Home > Archive > IIS Server Security > July 2004 > IIS Logon Credentials

IIS Logon Credentials
Steve Gear 2004-07-22, 6:00 pm
I am having a minor situation that I can't seem to find a
fix for. Whenever "Integrated" Authentication is checked
in IIS for my Exchange Virtual Directory, I must enter a
domain name preceding the username to logon to any
mailbox. Unchecked and works as expected, but I know
this is not secure and have deployed it successfully in
other organizations where this is turned on by default
and have no problems logging on to OWA or OMA.
Running Win2k3 Server and Exchange 2k3 Server and
accessing through a cisco pix firewall via the internet.
Any help would be appreciated,
Thx,
Steve
Bernard 2004-07-23, 2:49 am
This is by design I believe, you need to enter in this format
domain\username. Integrated Authentication might break over firewall, so it
would be best to use 'basic' together with SSL to secure the connection.
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Steve Gear" <trmfp@nospam.yahoo.com> wrote in message
news:23d001c4700c$c312e390$a501280a@phx.gbl...
> I am having a minor situation that I can't seem to find a
> fix for. Whenever "Integrated" Authentication is checked
> in IIS for my Exchange Virtual Directory, I must enter a
> domain name preceding the username to logon to any
> mailbox. Unchecked and works as expected, but I know
> this is not secure and have deployed it successfully in
> other organizations where this is turned on by default
> and have no problems logging on to OWA or OMA.
>
> Running Win2k3 Server and Exchange 2k3 Server and
> accessing through a cisco pix firewall via the internet.
>
> Any help would be appreciated,
>
> Thx,
>
> Steve
But I have successfully deployed this numerous times
behind firewalls and had Integrated and Basic Turned on
and had it work correctly.
As far as SSL is concerned, I have installed Certificate
Services and created a Certificate that I signed, will
this work? Will SSL connections then only require the
username and password without the domain name information?
Thanks for your help,
Steve
>-----Original Message-----
>This is by design I believe, you need to enter in this format
>domain\username. Integrated Authentication might break over firewall, so it
>would best to use 'basic' together with SSL to secure the connection.
>
>--
>Regards,
>Bernard Cheah
>http://www.tryiis.com/
>http://support.microsoft.com/
>http://www.msmvps.com/bernard/
>
>"Steve Gear" <trmfp@nospam.yahoo.com> wrote in message
>news:23d001c4700c$c312e390$a501280a@phx.gbl...
Are you saying that in your installations, you still had to enter a username
and a password, but no domain name?
If that's the case, the other installations are not using Integrated
Security either. It is probably blocked by a firewall, in which case the
browser will revert to Basic. You then have to enter a username/password. If
it was Integrated authentication (and IE is set to send the current user
credentials automatically; on by default except for Restricted zone), you
wouldn't see a logon dialog. (that's the point behind Integrated).
The reason you have to enter a domain name now, and not before, may be
related to the fact that you are browsing from a machine that's not part of
the domain of your Exchange server. IE will include the current domain name
if it is not provided in the login box.
HTH
--
Sven
"Steve" <trmfp@nospam.yahoo.com> wrote in message
news:2bf201c470ad$8e4d4be0$a301280a@phx.gbl...
> But I have successfully deployed this numerous times
> behind firewalls and had Integrated and Basic Turned on
> and had it work correctly.
>
> As far as SSL is concerned, I have installed Certificate
> Services and created a Certificate that I signed, will
> this work? Will SSL connections then only require the
> username and password without the domain name information?
>
> Thanks for your help,
>
> Steve
Here is how it has worked for me in the past:
Setup Exchange and by default Integrated and Basic are
checked.
Attempt to logon from either inside or outside of the
domain and it will prompt you for username/password. At
this point the domain username and password must be typed
in and then the user is logged into their mailbox.
In this instance, when I have both turned on, it requires
me to enter the domain name before the username in some
shape or form (i.e. domain\username or
username@domainname.local). I realize it is more secure
to use integrated with the domain name, but in the past it
has not been necessary.
But I think I would have to agree with what you are
saying that maybe in those other instances that it is
using Basic instead of integrated, but why would it not
override in this case?
What port or protocol does Integrated authentication
use? How can I open up the firewall to test this theory?
Thanks,
Steve
>-----Original Message-----
>Are you saying that in your installations, you still had to enter a username
>and a password, but no domain name?
>
>If that's the case, the other installations are not using Integrated
>Security either. It is probably blocked by a firewall, in which case the
>browser will revert to Basic. You then have to enter a username/password. If
>it was Integrated authentication (and IE is set to send the current user
>credentials automatically; on by default except for Restricted zone), you
>wouldn't see a logon dialog. (that's the point behind Integrated).
>
>The reason you have to enter a domain name now, and not before, may be
>related to the fact that you are browsing from a machine that's not part of
>the domain of your Exchange server. IE will include the current domain name
>if it is not provided in the login box.
>
>HTH
>
>--
>
>Sven
>
>
>"Steve" <trmfp@nospam.yahoo.com> wrote in message
>news:2bf201c470ad$8e4d4be0$a301280a@phx.gbl...
> Here is how it has worked for me in the past:
>
> Setup Exchange and by default Integrated and Basic are
> checked.
>
> Attempt to logon from either inside or outside of the
> domain and it will prompt you for username/password. At
> this point the domain username and password must be typed
> in and then the user is logged into their mailbox.
That would indicate that Integrated Authentication is not used, or at least
that the first logon attempt (with the credentials the user used to logon to
his/her machine) failed.
I believe there is actually a way to visually distinguish the IE login
boxes. I am not sure, but I think the one for Basic would not have a domain
field. The one for integrated does have a domain text box too (or vice
versa; not sure).
>
> In this instance, when I have both turned on, it requires
> me to enter the domain name before the username in some
> shape or form (i.e. domain\username or
> username@domainname.local). I realize it is more secure
> to use integrated wit the domain name, but in the past it
> has not been necessary.
Ok, but is the user who is logging on the Exchange server logged on to the
same domain as the Exchange server?
Also, does it happen with all clients?
>
> But I think I would have to agree with what you are
> saying that maybe in those other instances that it is
> using Basic instead of integrated, but why would it no
> override in this case?
>
> What port or protocol does Integrated authentication
> use? How can I open up the firewall to test this theory?
I am not sure, technet site has a list of TCP and UDP ports used by Windows.
You should look for Kerberos ports.
>
> Thanks,
>
> Steve
Bernard 2004-07-26, 2:56 am
I doubt Integrated windows auth will work - refer
INFO: How IIS Authenticates Browser Clients
http://support.microsoft.com/?id=264921
SSL is recommended when you are using Basic auth, as
the user credential is sent in plain text, whereas
for Integrated windows, no user credential is passed,
only an access token...
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Steve" <trmfp@nospam.yahoo.com> wrote in message
news:2bf201c470ad$8e4d4be0$a301280a@phx.gbl...
> But I have successfully deployed this numerous times
> behind firewalls and had Integrated and Basic Turned on
> and had it work correctly.
>
> As far as SSL is concerned, I have installed Certificate
> Services and created a Certificate that I signed, will
> this work? Will SSL connections then only require the
> username and password without the domain name information?
>
> Thanks for your help,
>
> Steve
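Bernard's point above (Basic sends the credential itself in plain text, while Integrated passes a token) and Sven's earlier point (a browser that cannot complete Integrated falls back to Basic and prompts, and the logon name may or may not carry a domain) can both be checked from the HTTP headers of a single 401/retry exchange. The following Python is an added example, not code from this thread or from IIS; the header values, the account `CORP\steve`, the password and the function names are constructed for illustration.

```python
import base64
from typing import List, Optional, Tuple

# Constructed sample: WWW-Authenticate headers an IIS site with Integrated and
# Basic both enabled returns on a 401 (IIS sends one header per scheme).
SAMPLE_RESPONSE_HEADERS = [
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", "NTLM"),
    ("WWW-Authenticate", 'Basic realm="owa.example.local"'),
]
# Constructed sample of what the browser sends once it has fallen back to Basic.
SAMPLE_AUTHORIZATION = "Basic " + base64.b64encode(b"CORP\\steve:Summer2004").decode()

def offered_schemes(headers: List[Tuple[str, str]]) -> List[str]:
    """Schemes the server advertises; the browser picks the strongest it can use."""
    return [v.split()[0] for k, v in headers if k.lower() == "www-authenticate"]

def split_account(account: str) -> Tuple[Optional[str], str]:
    """Split DOMAIN\\user or user@domain (UPN) into (domain, user); bare names give None."""
    if "\\" in account:
        domain, user = account.split("\\", 1)
        return domain, user
    if "@" in account:
        user, domain = account.rsplit("@", 1)
        return domain, user
    return None, account

def decode_basic(authorization: str) -> Optional[Tuple[Optional[str], str, str]]:
    """Basic carries user:password merely base64-encoded, so anyone on the path can read it."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None  # Negotiate/NTLM carry a token exchange, not the password itself
    account, _, password = base64.b64decode(blob).decode("latin-1").partition(":")
    domain, user = split_account(account)
    return domain, user, password

def audit_exchange(https: bool, headers, authorization: Optional[str]) -> List[str]:
    """Findings for one 401/retry pair, from the server operator's point of view."""
    findings = []
    if "Basic" in offered_schemes(headers) and not https:
        findings.append("Basic offered without SSL: password recoverable on the wire")
    decoded = decode_basic(authorization) if authorization else None
    if decoded:
        domain, user, _ = decoded
        if not https:
            findings.append(f"client fell back to Basic without SSL: user={user!r} domain={domain!r}")
        if domain is None:
            findings.append("logon name carries no domain (neither DOMAIN\\user nor user@domain)")
    return findings
```

Running `audit_exchange(False, SAMPLE_RESPONSE_HEADERS, SAMPLE_AUTHORIZATION)` reports both the unprotected Basic offer and the fallback; the same exchange over SSL reports nothing.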
Bernard:
I am not sure if this article is still relevant. Even though it has been
updated on 7/13/2004, it does not apply to Windows 2003 or IE 6 (assuming
Steve is using IE 6).
--
Sven
"Bernard" <qbernard@hotmail.com.discuss> wrote in message
news:edyrPzrcEHA.716@TK2MSFTNGP11.phx.gbl...
> I doubt Integrated windows auth will work - refer
> INFO: How IIS Authenticates Browser Clients
> http://support.microsoft.com/?id=264921
>
> SSL is recommended when you using Basic auth, as
> user credential is sent in plain text, whereas
> for Integrated windows, no user credential was passed.
> only access token...
>
> --
> Regards,
> Bernard Cheah
> http://www.tryiis.com/
> http://support.microsoft.com/
> http://www.msmvps.com/bernard/
>
>
>
> "Steve" <trmfp@nospam.yahoo.com> wrote in message
> news:2bf201c470ad$8e4d4be0$a301280a@phx.gbl...
Bernard 2004-07-27, 8:55 pm
Yes, it does. Actually, you can open IIS MMC, F1 - help.
then look for Web authentication section. With IIS6.0, there's
additional new auth scheme, like passport and etc. but some
basic rules still apply....
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"SA" <informatica@freemail.nl> wrote in message
news:u5y7Au9cEHA.3564@TK2MSFTNGP09.phx.gbl...
> Bernard:
>
> I am not sure if this article is still relevant. Even though it has been
> updated on 7/13/2004, it does not apply to Windows 2003 or IE 6 (assuming
> Steve is using IE 6).
>
> --
>
> Sven
>
>
> "Bernard" <qbernard@hotmail.com.discuss> wrote in message
> news:edyrPzrcEHA.716@TK2MSFTNGP11.phx.gbl...