RE: How to enable IWA over multiple servers



Hello Dan,

From your description, you have an ASP.NET application that uses Integrated
Windows Authentication to authenticate the client users (domain accounts).
You found that the application gains the client domain identity correctly
when the ASP.NET app is hosted on a DC, but not when hosted on a
normal web server in the domain (intranet), correct?

Based on my experience, the problem behavior you met is likely due to the
logon user account you used to visit the web application and the machine
from which you're performing the test. Are you testing the application
(visiting the certain web page in the ASP.NET application) on the local
machine (the web server)? If so, are you logged on through a local account
on the web server rather than a domain user account?

When you try visiting a web application in IIS protected by Integrated
Windows Authentication, the IE browser will send the current client logon
user identity to the server (for the intranet scenario) so that the IIS
server can get it. If you're visiting the web app on the local machine (the
web server), the current logon session is directly used. If you log on
through a local account such as "web server machine\localuser", then the IIS
server will certainly get "web server machine\localuser" (rather than a
domain account). A DC box is a bit particular because all the accounts on a
DC are domain accounts (there is no local account on a DC box), so even if
you log on to the DC through a "localuser" account, it is treated as
"domainname\localuser".

Therefore, for your scenario, I suggest you try testing from a remote client
(logged on through a domain account), visit the web application and see the
behavior. I think Integrated Windows Authentication should work as expected
to get the domain user identity.

If you have anything unclear on this or any other questions, please feel
free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================



This posting is provided "AS IS" with no warranties, and confers no rights.
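The quickest way to confirm the diagnosis above is to have the application report the identity IIS actually handed it, and whether that account's authority is the web server's own machine name (a local account) or a domain. The following handler is an added example, not code from the original thread or from Microsoft; the handler name, namespace and the `whoami.axd` path are assumptions, and it assumes the classic `<httpHandlers>` registration used by ASP.NET on IIS 6.

```csharp
// WhoAmIHandler.cs -- added diagnostic example, not from the original post.
// Register it in web.config under <system.web><httpHandlers>, for example:
//   <add verb="GET" path="whoami.axd" type="Diagnostics.WhoAmIHandler" />
// and make sure anonymous access is disabled and Integrated Windows
// Authentication is enabled for the application in IIS, or every field below
// will come back empty.
using System;
using System.Security.Principal;
using System.Web;

namespace Diagnostics
{
    public class WhoAmIHandler : IHttpHandler
    {
        // Stateless, so one instance can serve every request.
        public bool IsReusable { get { return true; } }

        public void ProcessRequest(HttpContext context)
        {
            HttpResponse r = context.Response;
            r.ContentType = "text/plain";

            // Scheme the browser negotiated with IIS ("Negotiate" or "NTLM" for
            // IWA; empty when the request was admitted anonymously).
            string authType = context.Request.ServerVariables["AUTH_TYPE"];
            // Account IIS established for the caller, in DOMAIN\user form.
            string logonUser = context.Request.ServerVariables["LOGON_USER"];
            // Identity ASP.NET exposes to the page; with <identity impersonate="false"/>
            // this is the authenticated caller, not the worker process account.
            IIdentity id = context.User != null ? context.User.Identity : null;

            r.Write("AUTH_TYPE             : " + authType + "\r\n");
            r.Write("LOGON_USER            : " + logonUser + "\r\n");
            r.Write("User.Identity.Name    : " + (id == null ? "(none)" : id.Name) + "\r\n");
            r.Write("IsAuthenticated       : " + (id != null && id.IsAuthenticated) + "\r\n");
            r.Write("Worker process runs as: " + WindowsIdentity.GetCurrent().Name + "\r\n");
            r.Write("Server machine name   : " + Environment.MachineName + "\r\n");
            r.Write("Caller account scope  : " + DescribeScope(logonUser) + "\r\n");
        }

        // Classifies the DOMAIN\user string the way the post describes: an
        // authority equal to the web server's own name is a local machine
        // account; anything else is a domain account (a DC has no local accounts,
        // so there the authority is always the domain).
        internal static string DescribeScope(string account)
        {
            if (string.IsNullOrEmpty(account))
                return "anonymous (IWA did not occur; check IIS authentication settings)";
            int slash = account.IndexOf('\\');
            if (slash < 0)
                return "no authority prefix";
            string authority = account.Substring(0, slash);
            if (string.Equals(authority, Environment.MachineName, StringComparison.OrdinalIgnoreCase))
                return "LOCAL account on " + Environment.MachineName + " (the case the post warns about)";
            return "domain account in " + authority;
        }
    }
}
```

Browse to the handler twice: once from a console session on the web server logged on with a local account, and once from a remote domain-joined workstation logged on with a domain account. In the first case LOGON_USER shows the machine name as its authority and the scope line reports a local account; in the second it shows the domain, which is the behaviour the application is expected to rely on. Remove the handler from production configurations once the test is done, since it discloses the worker process account and machine name to any authenticated caller.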



