Safari and Companyweb
ByI’ve been assisting a client of mine in California with getting a number of Macs connected to a new SBS 2003 server for one of his installations. We have been able to get most of the issues resolved, but he hit me with one recently that I couldn’t nail down immediately. One of the newer Macs could not load http://companyweb from Safari.
At the time of his request, I was off site, and as a quick check, I made a VPN connection to another client site from my PowerBook and attempted to load companyweb from that site in Safari. I couldn’t make an immediate connection, which I wrote off as DNS. However, I did try to connect using the SSL interface to companyweb: https://servername:444/ which connected immediately. I was prompted for a username and password (understandable since the Mac does not have Windows authorization credentials cached) and got in to browse through all of the pieces of companyweb.
I reported this back to my client, but wanted to do a full examination in my test network. Here’s what I found…
Sure enough, with a Mac running OS 10.4.3, I could not get Safari to load the companyweb interface. In my test lab, I fired up Safari, entered http://companyweb in the address bar, and was immediately prompted for credentials. I entered a valid username and password, and Safari looked like it was trying to load the page, but it never went anywhere. I let it sit for several minutes at one point and never got any sort of an error.
I brought up Firefox, which I use extensively to get around the self-signed certificate issues with Safari, and it loaded companyweb immediately after I entered valid authentication credentials. Now that I knew that the companyweb backend was working correctly, I went back to Safari.
Same behavior.
Just to make sure that something wasn’t broken with Safari, I loaded companyweb through the SSL interface, https://sbs:444/. I was prompted for a username and password, and I got right in.
Now my curiosity was piqued. Since it didn’t look like Safari was even making a connection through standard HTTP protocols, I fired up netmon on the server and captured a trace of the connection attempt from Safari to companyweb. The first thing I noticed was that once I was prompted for a username and password to get in to companyweb, the traffic between the server and the Mac went through the roof. This was definitely not what I expected to see.
I did a quick peek at the netmon results and saw that Safari was making a connection request and IIS was sending back a connection response. The connection response I saw was a 401, however, a “you are not authorized to view this page” response. Then I quickly jumped into the IIS logs for companyweb, and sure enough, there were thousands of 401 errors in the logs from the Safari connection attempts.
So, somehow, even though Safari was prompted for user authentication and I entered a valid username and password, the authentication credentials were not getting sent back to the server correctly, so the server was rejecting the request based on bad authentication.
Two items strike me as really odd about this behavior.
1. Everything works as expected when going through the SSL interface to companyweb. Does that mean Safari handles Windows authentication differently over HTTP connections than it does over HTTPS connections?
2. Safari keeps resending page requests even though it keeps getting 401 errors back from the server.
On a whim, I went in and modified the authentication settings for the Companyweb site in IIS. The only way I could get Safari to work correctly when attempting to access companyweb through HTTP was to set authentication to Basic Authentication and remove Integrated Windows Authentication altogether. The problem with this, however, is that any Windows machines that try to access companyweb through IE will get prompted for a username and password.
This is not the first time I’ve heard of Safari having trouble with sites and services requiring Integrated Windows Authentication. As such, I’ll be digging a little further into the issue through my Mac channels. In the meantime, I recommend one of the two solutions below to allow access to companyweb from Macs on the internal network.
1. To use Safari as the default web browser, set a bookmark to https://servername:444/ as the interface to companyweb. It works.
2. Use a different browser, such as Firefox, to access companyweb as you would normally.
3 Comments
March 16th, 2006 at 12:29 pm
This post saved me a bunch of time.
Thanks!
May 19th, 2006 at 2:02 pm
Have you had any more luck with this problem? We are having a similar experience after deploying ISA 2004 on our domain. Macs are no longer able to connect to intranet sites without using the fqdn. http://ourserver would never resolve, but http://ourserver.leusd.k12.ca.us works fine. I’m not looking forward to changing every bookmark out there.
May 27th, 2006 at 2:38 pm
Jeff -
I just checked the latest version of Safari (2.0.3, build417.9.2) against my new SBS box and got the Companyweb interface on the first try. It has been a few updates of Companyweb since I’ve tested this, so it may have been addressed in an earlier release, but at least in this very quick, single machine test, it seems to work, at least internally.
As to the FQDN issue, you probably need to add the leusd.k12.ca.us to the Search Domains field of the Network settings on the Mac. If you can’t get there with the single name, the Mac doesn’t know what domain to search in for that address. Give that a try and let me know.