IIS Server Security - IIS6, WIN2k3SP1 and integrated authentication

Author

IIS6, WIN2k3SP1 and integrated authentication

msuk

2005-04-14, 7:50 am

All,

I have IIS6 running on my Windows 2003 SP1 enterprise server and have a
problem accessing websites using IE6 that are using integrated
authentication over the interner.

When I browse to a virtual directory that only has annoymous access over the
internet I am
able to see the page using IE6. Now if I browse to a virtual directory that
is using only integrated authentication on a WinXP SP2 machine over the
internet I am prompted
to enter a username and password which I do so in the following format:

Username: domain\username
passwiord: *******

the page appears. If I do the same thing in Windows 2000 SP4 IE6 over the
internet I am
prompted for username, password and domain which I enter and then get a http
401.1 error.

If I use Firefox 1.02 on my Windows 2000 SP4 machine over the internet I am
prompted for user
and password that I enter in the following format:

Username: domain\username
passwiord: *******

and the page appears, so my question is why does IE6 give me a http 401.1
error - not authorized to view page?

I recently installed SP1 for Windows 2003 and applied the following:

http://support.microsoft.com/defaul...kb;en-us;896861

Can some please help :-)

Thanks
msuk

David Wang [Msft]

2005-04-21, 2:49 am

According to KB 896861, it applies only if the client and server are on the
same machine (i.e. accessing localhost). This is not what you are doing, so
it is no surprise that it does nothing for you.

If the server is in a domain, it is probably because IE tried (and failed)
to get Kerberos working over the Internet (probably because you don't have
it working), while Firefox tried (and randomly succeeded) to get NTLM
working.

Determine which authentication protocol you want to use, and configure
client/server to use that protocol.

It would be useful to look at the web server's log files for the failed
401.x requests to know what sub status error as well as Win32 status code.
Otherwise, you are just blindly guessing.

Integrated authentication over the Internet is pretty much only going to
work with Kerberos (NTLM is connection based authentication and will be very
hit-and-miss, depending on the network proxies between client and server),
so you'll want to make Kerberos work.

Here are some URLs to get started :
http://www.microsoft.com/WINDOWS200...y/kerbsteps.asp
http://www.microsoft.com/technet/pr...y/constdel.mspx
http://www.microsoft.com/technet/pr...ty/kerbnlb.mspx

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"msuk" <msuk@discussions.microsoft.com> wrote in message
news:3D6F8A95-9D19-40B5-BB58-4AA4420C5F2A@microsoft.com...
All,

I have IIS6 running on my Windows 2003 SP1 enterprise server and have a
problem accessing websites using IE6 that are using integrated
authentication over the interner.

When I browse to a virtual directory that only has annoymous access over the
internet I am
able to see the page using IE6. Now if I browse to a virtual directory that
is using only integrated authentication on a WinXP SP2 machine over the
internet I am prompted
to enter a username and password which I do so in the following format:

Username: domain\username
passwiord: *******

the page appears. If I do the same thing in Windows 2000 SP4 IE6 over the
internet I am
prompted for username, password and domain which I enter and then get a http
401.1 error.

If I use Firefox 1.02 on my Windows 2000 SP4 machine over the internet I am
prompted for user
and password that I enter in the following format:

Username: domain\username
passwiord: *******

and the page appears, so my question is why does IE6 give me a http 401.1
error - not authorized to view page?

I recently installed SP1 for Windows 2003 and applied the following:

http://support.microsoft.com/defaul...kb;en-us;896861

Can some please help :-)

Thanks
msuk