  1. #1


    Can't log onto HTTPS websites while using a mandatory profile

    Hello, I am in IT support for a school district, and we are implementing Windows 7 at a new school, and have run into a problem accessing certain webpages. I will do my best to describe the situation and environment involved, so it may be a long post and plenty of irrelevant information, so bear with me, but here goes:


    The symptom we are seeing is that when students try to log in to a secure website, the login fails and they only receive an "Internet Explorer Cannot Display the Webpage" page, with a "Diagnose connection problems" button. The easiest way to check if the pages will work is just visit gmail.com, though several sites can exhibit the problem. Other websites are accessible, I can go to Bing, and perform searches, everything works there, but most sites that require logins are failing to the "Page cannot be displayed".

    We do have a content filter, but I have verified that we are not blocking any ports or addresses related to this website at this level. Turning the content filter completely off during off hours we were still able to reproduce the problem.

    We are running Windows 7 Professional 32-bit Service Pack 1 on the client machines. They have all current recommended updates, including Internet Explorer 9.

    The domain controller is Windows Server 2008 R2 Enterprise, as well as the file server which stores profiles and documents.

    We have created a mandatory profile that is used for all student accounts, and I think this is where the problem exists. All students are members of a security group, which has full read and execute permissions to the student profile share as well as the mandatory profile folder itself.

    We have had some partial success with this problem by unlocking the mandatory profile by changing ntuser.man back to ntuser.dat, and logging in as a student account temporarily made local admin on the machine, and then logging into the novanet website, which works in these conditions. Upon logoff after the profile has been synced back to its location on the file server, we change it back to ntuser.man. Then clearing all old profiles from the machine, and logging back in as a student using the mandatory profile, we can now log into novanet on some machines and not others, in other words it is not consistent enough to call fixed.

    Another problem is that even if this method worked 100%, we would have to unlock the profile to "customize" it for every site a student could conceivably log onto, which is not very practical. Since this appears to be a larger issue, solving it at its root would be the most helpful.

    Another thing we tried was to make an individual student a local administrator on a machine, and then log onto the machine using the mandatory profile, which still fails.

    We have tried compatibility mode, enabling SSL and TLS protocols in internet options, also to no avail, the only thing that seems to allow it to work consistently is to leave the profile non-mandatory, which we would like to avoid.

    What other options am I missing here, any suggestions at all?

    Thank you for taking the time to read this!

  2. #2

    plexer
    Are you pushing out a proxy setting for http & https at all?

    Can you not give the students a roaming profile?

    Ben

  3. #3

    elsiegee40
    Originally posted by RSDSageR: "We do have a content filter, but I have verified that we are not blocking any ports or addresses related to this website at this level. Turning the content filter completely off during off hours we were still able to reproduce the problem."

    What filter are you using? Maybe one of us has experience of it.

  4. #4

    Not intentionally setting any proxy settings, either manually in the profile, or via GPO.

    We have had very bad results anytime we give students roaming profiles instead of mandatory, too many people trying to configure things, easiest just to discard everything.

    We are using Lightspeed as our filter.

  5. #5

    plexer
    Have you created a new mandatory profile?

    Ben

  6. #6

    Yes, I recreated late last week following closely all of the steps in this KB:

    How to customize the default local user profile when you prepare an image of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2

    And not doing many of our routine customizations, trying to keep it as simple as possible to isolate problems, but the problem is still occurring. Did things like resetting owner/security permissions as well, I even tried giving "Everyone" Full Control of the directory (temporarily, for testing).

  7. #7

    I experienced the exact same problem when I moved our school to Windows 7.

    I resolved this issue by creating a new profile through a sysprep with /generalize. On reboot join the sysprep client to your domain, create a default.v2 in your profile share, copy the default user profile to your Default.v2 with the Everyone in the user field. Go back to the profile server share and go to security settings and add Authenticated Users with read permissions.

    Change your ntuser.dat to ntuser.man

    You should have a working profile with https.

    Good luck and contact me for any advice.

  8. #8

    Do I need to do anything to the client machines to support this profile? (sysprep on clients) They are just standard off-the-disc installations (it's a small school) with SP1 and updates applied.

    I understand what you described above, which sounds like what I tried (from the Microsoft KB article), but I tried with your permission settings, and it still works the first time, then if I log off and reboot, then log back on, it fails every time after that.

  9. #9

    Yes I remember the problem being intermittent for me.

    You just need to sysprep one machine and add your new profile to your server profile share.

    You don't need to do anything else to your clients.

  10. #10

    Well, it's comforting to know that you had the same issue as me and eventually fixed it, but today doesn't seem to be the day. Tomorrow: more coffee, and another attempt to fix it, thanks for the help though!

  11. #11

    Is anyone familiar with how IE9 "virtualizes" sessions or pages (aka "sandbox" mode)?

    Doing some more digging here and this seems to be popping up with file access issues within the "hugepath\temporaryinternetfiles\virtualized\c " area. Is it possible to turn this off and see if it is related to my problem?

  12. #12

    I finally found a resolution to this issue!



    The problem was deeply rooted in the mandatory profile, because of how I created it (following closely Microsoft's knowledge base article on the subject, "How to customize the default local user profile when you prepare an image of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2").



    Turns out that article is incomplete.



    Here is what to do in a nutshell:



    1. Log onto the machine you will be creating the mandatory profile from, using the account which will be specified in the sysprep command.

    2. Configure Internet Explorer on the local account BEFORE running sysprep

    3. Execute the sysprep command

    4. Execute the step to export the default profile, specify "Everyone" in the permissions

    5. Put that exported profile on the server, and create a user account that will use that profile

    6. Log on using that account, continue to customize the profile, including running Internet Explorer

    7. Change the profile from NTUSER.DAT to NTUSER.MAN



    As it was explained to me, there are customizations to the ntuser.dat hive that must be done at the "default profile" level, BEFORE actually configuring it for the "user profile", so like Xzibit says, "Yo dawg, I heard you like setting up IE, so we have to set up your IE before you set up IE" or something....



    Anyways, I recreated my mandatory profile from scratch by doing this, and I am now able to log onto all https websites using mandatory user profiles, which were not working before. I hope this helps, and I hope Microsoft will update their instructions for creating mandatory user profiles. Good luck!

  13. Thanks to RSDSageR from:

    plexer (24th January 2012)
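
An added example, not part of the original posts: a read-only PowerShell check of the finished profile folder, covering step 7 (the NTUSER.MAN rename) and the permission points raised in the thread (read access for students, and "Everyone" Full Control used only temporarily for testing). The share path and the function names are assumptions for illustration.

```powershell
# Added example (not from the thread): read-only audit of a mandatory profile folder.
# It changes nothing; it only reports on the folder name, the hive file and the folder ACL.
param([string]$ProfilePath = '\\SERVER\Profiles$\student.v2')  # placeholder path (assumption)

function Test-MandatoryProfile {
    param([Parameter(Mandatory = $true)][string]$Path)

    function New-Result($Check, $Ok, $Detail) {
        New-Object psobject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
    }
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return New-Result 'Profile folder exists' $false $Path
    }
    # Windows 7 looks for the .v2 suffix on the server-side profile folder.
    New-Result 'Folder name ends in .v2' ($Path.TrimEnd('\') -match '\.v2$') $Path

    # Step 7 in the thread: the hive is renamed from NTUSER.DAT to NTUSER.MAN.
    $man = Test-Path -LiteralPath (Join-Path $Path 'NTUSER.MAN')
    $dat = Test-Path -LiteralPath (Join-Path $Path 'NTUSER.DAT')
    New-Result 'NTUSER.MAN present' $man ''
    New-Result 'No leftover NTUSER.DAT' (-not $dat) ''

    # Well-known SIDs, so the check does not depend on localized group names.
    $broad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users' }
    $writeRights = [System.Security.AccessControl.FileSystemRights] `
        'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Inherit-only ACEs can carry raw GENERIC_ALL / GENERIC_WRITE bits instead.
    $writeMask = [int]$writeRights -bor 0x10000000 -bor 0x40000000

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)
    $bad = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad.ContainsKey($_.IdentityReference.Value) -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0)
    })
    $detail = ($bad | ForEach-Object {
        '{0}: {1}' -f $broad[$_.IdentityReference.Value], $_.FileSystemRights
    }) -join '; '
    New-Result 'No write access for Everyone/Authenticated Users' ($bad.Count -eq 0) $detail
}

Test-MandatoryProfile -Path $ProfilePath | Format-Table Check, Ok, Detail -AutoSize
```

The ACL check covers the profile folder itself, not every file beneath it, so a failed row is a prompt to review the share rather than a full audit.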

  14. #13

    plexer
    Thank you for posting your solution.

    Ben

  15. #14

    Exactly what settings did you configure in Internet Explorer to make it work?

    Fernandez
