Re: NTLM Authentication Across Forests
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 11/04/04
- In reply to: Andrew: "NTLM Authentication Across Forests"
Date: Thu, 4 Nov 2004 12:38:28 -0600
Are you using impersonation in your web.config?
Joe K.
"Andrew" <andrew.miadowicz@gmail.com> wrote in message
news:d6565709.0411040834.564f95f1@posting.google.com...
> I have a problem that I've spent a considerable amount of time
> researching and still haven't quite found the answer.
>
> I have an intranet web server in Domain A of Forest A. This server
> contains a website which in turn contains two files TestAccess.html
> and TestAccess.aspx. Both files have security settings which allow
> access to only one user Domain B\UserX. The user belongs to Domain B
> which is part of Forest B. All domains and forests are currently
> Windows 2000. I also use .Net Framework 1.1. IIS is set up to use
> integrated authentication and there is a one way external trust
> between Domain A and Domain B (that is Domain A trusts Domain B).
>
> The problem is as follows. When UserX browses to the website and
> tries to access page TestAccess.html the page is served successfully.
> However, when the same user attempts to view page TestAccess.aspx, he
> gets an access denied error. Why is it so?
>
> Considering that the domains are in separate forests and that Kerberos
> authentication does not work across forests via external trust, the
> browser uses NTLM authentication. I've read multiple posts on the
> double-hop issue with NTLM, but this does not seem to apply here,
> since both .html and .aspx files reside on the same web server.
>
> I also tested the same website with a UserY in DomainA and everything
> worked fine, i.e. both pages could be viewed just fine. The security
> logs indicated that in this case Kerberos was used for authentication.
>
> So my question is: Why is the .aspx page not served to UserX? Do I
> have some kind of double-hop situation here even if the files are on
> the same machine?
>
> Please, help me make sense of this.