|
Home > Archive > IIS Server Security > December 2004 > Cannot Default Domain?
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Cannot Default Domain?
|
|
| Scott McCarthy 2004-12-01, 7:48 am |
| I have a web server (Windows 2003 IIS6) that is joined into our domain. I
have it setup with Windows Integrated Auth. and have also tried Digest and
Basic.
I cannot get the webserver to authenticate the accounts to theh domain.
Everytime you try to login to a web page with a domain username and password,
the dialog comes back with the IP Address\username and the user has to
manually type DOMAIN\username to authenticate.
Is there anyway to fix this issue or force the server to authenticate
against the domain it is joined into? I have tried Basic Auth with the
default domain set to the main domain with no luck - Same result.
Thanks in advance.
Scott McCarthy
smccarthy@radisson.com
| |
| David Wang [Msft] 2004-12-07, 7:47 am |
| What you describe should have worked for Basic authentication -- assuming
the client/server negotiated Basic instead of something else. Make sure you
have ONLY Basic auth enabled and try again -- it should work.
http://www.microsoft.com/resources/...etdeflogon.mspx
You should not see any authentication dialogs with Integrated Authentication
(IE will automatically negotiate the credentials depending on the security
zone your server is perceived by it). So, something else seems
misconfigured.
What sort of request URL are you using to access the web server.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Scott McCarthy" <Scott McCarthy@discussions.microsoft.com> wrote in message
news:F85BBCA9-1367-481F-9A2D-D8D4F11D7605@microsoft.com...
I have a web server (Windows 2003 IIS6) that is joined into our domain. I
have it setup with Windows Integrated Auth. and have also tried Digest and
Basic.
I cannot get the webserver to authenticate the accounts to theh domain.
Everytime you try to login to a web page with a domain username and
password,
the dialog comes back with the IP Address\username and the user has to
manually type DOMAIN\username to authenticate.
Is there anyway to fix this issue or force the server to authenticate
against the domain it is joined into? I have tried Basic Auth with the
default domain set to the main domain with no luck - Same result.
Thanks in advance.
Scott McCarthy
smccarthy@radisson.com
| |
| Scott McCarthy 2004-12-07, 5:52 pm |
| David, I did set it to basic and it finally did work. Is basic the only way
to default a domain? The http link is just an internal IP address accessed by
internal machines (IE. http://192.168.0.3/website)
Scott
"David Wang [Msft]" wrote:
> What you describe should have worked for Basic authentication -- assuming
> the client/server negotiated Basic instead of something else. Make sure you
> have ONLY Basic auth enabled and try again -- it should work.
>
> http://www.microsoft.com/resources/...etdeflogon.mspx
>
> You should not see any authentication dialogs with Integrated Authentication
> (IE will automatically negotiate the credentials depending on the security
> zone your server is perceived by it). So, something else seems
> misconfigured.
>
> What sort of request URL are you using to access the web server.
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Scott McCarthy" <Scott McCarthy@discussions.microsoft.com> wrote in message
> news:F85BBCA9-1367-481F-9A2D-D8D4F11D7605@microsoft.com...
> I have a web server (Windows 2003 IIS6) that is joined into our domain. I
> have it setup with Windows Integrated Auth. and have also tried Digest and
> Basic.
>
> I cannot get the webserver to authenticate the accounts to theh domain.
> Everytime you try to login to a web page with a domain username and
> password,
> the dialog comes back with the IP Address\username and the user has to
> manually type DOMAIN\username to authenticate.
>
> Is there anyway to fix this issue or force the server to authenticate
> against the domain it is joined into? I have tried Basic Auth with the
> default domain set to the main domain with no luck - Same result.
>
> Thanks in advance.
>
> Scott McCarthy
> smccarthy@radisson.com
>
>
>
| |
| David Wang [Msft] 2004-12-07, 8:47 pm |
| The requirement of a domain (or equivalent information) is really a function
of the authentication protocol you use and is outside of IIS control. IIS
is simply a middleman.
