Windows Integrated Authentication on standalone server

Oyvind 2005-06-14, 7:53 am
Hi.
I wish to use Windows Integrated Authentication in IIS to authenticate
users logging on. The problem is that the web server is a standalone
server located in DMZ, and I wish to authenticate using domain accounts.
Am I right to assume that this is not possible, as long as the web
server is not in a domain trusted by the domain users are authenticated
with, or member of that domain ?
Will the only solution then be, to add the web server to a new domain,
and trust that domain (or add it to the already existing domain.) ?
Any help is greatly appreciated. Thanks!
- Oyvind

Tom Kaminski [MVP] 2005-06-14, 5:56 pm
"Oyvind" <oyvind@nospam.no> wrote in message
news:%23%23oENpLcFHA.3464@tk2msftngp13.phx.gbl...
> Hi.
>
> I wish to use Windows Integrated Authentication in IIS to authenticate
> users logging on. The problem is that the web server is a standalone
> server located in DMZ, and I wish to authenticate using domain accounts.
>
> Am I right to assume that this is not possible, as long as the web server
> is not in a domain trusted by the domain users are authenticated with, or
> member of that domain ?
>
> Will the only solution then be, to add the web server to a new domain, and
> trust that domain (or add it to the already existing domain.) ?
The whole point of Windows Integrated authentication is to use a domain.
--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsser...ty/centers/iis/
http://mvp.support.microsoft.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS

Ken Schaefer 2005-06-14, 8:51 pm
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:%23G$vCnOcFHA.2124@TK2MSFTNGP14.phx.gbl...
: "Oyvind" <oyvind@nospam.no> wrote in message
: news:%23%23oENpLcFHA.3464@tk2msftngp13.phx.gbl...
: > Hi.
: >
: > I wish to use Windows Integrated Authentication in IIS to authenticate
: > users logging on. The problem is that the web server is a standalone
: > server located in DMZ, and I wish to authenticate using domain accounts.
: >
: > Am I right to assume that this is not possible, as long as the web server
: > is not in a domain trusted by the domain users are authenticated with, or
: > member of that domain ?
: >
: > Will the only solution then be, to add the web server to a new domain, and
: > trust that domain (or add it to the already existing domain.) ?
:
: The whole point of Windows Integrated authentication is to use a domain.
That's not true. IWA will work fine for accounts local to the webserver.
There is no requirement for a domain.
Cheers
Ken

Jeff Cochran 2005-06-15, 7:48 am
On Tue, 14 Jun 2005 10:25:07 +0200, Oyvind <oyvind@nospam.no> wrote:
>I wish to use Windows Integrated Authentication in IIS to authenticate
>users logging on. The problem is that the web server is a standalone
>server located in DMZ, and I wish to authenticate using domain accounts.
>
>Am I right to assume that this is not possible, as long as the web
>server is not in a domain trusted by the domain users are authenticated
>with, or member of that domain ?
Correct. That's basic Windows security.
>Will the only solution then be, to add the web server to a new domain,
>and trust that domain (or add it to the already existing domain.) ?
Yep. You also need to ensure a few more ports are open in the
firewall for authentication. See:
http://support.microsoft.com/defaul...kb;en-us;832017
Jeff

Jeff Cochran 2005-06-15, 7:48 am
On Tue, 14 Jun 2005 10:25:07 +0200, Oyvind <oyvind@nospam.no> wrote:
>Hi.
>
>I wish to use Windows Integrated Authentication in IIS to authenticate
>users logging on. The problem is that the web server is a standalone
>server located in DMZ, and I wish to authenticate using domain accounts.
>
>Am I right to assume that this is not possible, as long as the web
>server is not in a domain trusted by the domain users are authenticated
>with, or member of that domain ?
>
>Will the only solution then be, to add the web server to a new domain,
>and trust that domain (or add it to the already existing domain.) ?
Also look at:
How to configure a firewall for domains and trusts:
http://support.microsoft.com/defaul...kb;en-us;179442
Jeff

Tom Kaminski [MVP] 2005-06-15, 7:48 am
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:OgnKJoTcFHA.3040@TK2MSFTNGP14.phx.gbl...
> "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
> news:%23G$vCnOcFHA.2124@TK2MSFTNGP14.phx.gbl...
> : "Oyvind" <oyvind@nospam.no> wrote in message
> : news:%23%23oENpLcFHA.3464@tk2msftngp13.phx.gbl...
> : > Hi.
> : >
> : > I wish to use Windows Integrated Authentication in IIS to authenticate
> : > users logging on. The problem is that the web server is a standalone
> : > server located in DMZ, and I wish to authenticate using domain accounts.
> : >
> : > Am I right to assume that this is not possible, as long as the web server
> : > is not in a domain trusted by the domain users are authenticated with, or
> : > member of that domain ?
> : >
> : > Will the only solution then be, to add the web server to a new domain, and
> : > trust that domain (or add it to the already existing domain.) ?
> :
> : The whole point of Windows Integrated authentication is to use a domain.
>
>
> That's not true. IWA will work fine for accounts local to the webserver.
> There is no requirement for a domain.
OK - what would be the benefit?

Ken Schaefer 2005-06-16, 2:48 am
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:%23tUA0uacFHA.3204@TK2MSFTNGP12.phx.gbl...
: "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
: news:OgnKJoTcFHA.3040@TK2MSFTNGP14.phx.gbl...
: > "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
: > news:%23G$vCnOcFHA.2124@TK2MSFTNGP14.phx.gbl...
: > : "Oyvind" <oyvind@nospam.no> wrote in message
: > : news:%23%23oENpLcFHA.3464@tk2msftngp13.phx.gbl...
: > : > Hi.
: > : >
: > : > I wish to use Windows Integrated Authentication in IIS to authenticate
: > : > users logging on. The problem is that the web server is a standalone
: > : > server located in DMZ, and I wish to authenticate using domain accounts.
: > : >
: > : > Am I right to assume that this is not possible, as long as the web server
: > : > is not in a domain trusted by the domain users are authenticated with, or
: > : > member of that domain ?
: > : >
: > : > Will the only solution then be, to add the web server to a new domain, and
: > : > trust that domain (or add it to the already existing domain.) ?
: > :
: > : The whole point of Windows Integrated authentication is to use a domain.
: >
: >
: > That's not true. IWA will work fine for accounts local to the webserver.
: > There is no requirement for a domain.
:
: OK - what would be the benefit?
IWA describes a method of conveying a user's credentials from the client to
the server (basically a way of having the client tell the server who the
client is). As such, it competes with Basic and Digest authentication
mechanisms. So Basic Auth can be used for local -or- domain accounts, and
IWA can be used for local or domain accounts as well.
Where/how the organisation manages the username/password store that the
server has access to is a completely separate matter. The arguments
regarding Domains -vs- Workgroup (local accounts) are the same regardless of
whether you are using Basic, Digest or IWA (NTLM or Kerberos)
authentication. [1]
Cheers
Ken
[1] Well, there's a limitation in Windows that Digest can't be used with
local accounts because an MD5 hash of the user's password can not be
calculated for a local user (there is no facility for storing passwords with
reversible encryption, and no facility for storing a pre-calculated hash).
But that is not a limitation in either the Digest standard or IIS, but how
the Windows local SAM was developed.
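Ken's footnote is the reason Digest needs either a recoverable password or a pre-computed MD5(user:realm:password): the server must recompute the client's response from exactly that value and nothing else. The following Python is an added example, not code from this thread or from IIS. It works the RFC 2617 arithmetic with qop=auth (the test values are the RFC's own worked example: user Mufasa, realm testrealm@host.com, password "Circle Of Life") and checks one client response against three kinds of credential store; the sha256 in OneWayStore is a stand-in I chose for the SAM's one-way NT hash, not what Windows actually stores.

```python
"""HTTP Digest (RFC 2617) from the server's side: it needs MD5(user:realm:password),
and no other representation of the password will do. Example code, not from the thread."""
import hashlib
import hmac


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    """The secret the server must be able to produce: HA1 = MD5(user:realm:password)."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(h1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    h2 = _md5(f"{method}:{uri}")
    return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def client_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """What the browser sends; the password itself never leaves the client."""
    return digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)


class ReversibleStore:
    """Passwords kept recoverable, so HA1 can be derived for any realm on demand."""
    def __init__(self, creds):
        self._creds = dict(creds)

    def ha1_for(self, username, realm):
        pw = self._creds.get(username)
        return None if pw is None else ha1(username, realm, pw)


class PrecomputedStore:
    """Only MD5(user:realm:password), computed when the password was set, per known realm."""
    def __init__(self, entries):
        self._ha1 = dict(entries)          # {(username, realm): ha1}

    def ha1_for(self, username, realm):
        return self._ha1.get((username, realm))


class OneWayStore:
    """Stand-in for a local SAM: only an unrelated one-way hash of the password (sha256 here;
    the real SAM keeps an NT hash, which is just as useless for Digest)."""
    def __init__(self, creds):
        self._hashes = {u: hashlib.sha256(p.encode("utf-8")).hexdigest()
                        for u, p in creds.items()}

    def ha1_for(self, username, realm):
        return None                        # HA1 cannot be reconstructed from a different hash


def verify(store, username, realm, method, uri, nonce, nc, cnonce, response):
    """Server side: recompute the response from the store's HA1 and compare in constant time."""
    h1 = store.ha1_for(username, realm)
    if h1 is None:
        return False                       # this store cannot serve Digest for the user/realm
    expected = digest_response(h1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    args = dict(username="Mufasa", realm="testrealm@host.com", method="GET",
                uri="/dir/index.html", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                nc="00000001", cnonce="0a4f113b")
    resp = client_response(password="Circle Of Life", **args)
    for store in (ReversibleStore({"Mufasa": "Circle Of Life"}),
                  PrecomputedStore({("Mufasa", "testrealm@host.com"):
                                    ha1("Mufasa", "testrealm@host.com", "Circle Of Life")}),
                  OneWayStore({"Mufasa": "Circle Of Life"})):
        print(type(store).__name__, verify(store, response=resp, **args))
```

The reversible and pre-computed stores both verify the same response; the one-way store cannot, which is exactly the local-SAM situation Ken describes, and it is a property of the store, not of Digest or IIS.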

Tom Kaminski [MVP] 2005-06-17, 5:53 pm
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:uKGMP7hcFHA.1448@TK2MSFTNGP14.phx.gbl...
>
>
> "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
> news:%23tUA0uacFHA.3204@TK2MSFTNGP12.phx.gbl...
> : "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> : news:OgnKJoTcFHA.3040@TK2MSFTNGP14.phx.gbl...
> : > "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
> : > news:%23G$vCnOcFHA.2124@TK2MSFTNGP14.phx.gbl...
> : > : "Oyvind" <oyvind@nospam.no> wrote in message
> : > : news:%23%23oENpLcFHA.3464@tk2msftngp13.phx.gbl...
> : > : > Hi.
> : > : >
> : > : > I wish to use Windows Integrated Authentication in IIS to authenticate
> : > : > users logging on. The problem is that the web server is a standalone
> : > : > server located in DMZ, and I wish to authenticate using domain accounts.
> : > : >
> : > : > Am I right to assume that this is not possible, as long as the web server
> : > : > is not in a domain trusted by the domain users are authenticated with, or
> : > : > member of that domain ?
> : > : >
> : > : > Will the only solution then be, to add the web server to a new domain, and
> : > : > trust that domain (or add it to the already existing domain.) ?
> : > :
> : > : The whole point of Windows Integrated authentication is to use a domain.
> : >
> : >
> : > That's not true. IWA will work fine for accounts local to the
> webserver.
> : > There is no requirement for a domain.
> :
> : OK - what would be the benefit?
>
> IWA describes a method of conveying a users credentials from the client to
> the server (basically a way of having the client tell the server who the
> client is). As such, it competes with Basic and Digest authentication
> mechanisms. So Basic Auth can be used for local -or- domain accounts, and
> IWA can be used for local or domain accounts as well.
>
> Where/how the organisation manages the username/password store that the
> server has access to is a completely separate matter. The arguments
> regarding Domains -vs- Workgroup (local accounts) are the same regardless of
> whether you are using Basic, Digest or IWA (NTLM or Kerberos)
> authentication. [1]
>
> Cheers
> Ken
>
> [1] Well, there's a limitation in Windows that Digest can't be used with
> local accounts because an MD5 hash of the user's password can not be
> calculated for a local user (there is no facility for storing passwords with
> reversible encryption, and no facility for storing a pre-calculated hash).
> But that is not a limitation in either the Digest standard or IIS, but how
> the Windows local SAM was developed.
Right - so what's the benefit if he's not in a domain?
I wasn't saying it wouldn't work, just that the whole point was to use it in
a domain where some of the benefits are 1) password doesn't get sent over
the wire and 2) credentials can be passed in the background so the user
doesn't get prompted.
: )
--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsser...ty/centers/iis/
http://mvp.support.microsoft.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
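Ken's point that IWA only conveys who the client is, and Tom's point that the password never crosses the wire, are both visible in the NTLM leg of IWA: the server answers the first request with a CHALLENGE_MESSAGE (Type 2) carrying a random challenge and a TargetInfo block naming the machine and the domain it will authenticate against. That block also answers Oyvind's practical question from the outside: a server that is not domain-joined reports its own computer name as the NetBIOS "domain", so the challenge tells you whether the box can see anything but its local SAM. The Python below is an added example, not code from this thread or from IIS; it decodes a Type 2 token per the MS-NLMP layout, and because it must run offline it also assembles constructed sample challenges (the hostnames WEB01, CORP and corp.example are made up, and a real IIS challenge additionally carries a Version field and a timestamp AV pair, which the parser skips over).

```python
"""Decode the NTLM CHALLENGE_MESSAGE (Type 2) a server returns in WWW-Authenticate.

MS-NLMP layout: signature(8) type(4) TargetNameFields(8) NegotiateFlags(4)
ServerChallenge(8) Reserved(8) TargetInfoFields(8) [Version(8)] payload.
Field offsets in the payload are absolute, so the optional Version does not matter."""
import base64
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000

# String-valued AV_PAIR ids in the TargetInfo blob; MsvAvEOL (0) terminates the list.
AV_NAMES = {
    1: "nb_computer_name",
    2: "nb_domain_name",
    3: "dns_computer_name",
    4: "dns_domain_name",
    5: "dns_tree_name",
}


def offered_schemes(www_authenticate_headers):
    """Scheme names from the WWW-Authenticate values of a 401 (IIS sends one header per scheme)."""
    return [value.strip().split(" ", 1)[0] for value in www_authenticate_headers]


def _av_pairs(payload):
    """Walk AV_PAIR entries (id:2, len:2, value) until MsvAvEOL; keep the string-valued ones."""
    pairs = {}
    pos = 0
    while pos + 4 <= len(payload):
        av_id, av_len = struct.unpack_from("<HH", payload, pos)
        pos += 4
        if av_id == 0:
            break
        value = payload[pos:pos + av_len]
        pos += av_len
        if av_id in AV_NAMES:              # MsvAvFlags / MsvAvTimestamp are binary; skipped
            pairs[AV_NAMES[av_id]] = value.decode("utf-16-le")
    return pairs


def parse_ntlm_challenge(header_value):
    """Parse 'NTLM <b64>' (or 'Negotiate <b64>' when the token is raw NTLMSSP, not SPNEGO)."""
    scheme, _, token = header_value.strip().partition(" ")
    blob = base64.b64decode(token)
    if blob[:8] != b"NTLMSSP\x00":
        raise ValueError("token is not raw NTLMSSP (a SPNEGO/Kerberos blob?)")
    msg_type, = struct.unpack_from("<I", blob, 8)
    if msg_type != 2:
        raise ValueError(f"expected CHALLENGE_MESSAGE (type 2), got type {msg_type}")
    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", blob, 12)
    flags, = struct.unpack_from("<I", blob, 20)
    challenge = blob[24:32]
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", blob, 40)
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    info = {
        "scheme": scheme,
        "flags": flags,
        "server_challenge": challenge.hex(),   # the nonce the client keys its response with
        "target_name": blob[tn_off:tn_off + tn_len].decode(enc),
    }
    if flags & NTLMSSP_NEGOTIATE_TARGET_INFO and ti_len:
        info.update(_av_pairs(blob[ti_off:ti_off + ti_len]))
    return info


def account_store_hint(info):
    """A host that is not domain-joined reports its own computer name as the NetBIOS 'domain'."""
    nb_dom = info.get("nb_domain_name")
    nb_comp = info.get("nb_computer_name")
    if nb_dom and nb_comp and nb_dom.upper() == nb_comp.upper():
        return "standalone: only local SAM accounts can authenticate"
    if nb_dom:
        return f"domain-joined: domain {nb_dom} (DNS {info.get('dns_domain_name', '?')})"
    return "unknown: challenge carries no target info"


def build_challenge(target, nb_computer, nb_domain, dns_computer, dns_domain,
                    challenge=b"\x01\x23\x45\x67\x89\xab\xcd\xef"):
    """Constructed sample (not a capture): the fields a server fills in, minus the optional Version."""
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_TARGET_INFO
    tname = target.encode("utf-16-le")
    avs = b""
    for av_id, text in ((1, nb_computer), (2, nb_domain), (3, dns_computer), (4, dns_domain)):
        value = text.encode("utf-16-le")
        avs += struct.pack("<HH", av_id, len(value)) + value
    avs += struct.pack("<HH", 0, 0)                     # MsvAvEOL
    tn_off = 48                                         # fixed header is 48 bytes
    ti_off = tn_off + len(tname)
    msg = (b"NTLMSSP\x00" + struct.pack("<I", 2)
           + struct.pack("<HHI", len(tname), len(tname), tn_off)
           + struct.pack("<I", flags) + challenge + b"\x00" * 8
           + struct.pack("<HHI", len(avs), len(avs), ti_off)
           + tname + avs)
    return "NTLM " + base64.b64encode(msg).decode("ascii")


if __name__ == "__main__":
    # Two constructed challenges: a workgroup box in the DMZ, and a domain member.
    for hdr in (build_challenge("WEB01", "WEB01", "WEB01", "web01", "web01"),
                build_challenge("CORP", "WEB01", "CORP", "web01.corp.example", "corp.example")):
        info = parse_ntlm_challenge(hdr)
        print(info["target_name"], "->", account_store_hint(info))
```

Against a live server you would send one unauthenticated request, take the NTLM (or raw-NTLMSSP Negotiate) value from the 401's WWW-Authenticate headers, reply with a Type 1 token to get the Type 2, and feed that to parse_ntlm_challenge; nothing in the exchange contains a password, only the server's challenge and, later, the client's keyed response to it.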