Integrated Authentication - Default to the main domain
Archived thread from the IIS Server Security newsgroup, September 2005 (text-only copy).
Jonathan Palmer, 2005-07-18, 5:52 pm
I have a Windows 2003/IIS 6.0 application running on a machine that is a
member of the domain but is not a domain controller.
If a user goes to this site and fills in their unqualified user name (i.e.
without a domain name), the authentication fails (as IIS tries to
authenticate against the local accounts) and the logon screen reappears with
servername.mydomain.com\ appended in front of the user name, forcing the user
to know to delete the 'servername.'.
How can I get IIS to always attempt to authenticate against the main domain,
instead of its local accounts database?
Tom Kaminski [MVP], 2005-07-18, 5:52 pm
"Jonathan Palmer" <Jonathan Palmer@discussions.microsoft.com> wrote in
message news:9E1A1EFC-BC6B-4607-A298-64AF847A3679@microsoft.com...
>I have a Windows 2003/IIS 6.0 application running on a machine that is a
> member of the domain but is not a domain controller.
>
> If a user goes to this site and fills in their unqualified user name (i.e.
> without a domain name), the authentication fails (as IIS tries to
> authenticate against the local accounts) and the logon screen reappears
> with
> servername.mydomain.com\ appended in front of the user name, forcing the
> user
> to know to delete the 'servername.'.
>
> How can I get IIS to always attempt to authenticate against the main
> domain,
> instead of its local accounts database?
If you're using Windows Integrated authentication, why have the users
prompted at all?
http://support.microsoft.com/?id=258063
--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsser...ty/centers/iis/
http://mvp.support.microsoft.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
If this is an intranet environment you should be able to avoid logon
prompting altogether with the following:
1) Enable Integrated Windows Authentication (disable anonymous).
2) Browser (IE) security should be set, for the Local Intranet zone, to
automatic logon only in the intranet zone (this is the default setting).
3) Security for the folder/directory which contains the web site (set from
Windows Explorer) should include "Authenticated Users" (you could use
specific domain users or groups if you need to be more restrictive).
The third item above is probably all you are missing.
"Jonathan Palmer" <Jonathan Palmer@discussions.microsoft.com> wrote in
message news:9E1A1EFC-BC6B-4607-A298-64AF847A3679@microsoft.com...
I have a Windows 2003/IIS 6.0 application running on a machine that is a
member of the domain but is not a domain controller.
If a user goes to this site and fills in their unqualified user name (i.e.
without a domain name), the authentication fails (as IIS tries to
authenticate against the local accounts) and the logon screen reappears with
servername.mydomain.com\ appended in front of the user name, forcing the user
to know to delete the 'servername.'.
How can I get IIS to always attempt to authenticate against the main domain,
instead of its local accounts database?
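The following PowerShell script is an added example, not code from any poster in this thread. It audits and enforces items 1 and 3 of the list above against the IIS 6 metabase (via ADSI) and the content folder's NTFS ACL, and reads back the metabase property that governs unqualified user names for Basic authentication. The metabase path IIS://localhost/W3SVC/1/Root/vt (Default Web Site, site ID 1, virtual directory "vt") and the content path D:\wwwroot\vt are placeholders; change them to match the server. PowerShell did not ship with Windows 2003 and has to be installed separately; the same metabase edits can be done with adsutil.vbs. The AuthFlags bit values used are those documented for the IIS 6 metabase (1 = Anonymous, 2 = Basic, 4 = Integrated/NTLM, 16 = Digest, 64 = Passport).

```powershell
# Added example (not from the thread): check and enforce the three-step
# Integrated Windows Authentication setup on an IIS 6 virtual directory.
# Placeholders: site ID 1, vdir "vt", content folder D:\wwwroot\vt.
# Run in an elevated PowerShell session on the IIS host.

$vdirPath    = "IIS://localhost/W3SVC/1/Root/vt"   # assumed metabase path
$contentPath = "D:\wwwroot\vt"                     # assumed content folder

# IIS 6 metabase AuthFlags bit values.
$AuthAnonymous = 1
$AuthBasic     = 2
$AuthNTLM      = 4    # shown as "Integrated Windows authentication" in IIS Manager
$AuthMD5       = 16   # Digest
$AuthPassport  = 64

$vdir  = [ADSI]$vdirPath
$flags = [int]$vdir.AuthFlags.Value
Write-Host ("Current AuthFlags on {0}: {1}" -f $vdirPath, $flags)

# Step 1: Integrated on, Anonymous off. While Anonymous is still enabled IIS
# never sends a 401 challenge, so the browser never authenticates the user.
if ((($flags -band $AuthAnonymous) -ne 0) -or (($flags -band $AuthNTLM) -eq 0)) {
    $vdir.Put("AuthFlags", $AuthNTLM)
    $vdir.SetInfo()
    Write-Host "AuthFlags set to Integrated Windows authentication only."
}

# DefaultLogonDomain is the domain IIS prepends to an unqualified user name,
# but it applies to Basic authentication, not to Integrated. It is read back
# here only so the setting is visible when auditing; leaving it blank makes
# IIS use the web server's own computer as the domain for Basic logons.
$defaultDomain = $vdir.DefaultLogonDomain.Value
Write-Host ("DefaultLogonDomain (Basic authentication only): '{0}'" -f $defaultDomain)

# Step 3: the NTFS ACL on the content must allow Authenticated Users (or a
# narrower domain group) Read & Execute; otherwise every authenticated request
# is refused with 401.3 and the browser keeps prompting.
$principal = "NT AUTHORITY\Authenticated Users"
$readExec  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$acl       = Get-Acl -Path $contentPath
$hasRead   = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $principal -and
    $_.AccessControlType -eq "Allow" -and
    (($_.FileSystemRights -band $readExec) -eq $readExec)
}
if (-not $hasRead) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl -Path $contentPath -AclObject $acl
    Write-Host "Granted Read & Execute to $principal on $contentPath."
} else {
    Write-Host "$principal already has Read & Execute on $contentPath."
}
```

Item 2 (the browser's Local Intranet zone setting) lives on the client, not on the server, so it is not touched here. If a group other than Authenticated Users is used in step 3, keep the IIS worker process identity and IUSR/IWAM accounts out of the picture: with Anonymous disabled the request runs as the authenticated domain user, and that user is the one the NTFS ACL must allow.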
Kim Kragh, 2005-09-02, 5:57 pm
I have the same problem as Jonathan. And I have both authenticated users
coming from the intranet and people from home logging on through a NAT in
the firewall. I will try to explain further:
The machine is dt1 (on the domain), the website is vt and the domain is
intranet. From the inside, if authenticated users go to http://dt1/vt they
are on and everything is fine. This website is actually a virtual directory
on the default website.
Now I would like users to use the app (IssueTracker) from home. Here they
are not authenticated and should be prompted for their domain credentials.
The address is issuetracker.comp.dk and they first have to supply
username/password to get NAT'ed through the firewall. The firewall redirects
to the IP of dt1.
To catch these requests I have set up a new website on dt1 with a host header.
Same path to the app and same security settings.
I have not tried it from outside yet, but using this new website from the
inside now prompts the already authenticated users. It is as if it does not
recognize the authenticated users? Is that due to an outside address
(issuetracker.comp.dk)?
Furthermore, when supplying the credentials, the user is rejected with
issuetracker.comp.dk\username in the new password prompt. If they replace
issuetracker.comp.dk with intranet, he's in.
So I'm back to Jonathan's question: Why is dt1 not using the domain as
default?
I will get back with info on how the thing behaves from the outside.
At last (if still not clear): I would like to have all users use the
issuetracker.comp.dk address and of course the inside users get right in,
the home users supply their domain credentials (but without intranet\....)
Thanks in advance!
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:OmzhR37iFHA.3608@TK2MSFTNGP12.phx.gbl...
> "Jonathan Palmer" <Jonathan Palmer@discussions.microsoft.com> wrote in
> message news:9E1A1EFC-BC6B-4607-A298-64AF847A3679@microsoft.com...
>
> If you're using Windows Integrated authentication, why have the users
> prompted at all?
> http://support.microsoft.com/?id=258063
>
> --
> Tom Kaminski IIS MVP
> http://www.microsoft.com/windowsser...ty/centers/iis/
> http://mvp.support.microsoft.com/
> http://www.iistoolshed.com/ - tools, scripts, and utilities for running
> IIS
>
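An added example, not from any poster in this thread, for item 2 of the earlier three-step answer as it applies to the host-header site described above. Internet Explorer decides zone membership by name: a host name without dots (dt1) is placed in the Local Intranet zone, where automatic logon with the current credentials is on by default, while a dotted name such as issuetracker.comp.dk falls into the Internet zone, where IE prompts instead of sending the logged-on user's credentials. The script below adds the dotted name to the Local Intranet zone for the current user through IE's standard ZoneMap registry location, so domain-joined clients on the inside can use the same URL as home users without a prompt. The host and domain names are taken from the post above; the registry path and zone numbers are IE's documented ones.

```powershell
# Added example (not from the thread): map issuetracker.comp.dk into IE's
# Local Intranet zone for the current user, so Integrated Windows
# authentication logs on silently with the domain credentials already held.
# Zone numbers: 0 My Computer, 1 Local Intranet, 2 Trusted, 3 Internet, 4 Restricted.

$zoneMapRoot   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
$LocalIntranet = 1

function Add-IntranetSite {
    param(
        [string]$Domain,            # e.g. comp.dk
        [string]$HostName,          # e.g. issuetracker
        [string]$Scheme = "http"    # one of http, https, or * for all schemes
    )
    # ZoneMap stores one key per domain and one subkey per host; the value
    # name is the scheme and the DWORD data is the zone number.
    $key = Join-Path (Join-Path $zoneMapRoot $Domain) $HostName
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name $Scheme -Value $LocalIntranet `
        -PropertyType DWord -Force | Out-Null
}

function Get-SiteZone {
    param([string]$Domain, [string]$HostName, [string]$Scheme = "http")
    $key = Join-Path (Join-Path $zoneMapRoot $Domain) $HostName
    if (-not (Test-Path $key)) { return $null }
    $props = Get-ItemProperty -Path $key
    if ($props.PSObject.Properties[$Scheme]) { return [int]$props.$Scheme }
    return $null
}

# Names from Kim's post: the external URL is http://issuetracker.comp.dk
Add-IntranetSite -Domain "comp.dk" -HostName "issuetracker" -Scheme "http"

# Read the mapping back; 1 means Local Intranet.
$zone = Get-SiteZone -Domain "comp.dk" -HostName "issuetracker" -Scheme "http"
Write-Host ("Zone for http://issuetracker.comp.dk is now: {0}" -f $zone)
```

In a domain the same mapping is normally pushed to every client with the "Site to Zone Assignment List" Group Policy setting rather than edited per user. Two caveats: placing a site in the Local Intranet zone relaxes IE's other security settings for that site as well, not only the logon behaviour, so only add names you control; and home machines that are not domain members still have no domain credentials to send, so they will be prompted regardless of zone and must type the account in DOMAIN\user form (here intranet\user), which is why the prompt shows a server-derived prefix when only a bare user name is entered.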