Re: Integrated Windows Authentication not working

From: Stephen L Nicoud (nicouds@hotmail.com)
Date: 05/14/02 

Date: Mon, 13 May 2002 19:59:56 -0700
From: Stephen L Nicoud <nicouds@hotmail.com>

> >MHughes wrote:
> >>
> >> I have a site with that I've set up to require SSL and
> have the following
> >> settings for authentication methods:
> >>
> >> Anonymous access - unchecked
> >> Basic authentication - checked
> >> default domain - local box
> >> Digest authentication - unchecked
> >> Integrated Windows authentication - checked
> >>
> >> Just to make sure the setting took, I rebooted my
> server.
> >>
> >> When I try to log into the site the certificate pops up
> and I select yes. I
> >> then expect a windows login box, but does not. I assume
> it is trying to use
> >> my domain account (which won't work because I've set up
> the site to accept
> >> only account on the local box) and never asks me to log
> in with different
> >> credentials.
> >>
> >> I have tried this outside of my domain and the same
> thing happend.
> >> Certificate process seems to work fine, but it never
> asks me to log in.
> >>
> >> I want to force the login box to come up. What am I
> doing wrong??

> Stephen L Nicoud <nicouds@hotmail.com> wrote
> >
> >Is your web server a member of a domain or does it have a
> trust to the
> >domain that contains your user account?
> >
> >Exactly how did you "set up the site to accept only
> account on the local
> >box"? Setting the "default domain" to the local box does
> not restrict
> >the site to only accounts that are local to the web
> server.
> >
> >What are the NTFS permissions on the files you are trying
> to access?
> >
> >If Integrated Windows Authentication (IWA) is selected
> and if Internet
> >Explorer (IE) is configured to allow IWA and if IE is
> configured to
> >submit credentials automatically for the IE security zone
> that contains
> >the host and if the user logged in to their computer with
> the same
> >account that is required to access the web-based content
> and if the user
> >does not have to go through a proxy server to reach the
> web server and
> >if the user's account has the "Access this computer from
> the network"
> >right on the web server, THEN IE will automatically
> submit credentials
> >(without prompting the user) and the user will gain
> access to protected
> >resources.

Michael wrote:
>
> My web server is a member of our domain.
>
> I did set up the default domain to the local box and
> understand that is basically the first place it looks to
> attempt authentication.

If you are using IE and if you have IIS configured for Integrated
Windows Authentication, then IE will FIRST try to send the credentials
of the person logged on to the client workstation. If that user is
logged in with an account (username and domain) that has the correct
permissions to access to requested resource, they will NOT be prompted.

The default domain box only comes in to play IF the user is prompted.
 
> I do not have NTFS permissions setup on the directory that
> access is being requested. The files are asp pages that
> access a db.

So you are saying that your .asp files are all on a FAT drive and not on
an NTFS drive?

>
> I understand that IE will attempt to send credentials
> initially, but I was under the impression that if those
> credentials were not valid, that the log in dialog box
> would come up and you could enter the credentials manually
> (this of course would be the case when coming through the
> Internet).

You should know that Integrated Windows Authentication should not be
used on the Internet because it is not compatible with most proxy
services.

>
> I had this working on other sites. The dialog box always
> came up, but for some reason it is not anymore. 

-- 
Reply to the newsgroup.

Relevant Pages

  • Re: winnt vs. sql auth
    ... The biggest benefit of using Windows Authentication is the security of the ... account access, then somewhere that account information must be stored. ... the storage of this information is on the very server that is at ... login credentials are transmitted over the network in cleartext. ...
    (microsoft.public.sqlserver.server)
  • Re: Integrated Windows Authentication not working
    ... My web server is a member of our domain. ... attempt authentication. ... I understand that IE will attempt to send credentials ... >> my domain account (which won't work because I've set up ...
    (microsoft.public.inetserver.iis.security)
  • Re: NT based roles using forms authentication
    ... You could create locked down local accounts on the web server and ... still use Windows authentication. ... >them selves and change between users without logging off the account. ... >> Windows manage the authentication and impersonation with a web.config ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Integrated Windows Authentication not working
    ... > settings for authentication methods: ... > my domain account (which won't work because I've set up the site to accept ... Is your web server a member of a domain or does it have a trust to the ... submit credentials automatically for the IE security zone that contains ...
    (microsoft.public.inetserver.iis.security)
  • RE: How to enable IWA over multiple servers
    ... Boot up computer and logon as ActiveDirectory username (im joe ... a member of 192.168.0.4 (the web server), ... through a local account on the webserver rather than a domain user ... Microsoft MSDN Online Support Lead ...
    (microsoft.public.dotnet.framework.aspnet.security)