Domain environment, Cannot access https login pages on internet on account with mandatory profile
Hello, I am in IT support for a school district, and we are implementing Windows 7 at a new school, and have run into a problem accessing certain webpages. I will do my best to describe the situation and environment involved, so it may be a long post and plenty of irrelevant information, so bear with me, but here goes:

The symptom we are seeing is that when students try to log in to a secure website, the login fails and they only receive an "Internet Explorer Cannot Display the Webpage" page, with a "Diagnose connection problems" button. The website we are seeing this most with is http://web.novanet.com/

Other websites are accessible, I can go to Bing, and perform searches, everything works there, but most sites that require logins are failing to the "Page cannot be displayed". We do have a content filter, but I have verified that we are not blocking any ports or addresses related to this website at this level. Turning the content filter completely off during off hours we were still able to reproduce the problem.

We are running Windows 7 Professional 32-bit Service Pack 1 on the client machines. They have all current recommended updates, including Internet Explorer 9. The domain controller is Windows Server 2008 R2 Enterprise, as well as the file server which stores profiles and documents.

We have created a mandatory profile that is used for all student accounts, and I think this is where the problem exists. All students are members of a security group, which has full read and execute permissions to the student profile share as well as the mandatory profile folder itself.

We have had some partial success with this problem by unlocking the mandatory profile by changing ntuser.man back to ntuser.dat, and logging in as a student account temporarily made local admin on the machine, and then logging into the novanet website, which works in these conditions. Upon logoff after the profile has been synched back to its location on the file server, we change it back to ntuser.man. Then clearing all old profiles from the machine, and logging back in as a student using the mandatory profile, we can now log into novanet on some machines and not others, in other words it is not consistent enough to call fixed. Another problem is that even if this method worked 100%, we would have to unlock the profile to "customize" it for every site a student could conceivably log onto, which is not very practical. Since this appears to be a larger issue, solving it at its root would be the most helpful.

Another thing we tried was to make an individual student a local administrator on a machine, and then log onto the machine using the mandatory profile, which still fails. We have tried compatibility mode, enabling SSL and TLS protocols in internet options, also to no avail. The only thing that seems to allow it to work consistently is to leave the profile non-mandatory, which we would like to avoid.

What other options am I missing here, any suggestions at all? Thank you for taking the time to read this!
October 21st, 2011 1:54pm

I use Firefox as my browser and your site rendered fast and clean. Could be a system problem for IE users, try this page.
Windows MVP 2010-11, XP, Vista, 7. Expanding into Windows Server 2008 R2, SQL Server, SharePoint, Cloud, Virtualization etc. etc. Hardcore Games, Legendary is the only Way to Play Developer | Windows IT | Chess | Economics | Vegan Advocate | PC Reviews
October 21st, 2011 9:10pm

Thank you for taking the time to look at my problem. Unfortunately, Firefox is not a supported browser for this website. It is an interactive online course for students, and requires IE8/9. I checked that link you posted for IE Problems, and I have done this fix before for machines troubled by windows updates, but I can't really see how it applies to this particular problem. We are only having problems for websites with an https login page, and that site has never been a problem on any of the Windows XP clients.
October 25th, 2011 1:41pm

Is there a more appropriate sub-forum this should have been posted in?
October 25th, 2011 1:59pm

"RSD SageR" wrote in message news:0193cefe-ccb8-4048-a309-88924ed58756...
Thank you for taking the time to look at my problem. Unfortunately, Firefox is not a supported browser for this website. It is an interactive online course for students, and requires IE8/9. I checked that link you posted for IE Problems, and I have done this fix before for machines troubled by windows updates, but I can't really see how it applies to this particular problem. We are only having problems for websites with an https login page, and that site has never been a problem on any of the Windows XP clients.

Just as a FWIW, using IE9, 32-bit (or 64-bit) on a Win 7 Home Premium 64-bit machine I accessed the login page fine. I entered test as both username and password, and was as expected told to get lost :) I ended up on https://school.pearsoned.com/Pegasus/frmlogin.aspx?rumbaCode=error.authentication.credentials.bad.username&rumbaMessage=error.authentication.credentials.bad.username so as far as I can see, it's working that far, at least. Repeating the experiment on a 32-bit Win 7 gave similar results.

(Incidentally, there's a typo on the browser test page in the ActiveX disabled instructions <eg> and you need to give more detail there as well)
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
October 25th, 2011 4:25pm

Not to worry, there are plenty of genius types here that can help get things fixed.
Windows MVP 2010-11, XP, Vista, 7. Expanding into Windows Server 2008 R2, SQL Server, SharePoint, Cloud, Virtualization etc. etc. Hardcore Games, Legendary is the only Way to Play Developer | Windows IT | Chess | Economics | Vegan Advocate | PC Reviews
October 25th, 2011 4:40pm

I am still having this issue and I think it is something to do with the way the mandatory profile was created somehow, but I don't see what, how or why. Please let me know if any further information is needed.
October 28th, 2011 12:12pm

Can you post the profile settings?
Windows MVP 2010-11, XP, Vista, 7. Expanding into Windows Server 2008 R2, SQL Server, SharePoint, Cloud, Virtualization etc. etc. Hardcore Games, Legendary is the only Way to Play Developer | Windows IT | Chess | Economics | Vegan Advocate | PC Reviews
October 28th, 2011 2:59pm

I'm not sure quite what you are referring to by "profile settings". File Security Settings? Modifications/Customizations? The NTuser hive?
October 28th, 2011 4:32pm

After some more testing, it looks like if I clear all existing mandatory profiles, and log on with a clean copy of the mandatory profile, it will work the first time, but if I log off and log back on as any other user using the same mandatory profile, they are not able to access the website. Does this make any sense to anyone else? Please, I am getting desperate here!
November 1st, 2011 4:28pm

It is suggestive that something in the profile is at issue.
Windows MVP 2010-11, XP, Vista, 7. Expanding into Windows Server 2008 R2, SQL Server, SharePoint, Cloud, Virtualization etc. etc. Hardcore Games, Legendary is the only Way to Play Developer | Windows IT | Chess | Economics | Vegan Advocate | PC Reviews
November 1st, 2011 5:00pm

I just recreated the mandatory profile from scratch following this Microsoft KB: http://support.microsoft.com/kb/973289/en-us I skipped most of our normal customizations trying to isolate this problem, but it still exists. I agree it sounds like a profile problem, but I don't know what needs to be changed?
November 1st, 2011 5:09pm

Also, when logged on as the mandatory profile, I can launch IE, and it will fail logging into the website, but if I right click the IE icon and "Run as Administrator" and input my personal credentials, the website will load properly.
November 1st, 2011 5:18pm

Looks like a permissions problem.
Windows MVP 2010-11, XP, Vista, 7. Expanding into Windows Server 2008 R2, SQL Server, SharePoint, Cloud, Virtualization etc. etc. Hardcore Games, Legendary is the only Way to Play Developer | Windows IT | Chess | Economics | Vegan Advocate | PC Reviews
November 1st, 2011 5:28pm

I've fully reset the permissions on the server copy of the profile, went so far as to try giving "Everyone" Full Control to see if that would help. Cleaned locally cached profiles from the machine, and logged back on. First time it works, log off and log back on and now it stops working.
November 1st, 2011 6:15pm

What is the web site made with?
Windows MVP 2010-11, XP, Vista, 7. Expanding into Windows Server 2008 R2, SQL Server, SharePoint, Cloud, Virtualization etc. etc. Hardcore Games, Legendary is the only Way to Play Developer | Windows IT | Chess | Economics | Vegan Advocate | PC Reviews
November 1st, 2011 6:23pm

It's not the website. It's not even our website. Anyone on an XP machine can use it, anyone on a non-mandatory profile and Windows 7 can use it. This is a problem with HTTPS websites, there are many of them on the internet, and every one I find fails when loaded on this mandatory profile and Windows and the conditions I have described.
November 1st, 2011 6:26pm

Then I would have to look deeper at the profile.
Windows MVP 2010-11, XP, Vista, 7. Expanding into Windows Server 2008 R2, SQL Server, SharePoint, Cloud, Virtualization etc. etc. Hardcore Games, Legendary is the only Way to Play Developer | Windows IT | Chess | Economics | Vegan Advocate | PC Reviews
November 1st, 2011 6:28pm

Do you have any specific suggestions? I've been staring at this profile for 2+ hours a day for over a week and obviously not coming up with anything.....
November 1st, 2011 6:28pm

Can you post the profile?
Windows MVP 2010-11, XP, Vista, 7. Expanding into Windows Server 2008 R2, SQL Server, SharePoint, Cloud, Virtualization etc. etc. Hardcore Games, Legendary is the only Way to Play Developer | Windows IT | Chess | Economics | Vegan Advocate | PC Reviews
November 1st, 2011 6:29pm

Actually, I don't think I can, this forum doesn't appear to support attachments. I could email it or post to a 3rd party file hosting site, but that might be on the fringe of the safety standards in place here...
November 1st, 2011 6:31pm

can you post the profile
Windows MVP 2010-11, XP, Vista, 7. Expanding into Windows Server 2008 R2, SQL Server, SharePoint, Cloud, Virtualization etc. etc. Hardcore Games, Legendary is the only Way to Play Developer | Windows IT | Chess | Economics | Vegan Advocate | PC Reviews

http://www.sendspace.com/file/yvoc3p This might work, never used this file hosting site before, but it was easy to do!
November 1st, 2011 6:39pm

That file seems to be only a bunch of shortcuts. With a Live account, SkyDrive is available. Put stuff in a public folder and then post the link here.
Windows MVP 2010-11, XP, Vista, 7. Expanding into Windows Server 2008 R2, SQL Server, SharePoint, Cloud, Virtualization etc. etc. Hardcore Games, Legendary is the only Way to Play Developer | Windows IT | Chess | Economics | Vegan Advocate | PC Reviews
November 1st, 2011 6:45pm

The files are probably all hidden, I didn't modify anything, just zipped the entire profile directory from within my profile share. There isn't really a lot there, this is just about as stock of a profile as you can make I think, but it doesn't work. I'll try SkyDrive, hang on.
November 1st, 2011 6:47pm

How about this one: https://skydrive.live.com/redir.aspx?cid=96a3b2f9fbbbe511&resid=96A3B2F9FBBBE511!102
November 1st, 2011 6:57pm

There is nothing in there.
Windows MVP 2010-11, XP, Vista, 7. Expanding into Windows Server 2008 R2, SQL Server, SharePoint, Cloud, Virtualization etc. etc. Hardcore Games, Legendary is the only Way to Play Developer | Windows IT | Chess | Economics | Vegan Advocate | PC Reviews
November 1st, 2011 7:31pm

If you don't know how to view hidden files, why would you think you are qualified to provide technical support?
November 1st, 2011 7:33pm

My box is configured to show all files.
Windows MVP 2010-11, XP, Vista, 7. Expanding into Windows Server 2008 R2, SQL Server, SharePoint, Cloud, Virtualization etc. etc. Hardcore Games, Legendary is the only Way to Play Developer | Windows IT | Chess | Economics | Vegan Advocate | PC Reviews
November 1st, 2011 7:38pm

The zip file I uploaded was 8.3MB, I just unzipped it on my machine, and I have everything Ntuser.man, etc, and they are hidden, just how they are when created by Microsoft following their method of creating mandatory profiles.
November 1st, 2011 7:41pm

The pol file is nothing but GUID files, can you make a screen shot from the server?
Windows MVP 2010-11, XP, Vista, 7. Expanding into Windows Server 2008 R2, SQL Server, SharePoint, Cloud, Virtualization etc. etc. Hardcore Games, Legendary is the only Way to Play Developer | Windows IT | Chess | Economics | Vegan Advocate | PC Reviews
November 1st, 2011 7:41pm

Hello RSD SageR, I too have your problem at one site but not at other sites with a similar configuration as detailed below and am just posting here to show that you are not alone.

Details of the system in question are:
Windows 7 Pro x86 SP1 clients with IE 9.
2008 R2 Std. Ed. Server
Mandatory profile.

Domain Admin/local admin or any account without a mandatory profile on these client machines can access https websites. Any other https website fails, e.g. http://www.google.co.uk/gmail which automatically changes to https://... gives the error: "Internet Explorer Cannot Display the Webpage".

Did you have any luck with the sandboxing idea you proposed at: http://www.edugeek.net/forums/windows-7/84908-cant-log-onto-https-websites-while-using-mandatory-profile.html
November 4th, 2011 12:38pm

there is nothing in there
Windows MVP 2010-11, XP, Vista, 7. Expanding into Windows Server 2008 R2, SQL Server, SharePoint, Cloud, Virtualization etc. etc. Hardcore Games, Legendary is the only Way to Play Developer | Windows IT | Chess | Economics | Vegan Advocate | PC Reviews

This is what I see: Oh, and the nesting of mandatory.v2 is a result of unzipping the file again. The AD settings for the accounts point to profile share on the server and the profile is loading normally from what I can tell in the Event Log.
November 6th, 2011 12:09pm

Hello RSD SageR, I too have your problem and am just posting here to show that you are not alone.

Details of the system in question are:
Windows 7 Pro x86 SP1 clients with IE 9.
2008 R2 Std. Ed. Server
Mandatory profile.

Domain Admin/local admin or any account without a mandatory profile on these client machines can access https websites. Any other https website fails, e.g. http://www.google.co.uk/gmail which automatically changes to https://... gives the error: "Internet Explorer Cannot Display the Webpage".

Did you have any luck with the sandboxing idea you proposed at: http://www.edugeek.net/forums/windows-7/84908-cant-log-onto-https-websites-while-using-mandatory-profile.html
November 7th, 2011 5:25am

I wasn't able to make any progress with my sandbox theory. I'm still very new at the Sysinternals suite, so I don't know how much of what I was able to gather with procmon was useful, but it looked promising for a while.

I have since taken the steps to call/pay Microsoft for some support information, and I think we are making progress, if by nothing else than eliminating things that AREN'T causing this problem. Currently my ticket is resting with the Internet Explorer team, and they are apparently looking into how certificates are managed on mandatory profiles. If I come across anything, I'll post a solution here. Glad I'm not alone though.....
November 17th, 2011 4:18pm

In case anyone was wondering, this is still broken, and so far Microsoft paid support has not been able to fix it or provide any workarounds. Any advice?
December 9th, 2011 5:23pm

Just figured I'd pass along I'm seeing the same problem.

Windows 7 Pro x64, IE9 fully updated, domain controller is Windows 2008 Standard (R1).

HTTPS does not work for users that are using a mandatory roaming profile. Resetting IE settings, clearing SSL state, reregistering DLLs, etc. does not work.

HTTPS works fine in other browsers on the problematic system.
December 16th, 2011 12:20pm

My Microsoft Support case has been escalated to the IE team. At this point, all diagnostics that I have run with Microsoft appear to point to an issue with certificates loading from the local computer store into the IE cached store somehow. Sorry to hear your troubles mnri, but also glad to hear I'm not the only one. This does not seem like it should be a complicated issue, mandatory profiles are standard operating procedure, and yet to not have this working made me think I was doing something horribly wrong. I really hope we can get to the bottom of this issue soon.....
December 16th, 2011 12:26pm

I think that your problem is very likely to be in the fact that the website is trying to save cookies and your users are restricted from having the ability to save their session cookie.

Few things to try:
Add that website to your Trusted sites for your mandatory profile.
Under Privacy - Advanced - Enable cookies - Override automatic cookie handling
Empty all your temporary internet files and cookies and save the changes to the mandatory profile.
December 16th, 2011 2:22pm

I am eager to hear a resolution to this problem. I am having the same issue. Cannot access any https sites through IE. Because of this problem, even my Windows Updates fail, or any other MS software product that uses the same protocols to go out to the web. I have tried many of the certificate upgrade KB packages but to no avail. Reset all security settings; disabled my firewall etc... nothing. The next thing I might try is to get rid of IE9 and go back to a previous version if that's possible. Merry Christmas to everyone.
December 26th, 2011 6:51pm

I recommend that if certificates and IE are broken, backup and install Windows clean.
Windows MVP 2010-11, XP, Vista, 7. Expanding into Windows Server 2008 R2, SQL Server, SharePoint, Cloud, Virtualization etc. etc. Hardcore Games, Legendary is the only Way to Play Developer | Windows IT | Chess | Economics | Vegan Advocate | PC Reviews
December 26th, 2011 6:59pm

I finally found resolution to this issue! The problem was deeply rooted in the mandatory profile, because of how I created it (following closely Microsoft's knowledge base article on the subject http://support.microsoft.com/kb/973289/en-us). Turns out that article is incomplete. Here is what to do in a nutshell:

1. Log onto the machine you will be creating the mandatory profile from, using the account which will be specified in the sysprep command.
2. Configure Internet Explorer on the local account BEFORE running sysprep
3. Execute the sysprep command
4. Execute the step to export the default profile, specify "Everyone" in the permissions
5. Put that exported profile on the server, and create a user account that will use that profile
6. Log on using that account, continue to customize the profile, including running Internet Explorer
7. Change the profile from NTUSER.DAT to NTUSER.MAN

As it was explained to me, there are customizations to the ntuser.dat hive that must be done at the "default profile" level, BEFORE actually configuring it for the "user profile", so like Xzibit says, "Yo dawg, I heard you like setting up IE, so we have to set up your IE before you set up IE" or something....

Anyways, I recreated my mandatory profile from scratch by doing this, and I am now able to log onto all https websites using mandatory user profiles, which were not working before. I hope this helps, and I hope Microsoft will update their instructions for creating mandatory user profiles. Good luck!
March 3rd, 2012 1:54pm
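
A read-only audit of the file-level results of steps 4 to 7 above, given here as an added example that is not from the thread or from Microsoft's article. The function name and share path are hypothetical, and treating SYSTEM, Administrators and Domain Admins as the only expected writers is an assumption; the script does not verify the Internet Explorer configuration that resolved the issue.

```powershell
# Added example: audits a mandatory profile folder without changing anything.
# Written to run on PowerShell 2.0 (the version shipped with Windows 7 / 2008 R2).
function Test-MandatoryProfile {
    param(
        [Parameter(Mandatory=$true)]
        [string]$ProfilePath
    )
    $findings = @()

    if (-not (Test-Path -LiteralPath $ProfilePath -PathType Container)) {
        return @("Profile folder not found: $ProfilePath")
    }

    # Windows Vista/7 load the profile from a folder carrying the .V2 suffix.
    $leaf = Split-Path -Path $ProfilePath.TrimEnd('\') -Leaf
    if ($leaf -notmatch '\.v2$') {
        $findings += "Folder name '$leaf' does not end in .V2"
    }

    # The hive is hidden, so -Force is needed to list it.
    $hives = @(Get-ChildItem -LiteralPath $ProfilePath -Force |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match '^ntuser\.(dat|man)$' } |
        ForEach-Object { $_.Name.ToLowerInvariant() })
    if ($hives -notcontains 'ntuser.man') {
        $findings += 'NTUSER.MAN is missing: the profile is not mandatory'
    }
    if ($hives -contains 'ntuser.dat') {
        $findings += 'NTUSER.DAT is present: the profile was left unlocked'
    }

    # Rights that let a holder alter the shared hive or its ACL,
    # plus the raw GENERIC_WRITE and GENERIC_ALL bits seen in some ACEs.
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = [int]$rights -bor 0x40000000 -bor 0x10000000

    # Assumption: only these principals are expected to hold write access.
    $trusted = @('S-1-5-18', 'S-1-5-32-544')   # SYSTEM, BUILTIN\Administrators
    $sidType = [System.Security.Principal.SecurityIdentifier]

    $acl = Get-Acl -Path $ProfilePath
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Value
        # A domain SID ending in -512 is the Domain Admins group.
        if (($trusted -contains $sid) -or ($sid -match '^S-1-5-21-.+-512$')) { continue }
        if (([int]$rule.FileSystemRights -band $writeMask) -ne 0) {
            $findings += "Write access for ${sid}: $($rule.FileSystemRights)"
        }
    }
    return $findings
}

# Placeholder path; replace with the real profile share.
Test-MandatoryProfile -ProfilePath '\\fileserver\profiles$\mandatory.V2'
```

An empty result means none of the checks fired; an "Everyone" Full Control entry such as the one tried earlier in the thread shows up as write access for S-1-1-0.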

This topic is archived. No further replies will be accepted.
