IIS Server Security - Integrated Authentication fails on XP Pro IIS Server

This is Interesting: Free IT Magazines  
Home > Archive > IIS Server Security > September 2005 > Integrated Authentication fails on XP Pro IIS Server





You are viewing an archived Text-only version of the thread. To view this thread in it's original format and/or if you want to reply to this thread please [click here]

Author Integrated Authentication fails on XP Pro IIS Server
jgochin

2005-09-20, 6:05 pm

Machine Config follows...
-----------------------------------------------------------
HOST NAME: myworkstation
IIS Ver5.1
Resides on a private non-routable IP subnet
Is a member of a domain
XP Firewall is currently off
Logged in to workstation as a member of the domain
Default website has Anonymous Authentication turned OFF
Integrated Authenication is turned ON.
1 Virtual Directory / .NET Application (TEST) also with Anonymous
Authentication turned OFF and Integrated Authenication is turned ON.


Problem
---------------------------------------------------------------
The TEST application has a single page called test.aspx which simply returns
the values of Page.User.Indenity object; User Name, Authentication Type, and
IsAuthenticated.

In a perfect world the page would run, Integrated Authentication would do
its then and the page would return with the required information. In my
world different things happen under different scenarios.

Scenario 1
----------------
Logged on to myworkstation (Running Windows XP Pro) using a valid domain
account
Accessed page using the following url http://localhost/test/test.aspx
Page returns displaying the logged on user info as expected.

Scenario 2
----------------
Logged on to myworkstation (Running Windows XP Pro) using a valid domain
account
Accessed page using the following url
http://myworkstation.mydomain.local/test/test.aspx
I get promted with the IE Logon Dialog
No matter what I use as the logon name password I can't authenticated

Scenario 3
----------------
Logged on to myWin2k Server (Running Windows 2000 SBS) using a valid domain
account
Accessed page using the following url
http://myworkstation.mydomain.local/test/test.aspx
I get promted with the IE Logon Dialog this time also, but its because the
logged on user does not have proper permissions to access this page. This is
a good thing. I enter user name and password should have access and tada!!!!
Page returns displaying the logged on user info as expected.

Scenario 4
----------------
Logged on to myotherworkstation (Running XP Pro) using a valid domain account
Accessed page using the following url
http://myworkstation.mydomain.local/test/test.aspx
I get promted with the IE Logon Dialog
No matter what I use as the logon name password I can't authenticated

Anyone have an idea of what is going wrong here?

Thank you in advance for you help with this issue
Jeff Gochin
A-SYS-T, Inc.
jgochin@asystinc.com




Miha Pihler [MVP]

2005-09-20, 6:05 pm

Hi,

Try to add URL "http://myworkstation.mydomain.local" (your "server" URL) to
Local Intranet Zone in IE. Integrated Authentication will only work for
Local Intranet Zone and by default only URLs like http://myworkstation are
in Local Intranet Zone. Not even http://10.10.10.10 where 10.10.10.10 is IP
address of your workstation would work since this would not fall under Local
Intranet zone.

I hope it helps. If it doesn't post back and we will try to find another
solution. :-)

--
Mike
Microsoft MVP - Windows Security

"jgochin" <jgochin@discussions.microsoft.com> wrote in message
news:7ED51B52-20C6-45A5-865F-C4BB91AF00A1@microsoft.com...
> Machine Config follows...
> -----------------------------------------------------------
> HOST NAME: myworkstation
> IIS Ver5.1
> Resides on a private non-routable IP subnet
> Is a member of a domain
> XP Firewall is currently off
> Logged in to workstation as a member of the domain
> Default website has Anonymous Authentication turned OFF
> Integrated Authenication is turned ON.
> 1 Virtual Directory / .NET Application (TEST) also with Anonymous
> Authentication turned OFF and Integrated Authenication is turned ON.
>
>
> Problem
> ---------------------------------------------------------------
> The TEST application has a single page called test.aspx which simply
> returns
> the values of Page.User.Indenity object; User Name, Authentication Type,
> and
> IsAuthenticated.
>
> In a perfect world the page would run, Integrated Authentication would do
> its then and the page would return with the required information. In my
> world different things happen under different scenarios.
>
> Scenario 1
> ----------------
> Logged on to myworkstation (Running Windows XP Pro) using a valid domain
> account
> Accessed page using the following url http://localhost/test/test.aspx
> Page returns displaying the logged on user info as expected.
>
> Scenario 2
> ----------------
> Logged on to myworkstation (Running Windows XP Pro) using a valid domain
> account
> Accessed page using the following url
> http://myworkstation.mydomain.local/test/test.aspx
> I get promted with the IE Logon Dialog
> No matter what I use as the logon name password I can't authenticated
>
> Scenario 3
> ----------------
> Logged on to myWin2k Server (Running Windows 2000 SBS) using a valid
> domain
> account
> Accessed page using the following url
> http://myworkstation.mydomain.local/test/test.aspx
> I get promted with the IE Logon Dialog this time also, but its because the
> logged on user does not have proper permissions to access this page. This
> is
> a good thing. I enter user name and password should have access and
> tada!!!!
> Page returns displaying the logged on user info as expected.
>
> Scenario 4
> ----------------
> Logged on to myotherworkstation (Running XP Pro) using a valid domain
> account
> Accessed page using the following url
> http://myworkstation.mydomain.local/test/test.aspx
> I get promted with the IE Logon Dialog
> No matter what I use as the logon name password I can't authenticated
>
> Anyone have an idea of what is going wrong here?
>
> Thank you in advance for you help with this issue
> Jeff Gochin
> A-SYS-T, Inc.
> jgochin@asystinc.com
>
>
>
>


