Digest Authentication of account in Trusted Domain fails

From: Jannie Hanekom (no-one@localhost)
Date: 04/23/03


From: "Jannie Hanekom" <no-one@localhost>
Date: Wed, 23 Apr 2003 20:17:04 +0100


Hi

I've got a set-up with two Windows 2000 Active Directory domains (A trusts
B) and a web server (member of domain A). I use Digest Authentication on
the web server. Reversible encryption is enabled and enforced on both
domains.

Basic Authentication to both domains works properly, but Digest
Authentication only works for accounts in domain A (where the web server
is). Looking at the log files, it seems as if specifying the domain name as
part of the user name (as in DOMAIN-B\administrator) is incorrectly parsed,
as the following data results:

Event ID: 529
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: \administrator
  Domain: B
  Logon Type: 3
  Logon Process: IIS

Note that User Name is '\administrator' - account name prefixed with a '\'.
A quick test to specify the 'default' domain of the web server (i.e.
DOMAIN-A\administrator) confirms this apparent bug, with a similar 529
event, only this time the domain is listed as A. Specifying the UPN in the
format administrator@domain-a.local doesn't work either.

In a nutshell, this prevents IIS from authenticating accounts in trusted
domains using Digest Authentication, which according to the documentation
should work. Any ideas on how to fix or work around this problem?

Jannie
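
A log-triage sketch for the symptom described in the post, added here as an example and not part of the original message: it parses text exports of Event ID 529 and flags IIS logon failures whose User Name field still contains the '\' separator. The first sample record is constructed from the event quoted above, the second (user jsmith) is invented for contrast, and the text layout is assumed to match that quote.

```python
import re

# Constructed sample: record 1 mirrors the event quoted in the post,
# record 2 is an invented ordinary failure for contrast.
SAMPLE_LOG = """\
Event ID: 529
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: \\administrator
  Domain: B
  Logon Type: 3
  Logon Process: IIS

Event ID: 529
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: jsmith
  Domain: A
  Logon Type: 3
  Logon Process: IIS
"""

# "Key: value" lines; the key is letters and spaces up to the first colon.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_events(text):
    """Split the export on blank lines and turn each record into a dict."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if fields:
            events.append(fields)
    return events

def malformed_iis_logons(events):
    """Return (domain, user) for IIS 529 events whose user name kept a '\\'."""
    hits = []
    for ev in events:
        if ev.get("Event ID") != "529" or ev.get("Logon Process") != "IIS":
            continue
        user = ev.get("User Name", "")
        # A backslash here means the DOMAIN\user string was not split cleanly.
        if "\\" in user:
            hits.append((ev.get("Domain", ""), user))
    return hits

if __name__ == "__main__":
    for domain, user in malformed_iis_logons(parse_events(SAMPLE_LOG)):
        print(f"malformed user name {user!r} in domain {domain!r}")
```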


