
IIS Integrated Authentication

Status
Not open for further replies.

bponting

MIS
Jul 3, 2003
7
GB
Hello,

We are using IIS Integrated Authentication on a Win2k server in a workgroup. Users have matching accounts and passwords on the server and w2k workstations, and can login to the web site without being prompted.

We have joined the server to an ADS domain and disabled the workgroup accounts on the server, but now the users are prompted even though the user accounts and passwords between ADS and the users machine match. If the user enters the name of the user, password and domain in the prompt it works.

How do I force integrated authentication to look for the domain instead of the workgroup? I know basic authentication can be forced to look to a particular domain, but we need integrated so that the user is not prompted.

Hope someone can help.

Thanks,

Ben
 
Well, a workaround is that the users type their full username:

DOMAIN\USERNAME
Password

But that might not be what you're looking for.




"In space, nobody can hear you click..."
 
Thanks ReddLefty.

That would sort of defeat the purpose of Integrated Authentication. We're trying to develop a single sign on environment, so that once the user is authenticated to the desktop, they won't be prompted to login to any other systems. The desktop credentials are passed to any system they are trying to access. We got this working for proxy, VPN, NDS and citrix systems, just not IIS yet.

I'm thinking we'll have to make the IIS server a Domain Controller. Not so good.

Ben
 
Let me clarify something. If you create an account on a member server and later an account locally on a workstation, those two accounts won't be the same when it comes to Integrated Authentication; even if they match in username and password, they don't have the same SID. The server looks at them as different accounts.
If your workstations are Windows NT based, check that your workstations are joined into your domain, and after that, make sure you are using the user accounts you created on your Active Directory, not the local accounts on the workstations. Make sure, in the login screen, you log into your domain, not the local machine name.
For this to happen you should have a domain controller in your network, to handle the authentication.

A+, MCP, CCNA
marbinpr@hotmail.com

"I just know that I know nothing"
Socrates (469-399 B.C.E.)

 
Thanks Koquito,

The SID doesn't play a part in IIS authentication. With Windows Integrated, as long as the username and password match on the workstation and the domain/local SAM on the server they will be authenticated.

I've got a good URL that explains it:


I know this works because we've had it working for months, the problem has only arrived when the server has been added to a domain.

Thanks anyway,

Ben
 
From what I understand of what you are telling us: you have a server that is part of a domain, and any accounts that you have on that server will belong to its domain, not to any workgroup. The workstations are using a workgroup environment, and those accounts in the workgroup will be different from those on the server because the server is part of a domain, and the accounts are different. If you want to try, create two accounts with the same username and password, one on the server and one on the workstation, and see if the account on the workstation can access the server without being prompted for authentication.
The accounts on the server have a domain included, let's say in the hash; the workstations don't have that part and that makes them differ for authentication.

A+, MCP, CCNA
marbinpr@hotmail.com

"I just know that I know nothing"
Socrates (469-399 B.C.E.)

 
In "Internet Explorer", in "Internet Options" under the "Security" tab, edit the "Custom Settings" for "Local intranet" or "Internet". Under "User Authentication" you should be able to check "Automatic logon with current username and password". Also in the "Security" tab click "Sites", "Advanced"; you can add which sites are in that particular realm. Try messing with these settings until it works the way you want. Then in Active Directory edit your group policy for the entire domain. Edit the "Internet Explorer" settings with the setting you found appropriate. Using group policy will change the settings on all "Internet Explorers" for all users.
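An added read-only audit script (not from this thread or any of its posters) that reads back the two Internet Explorer settings the post above describes: the "User Authentication > Logon" action for the Local intranet and Internet zones, and whether a given site has been mapped into the Local intranet zone via "Sites > Advanced". It assumes the standard per-user IE zone registry layout (Zones\<n>\1A00 for the logon action, ZoneMap\Domains for site-to-zone mappings); the host name is a constructed sample.

```powershell
# Added example: audit the IE zone logon action and site-to-zone mapping.
# Assumes the standard IE registry layout under HKCU; $SiteHost is a constructed sample.
param([string]$SiteHost = 'iisweb.corp.example')

$ZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMap  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Meaning of the 1A00 ("User Authentication > Logon") DWORD per zone.
$LogonNames = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Automatic logon only in Intranet zone'
    0x20000 = 'Prompt for user name and password'
    0x30000 = 'Anonymous logon'
}

# Zone numbers: 1 = Local intranet, 3 = Internet.
function Get-ZoneLogonSetting([int]$Zone) {
    $value = (Get-ItemProperty -Path "$ZonesKey\$Zone" -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    if ($null -eq $value) { return 'not set (zone default)' }
    if ($LogonNames.ContainsKey([int]$value)) { return $LogonNames[[int]$value] }
    return ('unknown value 0x{0:X}' -f [int]$value)
}

# $true when the host was added to Local intranet (ZoneMap value 1) for http, https or all schemes.
function Test-HostInIntranetZone([string]$HostName) {
    $parts = $HostName.Split('.')
    if ($parts.Count -lt 2) { return $false }
    $domain = ($parts[-2], $parts[-1]) -join '.'
    $sub    = if ($parts.Count -gt 2) { $parts[0..($parts.Count - 3)] -join '.' } else { '' }
    $key    = if ($sub) { "$ZoneMap\$domain\$sub" } else { "$ZoneMap\$domain" }
    $entry  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $entry) { return $false }
    $hit = $entry.PSObject.Properties | Where-Object { $_.Name -in 'http', 'https', '*' -and $_.Value -eq 1 }
    return [bool]$hit
}

"Local intranet zone logon: $(Get-ZoneLogonSetting 1)"
"Internet zone logon:       $(Get-ZoneLogonSetting 3)"
"$SiteHost mapped to Local intranet: $(Test-HostInIntranetZone $SiteHost)"
```

Run it as the user whose browser is prompting; a site that is not in the Local intranet zone will only get automatic logon when the zone's action is the first value above, which is the setting to avoid for the Internet zone.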
 
Koquito,

The IIS server was built as a workgroup and accounts created in the workgroup locally on the server.

Our workstation accounts are in another workgroup, the accounts are created by Novell ZENworks DLU based on NDS user accounts. We use DirXML to automatically create exactly the same accounts in the Active Directory domain and the passwords are also synchronised.

So the workgroup account created locally on every workstation is exactly the same as the account in Active Directory.

When the IIS server is a member of the domain it still retains its original workgroup accounts, but can also access the AD domain accounts. So when authenticating to IIS, it always looks at the local SAM (workgroup) that has only a few accounts in it, not the AD domain that automatically holds all of our user accounts. This can only be done by prompting the user for the domain name.

We want to use pass through logins using integrated authentication. This does work if we make the server a domain controller, however we don't want to make an IIS server accessible from the Internet a Domain Controller.

Hope this clarifies,

thanks,

Ben

 
Pollux0,

Thanks for the reply,

We tried this. The problem seems to be that the IIS server will always attempt to compare user credentials to its local SAM (workgroup) rather than the remote AD domain of which it is a member. If we use basic authentication, you can tell IIS to always look at a particular domain when authenticating. However you need to use Integrated Authentication to enable pass through (non prompted) login.

What IE needs is a setting in the "Automatic logon with current username and password" that allows you to configure a particular domain name to be sent with your current username and password information. I was hoping there may be a registry key or something that could do this.

We also tried making the workstations members of the domain we want IIS to authenticate against. No luck, IE still doesn't send the domain name to IIS.

Thanks anyway,

Ben
 
I see. The problem doesn't look like it is with IIS but with the users' Internet Explorer settings. Adding those client machines to that domain should work... theoretically.

Just a wild guess: My Computer -> Properties -> Network ID -> Properties -> More. What does the primary DNS suffix of this computer say when the computer is not part of the domain and when it is part of the domain?
 
We did test making the workstation part of the domain and it still prompted you. The root of the problem is that IIS looks at its local SAM (workgroup) instead of the AD domain of which it is a part. If IE could forward the domain info in the authentication window automatically along with the current logged in username and password, it should work. But where can you set this? I don't think you can.

So I think the only solution is to make the IIS a Domain Controller; then it has only one SAM to compare user accounts to. We tested this and it works, but IIS on a Domain Controller is a security problem?
 
Ok, now I understand your configuration. Your IIS is on a member server. I assume you are using the IP address of the IIS server or its computer name. My suggestion is, create a DNS entry (alias) on your domain controller to point to your IIS member server IP address.
Then after that is created, call your IIS server in your browser by its DNS name.

A+, MCP, CCNA
marbinpr@hotmail.com

"I just know that I know nothing"
Socrates (469-399 B.C.E.)

 
Also, did you try adding the users (or group) from the domain locally on the member server with the proper rights?

A+, MCP, CCNA
marbinpr@hotmail.com

"I just know that I know nothing"
Socrates (469-399 B.C.E.)

 
koquito,

When you make a server or workstation a member of a domain it is automatically added to the DNS using dynamic updates. I can ping the server by its name using DNS. But this still doesn't help our problem.

If we add the users to the local servers SAM it works fine. But the point of adding the IIS server to the domain was so that it would use the domain accounts, rather than us having to add 2000 user accounts manually and set passwords, doubling our user admin.

Thanks anyway,

Ben
 
Sometimes the host records are not created.
You can use groups instead.

A+, MCP, CCNA
marbinpr@hotmail.com

"I just know that I know nothing"
Socrates (469-399 B.C.E.)

 
I also have a similar problem.
I am trying to use IIS 5.0 personal web server on Win 2K Professional with SP4.

I have a web application that I have configured to use NT Authentication, but I don't want the logon prompt to appear every time users use the app. Once they log in that should be enough.

The app works fine on a Win 2K Sp3 machine.

Anybody got any clues as to what I am doing wrong?

 