Re: Relationship between IIS security and .NET AuthenticationManager

IIS actually implements the authentication protocols that it supports
(Basic, Digest, Negotiate, Client Cert), so that behavior is governed by the
settings in the IIS metabase.

I'm not totally clear on what the authentication module in System.Net
actually do, especially in relation to ASP.NET, but Windows authentication
is already "done" by the time ASP.NET sees the request.

If you don't want negotiate (only NTLM), you need to change the appropriate
IIS metabase property. This is done with a script or with a tool like
Metabase Explorer. Inetmgr does not expose UI for this. I generally find
myself doing the exact opposite to get Kerberos support, but some people
want NTLM for some reason.

I'm not sure about books that go into this. I learned most of what I know
from struggling with a vendor SSO product for more than a year. :)

Joe K.

"Manny Vellon" <mvellon@xxxxxxxxxx> wrote in message
news:%23Fcq%23wYQGHA.5924@xxxxxxxxxxxxxxxxxxxxxxx
Is there a good explanation (web page, book, etc.) of how IIS security and
AuthenticationManager security interrelate in the context of Web services?
I am experimenting with this and don't understand why if I call
AuthenticationManager.Unregister() and remove all authentication modules
except NTLM, that it seems that my IIS server is still trying to do
"Negotiate" authentication (as determined by an Ethereal sniff and looking
at the HTTP response headers (the "WWW-Authenticate" header). I've set up
my IIS folder and file security (on my web service directory and .asmx
file) to specify "Integrated Windows Authentication". I have verified
that the Unregister calls are doing the right thing (by iterating through
the RegisteredModules and verifying that only NTLM remains).

thanks.



.

Relevant Pages

  • Re: HELP PLEASE The request failed with HTTP status 401: Access Denied.
    ... Web Security: Part 2: Introducing the Web Application Manager, Client ... Authentication Options, and Process Isolation ... It introduces the Web Application Manager in IIS that ... logon session, which is dangerous. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • RE: Can no longer access ActiveSync
    ... OMA and Exchange/Exchange-OMA virtual directory. ... Please verify Authentication settings by the following steps. ... Open IIS Manager ... issue may be caused by the Exchange attribute of original user account. ...
    (microsoft.public.exchange.admin)
  • Re: Basic Authentication fails with Error 401.2 where Integrated s
    ... I didn't realise the Web Sites folder in IIS manager threw up a global ... sure that Basic Authentication is allowed to function on your server. ... ACCOUNTNAME, this is the account that I am trying to grant access to: ... Account: COMPUTERNAME\ACCOUNTNAME Access type: FULL ...
    (microsoft.public.inetserver.iis.security)
  • Re: SBS2k3 and activesync over the air
    ... the Exchweb virtual directory. ... ONLY 'Basic authentication' is selected ... please restart your IIS service and test your issue again. ... Regarding ActiveSync issue, support code 0x85010014 means error HTTP 500. ...
    (microsoft.public.windows.server.sbs)
  • Re: Relationship between IIS security and .NET AuthenticationManager
    ... by the settings in the IIS metabase. ... I'm not totally clear on what the authentication module in System.Net ... If you don't want negotiate (only NTLM), ...
    (microsoft.public.dotnet.framework.aspnet.security)