Home > Archive > IIS Server Security > March 2004 > Basic Authentication domains don't work properly
Basic Authentication domains don't work properly
| 3ryon 5utherland 2004-03-29, 6:38 pm |
| Here is my setup:
Web Server is in DomainAD, which I want all users to authenticate
against when logging into the web site. Most users are logged into a
machine using DomainNT, with a few users logged into DomainAD (we're
in the early stages of an AD migration).
I would like the web site to allow both Integrated Auth (for users who
are already in DomainAD), and Basic Auth (for users who are still
logged in to DomainNT). When I turn on Integrated and Basic (pointing
to DomainAD) the DomainAD people work great, but the DomainNT people
must type in DomainAD\Username for their login. Just typing in their
user name does not work, it seems to ignore the hard coded Domain
value. Most of these users won't be able to remember that.
If I turn off Integrated Auth and just allow Basic Auth it uses the
value specified in the Domain field, but this causes issues with the
Search feature in Sharepoint, which is probably not an acceptable
solution. Is there some reason that Basic Auth ignores the domain
value it's pointed to when Integrated Auth is also enabled? Is there
a way to get around it?
| |
| Ken Schaefer 2004-03-29, 8:38 pm |
| When the webserver says to the user "you need to authenticate", it lists a
set of acceptable authentication mechanisms configured on the server, in
order from the most preferred (the strongest/most secure) to the least
preferred (the weakest/least secure).
The browser picks the highest method that it supports.
So, if the users are using Internet Explorer, then IWA (either Kerberos, or
NTLM v2) will always be used instead of Basic. Only when you turn off IWA
will Basic be used.
Cheers
Ken
| |
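The negotiation described in the reply above, together with the Basic default-domain behaviour from the original question, as an added example that is not part of any poster's message. The 401 response is constructed sample data; the function names, the first-match client model, and the bare-name rule are assumptions of this sketch, not IIS code.

```python
import base64

# Constructed sample: 401 headers in the shape a server sends when both
# Integrated Windows Authentication and Basic are enabled.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: text/html\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="intranet.example"\r\n'
    "\r\n"
)

def offered_schemes(raw_response):
    """Return the schemes from WWW-Authenticate headers, in server order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.strip().split(None, 1)[0])
    return schemes

def client_choice(offered, supported):
    """Model a client that takes the first offered scheme it supports."""
    supported_lc = {s.lower() for s in supported}
    for scheme in offered:
        if scheme.lower() in supported_lc:
            return scheme
    return None

def make_basic(user, password):
    """Build a Basic Authorization value (base64 only, so use it over TLS)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def basic_logon_name(authorization, default_domain):
    """Simplified model: the default domain is applied only to bare names
    that arrive via Basic; other schemes never reach this code path."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    decoded = base64.b64decode(blob).decode("utf-8")
    user, _, _password = decoded.partition(":")
    if "\\" in user or "@" in user:
        return user                              # DOMAIN\user or UPN as typed
    return default_domain + "\\" + user
```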
| Bernard 2004-03-30, 4:34 am |
| And this is the KB that explains the behavior:
INFO: How IIS Authenticates Browser Clients
http://support.microsoft.com/?id=264921
--
Regards,
Bernard Cheah
http://support.microsoft.com/
http://www.msmvps.com/bernard/
| |
| 3ryon 5utherland 2004-03-30, 10:00 am |
| Thank you for your reply Ken, it certainly explains a lot (like why
this works fine for me in Mozilla Firefox, but not IE). Does anyone
know a way to make IWA assume that the user is trying to log into a
particular domain so that they don't have to specify a domain?
| |
| Ken Schaefer 2004-03-30, 9:36 pm |
| No, there is no way that I'm aware of.
Use Domain\Username
-or-
Use a UPN (that's what they are there for): user@domain.whatever
In any case, what "domain" do you want IIS to use? The Domain the user is
in? Or the Domain that IIS is in? Remember, these can be different,
especially in an AD environment where you can have a forest of domain
hierarchies.
Cheers
Ken