hi

ive been having a bit of a read around the forum and whilst i see many threa
ds that deal with this, i havent found one to make things completely clear f
or me yet.

the web server i am dealing with runs outside of our domain, and this is fin
e for 99% of the things we need to run with public access.  however, im curr
ently trying to set up an asp site with integrated windows authentication in
 the domain.  i have the site on a share in the domain with read and execute
 access granted to the groups that need access to this.

running the site from a server in the domain it behaves exactly as expected,
 users are prompted for username and password on connection and everything r
uns fine.  from the public webserver though i have only been able to connect
 specifying an account in the "connect as" field in the site properties in i
is.

i dont know, perhaps im missing something basic here, but i really thought t
hat the passthrough authentication should work like this.  can i get this wo
rking this way or am i going to have to expose the domain to the internet?

thanks

James

[ Post a follow-up to this message ]

James,

This isn't going to work as you want it to.  If you try to configure
Integrated Windows Authentication on a non-domain joined machine then you
can only authenticate against local accounts, so if a user presents domain
credentials to the web server, then IIS doesn't understand them.  The
important point is that you still need to authenticate successfully to IIS
*before* it will pass those credentials through to the backend file share.
So when you run the site on a web server in the domain all is well, because
the web server can perform auth against the Domain, and when you configure
'connect as' credentials this is fine because then we don't care who IIS
thinks the user is, we're going to use the 'connect as' creds regardless
(but then of course this defeats the benefit of passthru).

You might consider creating a new domain in the DMZ with a 1-way trust to
the corp domain rather than bridging the corp domain into the DMZ directly.

Cheers
Phil

This posting is provided "AS IS" with no warranties, and confers no rights.


"JimiC" <JimiC.1j5tx2@mail.webservertalk.com> wrote in message
news:JimiC.1j5tx2@mail.webservertalk.com...
>
> hi
>
> ive been having a bit of a read around the forum and whilst i see many
> threads that deal with this, i havent found one to make things
> completely clear for me yet.
>
> the web server i am dealing with runs outside of our domain, and this
> is fine for 99% of the things we need to run with public access.
> however, im currently trying to set up an asp site with integrated
> windows authentication in the domain.  i have the site on a share in
> the domain with read and execute access granted to the groups that need
> access to this.
>
> running the site from a server in the domain it behaves exactly as
> expected, users are prompted for username and password on connection
> and everything runs fine.  from the public webserver though i have only
> been able to connect specifying an account in the "connect as" field in
> the site properties in iis.
>
> i dont know, perhaps im missing something basic here, but i really
> thought that the passthrough authentication should work like this.  can
> i get this working this way or am i going to have to expose the domain
> to the internet?
>
> thanks
>
> James
>
>
>
> --
> JimiC
> ------------------------------------------------------------------------
> Posted via http://www.webservertalk.com
> ------------------------------------------------------------------------
> View this thread: http://www.webservertalk.com/message886414.html
>

[ Post a follow-up to this message ]