IIS Server Security - Authenticate against all trusted domains... in IIS 6?


tec-jon

2004-10-15, 9:25 pm

I have a parent/child domain that I would like to have a basic authentication
website on. They are both 2003 native domains. We would like our users to not
have to use UPN or domain\user login formats. We have done a bit of research
and came across the following article:
http://support.microsoft.com/defaul...kb;en-us;168908
This would work great!... except that it makes no mention of IIS 6, and
attempting the same procedure as IIS 5 doesn't seem to work in 6. Has
Microsoft taken this extremely useful functionality away? Or have they just
not written anything down on how to do it with 6 yet?
Ken Schaefer

2004-10-15, 9:25 pm

You can call Microsoft for the hotfix mentioned in:
http://support.microsoft.com/kb/827991

This functionality was removed because it caused problems in some cases
where there were user accounts in multiple domains that had the same
username (ie domain1\user and domain2\user). Because IIS doesn't know which
domain the account is from, it needs to rely on the messages coming back
from the various DCs, and sometimes you'd get an access denied because the
credentials weren't valid in one domain, but might have been valid in
another, however the DC from the first domain replied first (I think that's
what the problem was...)

Cheers
Ken




tec-jon

2004-10-15, 9:25 pm

Seems like they could attempt to authenticate against all domains regardless
of identical usernames. They would have to receive a failure from all domains
before the request would be failed. That way, if you had two users with the
name "tom", one in each domain, it would try tom in the first domain and
fail, but still try the second.

Anyway, thanks for the link. I got the hotfix and it seems to work great.


Ken Schaefer

2004-10-15, 9:25 pm

That's not a particularly good way of doing it - what if you have lots of
domains? Or it takes a long time for 1 domain to reply?

The better solution is for users to authenticate using user@domain or
domain\user (because that's what their credentials really are).

Cheers
Ken


tec-jon

2004-10-15, 9:25 pm

I agree, but unfortunately my users (and I'm guessing lots of other people's
users) have a tough time figuring out UPN or domain\user.

Oh well.

Thanks again.


Ken Schaefer

2004-10-15, 9:25 pm

Some options?

You could create your own shortened upn suffix (eg yourCompanyName). Then
tell everyone that they need to use username@yourCompanyName to logon?

Or, you can make their upn the same as their email. That tends to help as
well...

Cheers
Ken

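The two options Ken suggests in his last post (a short alternate UPN suffix such as username@yourCompanyName, or making each user's UPN equal to their e-mail address) can both be rolled out with a script. The following is an added example, not code from the original thread or from either poster. It assumes the ActiveDirectory PowerShell module (RSAT / Windows Server 2008 R2 and later, so newer than the 2003 domains discussed), and the suffix, OU, domain and forest names in it are placeholders. It also adds the check a practitioner wants here: a UPN has to be unique across the whole forest, so the "tom in the parent and tom in the child domain" case from earlier in the thread cannot be collapsed into a single tom@yourCompanyName, and the script refuses to do so rather than letting whichever account is processed first take the name.

```powershell
<#
  Added example (not from the original thread).
  Registers a short UPN suffix on the forest and rewrites user UPNs so that
  people can log on to an IIS Basic-auth site as user@<suffix> (or with their
  mail address) instead of DOMAIN\user.
  Placeholders: -Suffix, -SearchBase, -Server. Run with -WhatIf first.
  In MatchMail mode pass the mail domain (e.g. example.com) as -Suffix so it
  is registered as a selectable UPN suffix too.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $Suffix,                            # e.g. "yourCompanyName"
    [ValidateSet('ShortSuffix', 'MatchMail')] [string] $Mode = 'ShortSuffix',
    [string] $SearchBase = 'OU=Users,DC=child,DC=example,DC=com',      # placeholder OU
    [string] $Server     = 'child.example.com'                          # placeholder domain / DC
)

Import-Module ActiveDirectory -ErrorAction Stop

# Step 1: make the suffix available forest-wide (same effect as adding it in
# Active Directory Domains and Trusts).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $Suffix) {
    if ($PSCmdlet.ShouldProcess($forest.Name, "add UPN suffix '$Suffix'")) {
        Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $Suffix }
    }
}

# Global catalog endpoint for the forest-wide uniqueness check below.
$gc = "$($forest.Name):3268"

# Step 2: rewrite the UPN of every enabled user under the search base.
$users = Get-ADUser -Server $Server -SearchBase $SearchBase `
             -Filter 'enabled -eq $true' -Properties mail, userPrincipalName

foreach ($u in $users) {
    $newUpn = switch ($Mode) {
        'ShortSuffix' { '{0}@{1}' -f $u.SamAccountName, $Suffix }   # tom@yourCompanyName
        'MatchMail'   { $u.mail }                                    # UPN = e-mail address
    }

    if ([string]::IsNullOrWhiteSpace($newUpn)) {
        Write-Warning "$($u.SamAccountName): no mail attribute, skipping"
        continue
    }
    if ($newUpn -eq $u.UserPrincipalName) { continue }   # already correct

    # A UPN must be unique in the forest. Two accounts named "tom" in the parent
    # and child domain would both map to tom@yourCompanyName; refuse the second.
    $clash = Get-ADUser -Server $gc -Filter "userPrincipalName -eq '$newUpn'" `
                 -ErrorAction SilentlyContinue
    if ($clash -and $clash.DistinguishedName -ne $u.DistinguishedName) {
        Write-Warning ("{0}: {1} already belongs to {2}, skipping" -f `
            $u.SamAccountName, $newUpn, $clash.DistinguishedName)
        continue
    }

    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "set UPN to $newUpn")) {
        Set-ADUser -Identity $u -Server $Server -UserPrincipalName $newUpn
    }
}
```

Run it once per domain with `-WhatIf` to see which accounts would be renamed and which would be skipped as collisions, then again without it. Nothing changes on the IIS side: Basic authentication hands the supplied user@suffix to the local logon API, which resolves a UPN anywhere in the forest, so the site no longer depends on a default-domain setting or on users knowing their domain name.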


Copyright 2003 - 2008 webservertalk.com