RE: How to enable IWA over multiple servers



From IE, via IP address...

http://192.168.0.4:xxxx (xxxx being the port no)



"Dominick Baier" wrote:

Hi,

how are you accessing the web server? using the machine name - or a fully
qualified DNS name, like server.domain.com ?


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Steven,

Thanks for the mass of info!

I've checked with the system administrator on our domain, and we are
using domain logon, so I'm unsure as to why the credentials aren't
being passed.

Here's the flow a user goes through when trying to access the non-DC
web server..

1) Boot up computer and logon as ActiveDirectory username (I'm Joe
Bloggs, my username is jbloggs), so.. UserName: jbloggs, Password:
<whatever>, Domain: MYDOMAIN.

(this validates with our main active directory domain controller, DC1,
192.168.0.1)

2) I double click the "Intranet" icon on my desktop. This loads IE and
goes to 192.168.0.4.

3) It pops up with a Windows Logon dialog, which says...

User name: 192.168.0.4\jbloggs
Password: <whatever>
There's the problem, it's trying to log me in to the domain server as
a member of 192.168.0.4 (the web server), not a member of MYDOMAIN.

If I put my password in, it won't let me in and just pops the Logon
box up again. If I change the information to:

User name: MYDOMAIN\jbloggs
Password: <whatever>
Then it logs me straight in and up pops the Intranet.

The thing is... how do we get it to login as the Domain User, rather
than a user of the web server. I believe we could make the web server
a DC, which would replicate Active Directory, and everything would
work.

But... how can we do it without making the web server a DC?

I hope that's clear... I'm a developer, not a domain admin!

Thanks,

Dan

"Steven Cheng[MSFT]" wrote:

Hello Dan,

From your description, you have an ASP.NET application that uses
integrated windows authentication to authenticate the client
users (domain accounts); you found that the application can gain the
client domain identity correctly when the ASP.NET app is hosted on a
DC, but not correctly when hosted on a normal webserver in the
domain (intranet), correct?

Based on my experience, the problem behavior you met is likely due to
the logon user account you used to visit the web application and from
which machine you're performing the test. Are you testing the
application (visiting the certain web page in the ASP.NET application) on
the local machine (of the webserver)? If so, are you logged on through a
local account on the webserver rather than a domain user account?

When you try visiting a web application in IIS protected by
integrated windows authentication, the IE browser will send the
current client logon user identity to the server (for the intranet scenario)
so that the IIS server can get it. If you're visiting the web app on the
local machine (the webserver), the current logon session is directly
used. If you logon through a local account such as "web server
machine\localuser", then the IIS server will certainly get the "web
server machine\localuser" (rather than the domain account). On a DC box,
it is a bit particular because all the accounts on a DC are domain
accounts (there is no local account on a DC box), so even if you logon to the
DC through a "localuser" account, it is treated as
"domainname\localuser".

Therefore, for your scenario, I suggest you try testing on a remote
client (logged on through a domain account), visit the web application
and see the behavior. I think the integrated windows authentication
should work as expected to get the domain user identity.

If you have anything unclear on this or any other questions, please
feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

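Dominick's question (machine name versus FQDN versus IP address) points at the usual cause of the prompt Dan describes: IE only logs on silently with the current domain credentials for sites in its Local intranet zone, and by default only a dotless hostname such as http://intranet lands there; a raw IP or a fully qualified name is treated as Internet zone and IE prompts instead, pre-filling the target server's name as the account domain. The script below is an added illustration of that default heuristic, not code from the thread; the default zone rules and logon setting are assumed to be IE's stock configuration, and the `intranet_sites` parameter models the administrator adding the address to the Local intranet zone.

```python
"""Model IE's default zone heuristic for a URL host and predict whether
Integrated Windows Authentication (IWA) will log on silently or prompt.

Assumptions (IE defaults): a host with no dot is Local intranet; dotted
names and IP addresses are Internet unless explicitly listed; the logon
option "Automatic logon only in Intranet zone" is in effect for both.
"""
import ipaddress
from urllib.parse import urlsplit


def is_ip_literal(host):
    """True when the host part of the URL is an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_host(url, intranet_sites=()):
    """Return the zone IE would pick and whether it auto-sends credentials."""
    host = (urlsplit(url).hostname or "").lower()
    listed = host in {s.lower() for s in intranet_sites}
    dotless = bool(host) and "." not in host and not is_ip_literal(host)
    if listed or dotless:
        return {"host": host, "zone": "Local intranet", "auto_logon": True}
    return {"host": host, "zone": "Internet", "auto_logon": False}


def expected_prompt(url, user, intranet_sites=()):
    """What the IWA logon dialog pre-fills, or None if no dialog appears.

    In the Internet zone IE does not send the cached domain logon, so the
    dialog defaults the account scope to the server name (e.g.
    '192.168.0.4\\jbloggs'), which the DC cannot validate; the user must
    retype it as 'MYDOMAIN\\jbloggs'.
    """
    info = classify_host(url, intranet_sites)
    if info["auto_logon"]:
        return None  # current DOMAIN\user logon sent via Negotiate/NTLM
    return f"{info['host']}\\{user}"


if __name__ == "__main__":
    for u in ("http://192.168.0.4:8080", "http://intranet", "http://server.domain.com"):
        print(u, classify_host(u), expected_prompt(u, "jbloggs"))
```

Two remediations follow directly from the model: point the desktop "Intranet" shortcut at the dotless server name instead of the IP, or add the IP (or FQDN) to the Local intranet zone via Group Policy so the same shortcut logs on silently.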