Home > Archive > IIS Server Security > March 2004 > IIS 5.0 Integrated Authentication always looks locally rather than to the domain it has joined

IIS 5.0 Integrated Authentication always looks locally rather than to the domain it has joined
I've a Win2K machine joined to a domain. I set up IIS for Integrated authentication and the rest of the authentication options are not set. Whenever I browse to any HTML page, authentication happens locally and not against the joined domain. Upon enabling basic authentication alone (with the domain pointing to the joined domain), it works by authenticating against the said domain. But strangely, with 'integrated authentication' alone it always goes to the local machine rather than the joined domain. Is there a way to force authentication against the domain explicitly?
Ken Schaefer 2004-03-29, 8:47 am
AFAIK, there is no way.
You need to enter Domain\Username or user@domain
Basic Authentication has the "Default Domain" option you can fill in, so as
to set a default domain to authenticate against. IWA does not have this
option.
Cheers
Ken
"Nachi" <anonymous@discussions.microsoft.com> wrote in message
news:0865F758-8801-4878-B1E6-EBCBB453117F@microsoft.com...
: I've a Win2K machine joined to a domain. Setup the IIS to Integrated and
the rest of authentication option are not set. Whenever I browse to any HTML
page, authentication happens locally and not against the domain joined. Upon
enabling basic authentication alone (with the domain pointing to the joined
domain), it works by authenticating against the said domain. But strangely
with 'integrated authentication' alone, it always goes to local machine
rather than joined domain. Is there a way to force authentication against
domain explicitly?
Tom Kaminski [MVP] 2004-03-29, 8:47 am
"Nachi" <anonymous@discussions.microsoft.com> wrote in message
news:0865F758-8801-4878-B1E6-EBCBB453117F@microsoft.com...
> I've a Win2K machine joined to a domain. Setup the IIS to Integrated and
the rest of authentication option are not set. Whenever I browse to any HTML
page, authentication happens locally and not against the domain joined. Upon
enabling basic authentication alone (with the domain pointing to the joined
domain), it works by authenticating against the said domain. But strangely
with 'integrated authentication' alone, it always goes to local machine
rather than joined domain. Is there a way to force authentication against
domain explicitly?
Specifically how are you testing this? IIS should use the domain.
--
Tom Kaminski IIS MVP
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsser...ty/centers/iis/
Ken Schaefer 2004-03-29, 9:49 am
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:c498sb$4rv15@kcweb01.netnews.att.com...
: "Nachi" <anonymous@discussions.microsoft.com> wrote in message
: news:0865F758-8801-4878-B1E6-EBCBB453117F@microsoft.com...
: > I've a Win2K machine joined to a domain. Setup the IIS to Integrated and
: the rest of authentication option are not set. Whenever I browse to any
HTML
: page, authentication happens locally and not against the domain joined.
Upon
: enabling basic authentication alone (with the domain pointing to the
joined
: domain), it works by authenticating against the said domain. But strangely
: with 'integrated authentication' alone, it always goes to local machine
: rather than joined domain. Is there a way to force authentication against
: domain explicitly?
:
:
: Specifically how are you testing this? IIS should use the domain.
Not in my experience...
IIS interprets Username as <LocalIISServer>\Username rather than
<Domain>\Username
Cheers
Ken
Tom Kaminski [MVP] 2004-03-29, 12:38 pm
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:OD5ZLWZFEHA.3764@TK2MSFTNGP12.phx.gbl...
>
> "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
> news:c498sb$4rv15@kcweb01.netnews.att.com...
> : "Nachi" <anonymous@discussions.microsoft.com> wrote in message
> : news:0865F758-8801-4878-B1E6-EBCBB453117F@microsoft.com...
> : > I've a Win2K machine joined to a domain. Setup the IIS to Integrated
and
> : the rest of authentication option are not set. Whenever I browse to any
> HTML
> : page, authentication happens locally and not against the domain joined.
> Upon
> : enabling basic authentication alone (with the domain pointing to the
> joined
> : domain), it works by authenticating against the said domain. But
strangely
> : with 'integrated authentication' alone, it always goes to local machine
> : rather than joined domain. Is there a way to force authentication against
> : domain explicitly?
> :
> :
> : Specifically how are you testing this? IIS should use the domain.
>
>
> Not in my experience...
>
> IIS interprets Username as <LocalIISServer>\Username rather than
> <Domain>\Username
I wonder why? It's always worked correctly in my environment - which is the
whole point of Windows Integrated authentication (to use the domain).
--
Tom Kaminski IIS MVP
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsser...ty/centers/iis/
Ken Schaefer 2004-03-29, 8:38 pm
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:c49jft$4s013@kcweb01.netnews.att.com...
: "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
: news:OD5ZLWZFEHA.3764@TK2MSFTNGP12.phx.gbl...
: >
: > "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
: > news:c498sb$4rv15@kcweb01.netnews.att.com...
: > : "Nachi" <anonymous@discussions.microsoft.com> wrote in message
: > : news:0865F758-8801-4878-B1E6-EBCBB453117F@microsoft.com...
: > : > I've a Win2K machine joined to a domain. Setup the IIS to Integrated
: and
: > : the rest of authentication option are not set. Whenever I browse to any
: > HTML
: > : page, authentication happens locally and not against the domain
joined.
: > Upon
: > : enabling basic authentication alone (with the domain pointing to the
: > joined
: > : domain), it works by authenticating against the said domain. But
: strangely
: > : with 'integrated authentication' alone, it always goes to local
machine
: > : rather than joined domain. Is there a way to force authentication
against
: > : domain explicitly?
: > :
: > :
: > : Specifically how are you testing this? IIS should use the domain.
: >
: >
: > Not in my experience...
: >
: > IIS interprets Username as <LocalIISServer>\Username rather than
: > <Domain>\Username
:
: I wonder why? It's always worked correctly in my environment - which is
the
: whole point of Windows Integrated authentication (to use the domain).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~
That's not "the whole point of IWA" at all. Where did you read that?
IWA is just as capable of using a local accounts database for authentication
as a Domain. Are you saying IWA doesn't work, or is somehow crippled, if the
IIS server is a member server in a workgroup?
Cheers
Ken
Roger Abell 2004-03-30, 1:34 am
"Tom Kaminski [MVP]" wrote
> "Ken Schaefer" wrote
>
> I wonder why? It's always worked correctly in my environment - which is
the
> whole point of Windows Integrated authentication (to use the domain).
>
I am waiting with bated breath, as my experience has always
been the same as Ken, local accounts only unless specified
otherwise. If you really have seen it otherwise Tom, then can
we compare what you have tweaked to get this behavior?
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Bernard 2004-03-30, 4:34 am
If it's a DC, of coz it uses the domain,
if member server, you need domain\username syntax.
--
Regards,
Bernard Cheah
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:c49jft$4s013@kcweb01.netnews.att.com...
> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> news:OD5ZLWZFEHA.3764@TK2MSFTNGP12.phx.gbl...
>
> I wonder why? It's always worked correctly in my environment - which is
the
> whole point of Windows Integrated authentication (to use the domain).
>
> --
> Tom Kaminski IIS MVP
> http://www.iistoolshed.com/ - tools, scripts, and utilities for running
IIS
> http://mvp.support.microsoft.com/
> http://www.microsoft.com/windowsser...ty/centers/iis/
>
>
>
Paul Lynch 2004-03-30, 4:34 am
On Tue, 30 Mar 2004 11:24:22 +1000, "Ken Schaefer"
<kenREMOVE@THISadOpenStatic.com> wrote:
>: > Not in my experience...
>: >
>: > IIS interprets Username as <LocalIISServer>\Username rather than
>: > <Domain>\Username
>:
>: I wonder why? It's always worked correctly in my environment - which is
>the
>: whole point of Windows Integrated authentication (to use the domain).
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~
>
>That's not "the whole point of IWA" at all. Where did you read that?
>
>IWA is just as capable of using a local accounts database for authentication
>as a Domain. Are you saying IWA doesn't work, or is somehow crippled, if the
>IIS server is a member server in a workgroup?
>
>Cheers
>Ken
>
Actually, I always thought that the point of Integrated Authentication
is that it is intended primarily for use in an Intranet environment
where IIS expects the user account to be already logged in to a domain
so that IIS doesn't have to authenticate the user itself.
The clearest explanation of its intended use that I've found is this :
"Windows Integrated Authentication
Windows Integrated authentication is more secure than basic
authentication, and it functions well in an intranet environment where
users have Windows domain accounts. In integrated Windows
authentication, the browser tries to use the current user's
credentials from a domain logon, and if this attempt is unsuccessful,
the user is prompted to enter a user name and password. If you use
integrated Windows authentication, the user's password is not
transmitted to the server. If the user has logged on to the local
computer as a domain user, the user does not have to authenticate
again when the user accesses a network computer in that domain. Note
that you must use Microsoft Internet Explorer 2.0 or later as your Web
browser if you are using Windows Integrated authentication."
http://support.microsoft.com/defaul...;en-us;324276#6
So, in effect, you could argue that it is the whole point of
Integrated Authentication, at least in terms of its intended
application. However, that isn't to say that it will not work in a
workgroup environment.
Although I'm willing to accept that I could be wrong ;-)
Regards,
Paul Lynch
MCSE
Ken Schaefer 2004-03-30, 7:34 am
"Paul Lynch" <paul.lynch@nospam.com> wrote in message
news:4vei60hvo1n6vbm05llsntluktdi5k9s2s@4ax.com...
: On Tue, 30 Mar 2004 11:24:22 +1000, "Ken Schaefer"
: <kenREMOVE@THISadOpenStatic.com> wrote:
:
:
: >: > Not in my experience...
: >: >
: >: > IIS interprets Username as <LocalIISServer>\Username rather than
: >: > <Domain>\Username
: >:
: >: I wonder why? It's always worked correctly in my environment - which
is
: >the
: >: whole point of Windows Integrated authentication (to use the domain).
: > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~
: >
: >That's not "the whole point of IWA" at all. Where did you read that?
: >
: >IWA is just as capable of using a local accounts database for
authentication
: >as a Domain. Are you saying IWA doesn't work, or is somehow crippled, if
the
: >IIS server is a member server in a workgroup?
: >
: >Cheers
: >Ken
: >
:
: Actually, I always thought that the point of Integrated Authentication
: is that it is intended primarily for use in an Intranet environment
: where _IIS_expects_the_user_account_to_be_already_logged in to a domain
: so that IIS doesn't have to authenticate the user itself.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~
Well, you see, that's not what IIS expects...
Integrated Windows Authentication assumes the user to be logged into
*Windows*, not into a Domain per se.
Additionally, the statement about IIS not having to authenticate the user is
kinda irrelevant: IIS doesn't authenticate the user using other methods (eg
Digest/Advanced Digest) either.
It (IWA) is intended to be used primarily in an Intranet environment because
the technical requirements for implementing NTLM, or Kerberos (the two
authentication systems that IWA covers) aren't widely met on the wider
internet. NTLM doesn't work through most proxy servers and Kerberos requires
the client machine to have access to the KDC (which is a DC in the Windows
Domain environment).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~
: The clearest explanation of its intended use that I've found is this :
:
: "Windows Integrated Authentication
: Windows Integrated authentication is more secure than basic
: authentication, and it functions well in an intranet environment where
: users have Windows domain accounts. In integrated Windows
: authentication, the browser tries to use the current user's
: credentials from a domain logon,
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~
*and this includes the Domain name*
And if your credentials don't work, and you need to manually type them in,
you need to supply the domain name (either as Domain\Username, or as a User
Principal Name; user@domain). Otherwise IIS assumes you are attempting to
authenticate to the local machine, not the Domain.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~
: and if this attempt is unsuccessful,
: the user is prompted to enter a user name and password. If you use
: integrated Windows authentication, the user's password is not
: transmitted to the server. If the user has logged on to the local
: computer as a domain user, the user does not have to authenticate
: again when the user accesses a network computer in that domain. Note
: that you must use Microsoft Internet Explorer 2.0 or later as your Web
: browser if you are using Windows Integrated authentication."
:
: http://support.microsoft.com/defaul...;en-us;324276#6
:
: So, in effect, you could argue that it is the whole point of
: Integrated Authentication, at least in terms of its intended
: application. However, that isn't to say that it will not work in a
: workgroup environment.
:
: Although I'm willing to accept that I could be wrong ;-)
:
:
: Regards,
:
: Paul Lynch
: MCSE
Tom Kaminski [MVP] 2004-03-30, 8:43 am
"Paul Lynch" <paul.lynch@nospam.com> wrote in message
news:4vei60hvo1n6vbm05llsntluktdi5k9s2s@4ax.com...
> On Tue, 30 Mar 2004 11:24:22 +1000, "Ken Schaefer"
> <kenREMOVE@THISadOpenStatic.com> wrote:
>
>
>
> Actually, I always thought that the point of Integrated Authentication
> is that it is intended primarily for use in an Intranet environment
> where IIS expects the user account to be already logged in to a domain
> so that IIS doesn't have to authenticate the user itself.
>
> The clearest explanation of its intended use that I've found is this :
>
> "Windows Integrated Authentication
> Windows Integrated authentication is more secure than basic
> authentication, and it functions well in an intranet environment where
> users have Windows domain accounts. In integrated Windows
> authentication, the browser tries to use the current user's
> credentials from a domain logon, and if this attempt is unsuccessful,
> the user is prompted to enter a user name and password. If you use
> integrated Windows authentication, the user's password is not
> transmitted to the server. If the user has logged on to the local
> computer as a domain user, the user does not have to authenticate
> again when the user accesses a network computer in that domain. Note
> that you must use Microsoft Internet Explorer 2.0 or later as your Web
> browser if you are using Windows Integrated authentication."
>
> http://support.microsoft.com/defaul...;en-us;324276#6
>
> So, in effect, you could argue that it is the whole point of
> Integrated Authentication, at least in terms of its intended
> application. However, that isn't to say that it will not work in a
> workgroup environment.
>
> Although I'm willing to accept that I could be wrong ;-)
Thanks - Paul, you beat me to it. That's the definition I use.
--
Tom Kaminski IIS MVP
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsser...ty/centers/iis/
Tom Kaminski [MVP] 2004-03-30, 8:43 am
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:%23$5DPNlFEHA.2512@TK2MSFTNGP10.phx.gbl...
> And if your credentials don't work, and you need to manually type them in,
> you need to supply the domain name (either as Domain\Username, or as a
User
> Principal Name; user@domain). Otherwise IIS assumes you are attempting to
> authenticate to the local machine, not the Domain.
Maybe this is the source of confusion - if your credentials *do* work (and
don't need to type them in) then IIS uses the domain - which is all that my
point was.
--
Tom Kaminski IIS MVP
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsser...ty/centers/iis/
Tom Kaminski [MVP] 2004-03-30, 8:43 am
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:uB1SIxhFEHA.2160@TK2MSFTNGP12.phx.gbl...
> "Tom Kaminski [MVP]" wrote
>
> I am waiting with bated breath, as my experience has always
> been the same as Ken, local accounts only unless specified
> otherwise. If you really have seen it otherwise Tom, then can
> we compare what you have tweaked to get this behavior?
I haven't had to tweak anything. Read what Paul posted and think about it -
how can IIS use the account you logged on to your workstation with if IIS is
expecting its own local accounts? The server's local accounts only exist in
the context of the server - you can't logon to your own machine with them.
A domain account, on the other hand, can be used on all machines in the
domain, both servers and workstation - hence the point of Windows Integrated
authentication - you're already logged on to your machine with a domain
account so IE/IIS will use that (in the background) and not prompt you
again.
--
Tom Kaminski IIS MVP
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsser...ty/centers/iis/
Ken Schaefer 2004-03-30, 9:36 pm
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:c4bscu$4s016@kcweb01.netnews.att.com...
: "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
: news:%23$5DPNlFEHA.2512@TK2MSFTNGP10.phx.gbl...
: > And if your credentials don't work, and you need to manually type them
in,
: > you need to supply the domain name (either as Domain\Username, or as a
: User
: > Principal Name; user@domain). Otherwise IIS assumes you are attempting
to
: > authenticate to the local machine, not the Domain.
:
: Maybe this is the source of confusion - if your credentials *do* work (and
: don't need to type them in) then IIS uses the domain - which is all that
my
: point was.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~
IIS only uses the domain if your credentials include the Domain. If I logon
using <machine>\LocalUser, then IIS is not going to "use the domain".
Likewise, if I logon to <Domain1>\User, and IIS is actually in Domain2, then
IIS isn't going to connect to the DCs for Domain2, even though IIS is in
that domain.
IIS does not "automatically logon to the domain". It uses whatever the
client computer sends. IE can send the credentials of the logged on user, or
the user can manually supply them. In neither case is the domain *that IIS
is in* automatically used.
Cheers
Ken
Ken Schaefer 2004-03-30, 9:36 pm
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:c4bs72$4rv17@kcweb01.netnews.att.com...
: "Bernard" <qbernard@hotmail.com.discuss> wrote in message
: news:eRY6uNjFEHA.580@TK2MSFTNGP11.phx.gbl...
: > If it's a DC, of coz it uses the domain,
: > if member server, you need domain\username syntax.
:
: Isn't that Basic authentication? Remember, if Windows Integrated
: is setup correctly you don't get prompted.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~
No.
a) There is nothing to configure with Windows Integrated Authentication that
somehow allows you to "avoid being prompted". That is out of the control of
the webserver. It is entirely up to the browser to determine if the current
logged on credentials are passed to the server. Mozilla, for example,
supports IWA (via NTLM v2), and never automatically sends credentials.
b) Regardless of whether you use Basic or IWA, if you *do not supply a
domain*, then IIS will authenticate you against the local accounts database.
On a DC, then this is the domain user accounts database. If a member server,
then the local member server's accounts database. Basic authentication does
provide a mechanism to override this (authenticate to the Domain by default)
but IWA DOES NOT provide this functionality.
Cheers
Ken
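Ken's rule in the two posts above (IIS authenticates whatever principal the client sends; with no domain qualifier it is the local accounts database, which on a DC happens to be the domain's; Basic's "Default Domain" is the only override and IWA has none; a Domain1 logon is never redirected to the Domain2 the server sits in) worked through in code. This is an added example, not code from the thread or from IIS; the `IisServer` model and every server, user and domain name in it are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

BASIC = "basic"
INTEGRATED = "integrated"   # IWA, i.e. NTLM or Kerberos


@dataclass(frozen=True)
class IisServer:
    """The IIS host as this model sees it (all values constructed for the example)."""
    name: str                                   # NetBIOS name of the web server
    joined_domain: str                          # domain the server is a member of
    is_domain_controller: bool = False
    basic_default_domain: Optional[str] = None  # Basic's "Default Domain" box; IWA has no equivalent


def split_principal(raw: str) -> Tuple[Optional[str], str]:
    """Split what the client sent into (authority, user).

    Accepts DOMAIN\\user, the UPN form user@domain, or a bare user name.
    An empty authority (e.g. "\\user") is treated as absent.
    """
    if "\\" in raw:
        authority, user = raw.split("\\", 1)
        return (authority or None), user
    if "@" in raw:
        user, authority = raw.rsplit("@", 1)
        return (authority or None), user
    return None, raw


def account_database(raw_principal: str, method: str, server: IisServer) -> str:
    """Name the accounts database the logon is handed to: a domain, or the server
    itself (its local SAM)."""
    if method not in (BASIC, INTEGRATED):
        raise ValueError(f"unknown authentication method: {method!r}")

    authority, _user = split_principal(raw_principal)

    # "." is the Windows shorthand for the local machine.
    if authority == ".":
        return server.name

    # A qualifier names the authority outright. IIS contacts *that* domain, even
    # when IIS itself is a member of a different one (the Domain1/Domain2 case).
    if authority is not None:
        return authority

    # No qualifier at all. Only Basic has a configurable default domain to fall back on.
    if method == BASIC and server.basic_default_domain:
        return server.basic_default_domain

    # Otherwise it is the local accounts database: on a DC that is the domain's own
    # database; on a member server it is the server's SAM (the OP's observation).
    return server.joined_domain if server.is_domain_controller else server.name


def browser_supplied_principal(logged_on_as: str) -> str:
    """What IE forwards silently under IWA: the workstation logon, domain included."""
    authority, user = split_principal(logged_on_as)
    if authority is None:
        raise ValueError("an interactive Windows logon always carries an authority")
    return f"{authority}\\{user}"


def thread_scenarios() -> dict:
    """The situations debated in the thread, run through the model (constructed names)."""
    member = IisServer(name="WEB01", joined_domain="CORP", basic_default_domain="CORP")
    dc = IisServer(name="DC01", joined_domain="CORP", is_domain_controller=True)
    return {
        # The OP: IWA only, bare user name typed at the prompt -> WEB01's local SAM
        "op_iwa_bare_member": account_database("nachi", INTEGRATED, member),
        # The OP: Basic with Default Domain filled in -> CORP
        "op_basic_bare_member": account_database("nachi", BASIC, member),
        # Ken: qualify the name and IWA goes to the domain
        "iwa_netbios_qualified": account_database("CORP\\nachi", INTEGRATED, member),
        "iwa_upn": account_database("nachi@corp.example", INTEGRATED, member),
        # Bernard: on a DC the "local" database is the domain's
        "iwa_bare_dc": account_database("nachi", INTEGRATED, dc),
        # Ken: credentials for another domain while IIS sits in CORP
        "iwa_foreign_domain": account_database("OTHERDOM\\bob", INTEGRATED, member),
        # Tom: the silent case, IE forwards the workstation logon (domain included)
        "iwa_silent": account_database(browser_supplied_principal("CORP\\alice"),
                                       INTEGRATED, member),
    }
```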
Ken Schaefer 2004-03-30, 9:36 pm
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:c4bs56$4s015@kcweb01.netnews.att.com...
: "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
: news:uB1SIxhFEHA.2160@TK2MSFTNGP12.phx.gbl...
: > "Tom Kaminski [MVP]" wrote
: > > "Ken Schaefer" wrote
: > > > "Tom Kaminski [MVP]" wrote
: > > > : "Nachi" wrote
: > > > : I've a Win2K machine joined to a domain. Setup the IIS to
: Integrated
: > > > : and the rest of authentication option are not set. Whenever I
browse
: to
: > > > : any HTML page, authentication happens locally and not against the
: > > > : domain joined.
: >
: > > > : Upon enabling basic authentication alone (with the domain pointing
: to
: > > > : the joined domain), it works by authenticating against the said
: > domain.
: > > > : But strangely with 'integrated authentication' alone, it always
goes
: > to
: > > > : local machine rather than joined domain. Is there a way to force
: > > > : authentication against domain explicitly?
: > > > :
: > > > : Specifically how are you testing this? IIS should use the domain.
: > > >
: > > >
: > > > Not in my experience...
: > > >
: > > > IIS interprets Username as <LocalIISServer>\Username rather than
: > > > <Domain>\Username
: > >
: > > I wonder why? It's always worked correctly in my environment - which
is
: > the
: > > whole point of Windows Integrated authentication (to use the domain).
: > >
: >
: > I am waiting with bated breath, as my experience has always
: > been the same as Ken, local accounts only unless specified
: > otherwise. If you really have seen it otherwise Tom, then can
: > we compare what you have tweaked to get this behavior?
:
: I haven't had to tweak anything. Read what Paul posted and think about
it -
: how can IIS use the account you logged on to your workstation with if IIS
is
: expecting its own local accounts? The server's local accounts only exist
in
: the context of the server - you can't logon to your own machine with them.
You can logon to a machine with *any* account the machine accepts, and then
logon to a network resource with *any* credentials that the network resource
will accept. They can be different.
Tom, you'll just have to accept that IIS, in the absence of a Domain name,
will use the local user accounts database. It does not *default* to the
Domain.
: A domain account, on the other hand, can be used on all machines in the
: domain, both servers and workstation - hence the point of Windows
Integrated
: authentication - you're already logged on to your machine with a domain
: account so IE/IIS will use that (in the background) and not prompt you
: again.
Cheers
Ken
Roger Abell 2004-03-30, 10:37 pm
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:c4bs56$4s015@kcweb01.netnews.att.com...
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:uB1SIxhFEHA.2160@TK2MSFTNGP12.phx.gbl...
>
> I haven't had to tweak anything. Read what Paul posted and think about
it -
> how can IIS use the account you logged on to your workstation with if IIS
is
> expecting its own local accounts? The server's local accounts only exist
in
> the context of the server - you can't logon to your own machine with them.
> A domain account, on the other hand, can be used on all machines in the
> domain, both servers and workstation - hence the point of Windows
Integrated
> authentication - you're already logged on to your machine with a domain
> account so IE/IIS will use that (in the background) and not prompt you
> again.
>
But you are speaking of pre-existing credentials.
I am talking of prompted login authentication, which I believe
is also what the OP was asking about.
When prompted with Windows integrated authentication in use
there is no way to set a default SAM, it will always use the
machine local SAM.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Bernard 2004-03-31, 2:36 am
No, with IWA you will get prompted if the access fails.
It will not prompt you if IE (the client browser) sends the correct credential
in local zone mode.
In IIS 6.0, you will get 401.2, followed by 401.1, until you are authenticated
(200).
--
Regards,
Bernard Cheah
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:c4bs72$4rv17@kcweb01.netnews.att.com...
> "Bernard" <qbernard@hotmail.com.discuss> wrote in message
> news:eRY6uNjFEHA.580@TK2MSFTNGP11.phx.gbl...
>
> Isn't that Basic authentication? Remember, if Windows Integrated is setup
> correctly you don't get prompted.
>
> --
> Tom Kaminski IIS MVP
> http://www.iistoolshed.com/ - tools, scripts, and utilities for running
IIS
> http://mvp.support.microsoft.com/
> http://www.microsoft.com/windowsser...ty/centers/iis/
>
>
>
Tom Kaminski [MVP] 2004-03-31, 8:42 am
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:OACM7FsFEHA.2580@TK2MSFTNGP12.phx.gbl...
>
> "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
> news:c4bscu$4s016@kcweb01.netnews.att.com...
> : "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> : news:%23$5DPNlFEHA.2512@TK2MSFTNGP10.phx.gbl...
> : > And if your credentials don't work, and you need to manually type them
> in,
> : > you need to supply the domain name (either as Domain\Username, or as a
> : User
> : > Principal Name; user@domain). Otherwise IIS assumes you are attempting
> to
> : > authenticate to the local machine, not the Domain.
> :
> : Maybe this is the source of confusion - if your credentials *do* work
(and
> : don't need to type them in) then IIS uses the domain - which is all that
> my
> : point was.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~
>
> IIS only uses the domain if your credentials include the Domain. If I
logon
> using <machine>\LocalUser, then IIS is not going to "use the domain".
>
> Likewise, if I logon to <Domain1>\User, and IIS is actually in Domain2,
then
> IIS isn't going to connect to the DCs for Domain2, even though IIS is in
> that domain.
>
> IIS does not "automatically logon to the domain". It uses whatever the
> client computer sends. IE can send the credentials of the logged on user,
or
> the user can manually supply them. In neither case is the domain *that IIS
> is in* automatically used.
I'm clear on this - I was *never* talking about manually supplying
credentials. : )
--
Tom Kaminski IIS MVP
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsser...ty/centers/iis/
Tom Kaminski [MVP] 2004-03-31, 8:42 am
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:Ovav7HsFEHA.744@TK2MSFTNGP09.phx.gbl...
>
> "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
> news:c4bs72$4rv17@kcweb01.netnews.att.com...
> : "Bernard" <qbernard@hotmail.com.discuss> wrote in message
> : news:eRY6uNjFEHA.580@TK2MSFTNGP11.phx.gbl...
> : > If it's a DC, of coz it uses the domain,
> : > if member server, you need domain\username syntax.
> :
> : Isn't that Basic authentication? Remember, if Windows Integrated
> : is setup correctly you don't get prompted.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~
>
> No.
>
> a) There is nothing to configure with Windows Integrated Authentication
that
> somehow allows you to "avoid being prompted". That is out of the control
of
> the webserver. It is entirely up to the browser to determine if the
current
> logged on credentials are passed to the server. Mozilla, for example,
> supports IWA (via NTLM v2), and never automatically sends credentials.
>
> b) Regardless of whether you use Basic or IWA, if you *do not supply a
> domain*, then IIS will authenticate you against the local accounts
database.
> On a DC, then this is the domain user accounts database. If a member
server,
> then the local member server's accounts database. Basic authentication
does
> provide a mechanism to override this (authenticate to the Domain by
default)
> but IWA DOES NOT provide this functionality.
Agreed.
a) I was referring to "configuring" the whole system, including IE. It's
understood that there's nothing to configure in IIS.
b) I was never referring to manually supplying credentials with Windows
Integrated authentication. In my intranet-based mind, the whole point in
using Windows Integrated is to avoid the prompt and having to manually
provide credentials (which is what I see as its benefit over Basic in an
intranet environment).
I just should have stayed out of this one ... : )
--
Tom Kaminski IIS MVP
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsser...ty/centers/iis/
Tom Kaminski [MVP] 2004-03-31, 8:42 am
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%23yB35DtFEHA.1156@TK2MSFTNGP12.phx.gbl...
> I am talking of prompted login authentication, which I believe
> is also what the OP was asking about.
Yup - and I missed that.