|
Home > Archive > IIS Server Security > November 2005 > IIS 6.0 authentication ISSUE from a FQDN vs http://name
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
IIS 6.0 authentication ISSUE from a FQDN vs http://name
|
|
| Mike S 2005-11-29, 8:49 pm |
| iis 6 authentication ISSUE-------------
Issue- we have a virutal webiste (named WEBSITE) that we only want users of
a certain group to be able to access. The AD domain name is ABC.com. The
dns name for the website is WEBSITE.XYZ.COM. The host headers are setup as
follows- WEBSITE and WEBSITE.XYZ.COM. DNS entries are setup as follows-
under the ABC.COM zone- WEBSITE and under the XYZ.COM - WEBSITE. All name
resolution has been tested and works. IIS security settings for the virutal
webiste- WEBSITE are enable anonymous access UNCHECKED, Integrated Windows
Authentication IS CHECKED. NTFS permissions are set on the IIS home folder
for the group that we want to have access.
Wnen accessing site via http://WEBSITE we gain access to site with no logon
(if we are part of group- if not part of group we get a logon- which is what
we are looking for)
When trying to access http://WEBSITE.XYZ.COM we get a logon even if we are
part of the group that has ntfs rights to home folder.
Goal is for users in our domain to access site and not have a secondary
logon if they belong to an access group- and we can not use anonymous access
becuase we have app that looks at the user ID that is accessing the site.
Everything works when accessing http://WEBISTE
| |
| David Wang [Msft] 2005-11-30, 2:50 am |
| I doubt this is an IIS issue because IIS does not even know about FQDN vs
http://name -- that name gets resolved to an IP by the client to make direct
TCP IP/Port connection, and IIS only uses the Host headers to route
requests. Authentication decision is made independently, and you said that
it works for http://website
I think this is client-side auto-login misconfiguration:
http://blogs.msdn.com/david.wang/ar...rated_Auth.aspx
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Mike S" <Mike S@discussions.microsoft.com> wrote in message
news:2BD8D016-92DE-4FFA-9746-474FE87F79A3@microsoft.com...
iis 6 authentication ISSUE-------------
Issue- we have a virutal webiste (named WEBSITE) that we only want users of
a certain group to be able to access. The AD domain name is ABC.com. The
dns name for the website is WEBSITE.XYZ.COM. The host headers are setup as
follows- WEBSITE and WEBSITE.XYZ.COM. DNS entries are setup as follows-
under the ABC.COM zone- WEBSITE and under the XYZ.COM - WEBSITE. All name
resolution has been tested and works. IIS security settings for the virutal
webiste- WEBSITE are enable anonymous access UNCHECKED, Integrated Windows
Authentication IS CHECKED. NTFS permissions are set on the IIS home folder
for the group that we want to have access.
Wnen accessing site via http://WEBSITE we gain access to site with no logon
(if we are part of group- if not part of group we get a logon- which is what
we are looking for)
When trying to access http://WEBSITE.XYZ.COM we get a logon even if we are
part of the group that has ntfs rights to home folder.
Goal is for users in our domain to access site and not have a secondary
logon if they belong to an access group- and we can not use anonymous access
becuase we have app that looks at the user ID that is accessing the site.
Everything works when accessing http://WEBISTE
| |
| Ken Schaefer 2005-11-30, 2:50 am |
| As David says, this is not an IIS issue, it is a client-side configuration
issue. See this KB article:
http://support.microsoft.com/?id=258063
You can push the necessary changes out to your clients via a GPO if you
wish:
User Configuration -> Administrative Templates -> Windows Components ->
Internet Explorer -> Internet Explorer Control Panel -> Security Page ->
Site to Zone Assignment List
Cheers
Ken
"Mike S" <Mike S@discussions.microsoft.com> wrote in message
news:2BD8D016-92DE-4FFA-9746-474FE87F79A3@microsoft.com...
: iis 6 authentication ISSUE-------------
:
: Issue- we have a virutal webiste (named WEBSITE) that we only want users
of
: a certain group to be able to access. The AD domain name is ABC.com. The
: dns name for the website is WEBSITE.XYZ.COM. The host headers are setup
as
: follows- WEBSITE and WEBSITE.XYZ.COM. DNS entries are setup as follows-
: under the ABC.COM zone- WEBSITE and under the XYZ.COM - WEBSITE. All name
: resolution has been tested and works. IIS security settings for the
virutal
: webiste- WEBSITE are enable anonymous access UNCHECKED, Integrated
Windows
: Authentication IS CHECKED. NTFS permissions are set on the IIS home
folder
: for the group that we want to have access.
:
: Wnen accessing site via http://WEBSITE we gain access to site with no
logon
: (if we are part of group- if not part of group we get a logon- which is
what
: we are looking for)
:
: When trying to access http://WEBSITE.XYZ.COM we get a logon even if we are
: part of the group that has ntfs rights to home folder.
:
: Goal is for users in our domain to access site and not have a secondary
: logon if they belong to an access group- and we can not use anonymous
access
: becuase we have app that looks at the user ID that is accessing the site.
: Everything works when accessing http://WEBISTE
|
|
|
|
|