The ability to "default domain" actually means that IIS (or anyone else) can
perform man-in-the-middle security attacks against the protocol -- not
exactly peace of mind, I'd say.
For example, with Basic authentication:
1. user sends their username and password to IIS
2. IIS can add in a "default domain" if the user didn't send any
3. IIS calls LogonUser using domain\username:password to get a user token
and continue processing the request
With Integrated Authentication (NTLM, Kerberos)
1. user sends hashed data blob to IIS. The user must use
domain\username:password to create the hashed data blob
2. IIS obviously cannot add in a "default domain" -- it doesn't know what
the data blob is.
3. IIS calls security API calls which understand the blob and does its thing
4. IIS either gets a "OK" from the security API to then call another
security API to fetch a user token, or it gets a blob to send back to the
client to continue authentication
So, your problem is not that IIS cannot default domain -- your problem is
that your server is configured in such a way that security API is not using
the server's domain in its operations. This is not really an IIS issue at
this point...
I'm suspecting that use of IP instead of sername is a part of the issue.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Scott McCarthy" <ScottMcCarthy@discussions.microsoft.com> wrote in message
news:074DAEAE-7C68-4249-8C97-CE3F6C070963@microsoft.com...
David, I did set it to basic and it finally did work. Is basic the only way
to default a domain? The http link is just an internal IP address accessed
by
internal machines (IE. http://192.168.0.3/website)
Scott
"David Wang [Msft]" wrote:
> What you describe should have worked for Basic authentication -- assuming
> the client/server negotiated Basic instead of something else. Make sure
you
> have ONLY Basic auth enabled and try again -- it should work.
>
>
http://www.microsoft.com/resources/...etdeflogon.mspx
>
> You should not see any authentication dialogs with Integrated
Authentication
> (IE will automatically negotiate the credentials depending on the security
> zone your server is perceived by it). So, something else seems
> misconfigured.
>
> What sort of request URL are you using to access the web server.
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> //
> "Scott McCarthy" <Scott McCarthy@discussions.microsoft.com> wrote in
message
> news:F85BBCA9-1367-481F-9A2D-D8D4F11D7605@microsoft.com...
> I have a web server (Windows 2003 IIS6) that is joined into our domain. I
> have it setup with Windows Integrated Auth. and have also tried Digest and
> Basic.
>
> I cannot get the webserver to authenticate the accounts to theh domain.
> Everytime you try to login to a web page with a domain username and
> password,
> the dialog comes back with the IP Address\username and the user has to
> manually type DOMAIN\username to authenticate.
>
> Is there anyway to fix this issue or force the server to authenticate
> against the domain it is joined into? I have tried Basic Auth with the
> default domain set to the main domain with no luck - Same result.
>
> Thanks in advance.
>
> Scott McCarthy
> smccarthy@radisson.com
>
>
>
| |
| Bernard 2004-12-08, 2:47 am |
| "your problem is that your server is configured in such a way that security
API is not using the server's domain in its operations. "
where and why it is not using the server's domain ?
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:#L67YnM3EHA.524@TK2MSFTNGP09.phx.gbl...
> The requirement of a domain (or equivalent information) is really a
function
> of the authentication protocol you use and is outside of IIS control. IIS
> is simply a middleman.
>
> The ability to "default domain" actually means that IIS (or anyone else)
can
> perform man-in-the-middle security attacks against the protocol -- not
> exactly peace of mind, I'd say.
>
> For example, with Basic authentication:
> 1. user sends their username and password to IIS
> 2. IIS can add in a "default domain" if the user didn't send any
> 3. IIS calls LogonUser using domain\username:password to get a user token
> and continue processing the request
>
> With Integrated Authentication (NTLM, Kerberos)
> 1. user sends hashed data blob to IIS. The user must use
> domain\username:password to create the hashed data blob
> 2. IIS obviously cannot add in a "default domain" -- it doesn't know what
> the data blob is.
