RE: How to enable IWA over multiple servers



I'll try that. Does that mean that adding http://192.168.0.4 to the trusted
sites on the clients would also work!?

"Dominick Baier" wrote:

ok - that's the reason -

whenever IE sees a dot in the URL - it does not send the credentials automatically
- try the machine name and see if that works...


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
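A small model of the zone rule described above, added here as an illustrative example and not code from any post in the thread: IE treats a dotless host name as Local Intranet and sends the logged-on user's credentials automatically, while an IP address or a dotted name falls outside that zone unless an administrator has explicitly listed it. The INTRANET_ZONE_MAP set and the sample URLs are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed for this example: hosts an administrator has explicitly
# added to the Local Intranet zone. Anything here is treated as intranet
# regardless of whether the name contains a dot.
INTRANET_ZONE_MAP = {"intranet.example.local"}


def host_of(url):
    """Return the lower-cased host part of a URL (port and brackets stripped)."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host.lower()


def classify_zone(url, zone_map=INTRANET_ZONE_MAP):
    """Classify a URL the way IE's Local Intranet heuristic does.

    Returns (zone, reason) where zone is "intranet" or "internet".
    """
    host = host_of(url)
    if host in zone_map:
        return ("intranet", "explicitly listed in zone map")
    try:
        ipaddress.ip_address(host)
        return ("internet", "IP literal")
    except ValueError:
        pass
    if "." in host:
        return ("internet", "dotted host name")
    return ("intranet", "dotless host name")


def sends_credentials_automatically(url, zone_map=INTRANET_ZONE_MAP):
    """True if IE would pass the logon session's credentials without prompting.

    A prompt (or a "192.168.0.4\\user" style dialog as in the thread) is IE
    declining automatic logon for a non-intranet zone, not an account failure.
    """
    zone, _ = classify_zone(url, zone_map)
    return zone == "intranet"


if __name__ == "__main__":
    # Sample URLs constructed for the example (xxxx in the thread is a port).
    for u in ("http://192.168.0.4:8080/", "http://webserver:8080/",
              "http://server.domain.com/", "http://intranet.example.local/"):
        print(u, classify_zone(u), sends_credentials_automatically(u))
```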

From IE, via IP address...

http://192.168.0.4:xxxx (xxxx being the port no)

"Dominick Baier" wrote:

Hi,

how are you accessing the web server? using the machine name - or a
fully qualified DNS name, like server.domain.com ?

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

Steven,

Thanks for the mass of info!

I've checked with the system administrator on our domain, and we are
using domain logon, so I'm unsure as to why the credentials aren't
being passed.

Here's the flow a user goes through when trying to access the non-DC
web server..

1) Boot up computer and log on as ActiveDirectory username (I'm Joe
Bloggs, my username is jbloggs), so.. UserName: jbloggs, Password:
<whatever>, Domain: MYDOMAIN.

(this validates with our main active directory domain controller,
DC1, 192.168.0.1)

2) I double click the "Intranet" icon on my desktop. This loads IE
and goes to 192.168.0.4.

3) It pops up with a Windows Logon dialog, which says...

User name: 192.168.0.4\jbloggs
Password: <whatever>

There's the problem, it's trying to log me in to the domain server as
a member of 192.168.0.4 (the web server), not a member of MYDOMAIN.
If I put my password in, it won't let me in and just pops the Logon
box up again. If I change the information to:

User name: MYDOMAIN\jbloggs
Password: <whatever>

Then it logs me straight in and up pops the Intranet.

The thing is... how do we get it to log in as the Domain User, rather
than a user of the web server? I believe we could make the web
server a DC, which would replicate Active Directory, and everything
would work.

But... how can we do it without making the web server a DC?

I hope that's clear... I'm a developer, not a domain admin!

Thanks,

Dan

"Steven Cheng[MSFT]" wrote:

Hello Dan,

From your description, you have an ASP.NET application that uses
integrated windows authentication to authenticate the client
users (domain accounts), and you found that the application can gain
the client domain identity correctly when the ASP.NET app is hosted on
a DC, but not correctly when hosted on a normal webserver in the
domain (intranet), correct?

Based on my experience, the problem behavior you met is likely due
to the logon user account you used to visit the web application and
the machine from which you're performing the test. Are you testing the
application (visiting the certain web page in the ASP.NET application)
on the local machine (of the webserver)? If so, are you logged on
through a local account on the webserver rather than a domain user
account?

When you try visiting a web application in IIS protected by
integrated windows authentication, the IE browser will send the
current client logon user identity to the server (for the intranet scenario)
so that the IIS server can get it. If you're visiting the web app on the
local machine (the webserver), the current logon session is directly
used. If you log on through a local account such as "web server
machine\localuser", then the IIS server will certainly get
"web server machine\localuser" (rather than a domain account). On a DC
box, it is a bit particular because all the accounts on a DC are
domain accounts (there is no local account on a DC box), so even if
you log on to the DC through a "localuser" account, it is treated as
"domainname\localuser".

Therefore, for your scenario, I suggest you try testing on a remote
client (logged on through a domain account), visit the web
application and see the behavior. I think the integrated windows
authentication should work as expected to get the domain user
identity.

If you have anything unclear on this or any other questions, please
feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



