RE: How to enable IWA over multiple servers
- From: musosdev <musoswire@xxxxxxxxxxxxxxxx>
- Date: Thu, 15 Mar 2007 08:53:36 -0700
Dominick,
Fair point - problem was the sysadmin had upgraded it to a DC so we couldn't
really test it.
However, we downgraded it and it *looks* like it's working.
Thanks for your help.
Dan
"Dominick Baier" wrote:
Just try it - I would have to try it too...
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
I'll try that. Does that mean that adding http://192.168.0.4 to the
trusted sites on the clients would also work!?
"Dominick Baier" wrote:
OK - that's the reason -
whenever IE sees a dot in the URL, it does not send the credentials
automatically - try the machine name and see if that works...
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
From IE, via IP address...
http://192.168.0.4:xxxx (xxxx being the port no)
"Dominick Baier" wrote:
Hi,
How are you accessing the web server? Using the machine name, or a
fully qualified DNS name, like server.domain.com?
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Steven,
Thanks for the mass of info!
I've checked with the system administrator on our domain, and we
are using domain logon, so I'm unsure as to why the credentials
aren't being passed.
Here's the flow a user goes through when trying to access the
non-DC web server..
1) Boot up computer and log on as ActiveDirectory username (I'm Joe
Bloggs, my username is jbloggs), so.. UserName: jbloggs, Password:
<whatever>, Domain: MYDOMAIN.
(this validates with our main active directory domain controller,
DC1, 192.168.0.1)
2) I double click the "Intranet" icon on my desktop. This loads IE
and goes to 192.168.0.4.
3) It pops up with a Windows Logon dialog, which says...
User name: 192.168.0.4\jbloggs
Password: <whatever>
There's the problem, it's trying to log me in to the domain server as
a member of 192.168.0.4 (the web server), not a member of MYDOMAIN.
If I put my password in, it won't let me in and just pops the Logon
box up again. If I change the information to:
User name: MYDOMAIN\jbloggs
Password: <whatever>
Then it logs me straight in and up pops the Intranet.
The thing is... how do we get it to log in as the Domain User, rather
than a user of the web server. I believe we could make the web
server a DC, which would replicate Active Directory, and everything
would work.
But... how can we do it without making the web server a DC?
I hope that's clear... I'm a developer, not a domain admin!
Thanks,
Dan
"Steven Cheng[MSFT]" wrote:
Hello Dan,
From your description, you have an ASP.NET application that uses
integrated windows authentication to authenticate the client
users (domain accounts). You found that the application can gain the
client domain identity correctly when the ASP.NET app is hosted
on a DC, but not correctly when hosted on a normal webserver in
the domain (intranet), correct?
Based on my experience, the problem behavior you met is likely
due to the logon user account you used to visit the web
application and from which machine you're performing the test.
Are you testing the application (visiting the certain web page in the
ASP.NET application) on the local machine (of the webserver)? If
so, are you logged on through a local account on the webserver rather
than a domain user account?
When you try visiting a web application in IIS protected by
integrated windows authentication, the IE browser will send the
current client logon user identity to the server (for the intranet
scenario) so that the IIS server can get it. If you're visiting
the web app on the local machine (the webserver), the current logon
session is directly used. If you log on through a local account
such as "web server machine\localuser", then the IIS server will
certainly get "web server machine\localuser" (rather than a
domain account). On a DC box, it is a bit particular because all
the accounts on a DC are domain accounts (there is no local account
on a DC box), so even if you log on to the DC through a "localuser"
account, it is treated as "domainname\localuser".
Therefore, for your scenario, I suggest you try testing on a remote
client (logged on through a domain account), visit the web
application and see the behavior. I think the integrated windows
authentication should work as expected to get the domain user
identity.
If you have anything unclear on this or any other questions,
please feel free to post here.
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.
Note: The MSDN Managed Newsgroup support offering is for
non-urgent issues where an initial response from the community or
a Microsoft Support Engineer within 1 business day is acceptable.
Please note that each follow up response may take approximately 2
business days as the support professional working with you may
need further investigation to reach the most efficient
resolution. The offering is not appropriate for situations that
require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature
are best handled working with a dedicated Microsoft Support
Engineer by contacting Microsoft Customer Support Services (CSS)
at http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers
no rights.
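As an added diagnostic example (not code from the thread or from either author), the following ASP.NET 2.0 page reports the identity IIS actually received under Integrated Windows Authentication and whether that identity came from the web server's own local accounts or from the domain, which is the distinction Steven's reply turns on. The page name `WhoAmI`, the helper `ClassifyAuthority` and the expected domain value `MYDOMAIN` are assumptions; the application must have `<authentication mode="Windows"/>` in web.config and anonymous access disabled in IIS.

```csharp
// WhoAmI.aspx.cs: diagnostic page for an IWA-protected ASP.NET 2.0 application.
// Browse to it from the client under test and compare the output with what the
// user expects (DOMAIN\user versus MACHINE\user). Added example, not from the thread.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public partial class WhoAmI : Page
{
    // Classifies the AUTHORITY part of "AUTHORITY\user" against the web server's
    // own machine name and the expected NetBIOS domain name (MYDOMAIN in the thread).
    public static string ClassifyAuthority(string accountName, string machineName, string expectedDomain)
    {
        if (String.IsNullOrEmpty(accountName))
            return "anonymous (no credentials were sent or accepted)";
        int sep = accountName.IndexOf('\\');
        if (sep < 0)
            return "no authority prefix (unexpected for Integrated Windows Authentication)";
        string authority = accountName.Substring(0, sep);
        if (String.Equals(authority, machineName, StringComparison.OrdinalIgnoreCase))
            return "LOCAL account on the web server (the MACHINE\\user symptom)";
        if (String.Equals(authority, expectedDomain, StringComparison.OrdinalIgnoreCase))
            return "DOMAIN account (IWA delivered the expected identity)";
        return "other authority: " + authority;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";
        // Identity IIS impersonates for this request; null when the request is anonymous.
        WindowsIdentity id = Request.LogonUserIdentity;
        string name = id == null ? "" : id.Name;
        string expectedDomain = "MYDOMAIN";   // assumption: replace with your own domain

        // Host header shows whether the client used an IP address (dot in the URL) or a machine name.
        Response.Write("Request host        : " + Request.Url.Host + "\r\n");
        // Absent header means the browser never attempted NTLM/Negotiate at all.
        Response.Write("Authorization header: " +
            (Request.Headers["Authorization"] == null ? "absent" : "present") + "\r\n");
        Response.Write("Authentication type : " + User.Identity.AuthenticationType + "\r\n");
        Response.Write("Identity seen by IIS: " + name + "\r\n");
        Response.Write("Classification      : " +
            ClassifyAuthority(name, Environment.MachineName, expectedDomain) + "\r\n");
    }
}
```

When anonymous access is disabled, the page only runs once authentication succeeded, so a "LOCAL account" result means the client really did authenticate with an account from the web server's own account database rather than the domain.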