NTLM Authentication Across Forests

From: Andrew (andrew.miadowicz_at_gmail.com)
Date: 11/04/04
Date: 4 Nov 2004 08:34:06 -0800

I have a problem that I've spent a considerable amount of time
researching and still haven't quite found the answer.

I have an intranet web server in Domain A of Forest A. This server
contains a website which in turn contains two files, TestAccess.html
and TestAccess.aspx. Both files have security settings which allow
access to only one user, Domain B\UserX. The user belongs to Domain B,
which is part of Forest B. All domains and forests are currently
Windows 2000. I also use .Net Framework 1.1. IIS is set up to use
integrated authentication and there is a one-way external trust
between Domain A and Domain B (that is, Domain A trusts Domain B).

The problem is as follows. When UserX browses to the website and
tries to access page TestAccess.html the page is served successfully.
However, when the same user attempts to view page TestAccess.aspx, he
gets an access denied error. Why is it so?

Considering that the domains are in separate forests and that Kerberos
authentication does not work across forests via external trust, the
browser uses NTLM authentication. I've read multiple posts on the
double-hop issue with NTLM, but this does not seem to apply here,
since both .html and .aspx files reside on the same web server.

I also tested the same website with a UserY in Domain A and everything
worked fine, i.e. both pages could be viewed just fine. The security
logs indicated that in this case Kerberos was used for authentication.

So my question is: Why is the .aspx page not served to UserX? Do I
have some kind of double-hop situation here even if the files are on
the same machine?

Please, help me make sense of this.
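As an added diagnostic (not code from the original post), the following ASP.NET 1.1 page, hypothetically named WhoAmI.aspx, reports which identity IIS authenticated for the request, which authentication scheme (NTLM or Negotiate) it used, and which Windows identity the ASP.NET worker thread is actually running under, then tries to open the two test files with that thread identity. Comparing its output for Domain B\UserX and Domain A\UserY is the first check a practitioner would want here: a static .html file is served by IIS itself, while an .aspx file is handed to the ASP.NET worker process, and the two can run NTFS access checks under different identities depending on the `<identity impersonate="..."/>` setting in web.config. File names, the page name and the plain-text output format are assumptions for this example.

```csharp
<%@ Page Language="C#" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.Security.Principal" %>
<script runat="server">
    // Added diagnostic page (hypothetical WhoAmI.aspx, not from the original post).
    // Place it next to TestAccess.aspx, leave its own ACL readable by both test
    // users, and browse to it as Domain B\UserX and as Domain A\UserY.

    // Identity that IIS authenticated and handed to ASP.NET.
    string RequestUser()
    {
        IIdentity id = Context.User == null ? null : Context.User.Identity;
        return (id == null || !id.IsAuthenticated) ? "(anonymous)" : id.Name;
    }

    // Scheme IIS negotiated for this request: "NTLM", "Negotiate", "Kerberos", ...
    string RequestAuthType()
    {
        IIdentity id = Context.User == null ? null : Context.User.Identity;
        return id == null ? "(none)" : id.AuthenticationType;
    }

    // Identity the worker thread runs under. It equals RequestUser() only when
    // <identity impersonate="true"/> is in effect; otherwise it is the
    // worker-process account (ASPNET on IIS 5).
    string ThreadUser()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    // Tries to open a file with the token the worker thread currently holds.
    // A denial here means the NTFS ACL does not grant that identity read access.
    string TryRead(string virtualPath)
    {
        try
        {
            using (FileStream fs = File.OpenRead(Server.MapPath(virtualPath)))
            {
                return "readable (" + fs.Length + " bytes)";
            }
        }
        catch (UnauthorizedAccessException)
        {
            return "ACCESS DENIED for " + ThreadUser();
        }
        catch (FileNotFoundException)
        {
            return "not found";
        }
    }

    void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";
        Response.Write("Request user   : " + RequestUser() + "\n");
        Response.Write("Auth type      : " + RequestAuthType() + "\n");
        Response.Write("Thread identity: " + ThreadUser() + "\n");
        Response.Write("TestAccess.html: " + TryRead("TestAccess.html") + "\n");
        Response.Write("TestAccess.aspx: " + TryRead("TestAccess.aspx") + "\n");
    }
</script>
```

If the request user and the thread identity differ for UserX, the .aspx access check is being evaluated against a different account than the one the NTFS ACL names. Note that an auth type of "Negotiate" does not by itself prove Kerberos was used; the security event log on the web server, which the post already consulted, records the actual logon package.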
