|
Home > Archive > IIS Server Security > June 2004 > Digest Authentication on Win2003
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Digest Authentication on Win2003
|
|
| Clementius 2004-06-26, 10:16 am |
| Hi,
We are trying to use Digest Authentication on IIS 6.0. The IIS server is in
a dmz. The home directory for the default web site points to a share located
on another Win2003 server residing inside the network. We opened the
required ports inbound on the firewall and were able to access the share
drive from Windows Explorer on the IIS server. When going to IIS default
page, we are prompted for a username and password (as expected). We cannot
login using the administrator account or any other account. We get prompted
3 times and finally get: HTTP Error 401.3 - Unauthorized: Access is denied
due to an ACL set on the requested resource.
The firewall log file does not show any denied traffic from IIS to the
internal server.
Any thoughts? Thanks for your help. C
| |
| Clementius 2004-06-26, 10:16 am |
| I read on Win2000mag that Digest Authentication requires IIS 5.0 to run on a
domain controller. Is this true with IIS 6.0 and Windows 2003? Thank you. C
"Clementius" <anonymous@discussions.microsoft.com> wrote in message
news:O%237vlU%23VEHA.3696@TK2MSFTNGP10.phx.gbl...
> Hi,
> We are trying to use Digest Authentication on IIS 6.0. The IIS server is
in
> a dmz. The home directory for the default web site points to a share
located
> on another Win2003 server residing inside the network. We opened the
> required ports inbound on the firewall and were able to access the share
> drive from Windows Explorer on the IIS server. When going to IIS default
> page, we are prompted for a username and password (as expected). We cannot
> login using the administrator account or any other account. We get
prompted
> 3 times and finally get: HTTP Error 401.3 - Unauthorized: Access is denied
> due to an ACL set on the requested resource.
> The firewall log file does not show any denied traffic from IIS to the
> internal server.
> Any thoughts? Thanks for your help. C
>
>
| |
| Clementius 2004-06-26, 10:16 am |
| From
http://www.microsoft.com/resources/...isRG_SEC_9.mspx :
"Digest authentication. This authentication method operates much like Basic
authentication, except that passwords are sent across the network as a hash
value for additional security. Digest authentication is available only on
domains with domain controllers running Windows server operating systems."
Does someone have input about the previous requirements and whether digest
authentication requires the IIS server to be a domain controller? Thank you.
C
"Clementius" <anonymous@discussions.microsoft.com> wrote in message
news:O%23KFpg%23VEHA.2288@TK2MSFTNGP10.phx.gbl...
> I read on Win2000mag that Digest Authentication requires IIS 5.0 to run on
a
> domain controller. Is this true with IIS 6.0 and Windows 2003? Thank you.
C
>
> "Clementius" <anonymous@discussions.microsoft.com> wrote in message
> news:O%237vlU%23VEHA.3696@TK2MSFTNGP10.phx.gbl...
> in
> located
cannot[vbcol=seagreen]
> prompted
denied[vbcol=seagreen]
>
>
| |
| Ken Schaefer 2004-06-26, 10:16 am |
| Hi,
Digest Authentication requires that the user accounts are Domain accounts
(not local accounts), however IIS itself does not need to be running on a
domain controller.
For more information on the requirements to get Digest, and Advanced Digest
authentication working, please get the free sample chapter from my IIS 6.0
security book (there's a link on my homepage: www.adopenstatic.com). The
first section deals in depth with authentication mechanisms and requirements
Cheers
Ken
"Clementius" <anonymous@discussions.microsoft.com> wrote in message
news:uwSzjn%23VEHA.3740@TK2MSFTNGP12.phx.gbl...
: From
:
http://www.microsoft.com/resources/...isRG_SEC_9.mspx :
: "Digest authentication. This authentication method operates much like
Basic
: authentication, except that passwords are sent across the network as a
hash
: value for additional security. Digest authentication is available only on
: domains with domain controllers running Windows server operating systems."
: Does someone have input about the previous requirements and whether digest
: authentication requires the IIS server to be a domain controller? Thank
you.
: C
:
:
: "Clementius" <anonymous@discussions.microsoft.com> wrote in message
: news:O%23KFpg%23VEHA.2288@TK2MSFTNGP10.phx.gbl...
: > I read on Win2000mag that Digest Authentication requires IIS 5.0 to run
on
: a
: > domain controller. Is this true with IIS 6.0 and Windows 2003? Thank
you.
: C
: >
: > "Clementius" <anonymous@discussions.microsoft.com> wrote in message
: > news:O%237vlU%23VEHA.3696@TK2MSFTNGP10.phx.gbl...
: > > Hi,
: > > We are trying to use Digest Authentication on IIS 6.0. The IIS server
is
: > in
: > > a dmz. The home directory for the default web site points to a share
: > located
: > > on another Win2003 server residing inside the network. We opened the
: > > required ports inbound on the firewall and were able to access the
share
: > > drive from Windows Explorer on the IIS server. When going to IIS defau
lt
: > > page, we are prompted for a username and password (as expected). We
: cannot
: > > login using the administrator account or any other account. We get
: > prompted
: > > 3 times and finally get: HTTP Error 401.3 - Unauthorized: Access is
: denied
: > > due to an ACL set on the requested resource.
: > > The firewall log file does not show any denied traffic from IIS to the
: > > internal server.
: > > Any thoughts? Thanks for your help. C
: > >
: > >
: >
: >
:
:
| |
| Srikanth 2004-06-26, 10:16 am |
| Check to see whether the domain users have enough permissions on the content
folder.
-Srikanth, IIS
"Clementius" <anonymous@discussions.microsoft.com> wrote in message
news:O%237vlU%23VEHA.3696@TK2MSFTNGP10.phx.gbl...
> Hi,
> We are trying to use Digest Authentication on IIS 6.0. The IIS server is
in
> a dmz. The home directory for the default web site points to a share
located
> on another Win2003 server residing inside the network. We opened the
> required ports inbound on the firewall and were able to access the share
> drive from Windows Explorer on the IIS server. When going to IIS default
> page, we are prompted for a username and password (as expected). We cannot
> login using the administrator account or any other account. We get
prompted
> 3 times and finally get: HTTP Error 401.3 - Unauthorized: Access is denied
> due to an ACL set on the requested resource.
> The firewall log file does not show any denied traffic from IIS to the
> internal server.
> Any thoughts? Thanks for your help. C
>
>
|
|
|
|
|