I am curiuos if anyone has a suggestion about the use of the metabase
property "DefaultLogonDomain" to accomplish the purposes of pointing the IIS
server to authenticate against the domain instead of the local machine
database.

--
Jim R


"K12-Jammer" wrote:
[vbcol=seagreen]
> Dear Ingenious (nice play on words there)
>
> First, thanks for your response.  It addresses several key issues related 
to
> authentication and the key questions to ask/address when trying to do this
> thing.
> And, my apologies for not including the firewall/intranet/internet info.  
I
> thought about doing it and then the phone rang or something.
>
> FIREWALL QUESTION:
> I would like this to work both on the Intranet and Internet level.  On the
> Intranet level, there would be no firewall between the IIS and the web
> client.  On the Internet level there would be one.  Note that there is no
> firewall between the IIS and the Domain Controller as we are using a
> one-to-one NAT for external port 80 traffic which directs Internet request
s
> to the web server.  This was the recommended config by our firewall vendor
> (Watchguard).
>
>  Currently, the Integrated Windows Authentication works identically whethe
r
> inside or outside our network.  I believe that this is because the IIS and
> the Active Directory are in the same network.
>
> The only downside is what is considered to be the "strange username format
."
>
> DIGEST vs BASIC AUTHENTICATION MODES
> Let me start by throwing out BASIC as I don't want the clear text
> transmittal of passwords.  So then, I jump headlong into a vast pool of my
> own ignorance with regard to DIGEST mode.  From my readings I see that it
> requires a ?reverse hash of the encrypted password? to be stored in
> something.  That whole phraseology made me a bit concerned that I was open
ing
> up a security hole.
>
> My apologies for not being better informed on the realities of all that is
> related to Digest mode.  The reality is that we are fearful of what we don
't
> understand.  So at the moment I am fearful of Digest mode (though perhaps 
my
> fear is misplaced).
>
> I did try briefly to enable digest mode on my test box in my domain and di
d
> not have success.  I assume that this was because I did not reset my passw
ord
> thus enabling the reverse-hash-whatevering to occur.
>
> CONCLUSION:
> The Digest mode would certainly allow me to set the default domain though 
I
> am still uncertain of the security impact of using it.  Basic would also
> accomplish my objective but I am sure of the security impact of using clea
r
> text passwords over the Internet.  I am still curious about the potential 
use
> of the DefaultLogonDomain property in the Metabase.
>
> Thanks again.
>
> --
> Jim R
>
>
> "Indigenous" wrote:
> 

[ Post a follow-up to this message ]