IIS Server Security - Re: IIS 6 Integrated Authentication and IE 6 - security credential

This is Interesting: Free IT Magazines  
Home > Archive > IIS Server Security > April 2005 > Re: IIS 6 Integrated Authentication and IE 6 - security credential





You are viewing an archived Text-only version of the thread. To view this thread in it's original format and/or if you want to reply to this thread please [click here]

Author Re: IIS 6 Integrated Authentication and IE 6 - security credential
Matthew Emsley

2005-04-06, 5:57 pm

I think I'm experiencing the smae problem. I have Win2003 with IIS6. I just
installed SP1.

My server is in a domain. I'm running two websites through IIS6. Anoymous
access is OFF, and I'm using Integrated Windows authentication

My server has a static IP address and the
DNS name is: FLOWER.COMPANY.COM
WINS name is: TLA-FLOWER
I have aliased the website names on companies DNS server to my IP address
Alias name 1: PETAL.COMPANY.COM
Alias name 2: STEM.COMPANY.COM

I have PETAL.COMPANY.COM as the default website.

Before SPI if i connected to http://PETAL it did not ask for a username and
password (it was in the Local Intranet Zone). After SP1 going to
http://PETAL or http://FLOWER asks me for a username and password and the
Domain username and password I use eventially result in a error 401.1. If,
however I use the WINS name: http://TLA-FLOWER I am not asked for the
username and password and I am able to connect to the webpage again on the
Local Intranet zone.

All help is appreciated.




"Andy Wright" wrote:

> Thanks for the information David. The article that you provided the link to
> mentioned includes the following:
>
> ----------------
> Forcing NTLM
> In the following situations, Kerberos fails and you must force IIS to use
> NTLM authentication by setting the NTAuthenticationProviders metabase
> property to NTLM.
>
> 1) When you isolate Web sites on a virtual directory level by configuring
> worker process identities as different domain accounts, Kerberos fails.
>
> 2) If you are using Integrated Windows authentication, are not using a WINS
> or DNS name for the server running IIS, and you want to use a local user
> account or the LocalService account as a worker process identity, Kerberos
> authentication fails because Active Directory will not "trust" the accounts.
> --------------
>
> Because I had configured the application as in 1) above, Kerberos was
> failing. When I set the NTAuthenticationProviders metabase property to NTLM
> the problem was fixed. This seems to work ok when set at the virtual
> directory level and so needn't have an impact on other applications in the
> Web site.
>
> Do you know of any references that describe the likely consequences of
> setting this metabase property for an application and any workrounds or
> configuration options that are available for applications that need to rely
> on Kerberos features?
>
> I also tried setting the Application Pool Identity for the entire web site
> rather than at the Application/Virtual Directory level and that seems to
> work ok even when Kerberos is enabled (NTAuthenticationProviders metabase
> property set to Negotiate,NTLM).
>
>
> "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
> news:e5krHpmOFHA.2748@TK2MSFTNGP09.phx.gbl...
>
>
>
Sponsored Links






Free braindumps | Software forum | Database administration forum

Copyright 2003 - 2008 webservertalk.com