> 3. IIS calls security API calls which understand the blob and does its
thing
> 4. IIS either gets a "OK" from the security API to then call another
> security API to fetch a user token, or it gets a blob to send back to the
> client to continue authentication
>
>
> So, your problem is not that IIS cannot default domain -- your problem is
> that your server is configured in such a way that security API is not
using
> the server's domain in its operations. This is not really an IIS issue at
> this point...
>
> I'm suspecting that use of IP instead of sername is a part of the issue.
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> //
> "Scott McCarthy" <ScottMcCarthy@discussions.microsoft.com> wrote in
message
> news:074DAEAE-7C68-4249-8C97-CE3F6C070963@microsoft.com...
> David, I did set it to basic and it finally did work. Is basic the only
way
> to default a domain? The http link is just an internal IP address accessed
> by
> internal machines (IE. http://192.168.0.3/website)
>
> Scott
>
>
> "David Wang [Msft]" wrote:
>
assuming[vbcol=seagreen]
> you
>
http://www.microsoft.com/resources/...etdeflogon.mspx
> Authentication
security[vbcol=seagreen]
> rights.
> message
I[vbcol=seagreen]
and[vbcol=seagreen]
>
>
| |
| Scott McCarthy 2004-12-08, 5:53 pm |
| David, thanks for the information. I agree. Your explanation is excellent. I
will try to connect to the server with the DNS rather than the IP.
Scott
"David Wang [Msft]" wrote:
> The requirement of a domain (or equivalent information) is really a function
> of the authentication protocol you use and is outside of IIS control. IIS
> is simply a middleman.
>
> The ability to "default domain" actually means that IIS (or anyone else) can
> perform man-in-the-middle security attacks against the protocol -- not
> exactly peace of mind, I'd say.
>
> For example, with Basic authentication:
> 1. user sends their username and password to IIS
> 2. IIS can add in a "default domain" if the user didn't send any
> 3. IIS calls LogonUser using domain\username:password to get a user token
> and continue processing the request
>
> With Integrated Authentication (NTLM, Kerberos)
> 1. user sends hashed data blob to IIS. The user must use
> domain\username:password to create the hashed data blob
> 2. IIS obviously cannot add in a "default domain" -- it doesn't know what
> the data blob is.
> 3. IIS calls security API calls which understand the blob and does its thing
> 4. IIS either gets a "OK" from the security API to then call another
> security API to fetch a user token, or it gets a blob to send back to the
> client to continue authentication
>
>
> So, your problem is not that IIS cannot default domain -- your problem is
> that your server is configured in such a way that security API is not using
> the server's domain in its operations. This is not really an IIS issue at
> this point...
>
> I'm suspecting that use of IP instead of sername is a part of the issue.
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Scott McCarthy" <ScottMcCarthy@discussions.microsoft.com> wrote in message
> news:074DAEAE-7C68-4249-8C97-CE3F6C070963@microsoft.com...
> David, I did set it to basic and it finally did work. Is basic the only way
> to default a domain? The http link is just an internal IP address accessed
> by
> internal machines (IE. http://192.168.0.3/website)
>
> Scott
>
>
> "David Wang [Msft]" wrote:
>
> you
> http://www.microsoft.com/resources/...etdeflogon.mspx
> Authentication
> rights.
> message
>
>
>
| |
| Bernard 2004-12-09, 2:54 am |
| ooh ! I'm drunk 
thanks for the update.
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Scott McCarthy" <ScottMcCarthy@discussions.microsoft.com> wrote in message
news:B6C1CF2E-401E-4836-AB6E-3D72440B3206@microsoft.com...[vbcol=seagreen]
> David, thanks for the information. I agree. Your explanation is excellent.
> I
> will try to connect to the server with the DNS rather than the IP.
>
> Scott
>
>
> "David Wang [Msft]" wrote:
>
|
|
|
|
|