jgochin

2005-09-20, 6:05 pm

Thanks.

That did the trick. I must admit, I did try what you suggested very early
on but it did not work. I suspect I may have also needed to enable
delegation for myworkstation on the AD Server which I just did recently.

In any case it is now working... thanks for focusing me back on the obvious

- Jeff

"Miha Pihler [MVP]" wrote:

> Hi,
>
> Try to add URL "http://myworkstation.mydomain.local" (your "server" URL) to
> Local Intranet Zone in IE. Integrated Authentication will only work for
> Local Intranet Zone and by default only URLs like http://myworkstation are
> in Local Intranet Zone. Not even http://10.10.10.10 where 10.10.10.10 is IP
> address of your workstation would work since this would not fall under Local
> Intranet zone.
>
> I hope it helps. If it doesn't post back and we will try to find another
> solution. :-)
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "jgochin" <jgochin@discussions.microsoft.com> wrote in message
> news:7ED51B52-20C6-45A5-865F-C4BB91AF00A1@microsoft.com...
>
>
>
jgochin

2005-09-20, 6:05 pm

I take it back the problem still exists. Only "Scenario" 4 was fixed by
adding the wildcard domain to the Intranet List of Sites. "Scenario 2" is
still a problem.

"Miha Pihler [MVP]" wrote:

> Hi,
>
> Try to add URL "http://myworkstation.mydomain.local" (your "server" URL) to
> Local Intranet Zone in IE. Integrated Authentication will only work for
> Local Intranet Zone and by default only URLs like http://myworkstation are
> in Local Intranet Zone. Not even http://10.10.10.10 where 10.10.10.10 is IP
> address of your workstation would work since this would not fall under Local
> Intranet zone.
>
> I hope it helps. If it doesn't post back and we will try to find another
> solution. :-)
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "jgochin" <jgochin@discussions.microsoft.com> wrote in message
> news:7ED51B52-20C6-45A5-865F-C4BB91AF00A1@microsoft.com...
>
>
>
Miha Pihler [MVP]

2005-09-20, 6:05 pm

Did you add the site to Local Intranet Zone on the "other" Workstation? Can
you see Local Intranet Zone Icon in Right corner of the browser?

My recommendation would also be to test this on server (e.g. IIS 5 or IIS 6)
and I am pretty sure it would work (it should) :-)

--
Mike
Microsoft MVP - Windows Security

"jgochin" <jgochin@discussions.microsoft.com> wrote in message
news:7C7AC86E-F68C-47D2-A897-D7FCB5340E8B@microsoft.com...[vbcol=seagreen]
>I take it back the problem still exists. Only "Scenario" 4 was fixed by
> adding the wildcard domain to the Intranet List of Sites. "Scenario 2" is
> still a problem.
>
> "Miha Pihler [MVP]" wrote:
>


jgochin

2005-09-20, 6:05 pm

Yes I did. Like I said in the "Other" workstation now works. But the
workstation running IIS 5.1 still exhibits the problem. It only works
correctly with "localhost".


"Miha Pihler [MVP]" wrote:

> Did you add the site to Local Intranet Zone on the "other" Workstation? Can
> you see Local Intranet Zone Icon in Right corner of the browser?
>
> My recommendation would also be to test this on server (e.g. IIS 5 or IIS 6)
> and I am pretty sure it would work (it should) :-)
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "jgochin" <jgochin@discussions.microsoft.com> wrote in message
> news:7C7AC86E-F68C-47D2-A897-D7FCB5340E8B@microsoft.com...
>
>
>
Sponsored Links






Free braindumps | Software forum | Database administration forum

Copyright 2003 - 2008 webservertalk.com