQL permissions. See Resolution 9

Cause 10

Using the fully qualified domain name or a custom host header to browse a local Web site can cause Windows Authentication to fail. See Resolution 10


Resolution


Resolution 1

Confirm the Windows user who is trying to log on to Web Access exists as a Forecaster user.  

1. Open the Forecaster full client and log on.

2. Click Setup and then select Security. Verify the Windows User ('domain\user' format) exists.


Resolution 2


Confirm the Web Access Database Registration Tool connection tests successfully.

1. Log on to the server running IIS where Web Access is installed as a Windows user who exists as a user in Forecaster.

2. Click Start, click Microsoft Forecaster 7.0, and then select Microsoft Forecaster Database Registration Tool.

3. Select the Display Name that matches the connection that the logon failure occurred on.

4. Check Test using the current Windows login and then click Test. If this does not test successfully, try using the fully qualified domain name for the server value. If this still fails, See Resolution 9.


Resolution 3


Log on to the server running IIS where Web Access is installed and open IIS Manager.


For IIS 6:

1. Expand the server name at the top and then click the Web Service Extensions folder.
2. Select ASP.NET v2.0.xxxxx and then click Allow. Repeat this step for ASP.NET v4.0.xxxxx.

For IIS 7:

1. Click the server name at the top and then double-click ISAPI and CGI Restrictions under the IIS category.
2. Right-click ASP.NET v2.0.xxxxx and then select Allow. Repeat this step for ASP.NET v4.0.xxxxx.

Note You may have to restart the Microsoft Forecaster 7.0 application pool and website after you make these changes.

Resolution 4


User Account Control (UAC) or lack of installation privileges can prevent the Microsoft Forecaster 7.0 Web Client from installing correctly on a user's workstation. You can resolve this by granting them local administrator privileges on the workstation and running Internet Explorer as an administrator.

The recommended method is to run Internet Explorer as an administrator:

1. On the user workstation, click Start and then right-click Internet Explorer and then select Run as administrator.

2. Open the Forecaster Web Access website and you are prompted to install the Forecaster Web Access Client.

Note If you are not prompted to install the client components, you will have to copy the MicrosoftForecasterWebClient.msi and msxml6.msi to the local workstation and run them both with administrative credentials. These files are located on the Server Running IIS under the WebAccess\Cabs\Files folder where Microsoft Forecaster 7.0 Web Access is installed.



Resolution 5


Microsoft Forecaster 7.0 Web Access requires that the SQL Native Client (version 9.xx.xxxx) driver be installed on the Server running IIS. Certain environments may only have the SQL Native Client 10.0 driver installed and therefore you would experience this logon error.


1. Download the Microsoft SQL Server Native Client from the following link:

http://www.microsoft.com/downloads/details.aspx?FamilyID=7768393B-71FA-4281-83EB-CAB08BE4FB76&displaylang=e&displaylang=en

2. Install the Microsoft SQL Server Native Client on the Server running IIS.


Resolution 6


If the IIS server and SQL server where the Forecaster database resides are on separate computers, Basic Authentication is the only authentication method supported.

Log on to the server running IIS where Web Access is installed and open IIS Manager.

For IIS 6:

1. Expand the website that Forecaster exists under.
2. Right-click on the Forecaster 7.0 virtual directory and then select Properties.
3. Click the Directory Security tab.
4. Click Edit.
5. In this window, clear all boxes except Basic authenticationNote We highly recommend HTTS (or SSL) be used with Basic authentication for security.
6. Click OK.

For IIS 7.0:

1. Expand the website that Forecaster exists under.
2. Click the Forecaster 7.0 virtual directory.
3. Double-click Authentication in the Features View.
4. Disable all authentication methods that are listed except Basic Authentication.
Note You may need to restart the Microsoft Forecaster 7.0 application pool and website after you make these changes.



Resolution 7

If the server running IIS and SQL server where the Forecaster database resides are on the same computer, Windows Authentication is the only authentication method supported.

Log on to the server running IIS where Web Access is installed and then open IIS Manager.

For IIS 6:

1. Expand the website that Forecaster exists under.
2. Right-click on the Forecaster 7.0 virtual directory and select Properties.
3. Click the Directory Security tab.
4. Click Edit.
5. In this window, clear all boxes except Integrated Windows authentication.
Note We highly recommend HTTS (or SSL) be used with Basic authentication for security purposes.
6. Click OK.

For IIS 7.0:

1. Expand the website that Forecaster exists under.
2. Click the Forecaster 7.0 virtual directory.
3. Double-click Authentication in the Features View.
4. Disable all authentication methods listed except Windows Authentication.

Note You may need to restart the Microsoft Forecaster 7.0 application pool and website after you make these changes.




Resolution 8


Non-Administrator Forecaster users will be unable to log on to Web Access when SQL Server Application Roles are being used.  

Note This resolution only applies to Forecaster databases that are configured specifically to use a SQL Application Role. An Application Role is a special security configuration and is not set like this in a default Forecaster database installation.

1. Log on to the server running IIS as an administrator user.

2. Browse to the folder where Forecaster Web Access is installed. The default folder is as follows: C:\Program Files\Microsoft Forecaster 7.0\WebAccess.

3. Under the WebAccess folder, make a backup of the jscripts.ASP file.

4. Open the jscripts.ASP file in Notepad.

5. Locate the following line:

{//fill in the login control and validate the login


6. Insert this script in the line directly after the line found in Step #5:

document.cookie="CA=" + escape(parent.frames.bodyfrm.document.forms.loginform.app.value);



It should now look like:

{//fill in the login control and validate the login
document.cookie="CA=" + escape(parent.frames.bodyfrm.document.forms.loginform.app.value);

7. Save the changes to jscripts.ASP.

Note You may have to restart the Microsoft Forecaster 7.0 application pool and website after you make these changes.



Resolution 9


Please use the following KB article to confirm that SQL permissions have been configured correctly:

https://mbs.microsoft.com/knowledgebase/KBDisplay.aspx?scid=kb;EN-US;951225


Resolution 10:


Please use the following KB article to troubleshoot this issue:

http://support.microsoft.com/kb/896861