403.1 and Integrated Windows Authentication
From: Josh Bigelow (jbigelow_at_usc.edu)
Date: 05/21/03
- Next message: Tom Kaminski [MVP]: "Re: IIS Version"
- Previous message: fredduc: "Re: IIS + AWSTATS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 21 May 2003 05:04:48 -0700
First of all let me thank Jerry III for correctly identifying why IIS 6.0
was rejecting my attempts to use Integrated Windows Authentication. Second,
let me apologize for erroneously stating that I had it working on Windows
2000; it turned out I did not. For those that didn't see my earlier post
(which is probably everyone considering this newsgroup has a nasty habit of
deleting posts over a week old, hint hint wink wink newsgroup moderators,
this irritates the hell out of everyone), let me recap. I am attempting to
use an ASP.NET app with integrated windows authentication to authenticate
users on my internal network. Previously, my problem was a consistent
failure to automatically handshake with the server, causing
username/password popups when there shouldn't have been. This was actually a
problem on the client side; in internet explorer > internet options >
security > custom level, all the way on the bottom, under User
Authentication > Logon, it must be set to 'Automatic logon with current
username and password' in order for the client and the server to handshake
properly. To correct this, I created a registry file which modifies the
setting for all 5 zones just by running the registry file. The contents of
the registry file are at the end of this post, if anyone is curious where
that setting is stored (FYI, zones 0 thru 4 are my computer, internet, local
intranet, trusted sites, and restricted sites, respectively). So that's
great, I test it with my client computer while logged in as an
administrator, works fine, hooray, just need to make sure clients set their
settings like that. To take care of that, I edit the custom errors in IIS to
return a 401.1 with a link to download the registry file which will set
their settings for them. Now just to be safe, I log into the client computer
with a normal user account, NOT an administrator. I have already modified
the settings as described above, yet I still get the login box!! So I click
cancel, and IIS returns a 401.3, which means that access was denied due to
the ACL on the resource. Great, so I do a little research, very little
information on ACLs, especially regarding how to edit them; the only
information I could find is some stuff on IIS 4.0/5.0 editing, but I don't
want to risk crashing my production site's metabase with instructions not
written for my version of IIS. So now my question is this: it is clear to me
that only the administrative group on my domain has access to the particular
site I've configured for authentication, but how do I edit the ACL to allow
access for other groups of users? Any help would be appreciated; please also
CC any correspondence to jbigelow@usc.edu.
Regards,
Josh Bigelow
-------------------------------------
Registry file contents:
---------------------------------------
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0]
"1A00"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\1]
"1A00"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\2]
"1A00"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\3]
"1A00"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\4]
"1A00"=dword:00000000
- Next message: Tom Kaminski [MVP]: "Re: IIS Version"
- Previous message: fredduc: "Re: IIS + AWSTATS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
