What are the effects of IE Security Zones
-
In particular, I want to understand the effect of changing a site from "trusted" to "internet." Everything I've been able to find talks about how to change this stuff but not what that will do.
Background:
Our customer serves our app up over https. They're currently migrating to Windows 10 (INB4 idiots) and some users are having problems where they have to keep logging in when they navigate around. I guess someone there decided that changing the site to the internet zone may fix this and they're asking us if we have a problem with that.
-
basically all the internet zones do is change which group of settings apply to which websites:
that's the internet options from IE, if you go into custom level you can see all the various settings that will be applied to the currently selected zone.
so what exactly the zones do depends on how the client has set them up and how paranoid their group policy settings are (because of course you can control all that via group policy)
-
Security settings like whether IE prompts before downloading potentially unsafe content, blocks unsigned ActiveX controls etc, and privacy settings around cookies.
The settings and which level applies to which zone can be customised by group policy, so the differences configured may well be specific to that customer.
IIRC Internet is (by default) more restrictive than Trusted Sites which in turn is more restrictive than Intranet.
edit: The security defaults are here. By default Internet is Medium-High, Intranet is Medium-Low, Trusted is Medium.
-
@boomzilla
Yeah, usually, migrating from Internet to Trusted is what you would do to fix the "our users have to put in their AD credentials on the page, rather than just passing through their Windows session token".
If the user is being prompted for credentials more than once in a single browser session (especially if there isn't a time lag between clicks), that usually indicates a problem with the application. Is this a load balanced application? Is the load balancer set up for session affinity (making sure that once Bob connects to Node #1, all future requests from Bob for time period X -- usually at least 60 minutes of inactivity, but should match your cookie lifetime -- go to Node #1)?
-
@izzion said in What are the effects of IE Security Zones:
If the user is being prompted for credentials more than once in a single browser session (especially if there isn't a time lag between clicks), that usually indicates a problem with the application.
Yeah, I have no idea why this is happening. It's only with IE11 on Windows 10. It's purely application level credentials. We don't integrate with AD or anything Windows / OS level at all.
@izzion said in What are the effects of IE Security Zones:
Is this a load balanced application?
No.
-
@boomzilla
Are users being prompted for credentials on every single page request, or is it intermittent? If it's intermittent, does it seem to correspond to a certain minimum inactivity length (1 minute, 5 minutes, 15 minutes)?
Edit: I'm inferring from your previous post that the same user on the same machine using Chrome or Firefox doesn't have the problem, is that correct?
-
@izzion said in What are the effects of IE Security Zones:
Are users being prompted for credentials on every single page request, or is it intermittent? If it's intermittent, does it seem to correspond to a certain minimum inactivity length (1 minute, 5 minutes, 15 minutes)?
The reports say that they get it on every page request.
@izzion said in What are the effects of IE Security Zones:
Edit: I'm inferring from your previous post that the same user on the same machine using Chrome or Firefox doesn't have the problem, is that correct?
Correct.
-
I know Protected Mode fucks up Webdriver. I think it's trying to protect the browser from hijacking.
-
@boomzilla
Prompted on every single page request sounds like some sort of cookie problem. Which makes sense with the "works in Chrome, not in IE" thing - Chrome cribs some things from the IE Security Zone settings, but uses its own cookie store & policies and not IE's.
I haven't done a lot of messing around with Windows 10 Group Policy Templates to be able to speak to whether there's some GPO option that might be messing up IE cookie policies on only the Windows 10 machines. I would naively expect that if it's a GPO thing it would be breaking Edge too, but that's a total asspull and not actually backed up by any experience or real facts...
-
@izzion said in What are the effects of IE Security Zones:
Prompted on every single page request sounds like some sort of cookie problem. Which makes sense with the "works in Chrome, not in IE" thing - Chrome cribs some things from the IE Security Zone settings, but uses its own cookie store & policies and not IE's.
Well, these users wouldn't be using Chrome. Some do use Firefox.
@izzion said in What are the effects of IE Security Zones:
I haven't done a lot of messing around with Windows 10 Group Policy Templates to be able to speak to whether there's some GPO option that might be messing up IE cookie policies on only the Windows 10 machines.
Yeah, our authentication layer sets its own cookies, separate from our app's session cookies, and the behavior sounds like that cookie is going away. But our session cookie obviously isn't or else they'd be redirected to the home / start page of the app.
-
@boomzilla
On the KISS troubleshooting list: is the system clock on these computers correct, and in the correct time zone? (I guess I'm assuming these are domain joined, so they shouldn't work at all if the system clock is severely adrift, but sometimes restarting the router really does fix the Internet...)
-
(Though that looks like the IE11 problem they were having wasn't Windows version specific).
Otherwise I'm seeing references to older versions of IE not respecting Cookie: Max-Age so the normal recommendation for supporting IE was to set the Expires header of the cookie, but it gets a little finicky if you're not returning an ISO-formatted timestamp in GMT.
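An added example, not part of the original posts, tying together the clock question and the Max-Age/Expires point above: it builds a Set-Cookie value carrying both attributes, with Expires in the HTTP-date layout of RFC 6265, and models how a client decides whether to keep it. The cookie name, lifetime, timestamps and the `honors_max_age` switch are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime


def build_set_cookie(name, value, lifetime, server_now):
    """Set-Cookie value that states the lifetime both ways.

    Max-Age is relative to receipt; Expires is an absolute HTTP-date in GMT.
    server_now must be an aware UTC datetime.
    """
    expires = format_datetime(server_now + lifetime, usegmt=True)
    return (f"{name}={value}; Max-Age={int(lifetime.total_seconds())}; "
            f"Expires={expires}; Path=/; Secure; HttpOnly")


def parse_attrs(header):
    """Attributes after name=value as a dict with lowercase keys."""
    attrs = {}
    for part in header.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    return attrs


def client_keeps_cookie(header, client_now, honors_max_age):
    """Would a client whose clock reads client_now store this cookie?

    honors_max_age=False is a simplified model (an assumption) of a
    client that ignores Max-Age and trusts only Expires.
    """
    attrs = parse_attrs(header)
    if honors_max_age and "max-age" in attrs:
        return int(attrs["max-age"]) > 0   # relative: local clock irrelevant
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) > client_now
    return True                            # no lifetime given: session cookie


if __name__ == "__main__":
    # Constructed scenario: 30-minute auth cookie, client clock 2 hours fast.
    now = datetime(2017, 3, 1, 12, 0, tzinfo=timezone.utc)
    header = build_set_cookie("auth", "abc123", timedelta(minutes=30), now)
    print(header)
    fast = now + timedelta(hours=2)
    print("Expires-only client keeps it:", client_keeps_cookie(header, fast, False))
    print("Max-Age client keeps it:     ", client_keeps_cookie(header, fast, True))
```

A client that only looks at Expires and whose clock runs ahead of the cookie's lifetime discards the cookie on arrival, which shows up as a login prompt on every request.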
-
@izzion Hmm....but it's only happening on Win10. Win7 machines with IE11 aren't having any problems.
-
@boomzilla And they're definitely using IE11 and not accidentally using Edge or something?
Do they have the privacy settings within IE11 the same on the Windows 7 clients as the Windows 10 clients?
-
@loopback0 said in What are the effects of IE Security Zones:
And they're definitely using IE11 and not accidentally using Edge or something?
I believe so. We capture user agent strings for user sessions. Hmm...I haven't looked at the details and I don't know off the top of my head what IE11 vs Edge look like, but I thought MS specifically changed it pretty radically.
This is how we're matching IE11 (in an Oracle LIKE condition):
'%Trident/7.0%rv:11.0%' then 'IE11'
Anything we don't recognize
@loopback0 said in What are the effects of IE Security Zones:
Do they have the privacy settings within IE11 the same on the Windows 7 clients as the Windows 10 clients?
No clue. It's all set by group policy. Is it possible to have different settings based on OS version?
-
@boomzilla said in What are the effects of IE Security Zones:
Hmm....but it's only happening on Win10.
orly
:smug:
-
@boomzilla
Yes, it looks like Edge uses a different UA that won't match that:
OMM - IE11:
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Edge:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586
-
@boomzilla said in What are the effects of IE Security Zones:
It's all set by group policy. Is it possible to have different settings based on OS version?
In theory, yes if they had Win 10 clients in different OUs or groups to Win 7 clients. They should be able to confirm that the configuration is the same for a Win 7 machine as for a Win 10 machine easily.
@boomzilla said in What are the effects of IE Security Zones:
but I thought MS specifically changed it pretty radically.
Yeah they did.
-
@boomzilla said in What are the effects of IE Security Zones:
Is it possible to have different settings based on OS version?
Sometimes indirectly it is, if a new setting is introduced with a later version of Windows. The GPO template files that include this will usually function as a No-Op if applied to older versions that don't support a change.
I found this list of "new group policy settings for IE 11", which includes several that are W10 specific, but none of its callouts seem pertinent to a cookie / authentication issue. https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11
-
@boomzilla said in What are the effects of IE Security Zones:
Yeah, our authentication layer sets its own cookies, separate from our app's session cookies, and the behavior sounds like that cookie is going away.
Could IE for some reason be thinking it's an advertiser's tracking cookie and dropping it?
-
Additional wrinkles I've just learned:
From within their network, there were two ways to access the site:
Same as from internet: https://foo.bar.org
Internal DNS: https://boomzillasapp
They took the internal DNS site out of trusted and that seemed to solve the problem. Users still have the problem using the FQDN.
-
@boomzilla said in What are the effects of IE Security Zones:
They took the internal DNS site out of trusted and that seemed to solve the problem.
Tools -> Compatibility Settings -> uncheck "Show Intranet Sites in the Fucking Useless Compatibility Setting Bullshit Mode"
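An added example, not code from the thread's participants: it applies the LIKE rule quoted earlier to the two User-Agent strings posted above, plus a constructed one for IE11 in Compatibility View, which identifies as MSIE 7.0 while keeping the Trident/7.0 token and so falls through the quoted rule. The Edge and Compatibility View rules, the labels and the session rows are assumptions; the LIKE translation omits ESCAPE handling.

```python
import re
from collections import Counter

# Ordered LIKE patterns, first match wins. The IE11 rule is the one quoted
# in the thread; the other two are assumptions added for this example.
RULES = [
    ("%Edge/%", "Edge"),
    ("%Trident/7.0%rv:11.0%", "IE11"),
    ("%MSIE 7.0%Trident/7.0%", "IE11 (Compatibility View)"),
]


def like_to_regex(pattern):
    """Translate a LIKE pattern: % is any run of characters, _ exactly one."""
    out = []
    for ch in pattern:
        out.append(".*" if ch == "%" else "." if ch == "_" else re.escape(ch))
    return re.compile("".join(out), re.DOTALL)


COMPILED = [(like_to_regex(p), label) for p, label in RULES]


def classify(user_agent):
    """Label a User-Agent; LIKE matches the whole string, case-sensitively."""
    for rx, label in COMPILED:
        if rx.fullmatch(user_agent):
            return label
    return "unrecognized"


def summarize(sessions):
    """Count sessions per (host, browser) from (host, user_agent) pairs."""
    return Counter((host, classify(ua)) for host, ua in sessions)


IE11_UA = ("Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; "
           "rv:11.0) like Gecko")                     # from the thread
EDGE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 "
           "Edge/13.10586")                           # from the thread
COMPAT_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; "
             "Trident/7.0; .NET4.0C; .NET4.0E)")      # constructed sample

# Constructed session rows using the two host names from the thread.
SESSIONS = [("foo.bar.org", IE11_UA), ("boomzillasapp", COMPAT_UA),
            ("foo.bar.org", IE11_UA), ("foo.bar.org", EDGE_UA)]

if __name__ == "__main__":
    for key, count in sorted(summarize(SESSIONS).items()):
        print(key, count)
```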
-
@boomzilla said in What are the effects of IE Security Zones:
They took the internal DNS site out of trusted and that seemed to solve the problem
Is the FQDN in Trusted or Internet?
-
@loopback0 said in What are the effects of IE Security Zones:
Is the FQDN in Trusted or Internet?
It's currently Trusted.
-
@boomzilla Now I'm on a Windows 10 machine, it seems the Privacy tab in IE11 is different on 10 than on 7. 7 ties it to the same levels as the Security but 10 doesn't seem to. They've not added anything via Group Policy to the Sites or Advanced sections, have they?
The Security levels aren't that different (by default) between Trusted and Intranet and I can't see anything obvious which could cause that behaviour that applies to Trusted.
Is the app actually accessed via the Internet or is accessing the app via the FQDN on their network a request that stays within their network?
-
@loopback0 said in What are the effects of IE Security Zones:
They've not added anything via Group Policy to the Sites or Advanced sections, have they?
I have no clue.
@loopback0 said in What are the effects of IE Security Zones:
Is the app actually accessed via the Internet or is accessing the app via the FQDN on their network a request that stays within their network?
Uh...not sure.